HTTPS forbid active web content

Posted: Fri Mar 20, 2009 12:09 pm
by mik33mik
I have tested the new feature:
HTTPS forced on background requests (images, stylesheets,
scripts, embeddings, AJAX...)


with the PoC images, scripts, stylesheets on this site:
http://crypto.stanford.edu/websec/safelock/

but it doesn't work. Web content from http isn't blocked.
Why?

Thanks in advance

Re: HTTPS forbid active web content

Posted: Fri Mar 20, 2009 1:17 pm
by Giorgio Maone
"HTTPS forced on background requests" applies to destinations matching the NoScript Options|Advanced|HTTPS|Behavior|Force HTTPS patterns.

Re: HTTPS forbid active web content

Posted: Fri Mar 20, 2009 2:40 pm
by mik33mik
Ok, Thanks!

I have put these URLs:

https://crypto.stanford.edu/~collinj/research/mixed-content/images
https://crypto.stanford.edu/~collinj/research/mixed-content/stylesheets
https://crypto.stanford.edu/~collinj/research/mixed-content/scripts

in the HTTPS field, but the image

http://crypto.stanford.edu/~collinj/research/mixed-content/images/globe.png


the script and the CSS aren't blocked (like in Internet Explorer).

With the CSS test I obtain only a warning about an encrypted page that contains unencrypted information, but the CSS is loaded, and the lock icon is broken.

How can I block this behavior?

Re: HTTPS forbid active web content

Posted: Fri Mar 20, 2009 2:52 pm
by Giorgio Maone
Please just use either
  • crypto.stanford.edu (domain) or
  • crypto.stanford.edu/~collinj/research/mixed-content/* (glob pattern) or
  • ^http://crypto\.stanford\.edu/~collinj/research/mixed-content/(?:images|stylesheets|scripts) (regular expression).

The entries you put there couldn't work because
  1. They're matching the https:// requests, but not the http:// ones (which are the ones we want to force)
  2. They're treated as literals, rather than patterns, and therefore would match the directories only

Re: HTTPS forbid active web content

Posted: Fri Mar 20, 2009 3:18 pm
by mik33mik
Thanks! Now works with glob pattern or regular expression.

Another question, in the Stylesheets test, shouldn't the background color be white? Why is it blue?

Re: HTTPS forbid active web content

Posted: Fri Mar 20, 2009 3:30 pm
by Giorgio Maone
mik33mik wrote: Thanks! Now works with glob pattern or regular expression.

Another question, in the Stylesheets test, shouldn't the background color be white? Why is it blue?

No. Whenever possible, NoScript turns the request from HTTP into HTTPS, instead of blocking it: since the same stylesheet is served from https://crypto.stanford.edu/%7Ecollinj/research/mixed-content/stylesheets/style.css, you got a "secured" blue over SSL ;)
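The pattern rules Giorgio gives two posts up (a bare domain, a glob, or a regular expression matched against the http:// request, with anything else treated as a literal) and the rewrite-rather-than-block behaviour he describes here, modelled as an added JavaScript example. This is not NoScript's own code: the dispatch on pattern shape, the literal comparison, and the function names `patternMatches` and `forceHttps` are assumptions made for illustration; the URLs and list entries are the ones from the thread.

```javascript
// Added illustration, not NoScript's implementation. Assumed rules:
//  - a pattern starting with "^" is a regular expression tested against the full URL;
//  - a pattern containing "*" is a glob tested against host + path;
//  - a pattern with no "/" is a domain tested against the hostname (and its subdomains);
//  - anything else is a literal compared with the whole URL, which is why the
//    https://... directory entries from the thread never match a request for a file.

function globToRegExp(glob) {
  // Escape regex metacharacters first, then let "*" stand for any run of characters.
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function patternMatches(pattern, url) {
  const u = new URL(url);
  if (pattern.startsWith("^")) return new RegExp(pattern).test(u.href);
  if (pattern.includes("*")) return globToRegExp(pattern).test(u.host + u.pathname);
  if (!pattern.includes("/")) {
    return u.hostname === pattern || u.hostname.endsWith("." + pattern);
  }
  // Literal entry: scheme, host and path must all be identical.
  return u.protocol + "//" + u.host + u.pathname === pattern;
}

// Returns the URL the request should go to: the https: form when an http:
// request matches a Force-HTTPS pattern, otherwise the URL unchanged.
// The request is rewritten, not blocked, which is why the stylesheet test
// still paints its "secured" blue background.
function forceHttps(patterns, url) {
  const u = new URL(url);
  if (u.protocol !== "http:") return u.href; // already https: (or another scheme)
  if (!patterns.some((p) => patternMatches(p, u.href))) return u.href;
  u.protocol = "https:";
  return u.href;
}

// Constructed inputs, taken from the thread.
const LITERAL_ENTRIES = [
  "https://crypto.stanford.edu/~collinj/research/mixed-content/images",
  "https://crypto.stanford.edu/~collinj/research/mixed-content/stylesheets",
  "https://crypto.stanford.edu/~collinj/research/mixed-content/scripts",
];
const WORKING_ENTRIES = [
  "crypto.stanford.edu",
  "crypto.stanford.edu/~collinj/research/mixed-content/*",
  "^http://crypto\\.stanford\\.edu/~collinj/research/mixed-content/(?:images|stylesheets|scripts)",
];
const GLOBE = "http://crypto.stanford.edu/~collinj/research/mixed-content/images/globe.png";

function demo() {
  return {
    literal: forceHttps(LITERAL_ENTRIES, GLOBE), // unchanged: the literals never match
    domain: forceHttps([WORKING_ENTRIES[0]], GLOBE),
    glob: forceHttps([WORKING_ENTRIES[1]], GLOBE),
    regex: forceHttps([WORKING_ENTRIES[2]], GLOBE),
  };
}

console.log(demo());
```

Running it shows the literal list leaving the image request on http:// (the scheme differs and the pattern names only the directory), while each of the three suggested forms rewrites the same request to https://.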

Re: HTTPS forbid active web content

Posted: Fri Mar 20, 2009 4:31 pm
by mik33mik
Thanks!

Grazie ;)

RequestPolicy interference!

Posted: Fri Mar 20, 2009 5:43 pm
by Aerik
Whoa. Whoa, whoa, whoa whoa. Whoa. Whoa. OK.

I was going to post about this conflict in a new thread, but it seems to apply here.

There are many cases in which NoScript's force-HTTPS and RequestPolicy 0.5.3 in its strict address mode clash.

When I am on a page where I should have NoScript forcing a secure connection, RequestPolicy is blocking that redirect/refresh.

For example, in this safelock test for stylesheets, I have to

"temporarily allow requests from https://crypto.stanford.edu... to http://crypto.stanford.edu..." just for NoScript to be able to reconfigure the stylesheet's location into HTTPS, and only then can I see the blue background.

In short, RequestPolicy's 3rd mode completely preempts NoScript's force-HTTPS feature.

Re: RequestPolicy interference!

Posted: Fri Mar 20, 2009 5:53 pm
by Giorgio Maone
Aerik wrote: In short, RequestPolicy's 3rd mode completely preempts NoScript's force-HTTPS feature.

No surprise here.
NoScript's policy runs as the last one by design (in order to gain some predictability in its interaction with other Content Policies, such as AdBlock Plus and RequestPolicy), so RequestPolicy detects a cross-site request before it is turned into a same-site request by NoScript.
I guess you must live with that and/or configure site-by-site exceptions when it's needed.
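The ordering problem Giorgio describes, as an added JavaScript model (not code from Firefox, NoScript or RequestPolicy): a chain of content policies runs in a fixed order, and a policy that rejects cross-site requests sees the original http:// URL before a later policy can rewrite it. The policy names, the `runPolicies` driver, the verdict objects, and the strict-origin comparison used to stand in for RequestPolicy's strict address mode are all assumptions.

```javascript
// Added model of content-policy chaining; not the real Firefox content-policy
// API and not the code of NoScript or RequestPolicy. A request is an object
// { origin, url }; each policy returns one of
//   { action: "accept" }, { action: "reject", reason }, { action: "rewrite", url }.

// Assumed stand-in for RequestPolicy's strict address mode: a destination whose
// origin (scheme + host + port) differs from the requesting page is cross-site,
// so https://host -> http://host counts as cross-site even though the host is the same.
function strictOriginPolicy(req) {
  const from = new URL(req.origin).origin;
  const to = new URL(req.url).origin;
  if (from !== to) return { action: "reject", reason: `cross-site: ${from} -> ${to}` };
  return { action: "accept" };
}

// Assumed stand-in for NoScript's Force HTTPS on a list of hosts: turn the http:
// request into https: instead of blocking it.
function makeForceHttpsPolicy(forcedHosts) {
  return (req) => {
    const u = new URL(req.url);
    if (u.protocol === "http:" && forcedHosts.includes(u.hostname)) {
      u.protocol = "https:";
      return { action: "rewrite", url: u.href };
    }
    return { action: "accept" };
  };
}

// Runs the policies in array order. A rewrite is visible only to the policies
// that come after it; a reject stops the chain immediately.
function runPolicies(policies, req) {
  let current = { origin: req.origin, url: req.url };
  const trace = [];
  for (const [name, policy] of policies) {
    const verdict = policy(current);
    trace.push(`${name}: ${verdict.action}`);
    if (verdict.action === "reject") return { allowed: false, url: current.url, trace };
    if (verdict.action === "rewrite") current = { origin: current.origin, url: verdict.url };
  }
  return { allowed: true, url: current.url, trace };
}

// Constructed scenario from the thread: an https: page pulls an http: stylesheet
// from the same host.
const REQUEST = {
  origin: "https://crypto.stanford.edu/~collinj/research/mixed-content/stylesheets/",
  url: "http://crypto.stanford.edu/~collinj/research/mixed-content/stylesheets/style.css",
};
const noscriptForceHttps = makeForceHttpsPolicy(["crypto.stanford.edu"]);

function demo() {
  return {
    // NoScript last, the order the thread describes: RequestPolicy rejects first.
    noscriptLast: runPolicies(
      [["RequestPolicy", strictOriginPolicy], ["NoScript", noscriptForceHttps]],
      REQUEST
    ),
    // NoScript first, the order Aerik asks about: the rewrite lands before the check.
    noscriptFirst: runPolicies(
      [["NoScript", noscriptForceHttps], ["RequestPolicy", strictOriginPolicy]],
      REQUEST
    ),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The trace of the first run stops at "RequestPolicy: reject" with the URL still on http://; the second run shows "NoScript: rewrite" followed by "RequestPolicy: accept", and the stylesheet is fetched over https://. Only the position in the chain differs between the two runs.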

Re: HTTPS forbid active web content

Posted: Fri Mar 20, 2009 6:44 pm
by Aerik
Oh yeah, the last content policy rule, I forgot about that. Hmm. Would this kind of thing go better with ABE?

And with or without ABE, do you see any version in the future that employs the force https feature as first-policy and everything else last?

Re: HTTPS forbid active web content

Posted: Thu Apr 09, 2009 1:48 am
by GµårÐïåñ
I know this has been a while, but Giorgio do you know of an easy way to create or specify action order. Say you have 4 extensions and you want them to exert authority in a certain order rather than the defaults built-in, is there a gui or non-gui way to modify this order? Almost like tab order in a form gui but for policy processing instead. This way a person can choose which order they want it and can say choose to have NoScript go first or etc. In the meantime until future developments are completed and RequestPolicy and stuff is updated to maybe allow it by options, can this order be modified manually to override?