Feature request to enable/disable PP0 protection.
-
- Master Bug Buster
- Posts: 244
- Joined: Wed Jan 10, 2018 7:37 am
Feature request to enable/disable PP0 protection.
Feature request:
Advanced-tab checkbox to enable/disable PP0 protection, similarly as with XSS sanitation.
Bonus typo: (too lazy to make separate post)
nscl/content/prefetchCSSResources.js:37 "rarget"
Though I have hard time figuring out what is the use case for wrapCssAccess...
Advanced-tab checkbox to enable/disable PP0 protection, similarly as with XSS sanitation.
Bonus typo: (too lazy to make separate post)
nscl/content/prefetchCSSResources.js:37 "rarget"
Though I have hard time figuring out what is the use case for wrapCssAccess...
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Re: Feature request to enable/disable PP0 protection.
+1 for this as a troubleshooting tool.
*Always* check the changelogs BEFORE updating that important software!
-
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Feature request to enable/disable PP0 protection.
Fixed, thanks.
The use case is not (currently) NoScript, since we assume JavaScript-enabled pages have plenty and more accurate ways to accomplish the same thing, but other tools which do not disable scripting but rely on NSCL for selected features, such as JS Shield (refactoring in very early stages).skriptimaahinen wrote: ↑Wed Mar 31, 2021 10:51 am Though I have hard time figuring out what is the use case for wrapCssAccess...
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Feature request to enable/disable PP0 protection.
Please check latest development build:
v 11.2.5rc1
============================================================
x Configurable "csspp0" capability to for sites where the
CSS PP0 mitigation should be disabled (e.g TRUSTED)
x [nscl] Fix CSS PP0 mitigation still interfering with some
WebExtensions (thanks barbaz for report)
x [XSS] Increased sensitivity and specificity of risky
operator pre-checks
v 11.2.5rc1
============================================================
x Configurable "csspp0" capability to for sites where the
CSS PP0 mitigation should be disabled (e.g TRUSTED)
x [nscl] Fix CSS PP0 mitigation still interfering with some
WebExtensions (thanks barbaz for report)
x [XSS] Increased sensitivity and specificity of risky
operator pre-checks
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Re: Feature request to enable/disable PP0 protection.
On update this capability is un-checked for DEFAULT/UNTRUSTED but checked for TRUSTED. Does the box being checked mean (somewhat confusingly) that CSS PP0 is NOT mitigated?
Does this capability control whether the mitigation is active when visiting the site? Or does it control whether the mitigation is applied to cross-origin stylesheets served by the site, when included by a script-disabled page?
Does this capability control whether the mitigation is active when visiting the site? Or does it control whether the mitigation is applied to cross-origin stylesheets served by the site, when included by a script-disabled page?
*Always* check the changelogs BEFORE updating that important software!
-
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Feature request to enable/disable PP0 protection.
As a capability, it means the site "can do" CSS PP0, i.e. when it's checked the mitigation is off, like any other capability: if checked, NoScript doesn't block it.
It controls whether the site can perform CSS PP0: when disabled, NoScript checks any stylesheet (either inline, same-site or cross-site) applied to the page.
Notice that the potential delays are due only to cross-site checks, but all the stylessheets are checked.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Re: Feature request to enable/disable PP0 protection.
Thanks Giorgio for the explanation. I've updated the sticky.
Two things:
1) "csspp0" is not the best name for this capability IMO. No one who knows what CSS PP0 is would want to explicitly allow it. And every other capability controls what's served by the site, while this one is aimed at what can be done on that site.
All of this could be resolved by just renaming it to something like no-mitigate-csspp0. Because as you said, it is whether CSS PP0 is mitigated on pages served by that site, not actually whether that site itself can perform CSS PP0. This new name would make this capability's meaning semantically consistent with every other capability and more accurately describe its purpose.
What do you think?
2) If this capability is disabled for a site that has scripts enabled, does the script-enabled status still override it as in previous NoScript?
Two things:
1) "csspp0" is not the best name for this capability IMO. No one who knows what CSS PP0 is would want to explicitly allow it. And every other capability controls what's served by the site, while this one is aimed at what can be done on that site.
All of this could be resolved by just renaming it to something like no-mitigate-csspp0. Because as you said, it is whether CSS PP0 is mitigated on pages served by that site, not actually whether that site itself can perform CSS PP0. This new name would make this capability's meaning semantically consistent with every other capability and more accurately describe its purpose.
