inclusionTypeChecking pref seems to have no effect

Bug reports and enhancement requests
Post Reply
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

inclusionTypeChecking pref seems to have no effect

Post by al_9x » Mon Jun 21, 2010 6:14 am

Verizon wireless homepage, when flash is blocked, attempts to replace the flash navigation header with javascript but is blocked by NS.

Code: Select all

[NoScript] Blocking cross site Javascript served from https://scache.vzw.com/globalnav/globalnavmenu.txt with wrong type info text/plain and included by http://www.verizonwireless.com/b2c/index.html


  1. Is this described in detail somewhere?
  2. noscript.inclusionTypeChecking = false has no effect
  3. what is noscript.inclusionTypeChecking.checkDynamic for
  4. noscript.inclusionTypeChecking.exceptions works
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

User avatar
Giorgio Maone
Site Admin
Posts: 8659
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: inclusionTypeChecking pref seems to have no effect

Post by Giorgio Maone » Mon Jun 21, 2010 9:25 am

al_9x wrote:Is this described in detail somewhere?

http://noscript.net/changelog#1.9.6.5
al_9x wrote:noscript.inclusionTypeChecking = false has no effect

Fixed, thanks
al_9x wrote:what is noscript.inclusionTypeChecking.checkDynamic

Enables/disables check for URLs which appear to be server-side scripts (i.e. "application/unknown" or textual content type).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: inclusionTypeChecking pref seems to have no effect

Post by al_9x » Mon Jun 21, 2010 3:13 pm

Giorgio Maone wrote:
al_9x wrote:Is this described in detail somewhere?

http://noscript.net/changelog#1.9.6.5

Yes, I saw that, but I am looking for a detailed description of the attack scenario this protects against.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

User avatar
Giorgio Maone
Site Admin
Posts: 8659
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: inclusionTypeChecking pref seems to have no effect

Post by Giorgio Maone » Mon Jun 21, 2010 3:42 pm

al_9x wrote:Yes, I saw that, but I am looking for a detailed description of the attack scenario this protects against.

Trusted site allows public uploads of some kinds of files (usually text, images, PDF documents and so on), but not JS/CSS/HTML for obvious security reasons (some Google properties do, for instance).
An attacker manages to inject a short HTML fragment in another trusted site, like

Code: Select all

<script src="http://trusted_uploads.com/some_upload.txt"></script>

where some_upload.txt is a file he previously uploaded to the public, popular and trusted by many trusted_uploads.com web site.
The upload had been allowed by the site because it was of the "innocuous" txt type (and it's served with the proper text/plain content type, which makes everybody feel safe), but in reality it contains a malicious script which now is much more likely to run than if it was sourced by an obscure and temporary Chinese domain. The inclusionType checks will prevent it from running anyway.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Post Reply