Hello,
I've noticed and read that XSLT is blocked on untrusted sites with newer NoScript versions. I've understood that you consider it 'active content', and I do not understand why you do, as it is run once when the page loads. I've also read that this was done mainly because of (now fixed) security problems in the XSLT processor in Firefox, and that it is there to prevent future security problems in it from wreaking havoc. But with the same argument, couldn't you block all HTML from untrusted sites because "it has had problems in the past, thus it probably has more of them"?
Also, NoScript blocking XSLT processing almost always means that the page you want to view is completely unusable and unviewable. It would thus make sense to get a popup dialog asking you if you want to enable XSLT for the site (or not), or at least to be able to enable _just_ XSLT processing for a site (but not other types of content).
(Another minor gripe is that with blocked javascript, usually the blue bar above the status bar is shown. Sometimes it isn't, and I haven't been able to find any pattern in this. When XSLT is blocked, it never is shown.)
Anyway, to summarize: I'd either want to see XSLT allowed for untrusted sites by default, or an easy way to enable just XSLT for a site. Or both.
Regards, Alexander Toresson
NoScript and blocked XSLT
Mozilla/5.0 (X11; U; Linux i686; sv-SE; rv:1.9.0.7) Gecko/2009030814 Iceweasel/3.0.7 (Debian-3.0.7-1)
Re: NoScript and blocked XSLT
If you want it allowed for untrusted sites, uncheck the XSLT menu item.
Though if it were allowed for all, how would you know that you would want it blocked for a particular site prior to visiting the site? You wouldn't, until after the fact. So in that respect you have given away any protection that may be afforded.
NoScript already blocks, you might say, the most dangerous HTML from untrusted sites. If you want to look at it that way, the (often) easiest way to effect an HTML exploit is through the use of JavaScript, so if JavaScript is blocked from untrusted sites (as it is by default), then in a roundabout way (a very roundabout way), you might say that you are blocking HTML from untrusted sites. (Obviously that is not what you are doing, but you are at least blocking one potential method that an untrusted site may be able to use to exploit you.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: NoScript and blocked XSLT
eulex wrote: I've understood that you consider it 'active content', which I do not understand why you do
Because after some discussion inside the Mozilla Security Group everybody agreed it deserved to be labeled as "active content" and blocked by default by a no-active-content policy like NoScript's.
eulex wrote: I've also read that this was done mainly because of (now fixed) security problems in the XSLT processor in Firefox, and that it is there to prevent future security problems in it from wreaking havoc. But with the same argument, couldn't you block all HTML from untrusted sites because "it has had problems in the past, thus it probably has more of them?".
The main difference is that HTML (or most image formats, or the current CSS implementation) are not Turing-complete languages, while XSLT is, and therefore it has a much higher exploitation potential.
eulex wrote: Anyway, to summarize: I'd either want to see XSLT allowed for untrusted sites by default
Just uncheck NoScript Options|Untrusted|Forbid XSLT.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
Re: NoScript and blocked XSLT
PS, what is the "blue bar"?
PPS, Giorgio, could you put "Turing" into English? Even with the links it's still Greek to me.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: NoScript and blocked XSLT
therube wrote: PPS, Giorgio, could you put "Turing" into English? Even with the links it's still Greek to me.
It means more or less that it can perform any kind of computation.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
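To make the "Turing complete" point from Giorgio's two replies concrete, here is an added example (not posted in this thread and not part of NoScript or Firefox): an XSLT 1.0 stylesheet that performs its own computation. It has conditionals, variables and a named template that calls itself, which is all a language needs to express arbitrary loops. A browser's XSLT processor must execute whatever control flow the stylesheet author wrote when the page is rendered, which is why the transform reaches far more processor code than a static HTML parse does, and why a policy that blocks active content treats it like script. The input document (a single `<n>` element) is constructed for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: XSLT 1.0 with recursion.
     Assumed input document: <n>5</n> -->
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>

  <!-- Recursive factorial. XSLT has no mutable variables or loops, so
       iteration is written as a template calling itself; the processor
       evaluates every step while the page is being transformed. -->
  <xsl:template name="factorial">
    <xsl:param name="n"/>
    <xsl:choose>
      <xsl:when test="$n &lt;= 1">1</xsl:when>
      <xsl:otherwise>
        <!-- Result of the recursive call, captured as a tree fragment
             and converted to a number by the multiplication. -->
        <xsl:variable name="rest">
          <xsl:call-template name="factorial">
            <xsl:with-param name="n" select="$n - 1"/>
          </xsl:call-template>
        </xsl:variable>
        <xsl:value-of select="$n * $rest"/>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>

  <!-- Entry point: matches the document element <n> and prints
       "factorial(5) = 120" for the assumed input. -->
  <xsl:template match="/n">
    <xsl:text>factorial(</xsl:text>
    <xsl:value-of select="."/>
    <xsl:text>) = </xsl:text>
    <xsl:call-template name="factorial">
      <xsl:with-param name="n" select="number(.)"/>
    </xsl:call-template>
    <xsl:text>&#10;</xsl:text>
  </xsl:template>
</xsl:stylesheet>
```

Saved as `factorial.xsl` and run with libxslt's command-line tool as `xsltproc factorial.xsl input.xml`, where `input.xml` contains `<n>5</n>`, it prints `factorial(5) = 120`. Nothing in the stylesheet bounds the recursion except the `$n &lt;= 1` test; drop that base case and the transform never terminates, which is the difference between content a renderer lays out and content a renderer executes.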
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: NoScript and blocked XSLT
Personally I think it's great that XSLT is blocked as active content, and I'm glad it was included so quickly in the NS release.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 NoScript/1.9.1.7 FlashGot/1.1.8.5 FirePHP/0.2.4