Search found 48 matches

by bgmnt
Fri Apr 03, 2015 11:47 am
Forum: NoScript General
Topic: HTTP Alternative Services
Replies: 9
Views: 2677

Re: HTTP Alternative Services

Thanks, it's clearer now. That settles it then: if both of you have it disabled, I'm doing it too. I noticed that I actually disabled SPDY and HTTP/2 temporarily for similar reasons when they were released, i.e. less fishy than alt-svc but young, not tested enough, and me unsure of the security and priv...
by bgmnt
Fri Apr 03, 2015 7:48 am
Forum: NoScript General
Topic: HTTP Alternative Services
Replies: 9
Views: 2677

Re: HTTP Alternative Services

I just don't like the idea of not knowing what I'm loading, sorry. That's why I refuse to use such a feature if it's at all opaque to me. That irks me too. On the other hand, load balancing has been doing something similar for more than a decade. Instead of redirecting the browser to a separate hos...
by bgmnt
Thu Apr 02, 2015 10:17 pm
Forum: NoScript General
Topic: HTTP Alternative Services
Replies: 9
Views: 2677

Re: HTTP Alternative Services

My question is, are the security concerns sufficient that that extension could be NoScript? I don't know, but if NoScript has an option to forbid meta refreshes, shouldn't it consider monitoring the use of HTTP alternative services as well? (I can't read those IETF drafts well, nor what they imply,...
by bgmnt
Thu Apr 02, 2015 3:48 pm
Forum: NoScript General
Topic: HTTP Alternative Services
Replies: 9
Views: 2677

HTTP Alternative Services

Hi, Firefox 37 enabled opportunistic encryption for HTTP/2 connections. It's a good thing, but it depends on HTTP Alternative Services (Alt-Svc), a concept that doesn't sound very secure, much less transparent. From what I read, alternative services allow a URL to be redirected in a silent way to a di...
by bgmnt
Wed Feb 18, 2015 7:24 pm
Forum: NoScript General
Topic: Origin header: CORS and the Fetch standard
Replies: 16
Views: 3326

Re: Origin header: CORS and the Fetch standard

The Fetch standard is vast and apparently does encompass JS-less requests such as those from HTML and CSS. It supports CORS and the Origin header. This can improve security, but it's awful for privacy unless Firefox respects referrer preferences, which it won't. If I understand correctly, any image ...
by bgmnt
Fri Feb 13, 2015 10:18 pm
Forum: Security
Topic: Attention EasyList & EasyPrivacy users
Replies: 11
Views: 4906

Re: Attention EasyPrivacy users

Yeah that filter exception is dubious indeed. EasyPrivacy openly makes exceptions for site compatibility all over the place, so you can just turn off all EasyPrivacy exceptions. It's quick: Just select all exceptions and press space.
by bgmnt
Fri Feb 13, 2015 9:51 pm
Forum: Security
Topic: Coping with Flash vulnerabilities
Replies: 4
Views: 2034

Re: Coping with Flash vulnerabilities

Two recently-reported Flash Player vulnerabilities (CVE-2015-0313 and -0311) are leading me to block most Flash videos. While blocking active content is never a bad idea, one has to salute the transparency of the Flash Player team. There are TONS of vulnerabilities in both Firefox and Chrome (Chrom...
by bgmnt
Fri Feb 13, 2015 2:33 am
Forum: NoScript General
Topic: "Cascade" feature is a godsend
Replies: 9
Views: 2160

Re: "Cascade" feature is a godsend

Ok :)

I thought the cascading feature had some code that could be tweaked to improve the auto-allow thing without too much work. From what I understand, NoScript 3 is scheduled for whenever the Firefox release channel has e10s enabled by default? Like, maybe July or something. Sounds good enough :)
by bgmnt
Fri Feb 13, 2015 2:18 am
Forum: NoScript General
Topic: "Cascade" feature is a godsend
Replies: 9
Views: 2160

Re: "Cascade" feature is a godsend

Cascading just changes the extent of the meaning of being on the whitelist. There isn't another way to allow a site... If it makes things clearer you could imagine a special whitelisted item such as "$first-party", translated by NoScript's whitelist parser as "allow first party site ...
by bgmnt
Thu Feb 12, 2015 8:45 pm
Forum: NoScript General
Topic: "Cascade" feature is a godsend
Replies: 9
Views: 2160

Re: "Cascade" feature is a godsend

Well, it's not any safer on a given site that has been whitelisted. But all non-whitelisted sites are almost as safe as they are with NoScript's default config (i.e. JS disallowed). Now if only this behaviour were used with the "Temporarily allow first level domains by default" feature, wher...
by bgmnt
Thu Feb 12, 2015 4:00 pm
Forum: NoScript General
Topic: "Cascade" feature is a godsend
Replies: 9
Views: 2160

Re: "Cascade" feature is a godsend

How does it differ from "Allow all this page", by the way? I never used that feature, so I'm not sure. I'd guess "allow all this page" allows what can be seen and then reloads, sometimes bumping into new domains that won't be allowed, whereas cascading allows any domain that may come up after re...
by bgmnt
Thu Feb 12, 2015 3:34 pm
Forum: NoScript Development
Topic: noscript.forbidXHR removal
Replies: 10
Views: 1513

Re: noscript.forbidXHR removal

Ok, thanks again for clearing it up.

I don't know enough about data: URIs to give input, so I'm going to trust you :)
by bgmnt
Thu Feb 12, 2015 11:57 am
Forum: NoScript Development
Topic: noscript.forbidXHR removal
Replies: 10
Views: 1513

Re: noscript.forbidXHR removal

Thanks! "In the latter it could give help work around size restrictions": I wonder what those size restrictions are and how XHR helps a compromised site get around them. Anyway, when you publish a release build with a modified forbidXHR feature, would you mind explaining how it has chang...
by bgmnt
Thu Feb 12, 2015 12:29 am
Forum: NoScript Support
Topic: Information on ES6 attacks thwarted by NoScript 2.6.9.13
Replies: 2
Views: 412

Re: Information on ES6 attacks thwarted by NoScript 2.6.9.13

Ok thanks, I'll see if he publishes something in English. For anyone interested in new threats posed by ES6, I found this. A vulnerability in NoScript's XSS protection was even found and quickly fixed. It's interesting to see that ES6 features can take even NoScript off guard, but of course there ne...
by bgmnt
Wed Feb 11, 2015 11:50 pm
Forum: NoScript Development
Topic: noscript.forbidXHR removal
Replies: 10
Views: 1513

Re: noscript.forbidXHR removal

Privacy issue: Cross-site XHR with CORS doesn't respect referrer preferences. If no referrer is sent, Origin is still set. Consistency issue: I'm guessing form submission means cross-site POST requests, in which case NoScript can turn them into GET requests with no parameters, and they respect refer...