InformAction Forums

I suppose you can use Time Machine to restore the previous state of your profile, [Export] the NoScript settings and then go back to current and [Import]?

On such page (if the link is still valid) is https://attcx.sjc1.qualtrics.com/jfe/form/SV_3WUYNSRjrHWzTVA?Q_DL=39xSVYXraE1ys8I_3WUYNSRjrHWzTVA_CGC_7byD3oYQwuWkO5p&Q_CHL=email It's a survey page for AT&T. This page works for me, I just had to set qualtrics.com to temp. TRUSTED. Howev...

barbaz wrote: ↑Sun Jul 02, 2023 4:32 pm 11.4.25rc1 is not offered as available update, and trying to get it manually from noscript.net returns 404?

Sorry, there was a glitch in the file syncrhonization process. Fixed now, thank you.

Should be fixed in latest development build, thanks.

v 11.4.25rc1
============================================================
x Fixed UI inconsistencies when finer-grained contextual
policies are created/imported by other means (thanks barbaz
for reporting)

It's the latest, quieter iteration of TabGuard (Cross-site identity leak protection).

Does this not mean that by having selected "Load normally" a.com from b.com, that a.com is already then able to attack b.com using that same tab pair? That's correct theoretically, but at this stage a.com has no way (yet) to choose which content is opened in b.com, something which is inte...

So I didn't understand correctly? - v 11.4.24rc1 ============================================================ x [TabGuard] Stop exempting domains bidirectionally by default This change just means that now if you chose to "Load normally" a.com from b.com, you will still get asked what to d...

Fixed in latest dev build , thanks: v 11.4.24rc1 ============================================================ x [TabGuard] Stop exempting domains bidirectionally by default x [TabGuard] Fix destination domain being reported as the trigger of a warning prompt when all the other tab-tied domains have ...

Interesting. Investigating, thanks.

Thanks Giorgio for the info & fixes! https://i.psyche.me/thumbsup_left.gif But in 11.4.23rc4 I no longer get the warning following STR in https://forums.informaction.com/viewtopic.php?p=106035#p106035 , but you're saying it was correct for the warning to happen there? 11.4.23rc3 and above takes...

1) So cookies are the only thing that needs to be anonymized to fully stop this attack, and the use of Containers for the anonymous load would be overkill? Cookies and the Authorization header. Basically we don't want the user to be logged in on a site loaded in a tab which can be monitored by anot...

Also, another case I wonder about? - Firefox 109.0.1 NoScript 11.4.15rc1 new profile STR: 1) NoScript Options > Advanced, set Cross-tab identity leak protection Enabled everywhere 2) NoScript Options > Per-site Permissions, set github.com and flathub.org to Trusted 3) go to https://flathub.org/ 4) ...

At (5), the cross-tab identity leak protection claims that informaction.com can obtain github.com login data at that load, even though the opener tab is github.com. Does the exploit also work through "chaining" opener tabs like this? Yes, it can. As long as there's one tab in control of t...

The changes between 11.4.21 and 11.4.22 are very unlikely to affect tab loading, unless your pinned tabs are data: or file:// URLs (and cannot have anything to do with Youtube). Is that the case? Does downgrading to 11.4.21 actually help (and upgrading again break those tabs again)? Also, Firefox 88...

And if the current wording of NoScript Options is the correct one, could the aforementioned issues with this please be addressed before this gets to NoScript stable channel? Otherwise it's just asking for a deluge of difficult support requests, if many people use Cross-tab identity leak protection....