Search found 129 matches

by tlu
Sat Oct 22, 2011 10:55 am
Forum: NoScript Support
Topic: XSS examples not blocked by Noscript?
Replies: 20
Views: 16883

Re: XSS examples not blocked by Noscript?

you'd see that NoScript's XSS filter can't do anything specific to block them, because otherwise no redirection service or any other web application which takes absolute URLs as parameters (e.g. URL shorteners, or any blog comment form) would work. The problem here is the incredible stupidity of th...
by tlu
Sat Oct 22, 2011 10:41 am
Forum: NoScript Support
Topic: XSS examples not blocked by Noscript?
Replies: 20
Views: 16883

Re: XSS examples not blocked by Noscript?

Absolutely. The question is only why the Noscript InjectionChecker doesn't recognize the request as a potential XSS attack "even if coming from a trusted source". I guess you don't get what TRUSTED means which is to say that you are allowing it to do whatever because you TRUSTED it. Scrip...
by tlu
Fri Oct 21, 2011 4:44 pm
Forum: NoScript Support
Topic: XSS examples not blocked by Noscript?
Replies: 20
Views: 16883

Re: XSS examples not blocked by Noscript?

These examples only work if also davidlynch.org is whitelisted Actually both davidlynch.org & the "host" domain need to be Allowed. That's what i wrote above. And given that, I suppose that is why NoScript does not notify. I think it should considering the quotation in my last post. O...
by tlu
Fri Oct 21, 2011 3:12 pm
Forum: NoScript Support
Topic: XSS examples not blocked by Noscript?
Replies: 20
Views: 16883

Re: XSS examples not blocked by Noscript?

Neat, http://news.cnet.com/ , heh. Yes, all of these examples are funny. But since http://noscript.net/features#xss says: Furthermore, NoScript's sophisticated InjectionChecker engine checks also all the requests started from whitelisted origins for suspicious patterns landing on different trusted ...
by tlu
Fri Oct 21, 2011 11:54 am
Forum: NoScript Support
Topic: XSS examples not blocked by Noscript?
Replies: 20
Views: 16883

XSS examples not blocked by Noscript?

I just learned about http://davidlynch.org/blog/2011/10/xss-is-fun/ which provides some XSS examples for several popular websites. These examples only work if also davidlynch.org is whitelisted so we are protected by default. Nevertheless, shouldn't the XSS filter of Noscript stop these examples eve...
by tlu
Sat Oct 15, 2011 2:09 pm
Forum: NoScript General
Topic: Every once in a while, I still see Flash objects. Why?
Replies: 13
Views: 6837

Re: Every once in a while, I still see Flash objects. Why?

Besides, the upcoming Noscript 3 aka NSA will offer more flexibility. The desktop version will hopefully be available very soon.
by tlu
Sun Oct 02, 2011 6:31 pm
Forum: NoScript General
Topic: NoScript Sightings
Replies: 155
Views: 714772

Re: NoScript Sightings

The man in the browser and Phishing with legit URL’s
Of course NoScript will prevent these kinds of attacks ...
by tlu
Wed Sep 21, 2011 11:03 am
Forum: NoScript Development
Topic: Noscript for Google Chrome?
Replies: 154
Views: 557965

Re: Noscript for Google Chrome?

nickr wrote: I'd add a #3 to this:
3. FF does not free up memory when closed (that is, when the application itself is closed it continues to hold onto memory for some time)
Really? I've never observed that on my machine regardless of which FF version I was using.
by tlu
Tue Sep 20, 2011 11:50 am
Forum: NoScript Support
Topic: Hackers break SSL encryption used by millions of sites
Replies: 12
Views: 10447

Hackers break SSL encryption used by millions of sites

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ This sounds really horrible. BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection. The detail...
by tlu
Tue Sep 06, 2011 4:38 pm
Forum: NoScript Development
Topic: Noscript for Google Chrome?
Replies: 154
Views: 557965

Re: Noscript for Google Chrome?

> Memory consumption is dramatically lower A lower "number" is not necessarily "better". Agreed. But most complaints in the past were referring to the fact that 1. FF did not free up memory when tabs were closed, and 2. memory consumption steadily increased over several hours pa...
by tlu
Tue Sep 06, 2011 2:24 pm
Forum: NoScript Development
Topic: Noscript for Google Chrome?
Replies: 154
Views: 557965

Re: Noscript for Google Chrome?

Yeah, the memory leak problems in Firefox are what finally did it in for me too. It's significant to note though that Firefox has suffered from this memory leak (it has gotten worse recently though) for quite some time. Mozilla Developers just ignored the issue for a long time despite user complain...
by tlu
Sun Jul 17, 2011 3:55 pm
Forum: NoScript Development
Topic: V. 2.1.2.4rc2: FF doesn't load any other websites
Replies: 2
Views: 1508

Re: V. 2.1.2.4rc2: FF doesn't load any other websites

Giorgio Maone wrote:Fixed in rc3.
Wow, that was fast ;) Thanks, Giorgio!
by tlu
Sun Jul 17, 2011 3:51 pm
Forum: NoScript Development
Topic: V. 2.1.2.4rc2: FF doesn't load any other websites
Replies: 2
Views: 1508

V. 2.1.2.4rc2: FF doesn't load any other websites

After installing the newest development version in FF 5.0 under Kubuntu 11.04 and restarting the browser I was able to click and load any links in the open website previously loaded. New websites from bookmarklets or from the address bar are not loaded anymore. The problem disappears after disabling...
by tlu
Sat Jun 11, 2011 6:58 pm
Forum: NoScript Development
Topic: Discussion: Site Specific Permissions Policy
Replies: 165
Views: 114104

Re: Discussion: Site Specific Permissions Policy

Giorgio Maone wrote:
tlu wrote: EDIT: It's blocked with the $object rule, though.
Look again ;)
Ha - you beat me again :lol:

Well, I hope that you're making good progress with NSA then - obviously the only suitable solution for our problem ;)
by tlu
Sat Jun 11, 2011 5:13 pm
Forum: NoScript Development
Topic: Discussion: Site Specific Permissions Policy
Replies: 165
Views: 114104

Re: Discussion: Site Specific Permissions Policy

As long as Noscript 3 isn't available yet, there is a workaround using AdblockPlus. If you want to block flash by default just add this custom filter: swf| Hmm, no. Oops - I didn't know that. Although I knew that Flashblock can be defeated. Thanks for that hint, Giorgio. EDIT: It's blocked with th...