A friend posted this bit of code that seems to be a problem

KoihimeNakamura
Posts: 2
Joined: Tue Nov 08, 2011 1:21 pm


Post by KoihimeNakamura »

This is with googleapis and the site domain disallowed

URL: http://www.dazsmith.com/uploads/simtest.htm

When you hover over it, the site says http://google.com. Clicking it leads you to http://www.simchamber.net

Talking with him over it..


[05:15:18] <MassEffectKitsune> Why did you encode that in hex?
[05:16:25] <@Daz> Eh. Why not.
[05:17:42] <@Daz> Mainly because I thought having something like that sitting at the very bottom of the page with the link you're directing to totally obscured is more concerning than not :P
[05:18:32] <MassEffectKitsune> Yes it is.
[05:18:42] <@Daz> $(document).ready(function(){
[05:18:43] <@Daz>    $("a").click(function(event){
[05:18:43] <@Daz>      event.preventDefault();
[05:18:43] <@Daz>      window.location = "http://simchamber.net;
[05:18:43] <@Daz>    });
[05:18:43] <@Daz>  });
ETA: I'm an idiot.


Browser is Pale Moon with NoScript 2.1.4

This also works on Firefox Nightly (UX) with NoScript 2.1.9rc4 (I should go update my Pale Moon I think..)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20111002 Firefox/7.0.1 PaleMoon/7.0.1
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: A friend posted this bit of code that seems to be a prob

Post by GµårÐïåñ »

AFAIK, unless you allow scripting, it won't work. Now I am not familiar with your browser specifically but unless there is a gigantic hole in how they process scripting it shouldn't matter either. With NS installed and scripting forbidden or just default not allowed, it should not work. Giorgio?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/6.9 (Windows NT 6.9; rv:6.9) Gecko/69696969 Firefox/6.9
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: A friend posted this bit of code that seems to be a prob

Post by Tom T. »

On Fx 3.6.24, NS 2.1.9rc4, Google not allowed, clicking the "Google" link in the Demo takes me to .... Google. 8-)

The reason being that the dazsmith site is unknown to NoScript, and therefore, is default-denied, like every other unknown script on the planet.

This is true even with dazsmith temp-allowed and ajax.googleapis.com TA'd. One reason is RequestPolicy, which blocks cross-site requests. One must do several stages of allowing requests, allowing more script, etc. to get the demo to work.

Both developers -- Giorgio Maone of NoScript and Justin Samuel of Request Policy -- agree that the two complement each other very nicely, neither replacing the other, but adding extra protection for the user with just a little tech knowledge who can make the right choices.

I'll try this on the newer browser, but I expect NS protection to work there, as well.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: A friend posted this bit of code that seems to be a prob

Post by Tom T. »

On Fx 7.01, same NS and settings, the demo still doesn't work. After temp-allowing enough scripting *and* RequestPolicy, it will attempt to redirect to the demo site, but with a warning of same, a 301 redirect message asking whether to allow the redirection. This is in plain text at the top of the browser, so no invisible redirection can succeed.

Only if I allow that, or allow RP to connect from Google to Dazsmith, can it finally get to Dazsmith. Plenty of warning.

I haven't had a chance to install and configure Fx 8.0 yet, but I'd expect no less protection.

Bottom line: NoScript users who stick with the default-deny policy are protected. Clicking what looks like a Google link and seeing an unheard-of site like dazsmith is a huge red flag; so long as dazsmith isn't allowed, they're still protected. Request Policy adds yet another level of protection.
Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: A friend posted this bit of code that seems to be a prob

Post by Tom T. »

Ditto the above on Fx 8.0
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
KoihimeNakamura
Posts: 2
Joined: Tue Nov 08, 2011 1:21 pm

Re: A friend posted this bit of code that seems to be a prob

Post by KoihimeNakamura »

That's... strange. Now it leads me to Google. Maybe I had a permission error in the cache? (On a side note, I would check it on Fx 11, but as NoScript isn't yet working with it, I'm going to hold off..)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20111002 Firefox/7.0.1 PaleMoon/7.0.1
therube
Ambassador
Posts: 7971
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: A friend posted this bit of code that seems to be a prob

Post by therube »

Seems to me there is nothing odd occurring there.

In order for it to work, both dazsmith.com & googleapis.com need to be allowed.
(Now googleapis.com is allowed by default, so that makes it easier.)

If either of those two domains are not allowed, the code in the <script> fails (or isn't run at all), & http://google.com/ loads.
If both domains are allowed, the obfuscated code in the <script> loads what it is told in place of google.com.


<script>
var _0x2ce7=["\x70\x72\x65\x76\x65\x6...
</script>
Oh, & it only works with both domains allowed, & on a left-click.
A right or center-click opens google.com regardless.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:9.0a2) Gecko/20111102 Firefox/9.0a2 SeaMonkey/2.6a2
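
What therube describes above, as an added example (not part of the thread and not Daz's script): a static pass that decodes a hex-escaped string array and inlines it, so the click handler and its real destination become readable without running the script. The sample script, the `_0xabc` name and `redirect.example` are constructed for illustration.

```javascript
// Added example: rewrite the text of a hex-escaped string-array script so
// its behaviour is readable. Nothing from the input is ever evaluated.
const SIMPLE = { n: "\n", t: "\t", r: "\r" };

// Decode \xNN, \uNNNN and single-character escapes in a literal's body.
function decodeEscapes(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)/g,
    (_, x, u, ch) => (x || u) ? String.fromCharCode(parseInt(x || u, 16))
                              : (SIMPLE[ch] ?? ch));
}

// Find `var NAME=["...","..."]`, decode it, and inline every NAME[i] use.
function inlineStringArray(source) {
  const decl = /var\s+([\w$]+)\s*=\s*\[((?:\s*"(?:[^"\\]|\\.)*"\s*,?)*)\]\s*;?/
    .exec(source);
  if (!decl) return { strings: [], code: source };
  const [whole, name, items] = decl;
  const strings = [...items.matchAll(/"((?:[^"\\]|\\.)*)"/g)]
    .map(m => decodeEscapes(m[1]));
  const uses = new RegExp(name.replace(/\$/g, "\\$") + "\\[(\\d+)\\]", "g");
  const code = source.replace(whole, "").replace(uses, (m, i) =>
    Number(i) < strings.length ? JSON.stringify(strings[Number(i)]) : m);
  return { strings, code };
}

// Strings that parse as absolute http(s) URLs are candidate destinations
// that differ from the href the user sees on hover.
function navigationTargets(strings) {
  return strings.filter(s => {
    try { return /^https?:$/.test(new URL(s).protocol); }
    catch { return false; }
  });
}

// Constructed sample input (hypothetical names, not the demo page's script).
const hex = s => [...s].map(c =>
  "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE =
  `var _0xabc=["${hex("click")}","${hex("preventDefault")}",` +
  `"${hex("location")}","${hex("http://redirect.example/")}"];` +
  '$("a")[_0xabc[0]](function(e){e[_0xabc[1]]();window[_0xabc[2]]=_0xabc[3];});';

const demo = inlineStringArray(SAMPLE);
console.log(demo.code);
console.log(navigationTargets(demo.strings));
```

The inlined output has the same shape as the handler quoted in the first post: a click handler on every anchor that cancels the default navigation and assigns a different location.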
therube
Ambassador
Posts: 7971
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: A friend posted this bit of code that seems to be a prob

Post by therube »

The real gimmick here (& that is what I consider it) is that the page says "Google" & the statusbar (does FF even have a statusbar any more?) shows "http://google.com", but most (if you're not using NoScript or the like) are redirected elsewhere.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:9.0a2) Gecko/20111102 Firefox/9.0a2 SeaMonkey/2.6a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: A friend posted this bit of code that seems to be a prob

Post by Tom T. »

therube wrote: (does FF even have a statusbar any more?)
No, but if you hover the mouse pointer over a link, there will still appear a destination in the lower left.
therube wrote: but most (if you're not using NoScript or the like) are redirected elsewhere.
Yes, that's the idea. And NS protects against it by default.
KoihimeNakamura wrote:That's... strange. Now it leads me to Google. Maybe I had a permission error in the cache? (On a side note, I would check it on Fx 11, but as NoScript isn't yet working with it, I'm going to hold off..)
Since you apparently had been chatting with Mr./Ms. Daz, it's quite likely that at some point, you temp-allowed her/his site, and forgot to revoke the temp permission before testing the demo.

On a subsequent start of the browser, temp permissions from the previous session are undone. So the demo fails.

Thanks for providing yet another piece of evidence of why NoScript is required for safe browsing, and what can happen to those who don't use it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24