XSS examples not blocked by Noscript?


Re: XSS examples not blocked by Noscript?

Postby al_9x » Sun Oct 23, 2011 5:26 am

Giorgio Maone wrote: Please check latest development build 2.1.8rc1


  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs
  4. logs when script domain is not whitelisted
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
al_9x
Master Bug Buster
 
Posts: 871
Joined: Thu Mar 19, 2009 4:52 pm

Re: XSS examples not blocked by Noscript?

Postby tlu » Sun Oct 23, 2011 11:07 am

Giorgio Maone wrote: Please check latest development build 2.1.8rc1


Thanks again! Those examples are indeed successfully blocked! (Somehow I was pretty sure that you would come up with a solution - you're really incredible :D )
Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
tlu
Senior Member
 
Posts: 128
Joined: Fri Jun 05, 2009 8:01 pm

Re: XSS examples not blocked by Noscript?

Postby saywot » Tue Oct 25, 2011 4:46 pm

Giorgio Maone wrote: Please check latest development build 2.1.8rc1


Confirmed. After AMO caught up with the version ;-)
NS AMO Beta channel subscription.
Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
saywot
Junior Member
 
Posts: 20
Joined: Wed Aug 03, 2011 4:36 am

Re: XSS examples not blocked by Noscript?

Postby Giorgio Maone » Thu Oct 27, 2011 11:04 am

al_9x wrote:
  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs

Done/fixed in latest development build 2.1.8rc2

al_9x wrote: 4. logs when script domain is not whitelisted

By design. You may want to know in advance if a site wants to engage in potentially hostile activities.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Giorgio Maone
Site Admin
 
Posts: 6834
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS examples not blocked by Noscript?

Postby al_9x » Thu Oct 27, 2011 10:30 pm

Giorgio Maone wrote:
al_9x wrote:
  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs

Done/fixed in latest development build 2.1.8rc2


This may not be very important, but I noticed in at least a couple of places (rapidFireCheck, checkInclusions) that you check the pref at the last minute having done all the preparatory work for the feature in question. In general, I think it's a good idea for a toggle pref to completely bypass the codepath of the functionality it disables, since that could be the reason for and the benefit of disabling it.
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
al_9x
Master Bug Buster
 
Posts: 871
Joined: Thu Mar 19, 2009 4:52 pm

Re: XSS examples not blocked by Noscript?

Postby Giorgio Maone » Thu Oct 27, 2011 10:38 pm

al_9x wrote: I think it's a good idea for a toggle pref to completely bypass the codepath of the functionality it disables, since that could be the reason for and the benefit of disabling it.

It's an optimization for the common case, since preference access (through XPCOM) is relatively expensive and these features are very unlikely to be turned off (hence it makes little sense to observe & cache yet another pref value).
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Giorgio Maone
Site Admin
 
Posts: 6834
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
