Feature request to enable/disable PP0 protection.

Posted: Wed Mar 31, 2021 10:51 am
by skriptimaahinen
Feature request:

Advanced-tab checkbox to enable/disable PP0 protection, similarly as with XSS sanitation.


Bonus typo: (too lazy to make separate post)

nscl/content/prefetchCSSResources.js:37 "rarget"

Though I have a hard time figuring out what the use case for wrapCssAccess is...

Re: Feature request to enable/disable PP0 protection.

Posted: Wed Mar 31, 2021 12:28 pm
by barbaz
+1 for this as a troubleshooting tool.

Re: Feature request to enable/disable PP0 protection.

Posted: Wed Mar 31, 2021 4:42 pm
by Giorgio Maone
skriptimaahinen wrote: Wed Mar 31, 2021 10:51 am nscl/content/prefetchCSSResources.js:37 "rarget"
Fixed, thanks.
skriptimaahinen wrote: Wed Mar 31, 2021 10:51 am Though I have a hard time figuring out what the use case for wrapCssAccess is...
The use case is not (currently) NoScript, since we assume JavaScript-enabled pages have plenty and more accurate ways to accomplish the same thing, but other tools which do not disable scripting but rely on NSCL for selected features, such as JS Shield (refactoring in very early stages).

Re: Feature request to enable/disable PP0 protection.

Posted: Thu Apr 01, 2021 10:36 pm
by Giorgio Maone
Please check latest development build:
v 11.2.5rc1
============================================================
x Configurable "csspp0" capability for sites where the
CSS PP0 mitigation should be disabled (e.g. TRUSTED)

x [nscl] Fix CSS PP0 mitigation still interfering with some
WebExtensions (thanks barbaz for report)
x [XSS] Increased sensitivity and specificity of risky
operator pre-checks

Re: Feature request to enable/disable PP0 protection.

Posted: Fri Apr 02, 2021 12:37 am
by barbaz
On update this capability is un-checked for DEFAULT/UNTRUSTED but checked for TRUSTED. Does the box being checked mean (somewhat confusingly) that CSS PP0 is NOT mitigated?

Does this capability control whether the mitigation is active when visiting the site? Or does it control whether the mitigation is applied to cross-origin stylesheets served by the site, when included by a script-disabled page?

Re: Feature request to enable/disable PP0 protection.

Posted: Fri Apr 02, 2021 5:56 am
by Giorgio Maone
barbaz wrote: Fri Apr 02, 2021 12:37 am On update this capability is un-checked for DEFAULT/UNTRUSTED but checked for TRUSTED. Does the box being checked mean (somewhat confusingly) that CSS PP0 is NOT mitigated?
As a capability, it means the site "can do" CSS PP0, i.e. when it's checked the mitigation is off, like any other capability: if checked, NoScript doesn't block it.
barbaz wrote: Fri Apr 02, 2021 12:37 am Does this capability control whether the mitigation is active when visiting the site? Or does it control whether the mitigation is applied to cross-origin stylesheets served by the site, when included by a script-disabled page?
It controls whether the site can perform CSS PP0: when disabled, NoScript checks any stylesheet (either inline, same-site or cross-site) applied to the page.
Notice that the potential delays are due only to cross-site checks, but all the stylesheets are checked.

Re: Feature request to enable/disable PP0 protection.

Posted: Fri Apr 02, 2021 5:24 pm
by barbaz
Thanks Giorgio for the explanation. I've updated the sticky.

Two things:

1) "csspp0" is not the best name for this capability IMO. No one who knows what CSS PP0 is would want to explicitly allow it. And every other capability controls what's served by the site, while this one is aimed at what can be done on that site.

All of this could be resolved by just renaming it to something like no-mitigate-csspp0. Because as you said, it is whether CSS PP0 is mitigated on pages served by that site, not actually whether that site itself can perform CSS PP0. This new name would make this capability's meaning semantically consistent with every other capability and more accurately describe its purpose.

What do you think?

2) If this capability is disabled for a site that has scripts enabled, does the script-enabled status still override it as in previous NoScript?

Re: Feature request to enable/disable PP0 protection.

Posted: Fri Apr 02, 2021 7:03 pm
by Giorgio Maone
barbaz wrote: Fri Apr 02, 2021 5:24 pm 1) "csspp0" is not the best name for this capability IMO. No one who knows what CSS PP0 is would want to explicitly allow it. And every other capability controls what's served by the site, while this one is aimed at what can be done on that site.
Not sure about this: "webgl", for instance, is something "can be done" on the page (creating a webgl or webgl2 canvas context).
On the other hand, I'm tempted to use a less cryptic label for those who don't bother to look up the details of this specific attack, and also to coalesce into this capability other kinds of potential future CSS-related mitigations which require the same kind of pre-emptive analysis and/or patching (with the same trade-offs). What about "unmitigated-css" or "unrestricted-css" or "unchecked-css" or "unsafe-css"?
barbaz wrote: Fri Apr 02, 2021 5:24 pm 2) If this capability is disabled for a site that has scripts enabled, does the script-enabled status still override it as in previous NoScript?
If you mean the "disable restrictions" (either globally or per tab) modes, yes: they just enable all the capabilities for the desired context.

Re: Feature request to enable/disable PP0 protection.

Posted: Fri Apr 02, 2021 7:55 pm
by barbaz
I like "unchecked-css" :) It's the most descriptive and technically accurate. I would still suggest formulating it more like "no-check-css" or "skip-check-css", because this is not about an inherent property of the CSS in general, it's about whether NoScript should not run its mitigation.

(alternately, unscanned-css / no-scan-css / skip-scan-css, if the use of the word "check" is confusing for people looking at a "check"box. I don't know if it would be or not.)
Giorgio Maone wrote: Fri Apr 02, 2021 7:03 pm
barbaz wrote: Fri Apr 02, 2021 5:24 pm 2) If this capability is disabled for a site that has scripts enabled, does the script-enabled status still override it as in previous NoScript?
If you mean the "disable restrictions" (either globally or per tab) modes, yes: they just enable all the capabilities for the desired context.
I meant the "script" capability (which is why I referenced previous NoScript). Sorry for not being clear.

Re: Feature request to enable/disable PP0 protection.

Posted: Fri Apr 02, 2021 8:15 pm
by Giorgio Maone
barbaz wrote: Fri Apr 02, 2021 5:24 pm 2) If this capability is disabled for a site that has scripts enabled, does the script-enabled status still override it as in previous NoScript?
No, it doesn't. They're independent now (even though on upgrade from <= 11.2.4 any preset, including CUSTOM ones, which have "script", automatically get the new capability).
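
The semantics Giorgio spells out in this thread (the capability means "mitigation off", "disable restrictions" enables every capability, all stylesheet origins are checked with only cross-site checks adding delay, and presets with "script" inherit the capability on upgrade from <= 11.2.4) modelled as a small policy function. This is an added illustration, not NoScript's or NSCL's own code; the preset contents and the capability name "unchecked_css" are assumptions for the example.

```javascript
// Added illustration, not NoScript's own code: a model of the capability
// semantics explained in this thread. Preset contents and the capability
// name "unchecked_css" are assumptions for the example.
const CAPABILITY = "unchecked_css";
const PRESETS = {
  DEFAULT: new Set(["frame", "fetch", "other"]),
  TRUSTED: new Set(["script", "frame", "fetch", "webgl", CAPABILITY]),
  UNTRUSTED: new Set(),
};

// True when `version` (e.g. "11.2.4" or "11.2.5rc1") is <= 11.2.4,
// i.e. a build that predates the new capability.
function isPreCapabilityVersion(version) {
  const [maj, min, patch] = version.split(".").map((p) => parseInt(p, 10));
  const cmp = [maj - 11, min - 2, patch - 4].find((d) => d !== 0) || 0;
  return cmp <= 0;
}

// Upgrade rule from the thread: coming from <= 11.2.4, any preset (including
// CUSTOM ones) that has "script" automatically gets the new capability.
// Returns a new Set; afterwards the two capabilities are independent.
function migratePreset(caps, fromVersion) {
  const out = new Set(caps);
  if (isPreCapabilityVersion(fromVersion) && out.has("script")) out.add(CAPABILITY);
  return out;
}

// Classify a stylesheet relative to the page: inline (no URL), same-site
// (approximated here as same-origin) or cross-site.
function stylesheetKind(pageOrigin, sheetUrl) {
  if (sheetUrl === null) return "inline";
  return new URL(sheetUrl).origin === pageOrigin ? "same-site" : "cross-site";
}

// Should NoScript run the CSS PP0 check for this stylesheet? "Disable
// restrictions" (global or per tab) enables every capability for the context,
// so nothing is checked; otherwise every stylesheet is checked unless the
// page's site has the capability. Only cross-site checks can add delay.
function cssCheckDecision(siteCaps, ctx) {
  const unrestricted = ctx.disableRestrictionsGlobal || ctx.disableRestrictionsTab;
  const check = !(unrestricted || siteCaps.has(CAPABILITY));
  const kind = stylesheetKind(ctx.pageOrigin, ctx.sheetUrl);
  return { check, kind, mayDelay: check && kind === "cross-site" };
}
```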

Re: Feature request to enable/disable PP0 protection.

Posted: Sat Apr 03, 2021 10:58 am
by skriptimaahinen
Seems fine to have the protection as permission.

However, none of the suggested renames make it any more clear whether one should check or uncheck the option to prevent this mysterious threat (not that the original tells anything either). So I assume there will be lot of questions about this in any case.

Do keep the name short though. The permissions list is getting long. The popup already resizes considerably when opening and closing the custom tab.

Re: Feature request to enable/disable PP0 protection.

Posted: Tue Apr 27, 2021 11:51 am
by fatboy
Maybe change in Settings the tooltip for "unchecked CSS" to "CSS PP0"?
The user will be able to find the CSS PP0 using a search engine.
 
UDP: Because there are checkboxes in Settings, the word "unchecked" may be misunderstood:
"When another box is checked, the previous box is automatically unchecked."
(Horstmann, Cay S., Cornell, Gary / Core Java™ 2, Volume I - Fundamentals)

Re: Feature request to enable/disable PP0 protection.

Posted: Tue Apr 27, 2021 12:59 pm
by barbaz
fatboy wrote: Tue Apr 27, 2021 11:51 am Maybe change in Settings the tooltip for "unchecked CSS" to "CSS PP0"?
The user will be able to find the CSS PP0 using a search engine.
No, it's better to leave it as-is. Again, no one who knows what CSS PP0 is would want to explicitly allow it, and Giorgio wants to keep the door open to in future add other mitigations for other pure-CSS vulnerabilities to this capability.

Re: Feature request to enable/disable PP0 protection.

Posted: Wed Apr 28, 2021 7:22 pm
by barbaz
barbaz wrote: Fri Apr 02, 2021 7:55 pm (alternately, unscanned-css / no-scan-css / skip-scan-css, if the use of the word "check" is confusing for people looking at a "check"box. I don't know if it would be or not.)
Apparently it is -
fatboy wrote: Tue Apr 27, 2021 11:51 am UDP: Because there are checkboxes in Settings, the word "unchecked" may be misunderstood:
"When another box is checked, the previous box is automatically unchecked."
(Horstmann, Cay S., Cornell, Gary / Core Java™ 2, Volume I - Fundamentals)
Guest wrote: Wed Apr 28, 2021 4:09 am Checking "unchecked_css" makes it unchecked and unchecking it makes it checked? :roll:
Let's continue this discussion in viewtopic.php?f=7&t=26310 .