JavaScript CDNs to add to whitelist

giancarlos
Posts: 1
Joined: Mon Jun 29, 2015 12:28 am

Re: JavaScript CDNs to add to whitelist

Post by giancarlos »

Giorgio Maone wrote: Sorry for the difference with the beta channel, but AMO's signing process is still quite buggy and among other bugs there's one which makes pushing betas for automatic updates way more difficult than doing this for stable versions (quite the opposite of what should be).
Anyway, latest development build with the whitelist-related changes is on noscript.net, and I've asked AMO admins to manually push it for automatic update, but since many are traveling from their Whistler work-week I'm not sure it's gonna happen immediately.
Thanks for your patience.
You may want to consider verifying whether a domain / subdomain on the said list is valid per:

https://news.ycombinator.com/item?id=9795103

They're referencing this topic:
http://thehackerblog.com/the-noscript-m ... ndcdn-net/

It seems someone was trying to check out the security of noscript and their timing was perfect. They found this thread, but they failed to realize that the URL on this thread and the URL now on NoScript is indeed a typo, as someone else on HN noticed. The actual domain / subdomain that should have been white listed: vjs.zencdn.net; what was white listed: vjs.zenDcdn.net

I highly recommend verifying domains and subdomains actually exist before adding them because if I can just buy a domain on the white list then all of a sudden I can target multiple attacks towards noscript users.

Edit:

Realized someone else reported the typo at least. Sorry for missing that post. :) But I still think it should be considered to check domains before they're added, considering how big of a flop it would be if the wrong person got a domain based on a typo.
Last edited by barbaz on Mon Jun 29, 2015 1:20 am, edited 1 time in total.
Reason: fix broken link
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
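
The pre-add check recommended in the post above, as an added example that is not part of the original thread or of NoScript's code. The function names, the last-two-labels rule for finding the base domain, and the offline resolver table are assumptions made for illustration; a name that fails to resolve is only a hint that it may be unregistered, which a WHOIS/RDAP lookup would confirm.

```python
import socket

def resolves(host, lookup=socket.getaddrinfo):
    """True if a lookup for host returns at least one address."""
    try:
        return bool(lookup(host, 443))
    except (socket.gaierror, UnicodeError):
        return False

def base_domain(host):
    """Last two labels of host (assumption: a real tool would consult
    the Public Suffix List so that names under e.g. co.uk work)."""
    return ".".join(host.split(".")[-2:])

def audit_whitelist(entries, lookup=socket.getaddrinfo):
    """Map each problematic entry to a reason; clean entries are omitted."""
    findings = {}
    for entry in entries:
        host = entry.strip().lower().rstrip(".")
        if resolves(host, lookup):
            continue
        if resolves(base_domain(host), lookup):
            # Only the domain's current owner can create this host.
            findings[entry] = "host missing under a live domain"
        else:
            # Nothing answers for the base domain either: whoever
            # registers it would inherit the whitelist entry.
            findings[entry] = "base domain does not resolve; may be unregistered"
    return findings

# Constructed resolver standing in for DNS so the example runs offline.
# The table is sample data, not a record of any real zone.
SAMPLE_ZONE = {"vjs.zencdn.net", "zencdn.net", "example.org"}

def sample_lookup(host, port):
    if host not in SAMPLE_ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port))]

if __name__ == "__main__":
    proposed = ["vjs.zencdn.net", "vjs.zendcdn.net", "static.example.org"]
    for entry, reason in audit_whitelist(proposed, sample_lookup).items():
        print(f"REJECT {entry}: {reason}")
```

Calling `audit_whitelist(entries)` without the second argument uses the system resolver instead of the sample table.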
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: JavaScript CDNs to add to whitelist

Post by barbaz »

giancarlos wrote:It seems someone was trying to check out the security of noscript and their timing was perfect. They found this thread, but they failed to realize that the URL on this thread and the URL now on NoScript is indeed a typo as someone else on HN noticed.
Whose timing? This issue had been there for a long time.
We (NoScript users) are lucky it was caught at all...
*Always* check the changelogs BEFORE updating that important software!
-
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: JavaScript CDNs to add to whitelist

Post by therube »

I still have vjs.zend.net in my whitelist, NoScript 2.6.9.30rc1 ?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: JavaScript CDNs to add to whitelist

Post by barbaz »

therube wrote:I still have vjs.zend.net in my whitelist, NoScript 2.6.9.30rc1 ?
Because the removed domain is "vjs.zendcdn.net" ;)

(Did you accidentally type the wrong domain in your post? If so, note that it would not be removed if you whitelisted it after the upgrade to 2.6.9.27/2.6.9.28rc1 or later.)
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: JavaScript CDNs to add to whitelist

Post by therube »

I'm going wacko!

Not sure if I typo'd in my post above or not?
And now I'm not seeing any "zen" except for noscript.filterXExceptions.zendesk;true, which I also saw before?

... unless ...

He caches in memory, doesn't he?
So maybe when I looked... prefs.js hadn't written yet... but then what would about:config show? cached or what was written to disk in prefs.js? eh, still confused...


(Oh & I have no *googleapis* at all. Didn't have it before I fired up, & don't have ajax.googleapis.com [added in] either?)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: JavaScript CDNs to add to whitelist

Post by barbaz »

https://noscript.net/getit#devel wrote:
v 2.6.9.30rc2
=============================================================
[...]
x Default whitelist maintenance: removed prototypejs.org,
cdnjs.cloudflare.com;
??
And they're getting retroactively removed from users' whitelists too...

I'm confused - I had thought cdnjs.cloudflare.com was a relatively "safe" site... unless it got removed because it's now one of those Cloudflare-enabled domains that bundles scripts from *everywhere* (including other domains) as one script, and serves it from its own origin? Or is it also dead now?
EDIT oh, it seems to have moved here. But why not replace it in people's whitelists, why remove it outright in this case?
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: JavaScript CDNs to add to whitelist

Post by Giorgio Maone »

barbaz wrote:But why not replace it in people's whitelists, why remove it outright in this case?
Because the process used to add and update libraries is community based and doesn't seem very abuse-proof.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: JavaScript CDNs to add to whitelist

Post by barbaz »

Giorgio Maone wrote:
barbaz wrote:But why not replace it in people's whitelists, why remove it outright in this case?
Because the process used to add and update libraries is community based and doesn't seem very abuse-proof.
Thanks for that explanation (I'd assume it's something similar for prototypejs.org which still seems to be there as it was). :)
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: JavaScript CDNs to add to whitelist

Post by Thrawn »

Giorgio Maone wrote:the process used to add and update libraries is community based and doesn't seem very abuse-proof.
https://github.com/cdnjs/cdnjs wrote:cdnjs will host any production version of any JavaScript/CSS library, subject to license permissions.
Eep!
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
nimd4
Posts: 10
Joined: Tue Apr 14, 2009 9:03 am

Re: JavaScript CDNs to add to whitelist

Post by nimd4 »

giancarlos wrote:I highly recommend [..]
Yeah, you'd be able to affect two (2) people's computers - in total. xD
Z68A-G43 (G3) - i7-3770 - Vengeance 2x4GB 2133MHz - GTX 650 Gainward
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0