Search found 32 matches
- Wed Jul 15, 2015 11:44 am
- Forum: NoScript Development
- Topic: ABE Anonymize action not applied to JavaScript cookie access
- Replies: 8
- Views: 3112
Re: ABE Anonymize action not applied to JavaScript cookie ac
Any site that allows state-changing operations via GET is basically broken and can't be protected via the usual mechanisms. If you really want to protect it, you'll need to use Deny rather than Anonymize. It would be protected if access to cookies were suppressed.... Using Deny is not an appealing ...
- Wed Jul 15, 2015 12:29 am
- Forum: NoScript Development
- Topic: ABE Anonymize action not applied to JavaScript cookie access
- Replies: 8
- Views: 3112
Re: ABE Anonymize action not applied to JavaScript cookie ac
I'm not talking about XSS ... CSRF basically relies upon two things ... the ability to send a command (e.g. transfer money), and authentication for that request (e.g. via cookie). For example, the following URL might be loaded in an invisible iframe: https://bank.example.com/transfer/?amount=100&...
- Tue Jul 14, 2015 11:43 am
- Forum: NoScript Development
- Topic: ABE Anonymize action not applied to JavaScript cookie access
- Replies: 8
- Views: 3112
Re: ABE Anonymize action not applied to JavaScript cookie ac
CSRF can occur whether the cookie processing is done by the target site on the server side or on the client side (in the case of frames). Attacks that rely upon server side processing of cookies do not rely upon hostile PHP/Perl/ASP/whatever coding on the target site either. An attacker's request ca...
- Mon Jul 13, 2015 5:46 pm
- Forum: NoScript Development
- Topic: ABE Anonymize action not applied to JavaScript cookie access
- Replies: 8
- Views: 3112
ABE Anonymize action not applied to JavaScript cookie access
JavaScript is able to read and write cookies despite ABE applying the Anonymize action
- Tue Jul 07, 2015 7:47 pm
- Forum: NoScript Development
- Topic: ABE should be able to compare against parent (bug? RFE?)
- Replies: 4
- Views: 2792
Re: ABE should be able to compare against parent (bug? RFE?)
Site *
Accept SUB parent SELF++
Anonymize SUB

Site *
Accept INCLUSION(SUBDOC) parent SELF++
Anonymize INCLUSION(SUBDOC)

Site *
Accept ALL parent SELF++
Anonymize SUB

Site *
Accept ALL parent SELF++
Anonymize INCLUSION(SUBDOC)
- Tue Jul 07, 2015 7:38 pm
- Forum: NoScript Development
- Topic: ABE should be able to compare against parent (bug? RFE?)
- Replies: 4
- Views: 2792
Re: ABE should be able to compare against parent (bug? RFE?)
It might make the most sense to add an alternative to "from", such as "parent". This would also take care of the same ambiguity issue which applies to a ruleset which specifies "Accept ALL from SELF++" ahead of "Anonymize SUB" / "Anonymize INCLUSION(SUBDO...
- Tue Jul 07, 2015 7:02 pm
- Forum: NoScript Development
- Topic: ABE should be able to compare against parent (bug? RFE?)
- Replies: 4
- Views: 2792
ABE should be able to compare against parent (bug? RFE?)
Site *
Accept SUB from SELF++
Anonymize SUB

Site *
Accept INCLUSION(SUBDOC) from SELF++
Anonymize INCLUSION(SUBDOC)

I believe the above two rulesets are functionally identical. In either case, I expected either of these rulesets to always Anonymize a site if it is within an iframe, unless the paren...
- Tue Jul 07, 2015 2:09 am
- Forum: ABE
- Topic: Error in documentation
- Replies: 6
- Views: 5366
Error in documentation
# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept P...
- Mon Jul 06, 2015 3:02 am
- Forum: NoScript Development
- Topic: [RFE] option to disable password filling for i/frames
- Replies: 1
- Views: 1326
[RFE] option to disable password filling for i/frames
It would be useful if there were an option to disable password filling for frames and iframes. Perhaps this could be part of ABE's Anonymize action, or perhaps it would be entirely separate from ABE. This would be useful to complement other countermeasures NoScript offers against clickjacking. These...
- Sun Jul 05, 2015 7:27 pm
- Forum: NoScript Development
- Topic: "Allow sites to push their own rulesets" causes crashes
- Replies: 13
- Views: 15935
Re: "Allow sites to push their own rulesets" causes crashes
I've done a bit of research to get a general idea about adoption of ABE for Web Authors as I've been reconsidering keeping "Allow sites to push their own rulesets" enabled due to the stability issues noted in this thread. I checked the status codes for Alexa's top 500 sites (for both globa...
- Tue Jun 30, 2015 11:31 pm
- Forum: NoScript Development
- Topic: ABE Anonymize action breaking icons on lots of sites
- Replies: 2
- Views: 1363
Re: ABE Anonymize action breaking icons on lots of sites
Specifically, the Anonymize action strips the query string if it consists of a single GET parameter without a value specified. So, while the following request gets modified (by removal of the query string): http://a.fsdn.com/sd/css/app.css?release_20150630 The following requests are allowed to pass ...
- Tue Jun 30, 2015 10:54 pm
- Forum: NoScript Development
- Topic: ABE Anonymize action breaking icons on lots of sites
- Replies: 2
- Views: 1363
ABE Anonymize action breaking icons on lots of sites
ABE Anonymize action breaks icons on lots of sites. An example is slashdot.org ... Site * Accept from SELF++ Anonymize Upon navigating to slashdot.org, towards the upper right there's a search field ... this should have a magnifying glass icon on its right side, but instead it shows an invalid/missi...
- Wed Jun 24, 2015 2:05 am
- Forum: NoScript Development
- Topic: "Allow sites to push their own rulesets" causes crashes
- Replies: 13
- Views: 15935
Re: "Allow sites to push their own rulesets" causes crashes
Also affects googleonlinesecurity.blogspot.com ...
Is there any reason for me to continue to make note of any other sites I notice are affected at this point?
- Tue Jun 23, 2015 6:31 pm
- Forum: NoScript Development
- Topic: "Allow sites to push their own rulesets" causes crashes
- Replies: 13
- Views: 15935
Re: "Allow sites to push their own rulesets" causes crashes
Affects sears.com as well.
- Tue Jun 23, 2015 3:42 pm
- Forum: NoScript Development
- Topic: "Allow sites to push their own rulesets" causes crashes
- Replies: 13
- Views: 15935
Re: "Allow sites to push their own rulesets" causes crashes
addons.prestashop.com also seems to be affected, although I can't reproduce it as consistently. I seem to be able to reproduce it about half the time on average.