Search found 47 matches
- Fri Apr 03, 2015 7:48 am
- Forum: NoScript General
- Topic: HTTP Alternative Services
- Replies: 9
- Views: 4969
Re: HTTP Alternative Services
I just don't like the idea of not knowing what I'm loading, sorry. That's why I refuse to use such a feature if it's at all opaque to me. That irks me too. On the other hand, load balancing has been doing something similar for more than a decade. Instead of redirecting the browser to a separate hos...
- Thu Apr 02, 2015 10:17 pm
- Forum: NoScript General
- Topic: HTTP Alternative Services
- Replies: 9
- Views: 4969
Re: HTTP Alternative Services
My question is, are the security concerns sufficient that that extension could be NoScript? I don't know, but if NoScript has an option to forbid meta refreshes, shouldn't it consider monitoring the use of HTTP alternative services as well? (I can't read well those IETF drafts and what they imply,...
- Thu Apr 02, 2015 3:48 pm
- Forum: NoScript General
- Topic: HTTP Alternative Services
- Replies: 9
- Views: 4969
HTTP Alternative Services
Hi, Firefox 37 enabled opportunistic encryption for HTTP/2 connections. It's a good thing, but depends on HTTP Alternative Services (Alt-svc), a concept that doesn't sound very secure, much less transparent. From what I read, alternative services allow an URL to be redirected in a silent way to a di...
- Wed Feb 18, 2015 7:24 pm
- Forum: NoScript General
- Topic: Origin header: CORS and the Fetch standard
- Replies: 16
- Views: 6338
Re: Origin header: CORS and the Fetch standard
The Fetch standard is vast and apparently does encompass JS-less requests such as those from HTML and CSS. It supports CORS and the Origin header. This can improve security, but it's awful for privacy unless Firefox respects referrer preferences, which it won't. If I understand correctly, any image ...
- Fri Feb 13, 2015 10:18 pm
- Forum: Security
- Topic: Attention EasyList & EasyPrivacy users
- Replies: 11
- Views: 7357
Re: Attention EasyPrivacy users
Yeah that filter exception is dubious indeed. EasyPrivacy openly makes exceptions for site compatibility all over the place, so you can just turn off all EasyPrivacy exceptions. It's quick: Just select all exceptions and press space.
- Fri Feb 13, 2015 9:51 pm
- Forum: Security
- Topic: Coping with Flash vulnerabilities
- Replies: 4
- Views: 3226
Re: Coping with Flash vulnerabilities
Two recently-reported Flash Player vulnerabilities (CVE-2015-0313 and -0311) are leading me to block most Flash videos. While blocking active content is never a bad idea, one has to salute the transparency of the Flash Player team. There are TONS of vulnerabilities in both Firefox and Chrome (Chrom...
- Fri Feb 13, 2015 2:33 am
- Forum: NoScript General
- Topic: "Cascade" feature is a godsend
- Replies: 9
- Views: 4017
Re: "Cascade" feature is a godsend
Ok
I thought the cascading feature had some code that could be tweaked to improve the auto-allow thing without too much work. From what I understand, NoScript 3 is scheduled for whenever Firefox release channel has e10s enabled by default? Like, maybe July or something. Sounds good enough
- Fri Feb 13, 2015 2:18 am
- Forum: NoScript General
- Topic: "Cascade" feature is a godsend
- Replies: 9
- Views: 4017
Re: "Cascade" feature is a godsend
Cascading just changes the extent of the meaning of being on the whitelist. There isn't another way to allow a site... If it makes things clearer you could imagine a special whitelisted item such as "$first-party", translated by NoScript's whitelist parser as "allow first party site ...
- Thu Feb 12, 2015 8:45 pm
- Forum: NoScript General
- Topic: "Cascade" feature is a godsend
- Replies: 9
- Views: 4017
Re: "Cascade" feature is a godsend
Well it's not any safer on a given site that has been whitelisted. But all non whitelisted sites are almost as safe as they are with NoScript's default config (i.e. JS disallowed). Now if only this behaviour was used with the "Temporarily allow first level domains by default" feature, wher...
- Thu Feb 12, 2015 4:00 pm
- Forum: NoScript General
- Topic: "Cascade" feature is a godsend
- Replies: 9
- Views: 4017
Re: "Cascade" feature is a godsend
How does it differ from "Allow all this page" by the way? I never used that feature, so not sure. I'd guess, allow all this page allows what can be seen and then reload, sometimes bumping into new domains that won't be allowed, whereas cascading allows any domain that may come up after re...
- Thu Feb 12, 2015 3:34 pm
- Forum: NoScript Development
- Topic: noscript.forbidXHR removal
- Replies: 10
- Views: 3260
Re: noscript.forbidXHR removal
Ok, thanks again for clearing it up.
I don't know enough on data: URI to give input so I'm going to trust you
- Thu Feb 12, 2015 11:57 am
- Forum: NoScript Development
- Topic: noscript.forbidXHR removal
- Replies: 10
- Views: 3260
Re: noscript.forbidXHR removal
Thanks!
In the latter it could give help work around size restrictions
I wonder what are those size restrictions and how XHR helps a compromised site getting around them. Anyway, when you will be publishing a release build with a modified forbidXHR feature, would you mind explaining how it has chang...
- Thu Feb 12, 2015 12:29 am
- Forum: NoScript Support
- Topic: Information on ES6 attacks thwarted by NoScript 2.6.9.13
- Replies: 2
- Views: 1195
Re: Information on ES6 attacks thwarted by NoScript 2.6.9.13
Ok thanks, I'll see if he publishes something in English :) For anyone interested in new threats posed by ES6, I found this. A vulnerability with NoScript XSS protection was even found and quickly fixed. It's interesting to see that ES6 features can take even NoScript off guard, but of course there...
- Wed Feb 11, 2015 11:50 pm
- Forum: NoScript Development
- Topic: noscript.forbidXHR removal
- Replies: 10
- Views: 3260
Re: noscript.forbidXHR removal
Privacy issue: Cross-site XHR with CORS doesn't respect referrer preferences. If no referrer is sent, Origin is still set. Consistency issue: I'm guessing form submission means cross-site POST requests, in which case NoScript can turn them into GET requests with no parameters, and they respect refer...
- Wed Feb 11, 2015 7:56 pm
- Forum: NoScript Support
- Topic: Information on ES6 attacks thwarted by NoScript 2.6.9.13
- Replies: 2
- Views: 1195
Information on ES6 attacks thwarted by NoScript 2.6.9.13
Hi,
In the changelog there is:
[XSS] Better protection against some ES6 attacks (thanks Masato Kinugawa for reporting)
I'm curious, which attacks did ES6 enable that NoScript had to be tweaked to protect against?
Thanks