We conducted a similar experiment on the top 1000 websites and found 820 unique DOM-Based XSS vulnerabilities in these sites! You can find out more about our techniques in our paper here http://www.comp.nus.edu.sg/~enricob/2015/fse15-main.pdf
Douglas Crockford warned[1] us many years ago that mixing JavaScript from multiple sources was fundamentally unsafe. The security model of JavaScript and the DOM was never designed for isolation within a page. If you're including JavaScript from a foreign domain in the page, you're giving them access to any data in the page (and allowing stuff like this XSS problem). In most cases, this is irresponsible.
> As a user why should I allow this for something that provides me no value (ads, tracking, JS comment systems that I don't care about, etc.)?
You're presumably getting value from the page/site you're on. The person running that site is doing so because the ads, tracking, and things you don't care about allow that person to pay for the site and the time it takes to run and produce it.
What I am missing in NoScript is the ability to allow 3rd-party scripts (say "google.com") but just for this domain. If I allow facebook.com, I want it whitelisted only on its own domain, not elsewhere.
I used to be a heavy NoScript user. I dumped it some time ago when they started doing a ton of weird stuff in the name of "security". Take a look at their list of features:
NoScript is way beyond just blocking scripts by domain at this point. They attempt to prevent things like clickjacking by subtle JavaScript trickery. This broke too many web sites for me (often in infuriating and unpredictable ways) to be usable.
Really? I had a feeling everything is JavaScript-heavy these days. Especially with React, Angular, Backbone, Meteor... Maybe I should give it another try.
> Really? I had a feeling everything is JavaScript-heavy these days. Especially with React, Angular, Backbone, Meteor... Maybe I should give it another try.
The point is to whitelist scripting on websites. It allows faster browsing, lessens CPU load and memory consumption, and saves battery life on mobile and laptop. Most websites do not need JavaScript to be turned on to be browsed.
uBlock Origin has many more capabilities that can be found in the advanced options[0], and you can configure blocking of third-party content in general that "stacks" with the default ad-blocking behavior. I have uBlock Origin configured to disable all JavaScript by default, for example, and when I do need to enable JavaScript I find the uBlock interface makes it (relatively) easy to get sites working.
Is there anything that could fix this? Off the top of my head, browsers could encode the results of any functions that get the URL. But after encoding/decoding requests/responses and unknown server logic, the encoding may be removed.
Ad blockers would fix it. Outside of that, ad companies hiring competent devs would fix it. But I suspect they're moving too fast and breaking too many things to worry about trivial matters like XSS scripting vulnerabilities.
As a site owner, not embedding third party ads on your site would fix it. Then you only need to worry about your own code.
If you do ad placements with iframes, that can mitigate some vectors, but then it is very hard to have full screen takeovers or many other hideous things that seem to make advertisers happy.
Probably cross-domain abuse. I'd imagine there's a few edge cases that result in behavior Google doesn't want for ads. For example, double serving, accidental clicks, ad obscuring, etc.
Their FAQ does mention that they'll grant exceptions though.
For a site owner, using a properly configured Content Security Policy somewhat mitigates the risk... depends on what you can close down though, some pages have just too many functionalities.
Unfortunately, this is because the ad industry has way too many vendors (almost zero effort required to get some shady network off the ground trafficking in bad ads) with sloppy code and bad tech.
Similar to many other industries that operate without many standards or QA/enforcement.