Search found 47 matches
- Wed Feb 11, 2015 7:53 pm
- Forum: NoScript General
- Topic: Origin header: CORS and the Fetch standard
- Replies: 16
- Views: 6325
Re: Origin header: CORS and the Fetch standard
Oh thanks! I posted something over there
- Wed Feb 11, 2015 7:50 pm
- Forum: NoScript Development
- Topic: noscript.forbidXHR removal
- Replies: 10
- Views: 3254
Re: noscript.forbidXHR removal
I'm withholding NoScript's update as well. I'm uncomfortable with NoScript being stuck with the equivalent of a forbidXHR set to 0 (Allow any XHR) instead of 1 (Allow cross-site XHR across trusted sites only). An explanation would be very welcome. Why isn't cross-site XHR a security threat anymore?...
- Wed Feb 11, 2015 7:19 pm
- Forum: NoScript General
- Topic: Origin header: CORS and the Fetch standard
- Replies: 16
- Views: 6325
Re: Origin header: CORS and the Fetch standard
Oh noes. I take it that from now on, NoScript will behave as if it had forbidXHR set to 0 (Allow any XHR) instead of 1 (Allow cross-site XHR across trusted sites only)? I don't even know if 1 can be replicated with ABE? Either way, I would very much like to hear the reasoning on why this feature w...
- Sun Jan 25, 2015 5:07 pm
- Forum: NoScript General
- Topic: Origin header: CORS and the Fetch standard
- Replies: 16
- Views: 6325
Re: Origin header: CORS and the Fetch standard
Nice! And the default is good if it indeed means both source and target sites must be whitelisted for XHR to be allowed. I'm going to leave it as default. Thank you! Now the fetch thing hopefully doesn't work without JavaScript or something. I really need to read more about it before Firefox enables...
- Fri Jan 23, 2015 9:38 am
- Forum: NoScript General
- Topic: Origin header: CORS and the Fetch standard
- Replies: 16
- Views: 6325
Re: Origin header: CORS and the Fetch standard
Yep.
One could want to forbid cross-origin XML Http Requests through a NoScript anti-XSS about:config option that would be turned off by default, if nothing else fits the bill.
Dunno. Thanks for the feedback anyway
- Thu Jan 22, 2015 5:07 am
- Forum: NoScript General
- Topic: Origin header: CORS and the Fetch standard
- Replies: 16
- Views: 6325
Re: Origin header: CORS and the Fetch standard
The security vulnerability occurs when the site assumes that it can use the header to distinguish real users from CSRF attacks, and then you forge it so that traffic from your browser always looks legitimate. Bingo, CSRF comes back. CSRF is only a nuisance for the client when it has credentials on ...
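The check the post describes, as an added example that is not code from the thread or from NoScript: a server-side CSRF check that trusts the Origin header (falling back to Referer), run over constructed header sets for the cases discussed above. The site origin, header values and the allow/deny policy strings are assumptions made for illustration.

```javascript
// Added example: an Origin/Referer-based CSRF check of the kind the post
// describes, and the cases that matter for it. Not code from NoScript or
// the forum; the site origin and request headers below are constructed.

// Normalise a URL or origin string to "scheme://host[:port]".
// Returns null when the value is absent or unparsable (including "null").
function toOrigin(value) {
  if (!value) return null;
  try {
    const u = new URL(value);
    return u.origin === "null" ? null : u.origin;
  } catch {
    return null;
  }
}

// Decide whether a state-changing request (POST etc.) may proceed.
// Policy: trust Origin when present; otherwise fall back to Referer;
// if neither is present, reject, because a same-site form post cannot
// be told apart from a cross-site one.
function csrfCheck(headers, siteOrigin) {
  const origin = toOrigin(headers.origin);
  if (origin !== null) {
    return origin === siteOrigin ? "allow" : "deny:cross-origin";
  }
  const referer = toOrigin(headers.referer);
  if (referer !== null) {
    return referer === siteOrigin ? "allow" : "deny:cross-origin";
  }
  return "deny:no-source-header";
}

// Assumed site being protected.
const SITE = "https://bank.example";

// Constructed header sets illustrating the cases in the thread.
const cases = {
  // POST from the site's own form, browser sends Origin (Chrome behaviour)
  sameOriginPost: { origin: "https://bank.example" },
  // Form auto-submitted from an attacker page: the classic CSRF
  crossSitePost: { origin: "https://evil.example" },
  // A browser that sends no Origin on plain form POSTs, only Referer
  firefoxFormPost: { referer: "https://bank.example/transfer" },
  // Privacy tooling stripped both headers: indistinguishable from CSRF
  strippedHeaders: {},
  // A client-side rewrite that sets Origin to the target site on every
  // request: the check passes although the sending page is evil.example,
  // because the check trusts the header and never consults Referer.
  forgedOrigin: { origin: "https://bank.example", referer: "https://evil.example/" },
};

// Run every constructed case and return the decisions by name.
function runCases() {
  const out = {};
  for (const [name, headers] of Object.entries(cases)) {
    out[name] = csrfCheck(headers, SITE);
  }
  return out;
}
```

The forgedOrigin case is the failure mode the post is talking about: once a client rewrites Origin to match the target, a server relying on that header alone accepts the request, so the protection is only as good as the browser's refusal to let pages set Origin. The strippedHeaders case is the flip side: stripping Origin for privacy makes a legitimate request look exactly like a CSRF attempt to such a server.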
- Thu Jan 22, 2015 12:33 am
- Forum: NoScript General
- Topic: Origin header: CORS and the Fetch standard
- Replies: 16
- Views: 6325
Re: Origin header: CORS and the Fetch standard
Origin contains the host instead of the whole URL, but that's still a privacy concern IMO. I'm not comfortable with it. Maybe NoScript's normal XSS protection feature is good enough that we don't need the Origin header. I mean, NoScript goes pretty far already in tinkering with requests when it tran...
- Wed Jan 21, 2015 5:24 pm
- Forum: NoScript General
- Topic: Origin header: CORS and the Fetch standard
- Replies: 16
- Views: 6325
Re: Origin header: CORS and the Fetch standard
I think the guy actually asks for Origin *to be sent* with every POST request, as a CSRF protection measure. Because Firefox doesn't send it yet for regular POST (but Chrome apparently does). Now I could be wrong but I believe Firefox does send it with cross site XML Http Requests, and I was wonderi...
- Wed Jan 21, 2015 5:52 am
- Forum: NoScript General
- Topic: Origin header: CORS and the Fetch standard
- Replies: 16
- Views: 6325
Origin header: CORS and the Fetch standard
Hi, I'm currently digging into cross-origin requests and how they evolve as the World Wide Web Consortium and the Internet Engineering Task Force keep spawning standard after standard. It's all fine and good, but these groups are populated with a number of huge companies with direct interests in the...
- Fri Aug 01, 2014 3:31 am
- Forum: FlashGot Support
- Topic: Compatibility with Australis (as a CustomizableUI widget)
- Replies: 5
- Views: 3411
Re: Compatibility with Australis (as a CustomizableUI widget)
The button continually reverts to the wrong place. I move it, restart Firefox, and it goes back to the default location.
- Sat Jul 26, 2014 9:13 am
- Forum: FlashGot Support
- Topic: Compatibility with Australis (as a CustomizableUI widget)
- Replies: 5
- Views: 3411
- Wed Jun 25, 2014 2:07 am
- Forum: FlashGot Support
- Topic: Compatibility with Australis (as a CustomizableUI widget)
- Replies: 5
- Views: 3411
Re: Compatibility with Australis (as a CustomizableUI widget)
Anxiously awaiting a fix for this!
- Mon May 19, 2014 11:14 pm
- Forum: NoScript Development
- Topic: [solved, false alarm] NoScript crashes Firefox on bahn.de
- Replies: 7
- Views: 3345
Re: [solved, false alarm] NoScript crashes Firefox on bahn.d
As expected, no crashes in Safe Mode. I was able to narrow it down to the option gfx.direct2d.disabled, my Firefox crashes when it is set to the default value false (and hardware acceleration is enabled). Changing gfx.direct2d.disabled to true and restarting Firefox is enough, no need to disable har...
- Sun May 18, 2014 8:08 pm
- Forum: NoScript Development
- Topic: [solved, false alarm] NoScript crashes Firefox on bahn.de
- Replies: 7
- Views: 3345
[solved, false alarm] NoScript crashes Firefox on bahn.de
Update: It looks like I have been just too impatient. While the crashes seem to come less frequently, they still happen without NoScript. Disabling hardware acceleration has helped, no more crashes since then, regardless of whether NoScript is installed/enabled. Might be related to https://bugzilla.moz...
- Mon Nov 18, 2013 1:23 pm
- Forum: NoScript Development
- Topic: Stop pages from nagging the user when closing them
- Replies: 9
- Views: 5926
Re: Stop pages from nagging the user when closing them
Try this surrogate.
noscript.surrogate.noflashexit.replacement: window.addEventListener("load", function() { window.onbeforeunload = function() { for (let o of document.querySelectorAll("object,embed")) o.parentNode.removeChild(o); }; }, false)
noscript.surrogate.noflashexit.sources: @^http...