NoScript and blocked XSLT

Bug reports and enhancement requests
Post Reply
eulex
Posts: 1
Joined: Tue Apr 07, 2009 2:05 pm

NoScript and blocked XSLT

Post by eulex »

Hello,

I've noticed and read that XSLT is blocked on untrusted sites with newer NoScript versions. I've understood that you consider it 'active content', which I do not understand why you do, as it is run once when the page loads. I've also read that this was done mainly because of (now fixed) security problems in the XSLT processor in Firefox, and that it is there to prevent future security problems in it from wreaking havoc. But with the same argument, couldn't you block all HTML from untrusted sites because "it has had problems in the past, thus it probably has more of them?".

Also, NoScript blocking XSLT processing almost always leads to that the page you want to view is completely unusable and unviewable. It would thus make sense to get a popup dialog asking you if you want to enable XSLT for the site (or not), or at least be able to _just_ enable XSLT processing for a site (but not other types of content).

(Another minor gripe is that with blocked javascript, usually the blue bar above the status bar is shown. Sometimes it isn't, and I haven't been able to find any pattern in this. When XSLT is blocked, it never is shown.)

Anyway, to summarize: I'd either want to see XSLT allowed for untrusted sites by default, or an easy way to enable just XSLT for a site. Or both.

Regards, Alexander Toresson
Mozilla/5.0 (X11; U; Linux i686; sv-SE; rv:1.9.0.7) Gecko/2009030814 Iceweasel/3.0.7 (Debian-3.0.7-1)
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript and blocked XSLT

Post by therube »

If you want it allowed for untrusted sites, uncheck the XSLT menu item.

Though if it were allowed for all, how would you know that you would want it to block a particular site prior to you visiting the site? You wouldn't till after the fact. So in that respect you have given away any protections that may be afford.

NoScript already blocks, might you say, the most dangerous HTML from untrusted sites. If you want to look at it that the (often) easiest way to effect an HTML exploit is through the use of JavaScript, so if JavaScript is blocked from untrusted sites (as it is by default), then in a round about way (very roundabout way ;-)), you might say that you are blocking HTML from untrusted sites. (Obviously that is not what you are doing, but you are at least blocking one potential method that an untrusted site may be able to exploit you.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript and blocked XSLT

Post by Giorgio Maone »

eulex wrote:I've understood that you consider it 'active content', which I do not understand why you do
Because after some discussion inside the Mozilla Security Group everybody agreed it deserved to be labeled as "active content" and blocked by default in by a no-active-content policy like NoScript's.
eulex wrote: I've also read that this was done mainly because of (now fixed) security problems in the XSLT processor in Firefox, and that it is there to prevent future security problems in it from wreaking havoc. But with the same argument, couldn't you block all HTML from untrusted sites because "it has had problems in the past, thus it probably has more of them?".
The main difference is that HTML (or most image formats, or current CSS implementation) are not Turing complete languages, while XSLT is and therefore has a much higher exploitation potential.
eulex wrote:Anyway, to summarize: I'd either want to see XSLT allowed for untrusted sites by default
Just uncheck NoScript Options|Untrusted|Forbid XSLT.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript and blocked XSLT

Post by therube »

PS, what is the "blue bar"?

PPS, Giorgio, could you put "Turing" into English? Even with the links it's still Greek to me.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript and blocked XSLT

Post by Giorgio Maone »

therube wrote:PPS, Giorgio, could you put "Turing" into English? Even with the links it's still Greek to me.
It means more or less that it can perform any kind of computation.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: NoScript and blocked XSLT

Post by GµårÐïåñ »

Personally I think its great that XSLT is blocked as active content and glad it was included so quickly in the NS release.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 NoScript/1.9.1.7 FlashGot/1.1.8.5 FirePHP/0.2.4
Post Reply