frequent XSS warnings on IronFox: "A network error occurred.", mostly involving js.stripe.com - IronFox 148.0.2.1 on Android 16

[jonpsp]

Using IronFox 148.0.2.1 on Android 16, I am getting frequent XSS warnings, mostly on pages that want to load js.stripe.com. This has been happening for a while, more than a week, maybe less than a month? The odd thing is that most of the URLs listed are the extension ID. I could always allow them, but as I'm not shopping or paying for anything (i.e. not actively using stripe.com) at the time, I don't think I should be bothered by the warnings, and it's a definite change in behaviour from the extension.

I have NoScript 13.6.6, Privacy Badger, CanvasBlocker, and uBlock Origin extensions installed.

e.g. https://www.iop.org when opening my profile

NoScript detected a potential Cross-Site Scripting attack

from https://www.iop.org to https://js.stripe.com.

Suspicious data:

A network error occurred.

include@moz-extension://5e1ce7c3-6e73-4d84-b983-63f8018856b9/xss/InjectionCheckWorker.js:23:21

makeAsync/this[asyncName]@moz-extension://5e1ce7c3-6e73-4d84-b983-63f8018856b9/nscl/common/SyntaxChecker.js:33:17

checkJSSyntax@moz-extension://5e1ce7c3-6e73-4d84-b983-63f8018856b9/xss/InjectionChecker.js:131:24

checkJSBreak@moz-extension://5e1ce7c3-6e73-4d84-b983-63f8018856b9/xss/InjectionChecker.js:735:28

,(URL) https://js.stripe.com/v3/m-outer-3437aaddcdf6922d623e172c2d6f9278.html#url=https://www.iop.org/&title=Institute of Physics - For physics � For physicists � For all : Institute of Physics&referrer=&muid=NA&sid=NA&version=6&preview=false&__shared_params__[version]=v3

From http://clicks.qobuz.com/f/a/... (I shortened the URL)

NoScript detected a potential Cross-Site Scripting attack

from [...] to https://01.emailinboundprocessing.eu.

Suspicious data:

A network error occurred.

include@moz-extension://5e1ce7c3-6e73-4d84-b983-63f8018856b9/xss/InjectionCheckWorker.js:23:21

makeAsync/this[asyncName]@moz-extension://5e1ce7c3-6e73-4d84-b983-63f8018856b9/nscl/common/SyntaxChecker.js:33:17

checkJSSyntax@moz-extension://5e1ce7c3-6e73-4d84-b983-63f8018856b9/xss/InjectionChecker.js:131:24

checkJSBreak@moz-extension://5e1ce7c3-6e73-4d84-b983-63f8018856b9/xss/InjectionChecker.js:735:28

,(URL) https://01.emailinboundprocessing.eu/enc_user/unsubscribe?d=$1$RN4qjEhq8TfTXrNGZ/KDLQ==$uHbm4bMdghmZpdQJb81kjKTduUgsAXAYHwGa6GPCkc9XZjGXNXPLeLF+t2Fn

afSkrzcfIvq2c1isFi7BrYlAot1lsSSxYCYAUrNSkD2Z4n4gTLoyXikF6JZN

Qybz8TBrwbgR2kozPS+NajPCd7VvXVIKX34D1B7oUTxyi4yM7TGnTWS6GFVD

JuqH9Kchdwasm0u56wuVN3KobRi4AZmSuGq6zRw4dA5A5m4S1fqAiyhezi13

G6jrKgIVQmXwgBYBOmA9SQX3kTQOVTncj9m7p4ageBkbJpFVuTHR+xZYBeMQ

bjMoGhg6JemWtJSVHsnh8yQIpOLT/bFSwSsv/F8m98UncKR/GOfXuPLS2tq3

Yrc=&1=1

The following two screenshots are for two different attempts to logon to my IOP profile:-

[jonpsp]

I tried uninstalling NoScript, reinstalling, resetting the NoScript config to defaults and left in Strict mode, then opened https://www.iop.org/ . I then set iop.org and stripe.com as Trusted in NoScript, and got the same XSS warning.

[hackademix]

I can't reproduce on Firefox for Android 148.0.2.
This means this is a false positive, very likely due to a stricter CSP for extensions enforced by Ironfox vs Firerfox, just like Manifest V3 was in use (which is not on Gecko), causing the code to follow the fallback Manifest V3 path and failing to load the acorn.js parser, which is intentionally left out from the Manifest V2 package to avoid useless bloat.

I will try to reproduce and understand what exactly is happening on Ironfox and if a work-around is possible.

[jonpsp]

Another example, in case it helps. https://socksonrecords.bigcartel.com/product/the-scary-god-socks-weekender-bender - just opening the page generates the warning.

NoScript detected a potential Cross-Site Scripting attack

from https://socksonrecords.bigcartel.com to https://js.stripe.com.

Suspicious data:

A network error occurred.

include@moz-extension://6cc9e31c-3f53-4acc-9e69-cb36ab4b69c0/xss/InjectionCheckWorker.js:23:21

makeAsync/this[asyncName]@moz-extension://6cc9e31c-3f53-4acc-9e69-cb36ab4b69c0/nscl/common/SyntaxChecker.js:33:17

checkJSSyntax@moz-extension://6cc9e31c-3f53-4acc-9e69-cb36ab4b69c0/xss/InjectionChecker.js:131:24

checkJSBreak@moz-extension://6cc9e31c-3f53-4acc-9e69-cb36ab4b69c0/xss/InjectionChecker.js:735:28

,(URL) https://js.stripe.com/v3/controller-with-preconnect-3ec8959c192a6242a4d549b78e4c1f08.html#__shared_params__[version]=v3&__shared_params__[light_experiment_assignments]={"token":"cd3d31af-af80-4da4-82cc-2f4ffd7fd583","assignments":{"link_ewcs_prewarm_experiment_v2":"treatment"}}&apiKey=pk_live_ITTNkDEvVgmNxeZSoKpudGhR&stripeAccount=acct_1Nkv4mJ1tlBeKXXk&stripeJsId=cd3d31af-af80-4da4-82cc-2f4ffd7fd583&stripeObjId=sobj-ceff5f95-2e2a-4c2b-882b-f87885f44c03&firstStripeInstanceCreatedLatency=800&controllerCount=1&isCheckout=false&stripeJsLoadTime=1773593837517&manualBrowserDeprecationRollout=false&mids[guid]=NA&mids[muid]=NA&mids[sid]=NA&referrer=https://socksonrecords.bigcartel.com/product/the-scary-god-socks-weekender-bender&controllerId=__privateStripeController1201

[hackademix]

I'm unable to install IronFox from FDroid (it says checksum doesn't match).

Could you please check whether the problem persists in https://secure.informaction.com/download/betas/noscript-13.6.7.905.xpi ?

[jonpsp]

Unfortunately, I can't work out how to install it. Clicking the link in IronFox doesn't do anything. There is no menu item to allow add-on installation from particular sites, and no option to install an xpi that I have downloaded to the phone.

[hackademix]

I did manage to install IronFox in the end.

I can't work out how to install it [NoScript]. Clicking the link in IronFox doesn't do anything.

I've managed to install it by clicking on the link from https://noscript.net/getit#devel - and it seems to fix this issue, but I'll wait for your verification, thanks.