What do you think?
2) If this capability is disabled for a site that has scripts enabled, does the script-enabled status still override it as in previous NoScript?
*Always* check the changelogs BEFORE updating that important software!
-
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Feature request to enable/disable PP0 protection.
Not sure about this: "webgl", for instance, is something "can be done" on the page (creating a webgl or webgl2 canvas context).
On the other hand, I'm tempted to use a less cryptic label for those who don't bother to loop up the details of this specific attack, and also to coalesce in this capability other kind of potential future CSS-related mitigations which require the same kind of pre-emptive analysis and/or patching (with the same trade-offs). What about "unmitigated-css" or "unrestricted-css" or "unchecked-css" or "unsafe-css"?
If you mean the "disable restrictions" (either globally or per tab) modes, yes: they just enable all the capabilities for the desired context.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Re: Feature request to enable/disable PP0 protection.
I like "unchecked-css" It's the most descriptive and technically accurate. I would still suggest formulating it more like "no-check-css" or "skip-check-css", because this is not about an inherent property of the CSS in general, it's about whether NoScript should not run its mitigation.
(alternately, unscanned-css / no-scan-css / skip-scan-css, if the use of the word "check" is confusing for people looking at a "check"box. I don't know if it would be or not.)
(alternately, unscanned-css / no-scan-css / skip-scan-css, if the use of the word "check" is confusing for people looking at a "check"box. I don't know if it would be or not.)
I meant the "script" capability (which is why I referenced previous NoScript). Sorry for not being clear.Giorgio Maone wrote: ↑Fri Apr 02, 2021 7:03 pmIf you mean the "disable restrictions" (either globally or per tab) modes, yes: they just enable all the capabilities for the desired context.
*Always* check the changelogs BEFORE updating that important software!
-
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Feature request to enable/disable PP0 protection.
No, it doesn't. They're independent now (even though on upgrade from <= 11.2.4 any preset, including CUSTOM ones, which have "script", automatically get the new capability).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
-
- Master Bug Buster
- Posts: 244
- Joined: Wed Jan 10, 2018 7:37 am
Re: Feature request to enable/disable PP0 protection.
Seems fine to have the protection as permission.
However, none of the suggested renames make it any more clear whether one should check or uncheck the option to prevent this mysterious threat (not that the original tells anything either). So I assume there will be lot of questions about this in any case.
Do keep the name short though. The permissions list is getting long. The popup already resizes considerably when opening and closing the custom tab.
However, none of the suggested renames make it any more clear whether one should check or uncheck the option to prevent this mysterious threat (not that the original tells anything either). So I assume there will be lot of questions about this in any case.
Do keep the name short though. The permissions list is getting long. The popup already resizes considerably when opening and closing the custom tab.
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Re: Feature request to enable/disable PP0 protection.
Maybe change in Settings the tooltip for "unchecked CSS" to "CSS PP0"?
The user will be able to find the CSS PP0 using a search engine.
UDP: Because there are checkboxes in Settings, the word "unchecked" may be misunderstood:
"When another box is checked, the previous box is automatically unchecked."
(Horstmann, Cay S.,Cornell, Gary / Core Java™ 2, Volume I - Fundamentals)
The user will be able to find the CSS PP0 using a search engine.
UDP: Because there are checkboxes in Settings, the word "unchecked" may be misunderstood:
"When another box is checked, the previous box is automatically unchecked."
(Horstmann, Cay S.,Cornell, Gary / Core Java™ 2, Volume I - Fundamentals)
Last edited by fatboy on Tue Apr 27, 2021 1:09 pm, edited 2 times in total.
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 SM/2.49.5 NS/2.9.0.14
Re: Feature request to enable/disable PP0 protection.
No, it's better to leave it as-is. Again, no one who knows what CSS PP0 is would want to explicitly allow it, and Giorgio wants to keep the door open to in future add other mitigations for other pure-CSS vulnerabilities to this capability.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Feature request to enable/disable PP0 protection.
Apparently it is -
Let's continue this discussion in viewtopic.php?f=7&t=26310 .Guest wrote: ↑Wed Apr 28, 2021 4:09 am Checking "unchecked_css" makes it unchecked and unchecking it makes it checked?
*Always* check the changelogs BEFORE updating that important software!
-