NoScript features

Ask for help about NoScript, no registration needed to post
XxMayhemxx

Post by XxMayhemxx »

I wish we could get more info about any of the scripts... like a malicious script database or something... so we can identify bad ones.

Is about:blank a malicious script? Cuz I had a Microsoft Explorer about:blank browser hijack in the past...
Are bidsystem.com, slashkey.com, or cubics.com malicious scripts???
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: NoScript features

Post by Alan Baxter »

XxMayhemxx wrote: is about:blank a malicious script?

No. That's why it's whitelisted by default.

XxMayhemxx wrote: Are bidsystem.com, slashkey.com, or cubics.com malicious scripts???

I don't know. That's the beauty of NoScript. It doesn't rely on protecting us from known bad sites. A malicious script database would be huge, incomplete, always obsolete, and not include good, non-malicious sites that have been compromised. Please read the NOSCRIPT QUICK START GUIDE FOR BEGINNERS sticky at the top of the Support forum.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: NoScript features

Post by GµårÐïåñ »

I believe that by the time ABE is completed, it will provide something to this effect but not sure exactly in what incarnation.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 AdblockPlus/1.0.1 NoScript/1.9.1.91 RequestPolicy/0.5.4 FirePHP/0.2.4
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript features

Post by Tom T. »

@ XxMayhemxx: My personal policy is to deny, or rather, leave denied, *everything*, except that which is absolutely necessary for the specific function you want (even if the rest of the page stays broken). Then, and only then, is there a decision about whether those particular items are trustworthy. Cuts the decision-making tremendously, by cutting the universe of scripts etc. tremendously.

Everyone's usage and system are different. This is a personal opinion and does not represent the forum, developer, or product, and conveys no rights or warranties.

@ GµårÐïåñ: Giorgio himself would be the one to answer that, but from the announcement:
Many of the threats NoScript is currently capable of handling, such as XSS, CSRF or ClickJacking, have one common evil root: lack of proper isolation at the web application level. Since the web has not been originally conceived as an application platform, it misses some key features required for ensuring application security. Actually, it cannot even define what a “web application” is, or declare its boundaries especially if they span across multiple domains, a scenario becoming more common and common in these “mashups” and “social media” days.

The idea behind the Application Boundaries Enforcer (ABE) module is hardening the web application oriented protections already provided by NoScript, by developing a firewall-like component running inside the browser. It will be specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g. webmail, online banking and so on), according to policies defined either by the user himself, or by the web developer/administrator, or by a trusted 3rd party.

Rules for the most popular web applications will be made downloadable and/or available via automatic updates for opt-in subscribers, and UI front-ends will be provided to edit them manually or through a transparent auto-learning process, while browsing. Additionally, web developers or administrator will be able to declare policies for their own web applications: ABE will honor them, unless they conflict with more restrictive user-defined rules.

Sounds like you could ask a trusted third party to provide *rules*, but that still doesn't tell you anything about the particular script/object itself. Rules aren't a database of individuals, and as Alan pointed out, the number of executable objects out there changes by the thousands every second. But yes, ABE might assist the OP and others who wish to use the opt-in subscription or implement rules of a third party that they trust.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
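
The boundary-rule idea in the announcement quoted in the post above, as an added example that is not part of the thread and is not ABE's code or rule syntax. It is a toy model in which each rule names a guarded application and the origins allowed to send requests into it, and a site-declared rule is honored unless a user rule is more restrictive; the rule shape, function names and `*.example` hosts are assumptions.

```javascript
// Toy model of the boundary rules described in the quoted announcement.
// Not ABE's code or rule syntax: rule shape, function names and the
// *.example hosts below are assumptions made for this illustration.

// True when host is the pattern itself or a subdomain of it.
// "evilbank.example" must not match "bank.example", hence the dot check.
function hostMatches(host, pattern) {
  return host === pattern || host.endsWith("." + pattern);
}

// Decide whether a request may cross into a guarded application.
// Every rule that covers the target must allow the origin, so a
// site-declared rule is honored but can never loosen a stricter user rule.
function decide(request, userRules, siteRules) {
  const origin = new URL(request.origin).hostname;
  const target = new URL(request.target).hostname;
  const applicable = [...userRules, ...siteRules].filter((r) =>
    hostMatches(target, r.site)
  );
  if (applicable.length === 0) return "no-rule"; // target is not guarded
  const allowed = applicable.every((r) =>
    r.allowFrom.some((p) => hostMatches(origin, p))
  );
  return allowed ? "accept" : "deny";
}

// Constructed sample policies.
const userRules = [{ site: "bank.example", allowFrom: ["bank.example"] }];
const siteRules = [
  { site: "bank.example", allowFrom: ["bank.example", "partner.example"] },
  { site: "mail.example", allowFrom: ["mail.example", "cdn.example"] },
];

// Constructed sample requests: [origin page, request target].
const samples = [
  ["https://www.bank.example/home", "https://bank.example/transfer"],
  ["https://partner.example/promo", "https://bank.example/transfer"],
  ["https://evilbank.example/", "https://bank.example/transfer"],
  ["https://cdn.example/widget", "https://mail.example/inbox"],
  ["https://forum.example/t/1", "https://news.example/"],
];

function runSamples() {
  return samples.map(([origin, target]) =>
    decide({ origin, target }, userRules, siteRules)
  );
}

console.log(runSamples());
```

The decision depends only on where a request comes from and where it goes, so the model needs no list of known-bad scripts, which is the distinction between rules and a database drawn in the post above.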
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: NoScript features

Post by GµårÐïåñ »

Yes, I have spoken to him in the past, and that's why I said not sure in what incarnation, because it's a work in progress.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 AdblockPlus/1.0.1 NoScript/1.9.1.91 RequestPolicy/0.5.4 FirePHP/0.2.4