2

With the recent changes to Firefox (and NoScript apparently) I am getting frequent XSS warnings from "tqn" in particular. It seems to happen every time I do even minor things like open a new tab in Firefox. This is what it looks like:

[Screenshot of the XSS warning]

Can somebody help parse this error and explain to me why it is happening?

Tyler Durden
  • I am getting similar warnings for tidal.com (which I visited once). Always allow doesn't stop the popups – DavidPostill Nov 29 '17 at 14:44
  • It did something like this for me from the search bar, the first time I searched for a Wikipedia entry. I suppose it is a cross-script to load something, maybe even just the favicon. My guess is that you might get more eyes on this question on the NoScript support forum. https://forums.informaction.com/viewforum.php?f=7 – Mike Chapman Nov 30 '17 at 22:44
  • Did you solve it? I had the same, but it stopped. I wish I knew why and what's tqn in the first place – fede s. Dec 18 '17 at 15:49
  • @fedes. Nope still happening and getting worse. – Tyler Durden Dec 18 '17 at 15:52
  • According to FF Lightbeam in my case it seems it's some kind of favicon request from lifewire.com – fede s. Dec 18 '17 at 18:16

2 Answers

1

My partial results:

whois.com says tqn.com is registered to MarkMonitor Inc., which has a markmonitor.com site.

The markmonitor.com site says MarkMonitor Inc. is some company selling intellectual property protection related stuff.

The request in my case came from a favicon request for a lifewire.com page. Revisiting that page triggered the NoScript warning again.

I don't know why a favicon request would trigger an XSS warning though, so this is not a complete answer. I put this here in case it's useful to someone.

Maybe some kind of fingerprinting going on?

fede s.
0

These URLs are generated with thumbor. You can apply filters to some images via thumbor. In your example, a fill filter is applied. Thumbor filters use parentheses. Parentheses are valid characters in a URI (see RFC 3986 - Section 2: Characters).

IMO the problem is the No-Script extension, which is too restrictive. You should report the problem to the No-Script community.

franek
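An added example (not from the answers above, and not thumbor or NoScript code): it checks a constructed thumbor-style URL against the RFC 3986 path grammar, parses its `filters:` segment, and shows that a simplified "looks like a function call" pattern still matches it. The host `img.example.test`, the function names and the heuristic are assumptions for illustration; the heuristic is not NoScript's actual filter.

```javascript
// Constructed sample URL in thumbor's filter syntax (host is a placeholder).
const SAMPLE =
  "https://img.example.test/unsafe/300x200/filters:fill(white):quality(80)/photo.jpg";

// RFC 3986 section 3.3: pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
// sub-delims includes "(" and ")", so they need no percent-encoding in a path.
const PCHAR = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})*$/;

function pathIsValidRfc3986(url) {
  // Extract the raw path ourselves so no URL parser normalizes it first.
  const m = /^[a-z][a-z0-9+.-]*:\/\/[^/?#]*([^?#]*)/i.exec(url);
  return m !== null && m[1].split("/").every((seg) => PCHAR.test(seg));
}

// Parse the "filters:name(args):name(args)" path segment into name/args pairs.
function parseThumborFilters(url) {
  const seg = new URL(url).pathname
    .split("/")
    .find((s) => s.startsWith("filters:"));
  if (!seg) return [];
  const out = [];
  const re = /([a-z_]+)\(([^()]*)\)/g;
  let m;
  while ((m = re.exec(seg.slice("filters:".length))) !== null) {
    out.push({ name: m[1], args: m[2] });
  }
  return out;
}

// Hypothetical, deliberately simplified heuristic: treat any "identifier(...)"
// inside a URL as script-like. Assumption for illustration only.
function naiveCallLikeHeuristic(url) {
  return /[A-Za-z_$][\w$]*\s*\([^)]*\)/.test(url);
}

// Combine the three checks: a URL can be grammatically valid, carry only
// image filters, and still match a pattern-based XSS heuristic.
function report(url) {
  return {
    validPath: pathIsValidRfc3986(url),
    filters: parseThumborFilters(url),
    flagged: naiveCallLikeHeuristic(url),
  };
}

console.log(JSON.stringify(report(SAMPLE), null, 2));
```
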