InformAction Forums

I just don't like the idea of not knowing what I'm loading, sorry. That's why I refuse to use such a feature if it's at all opaque to me. That irks me too. On the other hand, load balancing has been doing something similar for more than a decade. Instead of redirecting the browser to a separate hos...

My question is, are the security concerns sufficient that that extension could be NoScript? I don't know, but if NoScript has an option to forbid meta refreshes, shouldn't it consider monitoring the use of HTTP alternative services as well ? (I can't read well those IETF drafts and what they imply,...

Hi, Firefox 37 enabled opportunistic encryption for HTTP/2 connections. It's a good thing, but depends on HTTP Alternative Services (Alt-svc), a concept that doesn't sound very secure, much less transparent. From what I read, alternative services allow an URL to be redirected in a silent way to a di...

The Fetch standard is vast and apparently does encompass JS-less requests such as those from HTML and CSS. It supports CORS and the Origin header. This can improve security, but it's awful for privacy unless Firefox respects referrer preferences, which it won't. If I understand correctly, any image ...

Yeah that filter exception is dubious indeed. EasyPrivacy openly makes exceptions for site compatibility all over the place, so you can just turn off all EasyPrivacy exceptions. It's quick: Just select all exceptions and press space.

Two recently-reported Flash Player vulnerabilities (CVE-2015-0313 and -0311) are leading me to block most Flash videos. While blocking active content is never a bad idea, one has to salute the transparency of the Flash Player team. There are TONS of vulnerabilities in both Firefox and Chrome (Chrom...

Ok

I thought the cascading feature had some code that could be tweaked to improve the auto-allow thing without too much work. From what I understand, NoScript 3 is scheduled for whenever Firefox release channel has e10s enabled by default ? Like, maybe July or something. Sounds good enough

Cascading just changes the extent of the meaning of being on the whitelist. There isn't another way to allow a site... If it makes things clearer you could imagine a special whitelisted item such as "$first-party", translated by NoScript's whitelist parser as "allow first party site ...

Well it's not any safer on a given site that has been whitelisted. But all non whitelisted sites are almost as safe as they are with NoScript's default config (i.e. JS disallowed). Now if only this behaviour was used with the "Temporarily allow first level domains by default" feature, wher...

How does it differ from "Allow all this page" by the way ? I never used that feature, so not sure. I'd guess, allow all this page allows what can be seen and then reload, sometimes bumping into new domains that won't be allowed, whereas cascading allows any domain that may come up after re...

Ok, thanks again for clearing it up.

I don't know enough on data: URI to give input so I'm going to trust you

Thanks! In the latter it could give help work around size restrictions I wonder what are those size restrictions and how XHR helps a compromised site getting around them. Anyway, when you will be publishing a release build with a modified forbidXHR feature, would you mind explaining how it has chang...

Ok thanks, I'll see if he publishes something in English :) For anyone interested in new threats posed by ES6, I found this . A vulnerability with NoScript XSS protection was even found and quickly fixed. It's interesting to see that ES6 features can take even NoScript off guard, but of course there...

Privacy issue: Cross-site XHR with CORS doesn't respect referrer preferences. If no referrer is sent, Origin is still set. Consistency issue: I'm guessing form submission means cross-site POST requests, in which case NoScript can turn them into GET requests with no parameters, and they respect refer...

Hi,

In the changelog there is:

x [XSS] Better protection against some ES6 attacks (thanks Masato Kinugawa for reporting)

I'm curious, which attacks did ES6 enabled that NoScript had to be tweaked to protect against ?

Thanks