InformAction Forums

[NoScript XSS] 净化从 [https://auth.alipay.com/login/index.htm] 至 [https://umidprod.alipay.com/gather.htm###DATA###ce%3D1%26fe%3D1%26fv%3D16.0.0%26dt%3DWin32%26cpu%3D%26bl%3Dzh-CN%26tz%3D%252B8%26sr%3D1366*768%26pl%3D-2.0.0.4%253A%253Aapplication%252Fbd-npupload-plugin%7E%253B-2.0.0.4%253A%253Aapplica...

[19:51:15.137] [NoScript XSS] Sanitized suspicious request. Original URL [http://www.baidu.com/s?wd=%C1%E2%BD%C7] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://www.baidu.com/#6325863177406117981]. -- [19:51:55.898] [NoScript XSS] Sanitized suspicious request. Original...

You can, actually. Rather than putting the code in the noscript.surrogate.xyz.replacement preference, put there a file:/// URL pointing at your local external script. That sounds great! It is similar to Local Load , which has not been updated for a long time~ Hope you can give some practical or det...

Thrawn wrote:No, it applies to embeddings as well. It performs 'Temporarily allow' for any site that you visit.

Sorry I think I was wrong, I selected the "also block trusted sites`s embeded objects"

No, it applies to embeddings as well. I see the explaination said this： Temporarily allow top-level sites by default, not recommended and disabled by default, grants permissions "on the fly" to the address of the main page (the one usually displayed in the location bar), excluding subfram...

Temporarily allow top-level sites by default

My understanding of this option in the General part is designed for JS permission only, am I right?

Thrawn wrote:Can you re-try your link, either inside [ url ] tags, or without parsing URLs?

I edit the url

Site ^file://.*
#Accept from ^chrome://browser/content/browser\.xul$
Deny

The Multi-Process version will filter file:// jar:// about://, so I want to try it with ABE:
https://wiki.mozilla.org/Necko:_Electrolysis_design_and_subprojects#Protocols_that_need_work_for_e10s

noscript.ABE.legacyPrompt

I want to know the meaning of this preference?

Thrawn wrote:Yes, I believe it can. It is capable of blocking requests from chrome: code.

However, it's always possible for another addon to interfere with ABE's code, since they have the same privileges. You shouldn't rely on NoScript to protect you from malicious addons.

Got it, Thank you

I know ABE is firewall style, so can it achieve the functions?

As soon as browser support for the Origin HTTP header becomes widespread and reliable, an external version of ABE might be developed as a filtering proxy.

Does the filtering proxy means a online filter like http://www.privoxy.org/ , or filter like ABP?

The situations where you would need an extra ruleset are pretty limited and specialised. For example, I'm making use of one for my Firefox extension (under development), so that it can generate extra ABE rules without touching your existing rulesets, and it can easily delete them when uninstalled. ...

user_pref(" noscript.ABE.rulesets.USER2 ", "Site *\nDeny INC(SCRIPT) from ^http://(www\\.)??([0-9]{2,}[a-z]+|[a-z]+[0-9]{2,}[a-z]*)\\.com"); I tried to create a personal ABE ruleset，and It seems work, So I guess we can create rulesets apart from the built-in SYSTEM and USER, am I...