Page 1 of 1

Place higher trust on surrogates?

Posted: Fri Dec 25, 2015 7:39 am
by blowtorch
Hello there.

More and more I find myself writing surrogates scripts [1] that replicate part of the JavaScript functionality in untrusted sites [2]. Recently I found a case in which I need to make XHR requests from the surrogate and discovered that they don't work: NoScript blocks them.

I looked a bit into the code and so far my rough understanding is that this behaviour depends on:

  • the value of the "forbidXHR" preference;
  • whether the code making the XHR comes from a "special" scheme (such as "chrome:");
  • whether the relevant locations (e.g. source and target) are whitelisted by the user.
I'm using the default value for "forbidXHR" (1), and I want to keep it that way. Though I haven't yet checked in the debugger, it seems that the XHR requests I make in the surrogate are given the same scheme as the current location (?). Finally, I do not want to whitelist neither source nor target.

Is there any way to have surrogate XHRs succeed in this situation?

Generally speaking, I want NoScript to distinguish "my" code from that of other people, and be able to place different levels of trust on them (some degree of trust for my code and complete distrust for other people's code). [3]


[1] All my surrogates are of the "no-script" kind (that is, "sources" is prefixed with "!").

[2] By "untrusted" I just mean not whitelisted by NoScript. I'm not talking about the "Mark as untrusted" feature of NoScript.

[3] If you are wondering now why don't I use something like Greasemonkey instead of NoScript surrogates, well, is because some of these scripts are supposed to run in an environment where NoScript is already part of the trusted code base, while Greasemonkey is not.

Re: Place higher trust on surrogates?

Posted: Fri Dec 25, 2015 3:52 pm
by barbaz
+1 to your request, if there is a way to implement it safely.

Moving to NoScript Development because this is a RFE.

EDIT In implementing this RFE, if it is done I think it would be best if there is an ability to create a per-surrogate boolean about:config boolean pref and set to true (defaults to false if unset) to control whether specific surrogate has the ability to fire XHR regardless, etc. - like, say, noscript.surrogate.<surrogate_name>.privileged
Then this stuff won't be available where it's not needed
EDIT2 I also think that this should *not* ever be available to surrogates that run on script-allowed pages, otherwise there is potential for a poorly-coded surrogate to become a gaping security hole. Your use case anyway involves only ! surrogates, and limiting the ability to allow extra privileges to only ! surrogates seems reasonable and smart to me.

Re: Place higher trust on surrogates?

Posted: Sat Dec 26, 2015 12:18 am
by blowtorch
Hi barbaz.

barbaz wrote:this is a RFE

I guess your answer to my question is "currently not possible", then?

Re: Place higher trust on surrogates?

Posted: Sat Dec 26, 2015 3:18 am
by barbaz
Right, I don't think it's currently exists for surrogates. I don't know whether it'd currently work in bookmarklets though, but even if so, it's pretty hard (if even possible) to click a bookmarklet with timing such that it'll run exactly on DOMContentLoaded... Image