Search found 5 matches
- Sun Mar 07, 2010 7:40 am
- Forum: NoScript Support
- Topic: Features: CSRF and NoScript
- Replies: 9
- Views: 6581
Re: Features: CSRF and NoScript
Some sites which have complex cross-site relationships requiring authentication will likely break. That's why ABE allows very fine-grained tuning, but you need to know what you're doing. Do you mean something like OpenID or just poorly-crafted multi-domain applications? I see just abuse in these ca...
- Sun Mar 07, 2010 7:06 am
- Forum: NoScript Support
- Topic: Features: CSRF and NoScript
- Replies: 9
- Views: 6581
Re: Features: CSRF and NoScript
Then, shouldn't ABE "Anon" rule be in the global System ruleset? If I understand correctly, there's a bug in Geckos which doesn't allow to strip HTTP Auth from CSR, and thus to implement CORS correctly? If ABE does this, and there's a dedicated extension just for that - wouldn't it to be r...
- Sun Mar 07, 2010 7:00 am
- Forum: NoScript Support
- Topic: Features: CSRF and NoScript
- Replies: 9
- Views: 6581
Re: Features: CSRF and NoScript
Thank you for the clarifications. Unfortunately, they just mess everything more. The author of CsFire seems to be claiming the contrary... If you wouldn't mind I'll write a PM just to protect the innocent if I'm missing the point. (Yes, NoScript and CSRF countermeasures - and security at all for me is not a...
- Fri Mar 05, 2010 10:43 am
- Forum: NoScript Support
- Topic: Features: CSRF and NoScript
- Replies: 9
- Views: 6581
Features: CSRF and NoScript
Hello, I've stumbled upon a Firefox addon CsFire [cite-1]. It should take countermeasures against CSRF. Q1: Does NoScript protect from such vulnerability? Q2: If not, shouldn't this be a core feature of NoScript? Q3: What consequences would you expect (GMail, Yahoo) if such anti-CSRF policy would be...
- Tue Feb 02, 2010 4:41 pm
- Forum: NoScript Support
- Topic: Load images from same (originating) server only?
- Replies: 0
- Views: 1633
Load images from same (originating) server only?
Hello, older versions of Firefox/Mozilla had a preference to block images from foreign sites. Currently, this preference is not accessible from UI, only, according to http://kb.mozillazine.org/Network.image.imageBehavior , there is a hidden value for this preference. Motives are clear: back in the o...