Search found 129 matches

by tlu
Sat Oct 22, 2011 10:55 am
Forum: NoScript Support
Topic: XSS examples not blocked by Noscript?
Replies: 20
Views: 8439

Re: XSS examples not blocked by Noscript?

you'd see that NoScript's XSS filter can't do anything specific to block them, because otherwise no redirection service or any other web application which takes absolute URLs as parameters (e.g. URL shorteners, or any blog comment form) would work. The problem here is the incredible stupidity of th...
by tlu
Sat Oct 22, 2011 10:41 am
Forum: NoScript Support
Topic: XSS examples not blocked by Noscript?
Replies: 20
Views: 8439

Re: XSS examples not blocked by Noscript?

Absolutely. The question is only why the Noscript InjectionChecker doesn't recognize the request as a potential XSS attack "even if coming from a trusted source". I guess you don't get what TRUSTED means which is to say that you are allowing it to do whatever because you TRUSTED it. Scrip...
by tlu
Fri Oct 21, 2011 4:44 pm
Forum: NoScript Support
Topic: XSS examples not blocked by Noscript?
Replies: 20
Views: 8439

Re: XSS examples not blocked by Noscript?

These examples only work if also davidlynch.org is whitelisted Actually both davidlynch.org & the "host" domain need to be Allowed. That's what i wrote above. And given that, I suppose that is why NoScript does not notify. I think it should considering the quotation in my last post. O...
by tlu
Fri Oct 21, 2011 3:12 pm
Forum: NoScript Support
Topic: XSS examples not blocked by Noscript?
Replies: 20
Views: 8439

Re: XSS examples not blocked by Noscript?

Neat, http://news.cnet.com/ , heh. Yes, all of these examples are funny. But since m says: Furthermore, NoScript's sophisticated InjectionChecker engine checks also all the requests started from whitelisted origins for suspicious patterns landing on different trusted sites: if a potential XSS attac...
by tlu
Fri Oct 21, 2011 11:54 am
Forum: NoScript Support
Topic: XSS examples not blocked by Noscript?
Replies: 20
Views: 8439

XSS examples not blocked by Noscript?

I just learned about

http://davidlynch.org/blog/2011/10/xss-is-fun/

which provides some XSS examples for several popular websites.

These examples only work if also davidlynch.org is whitelisted so we are protected by default. Nevertheless, shouldn't the XSS filter of Noscript stop these examples even if the originating site is whitelisted?
by tlu
Sat Oct 15, 2011 2:09 pm
Forum: NoScript General
Topic: Every once in a while, I still see Flash objects. Why?
Replies: 13
Views: 3888

Re: Every once in a while, I still see Flash objects. Why?

Besides, the upcoming Noscript 3 aka NSA will offer more flexibility. The desktop version will hopefully be available very soon.
by tlu
Sun Oct 02, 2011 6:31 pm
Forum: NoScript General
Topic: NoScript Sightings
Replies: 153
Views: 356920

Re: NoScript Sightings

The man in the browser and Phishing with legit URL’s

Of course noscript will prevent these kind of attacks ...
by tlu
Wed Sep 21, 2011 11:03 am
Forum: NoScript Development
Topic: Noscript for Google Chrome?
Replies: 154
Views: 469522

Re: Noscript for Google Chrome?

nickr wrote:I'd add a #3 to this:
3. FF does not free up memory when closed (that is, when the application itself is closed it continues to hold onto memory for some time)


Really? I've never observed that on my machine regardless which FF version I was using.
by tlu
Tue Sep 20, 2011 11:50 am
Forum: NoScript Support
Topic: Hackers break SSL encryption used by millions of sites
Replies: 12
Views: 6266

Hackers break SSL encryption used by millions of sites

m This sounds really horrible. BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection.. The details will be revealed later this week. Hopefully, Noscript can prote...
by tlu
Tue Sep 06, 2011 4:38 pm
Forum: NoScript Development
Topic: Noscript for Google Chrome?
Replies: 154
Views: 469522

Re: Noscript for Google Chrome?

> Memory consumption is dramatically lower A lower "number" is not necessarily "better". Agreed. But most complaints in the past were referring to the fact that 1. FF did not free up memory when tabs were closed, and 2. memory consumption steadily increased over several hours pa...
by tlu
Tue Sep 06, 2011 2:24 pm
Forum: NoScript Development
Topic: Noscript for Google Chrome?
Replies: 154
Views: 469522

Re: Noscript for Google Chrome?

Yeah, the memory leak problems in Firefox are what finally did it in for me too. It's significant to note though that Firefox has suffered from this memory leak (it has gotten worse recently though) for quite some time. Mozilla Developers just ignored the issue for a long time despite user complain...
by tlu
Sun Jul 17, 2011 3:55 pm
Forum: NoScript Development
Topic: V. 2.1.2.4rc2: FF doesn't load any other websites
Replies: 2
Views: 644

Re: V. 2.1.2.4rc2: FF doesn't load any other websites

Giorgio Maone wrote:Fixed in rc3.


Wow, that was fast ;) Thanks, Giorgio!
by tlu
Sun Jul 17, 2011 3:51 pm
Forum: NoScript Development
Topic: V. 2.1.2.4rc2: FF doesn't load any other websites
Replies: 2
Views: 644

V. 2.1.2.4rc2: FF doesn't load any other websites

After installing the newest development version in FF 5.0 under Kubuntu 11.04 and restarting the browser I was able to click and load any links in the open website previously loaded. New websites from bookmarklets or from the address bar are not loaded anymore. The problem disappears after disabling...
by tlu
Sat Jun 11, 2011 6:58 pm
Forum: NoScript Development
Topic: Discussion: Site Specific Permissions Policy
Replies: 165
Views: 69107

Re: Discussion: Site Specific Permissions Policy

Giorgio Maone wrote:
tlu wrote:EDIT: It's blocked with the $object rule, though.

Look again ;)


Ha - you beat me again :lol:

Well, I hope that you're making good progress with NSA then - obviously the only suitable solution for our problem ;)
by tlu
Sat Jun 11, 2011 5:13 pm
Forum: NoScript Development
Topic: Discussion: Site Specific Permissions Policy
Replies: 165
Views: 69107

Re: Discussion: Site Specific Permissions Policy

As long as Noscript 3 isn't available yet, there is a workaround using AdblockPlus. If you want to block flash by default just add this custom filter: swf| Hmm, no . Oops - I didn't know that. Although I knew that Flashblock can be defeated. Thanks for that hint, Giorgio. EDIT: It's blocked with th...