Search found 32 matches

by RobertDrew
Wed Jul 15, 2015 11:44 am
Forum: NoScript Development
Topic: ABE Anonymize action not applied to JavaScript cookie access
Replies: 8
Views: 1341

Re: ABE Anonymize action not applied to JavaScript cookie ac

Any site that allows state-changing operations via GET is basically broken and can't be protected via the usual mechanisms. If you really want to protect it, you'll need to use Deny rather than Anonymize. It would be protected if access to cookies were suppressed.... Using Deny is not an appealing ...
by RobertDrew
Wed Jul 15, 2015 12:29 am
Forum: NoScript Development
Topic: ABE Anonymize action not applied to JavaScript cookie access
Replies: 8
Views: 1341

Re: ABE Anonymize action not applied to JavaScript cookie ac

I'm not talking about XSS ... CSRF basically relies upon two things ... the ability to send a command (e.g. transfer money), and authentication for that request (e.g. via cookie). For example, the following URL might be loaded in an invisible iframe: https://bank.example.com/transfer/?amount=100&...
by RobertDrew
Tue Jul 14, 2015 11:43 am
Forum: NoScript Development
Topic: ABE Anonymize action not applied to JavaScript cookie access
Replies: 8
Views: 1341

Re: ABE Anonymize action not applied to JavaScript cookie ac

CSRF can occur whether the cookie processing is done by the target site on the server side or on the client side (in the case of frames). Attacks that rely upon server side processing of cookies do not rely upon hostile PHP/Perl/ASP/whatever coding on the target site either. An attacker's request ca...
by RobertDrew
Mon Jul 13, 2015 5:46 pm
Forum: NoScript Development
Topic: ABE Anonymize action not applied to JavaScript cookie access
Replies: 8
Views: 1341

ABE Anonymize action not applied to JavaScript cookie access

JavaScript is able to read and write cookies despite ABE applying the Anonymize action :(
by RobertDrew
Tue Jul 07, 2015 7:47 pm
Forum: NoScript Development
Topic: ABE should be able to compare against parent (bug? RFE?)
Replies: 4
Views: 1263

Re: ABE should be able to compare against parent (bug? RFE?)

Code:

Site *
Accept SUB parent SELF++
Anonymize SUB

Code:

Site *
Accept INCLUSION(SUBDOC) parent SELF++
Anonymize INCLUSION(SUBDOC)

Code:

Site *
Accept ALL parent SELF++
Anonymize SUB

Code:

Site *
Accept ALL parent SELF++
Anonymize INCLUSION(SUBDOC)
by RobertDrew
Tue Jul 07, 2015 7:38 pm
Forum: NoScript Development
Topic: ABE should be able to compare against parent (bug? RFE?)
Replies: 4
Views: 1263

Re: ABE should be able to compare against parent (bug? RFE?)

It might make the most sense to add an alternative to "from", such as "parent". This would also take care of the same ambiguity issue which applies to a ruleset which specifies "Accept ALL from SELF++" ahead of "Anonymize SUB" / "Anonymize INCLUSION(SUBDO...
by RobertDrew
Tue Jul 07, 2015 7:02 pm
Forum: NoScript Development
Topic: ABE should be able to compare against parent (bug? RFE?)
Replies: 4
Views: 1263

ABE should be able to compare against parent (bug? RFE?)

Site *
Accept SUB from SELF++
Anonymize SUB

Site *
Accept INCLUSION(SUBDOC) from SELF++
Anonymize INCLUSION(SUBDOC)

I believe the above two rulesets are functionally identical. In either case, I expected either of these rulesets to always Anonymize a site if it is within an iframe, unless the paren...
by RobertDrew
Tue Jul 07, 2015 2:09 am
Forum: ABE
Topic: Error in documentation
Replies: 6
Views: 2733

Error in documentation

# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept P...
by RobertDrew
Mon Jul 06, 2015 3:02 am
Forum: NoScript Development
Topic: [RFE] option to disable password filling for i/frames
Replies: 1
Views: 566

[RFE] option to disable password filling for i/frames

It would be useful if there were an option to disable password filling for frames and iframes. Perhaps this could be part of ABE's Anonymize action, or perhaps it would be entirely separate from ABE. This would be useful to complement other countermeasures NoScript offers against clickjacking. These...
by RobertDrew
Sun Jul 05, 2015 7:27 pm
Forum: NoScript Development
Topic: "Allow sites to push their own rulesets" causes crashes
Replies: 13
Views: 3177

Re: "Allow sites to push their own rulesets" causes crashes

I've done a bit of research to get a general idea about adoption of ABE for Web Authors as I've been reconsidering keeping "Allow sites to push their own rulesets" enabled due to the stability issues noted in this thread. I checked the status codes for Alexa's top 500 sites (for both globa...
by RobertDrew
Tue Jun 30, 2015 11:31 pm
Forum: NoScript Development
Topic: ABE Anonymize action breaking icons on lots of sites
Replies: 2
Views: 525

Re: ABE Anonymize action breaking icons on lots of sites

Specifically, the Anonymize action strips the query string if it consists of a single GET parameter without a value specified. So, while the following request gets modified (by removal of the query string): http://a.fsdn.com/sd/css/app.css?release_20150630 The following requests are allowed to pass ...
by RobertDrew
Tue Jun 30, 2015 10:54 pm
Forum: NoScript Development
Topic: ABE Anonymize action breaking icons on lots of sites
Replies: 2
Views: 525

ABE Anonymize action breaking icons on lots of sites

ABE Anonymize action breaks icons on lots of sites. An example is slashdot.org ... Site * Accept from SELF++ Anonymize Upon navigating to slashdot.org, towards the upper right there's a search field ... this should have a magnifying glass icon on its right side, but instead it shows an invalid/missi...
by RobertDrew
Wed Jun 24, 2015 2:05 am
Forum: NoScript Development
Topic: "Allow sites to push their own rulesets" causes crashes
Replies: 13
Views: 3177

Re: "Allow sites to push their own rulesets" causes crashes

Also affects googleonlinesecurity.blogspot.com ...

Is there any reason for me to continue to make note of any other sites I notice are affected at this point?
by RobertDrew
Tue Jun 23, 2015 3:42 pm
Forum: NoScript Development
Topic: "Allow sites to push their own rulesets" causes crashes
Replies: 13
Views: 3177

Re: "Allow sites to push their own rulesets" causes crashes

addons.prestashop.com also seems to be affected, although I can't reproduce it as consistently. I seem to be able to reproduce it about half the time on average.