Search found 46 matches

by bgmnt
Wed Feb 11, 2015 7:50 pm
Forum: NoScript Development
Topic: noscript.forbidXHR removal
Replies: 10
Views: 1158

Re: noscript.forbidXHR removal

I'm withholding NoScript's update as well. I'm uncomfortable with NoScript being stuck with the equivalent of a forbidXHR set to 0 (Allow any XHR) instead of 1 (Allow cross-site XHR across trusted sites only). An explanation would be very welcome. Why isn't cross-site XHR a security threat anymore?...
by bgmnt
Wed Feb 11, 2015 7:19 pm
Forum: NoScript General
Topic: Origin header: CORS and the Fetch standard
Replies: 16
Views: 2688

Re: Origin header: CORS and the Fetch standard

Oh noes. I take it that from now on, NoScript will behave as if it had forbidXHR set to 0 (Allow any XHR) instead of 1 (Allow cross-site XHR across trusted sites only)? I don't even know if 1 can be replicated with ABE? Either way, I would very much like to hear the reasoning on why this feature w...
by bgmnt
Sun Jan 25, 2015 5:07 pm
Forum: NoScript General
Topic: Origin header: CORS and the Fetch standard
Replies: 16
Views: 2688

Re: Origin header: CORS and the Fetch standard

Nice! And the default is good if it indeed means both source and target sites must be whitelisted for XHR to be allowed. I'm going to leave it as default. Thank you! Now the fetch thing hopefully doesn't work without JavaScript or something. I really need to read more about it before Firefox enables...
by bgmnt
Fri Jan 23, 2015 9:38 am
Forum: NoScript General
Topic: Origin header: CORS and the Fetch standard
Replies: 16
Views: 2688

Re: Origin header: CORS and the Fetch standard

Yep.

One could want to forbid cross-origin XML Http Requests through a NoScript anti-XSS about:config option that would be turned off by default, if nothing else fits the bill.

Dunno. Thanks for the feedback anyway :)
by bgmnt
Thu Jan 22, 2015 5:07 am
Forum: NoScript General
Topic: Origin header: CORS and the Fetch standard
Replies: 16
Views: 2688

Re: Origin header: CORS and the Fetch standard

The security vulnerability occurs when the site assumes that it can use the header to distinguish real users from CSRF attacks, and then you forge it so that traffic from your browser always looks legitimate. Bingo, CSRF comes back. CSRF is only a nuisance for the client when it has credentials on ...
by bgmnt
Thu Jan 22, 2015 12:33 am
Forum: NoScript General
Topic: Origin header: CORS and the Fetch standard
Replies: 16
Views: 2688

Re: Origin header: CORS and the Fetch standard

Origin contains the host instead of the whole URL, but that's still a privacy concern IMO. I'm not comfortable with it. Maybe NoScript's normal XSS protection feature is good enough that we don't need the Origin header. I mean, NoScript goes pretty far already in tinkering with requests when it tran...
by bgmnt
Wed Jan 21, 2015 5:24 pm
Forum: NoScript General
Topic: Origin header: CORS and the Fetch standard
Replies: 16
Views: 2688

Re: Origin header: CORS and the Fetch standard

I think the guy actually asks for Origin *to be sent* with every POST request, as a CSRF protection measure. Because Firefox doesn't send it yet for regular POST (but Chrome apparently does). Now I could be wrong but I believe Firefox does send it with cross site XML Http Requests, and I was wonderi...
by bgmnt
Wed Jan 21, 2015 5:52 am
Forum: NoScript General
Topic: Origin header: CORS and the Fetch standard
Replies: 16
Views: 2688

Origin header: CORS and the Fetch standard

Hi, I'm currently digging into cross-origin requests and how they evolve as the World Wide Web Consortium and the Internet Engineering Task Force keep spawning standard after standard. It's all fine and good, but these groups are populated with a number of huge companies with direct interests in the...
by bgmnt
Fri Aug 01, 2014 3:31 am
Forum: FlashGot Support
Topic: Compatibility with Australis (as a CustomizaleUI widget)
Replies: 5
Views: 1824

Re: Compatibility with Australis (as a CustomizaleUI widget)

The button continually reverts to the wrong place. I move it, restart Firefox, and it goes back to the default location.
by bgmnt
Wed Jun 25, 2014 2:07 am
Forum: FlashGot Support
Topic: Compatibility with Australis (as a CustomizaleUI widget)
Replies: 5
Views: 1824

Re: Compatibility with Australis (as a CustomizaleUI widget)

Anxiously awaiting a fix for this!
by bgmnt
Mon May 19, 2014 11:14 pm
Forum: NoScript Development
Topic: [solved, false alarm] NoScript crashes Firefox on bahn.de
Replies: 7
Views: 1478

Re: [solved, false alarm] NoScript crashes Firefox on bahn.d

As expected, no crashes in Safe Mode. I was able to narrow it down to the option gfx.direct2d.disabled: my Firefox crashes when it is set to the default value false (and hardware acceleration is enabled). Changing gfx.direct2d.disabled to true and restarting Firefox is enough, no need to disable har...
by bgmnt
Sun May 18, 2014 8:08 pm
Forum: NoScript Development
Topic: [solved, false alarm] NoScript crashes Firefox on bahn.de
Replies: 7
Views: 1478

[solved, false alarm] NoScript crashes Firefox on bahn.de

Update: It looks like I have been just too impatient. While the crashes seem to come less frequently, they still happen without NoScript. Disabling hardware acceleration has helped, no more crashes since then, regardless of whether NoScript is installed/enabled. Might be related to https://bugzilla.moz...
by bgmnt
Mon Nov 18, 2013 1:23 pm
Forum: NoScript Development
Topic: Stop pages from nagging the user when closing them
Replies: 9
Views: 3281

Re: Stop pages from nagging the user when closing them

Try this surrogate. noscript.surrogate.noflashexit.replacement: window.addEventListener("load", function() window.onbeforeunload=function(){for(let o of document.querySelectorAll("object,embed"))o.parentNode.removeChild(o);}, false) noscript.surrogate.noflashexit.sources: @^http...
by bgmnt
Sun Nov 17, 2013 5:19 pm
Forum: NoScript Development
Topic: Stop pages from nagging the user when closing them
Replies: 9
Views: 3281

Re: Stop pages from nagging the user when closing them

Hi, thanks for the suggestion. Unfortunately it doesn't work, I still get the prompt.

/e: That's also what one of the Greasemonkey scripts tried to do.