[Fixed] 11.2.4rc1 DoS's some sites

barbaz
Senior Member
Posts: 9870
Joined: Sat Aug 03, 2013 5:45 pm

Post by barbaz » Mon Mar 15, 2021 12:55 am

Trying to visit e.g. https://web.archive.org/web/20160115151 ... uthor/John with NoScript 11.2.4rc1 spams so many requests to archive.org that they temporarily banned my IP. These requests are to their archived versions of twemoji.maxcdn.com SVGs.

These requests do not happen with NoScript 11.2.3.

How to stop this?

EDIT Downgrading to 11.2.3 has made *all* my browsing MUCH faster. I suspect this is not the only site that 11.2.4rc1 is DoSing.
*Always* check the changelogs BEFORE updating that important software!

skriptimaahinen
Senior Member
Posts: 220
Joined: Wed Jan 10, 2018 7:37 am

Re: 11.2.4rc1 DoS's some sites

Post by skriptimaahinen » Mon Mar 15, 2021 8:26 am

Get the same problem. Though, there are lots of pages where I see no prefetching even when I would expect it. Are all CSS resources supposed to be prefetched or what are the conditions?
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Giorgio Maone
Site Admin
Posts: 9063
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: 11.2.4rc1 DoS's some sites

Post by Giorgio Maone » Mon Mar 15, 2021 10:56 am

  1. It's supposed to fetch all the resources referenced by all the stylesheets in the page at once (causing this problem in situations when the resources are many more than those actually supposed to be used by the site): the workaround is prefetching just one for each subdomain, the way I had originally implemented but discarded in RC1, hoping to avoid this "odd" behavior which can reveal to site owners that you're using NoScript. On the other hand, there are plenty of ways to tell already, so I'm reverting to my first idea.
  2. The missing resources are from cross-site stylesheets, which cannot be easily parsed because of security restrictions. I'm working around this as well, by limiting this mitigation to scriptless pages only (where it makes sense, because JavaScript is much easier and more accurate at doing the same job) and overriding CORS there for stylesheets, which anyway then could be accessed only by privileged code such as NoScript.
I'm on both the issues, hoping to release RC2 in a few hours.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
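
The two prefetch plans discussed in the post above, compared on one stylesheet. This is an added example, not NoScript's code and not part of the original thread: the function names, the sample hosts and the hostname comparison standing in for "cross-site" are assumptions, and the scriptless-page condition is not modelled.

```javascript
// Added illustration, not NoScript's source; all function names are hypothetical.

// Collect url(...) references from CSS text, resolved against the stylesheet URL.
function cssResourceUrls(cssText, sheetUrl) {
  const urls = [];
  const re = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;
  for (const m of cssText.matchAll(re)) {
    const ref = m[1] ?? m[2] ?? m[3];
    if (!ref || ref.startsWith("data:")) continue; // inline data triggers no request
    try { urls.push(new URL(ref, sheetUrl)); } catch { /* skip unparsable reference */ }
  }
  return urls;
}

// RC1-style plan: request every resource referenced by every stylesheet.
function planAll(sheets) {
  return sheets.flatMap(s => cssResourceUrls(s.text, s.url).map(u => u.href));
}

// RC2-style plan: only resources on other hosts, and only the first one per host.
// Assumption: "cross-site" is approximated by comparing hostnames.
function planOnePerHost(pageUrl, sheets) {
  const pageHost = new URL(pageUrl).hostname;
  const firstPerHost = new Map();
  for (const s of sheets) {
    for (const u of cssResourceUrls(s.text, s.url)) {
      if (u.protocol !== "http:" && u.protocol !== "https:") continue;
      if (u.hostname === pageHost) continue;
      if (!firstPerHost.has(u.hostname)) firstPerHost.set(u.hostname, u.href);
    }
  }
  return [...firstPerHost.values()];
}

// Constructed sample: one stylesheet referencing 300 emoji SVGs on a single CDN host,
// a same-host logo and a font on a second host.
function sampleSheets() {
  const emoji = Array.from({ length: 300 }, (_, i) =>
    `.e${i}{background:url("https://cdn.example.net/svg/${i}.svg")}`).join("\n");
  const rest = ".logo{background:url(/img/logo.png)}\n" +
    "@font-face{src:url('https://fonts.example.com/a.woff2')}";
  return [{ url: "https://site.example.org/css/main.css", text: emoji + "\n" + rest }];
}

const sheets = sampleSheets();
console.log("all resources:", planAll(sheets).length);
console.log("one per host:", planOnePerHost("https://site.example.org/post", sheets));
```
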

Giorgio Maone
Site Admin
Posts: 9063
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: 11.2.4rc1 DoS's some sites

Post by Giorgio Maone » Tue Mar 16, 2021 12:28 am

Please check [ldb], thanks.
v 11.2.4rc2
============================================================
x [nscl] Switch to NSCL for messaging
x [nscl] Rollback unneded window.opener patching (thanks
skriptimaahinen for insight)
x CSS PP0 mitigation: cross-site stylesheets on scriptless
pages, one resource per host
x Limit CSS PP0 mitigation to scriptless pages and prefetch
only cross-site resources
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0

barbaz
Senior Member
Posts: 9870
Joined: Sat Aug 03, 2013 5:45 pm

Re: 11.2.4rc1 DoS's some sites

Post by barbaz » Tue Mar 16, 2021 1:25 am

Fixed in 11.2.4rc2, thanks