Search found 5 matches

by gsm
Sun Mar 07, 2010 7:40 am
Forum: NoScript Support
Topic: Features: CSRF and NoScript
Replies: 9
Views: 6581

Re: Features: CSRF and NoScript

Some sites which have complex cross-site relationships requiring authentication will likely break. That's why ABE allows very fine grained tuning, but you need to know what you're doing. Do you mean something like OpenID or just poorly-crafted multi-domain applications? I see just abuse in these ca...
by gsm
Sun Mar 07, 2010 7:06 am
Forum: NoScript Support
Topic: Features: CSRF and NoScript
Replies: 9
Views: 6581

Re: Features: CSRF and NoScript

Then, shouldn't ABE "Anon" rule be in the global System ruleset? If I understand correctly, there's a bug in Geckos which doesn't allow to strip HTTP Auth from CSR, and thus to implement CORS correctly? If ABE does this, and there's a dedicated extension just for that - wouldn't it to be r...
by gsm
Sun Mar 07, 2010 7:00 am
Forum: NoScript Support
Topic: Features: CSRF and NoScript
Replies: 9
Views: 6581

Re: Features: CSRF and NoScript

Thank you for clarifications. Unfortunately, they just mess everything more. The author of CsFire seems to be claiming contrary... If you wouldn't mind I'll write a PM just to protect the innocent if I'm missing the point. (Yes, NoScript and CSFR countermeasures - and security at all for me is not a...
by gsm
Fri Mar 05, 2010 10:43 am
Forum: NoScript Support
Topic: Features: CSRF and NoScript
Replies: 9
Views: 6581

Features: CSRF and NoScript

Hello, I've stumbled upon a Firefox addon CsFire [cite-1]. It should take countermeasures against CSFR. Q1: Does NoScript protect from such vulnerability? Q2: If not, shouldn't this be a core feature of NoScript? Q3: What consequences would you expect (GMail, Yahoo) if such anti-CSFR policy would be...
by gsm
Tue Feb 02, 2010 4:41 pm
Forum: NoScript Support
Topic: Load images from same (originating) server only?
Replies: 0
Views: 1633

Load images from same (originating) server only?

Hello, older versions fo Firefox/Mozilla had a preference to block images from foreign sites. Currently, this preference is not accessible from UI, only, according to http://kb.mozillazine.org/Network.image.imageBehavior , there is a hidden value for this preference. Motives are clear: back in the o...