NoScript vulnerability: ctrl-T inadvertently allows sites!
For some time I've been noticing that sites had been added to the whitelist without me doing it. Today I finally figured it out. Control-T is a keyboard shortcut that I use all the time to open a new tab in Firefox. Problem is, if the Noscript submenu is open, it interprets Control-T to mean allow the current website!! This is very unfortunate, as it's something that I bet has happened to many of us, without realising, resulting in a major and irreversible vulnerability. Is there a way to disable the keyboard shortcuts in Noscript? Or can you remove Ctrl-T in the next upgrade? Thanks for any help!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.22) Gecko/20110902 Firefox/3.6.22 (.NET CLR 3.5.30729)
Re: NoScript vulnerability: ctrl-T inadvertently allows site
True.
Though I would think it not a typical or easy action to perform?
The site is only Temporarily Allowed.
3.11 Q: One of the NoScript keyboard shortcuts overrides a shortcut used by another important extension of mine (e.g. Web Developer). What can I do?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20110905 Firefox/7.0 SeaMonkey/2.4
Re: NoScript vulnerability: ctrl-T inadvertently allows site
Peter, a fan of NoScript wrote:
> For some time I've been noticing that sites had been added to the whitelist without me doing it. Today I finally figured it out. Control-T is a keyboard shortcut that I use all the time to open a new tab in Firefox. Problem is, if the Noscript submenu is open, it interprets Control-T to mean allow the current website!! This is very unfortunate, as it's something that I bet has happened to many of us, without realising, resulting in a major and irreversible vulnerability. Is there a way to disable the keyboard shortcuts in Noscript? Or can you remove Ctrl-T in the next upgrade? Thanks for any help!

Actually, it's worse than you think: the Control key isn't even necessary: just pressing the "T" is sufficient. This isn't one of the keyboard shortcuts that therube is referencing in his response. His suggestion doesn't seem to address the problem. If you look carefully, you can see that it's caused by the keyboard accelerators underlined in the NoScript menu (just like any popup context menu, by the way). In fact, if you inadvertently pressed "A" or "M" while the right NoScript menu is popped up, you can cause sites to be permanently whitelisted. Sorry, but I don't know how you can disable that.
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Re: NoScript vulnerability: ctrl-T inadvertently allows site
Welcome to the world of unintended keyboard acceleration effects
Interesting definition of major vulnerability. Permanent whitelisting of a current top-level site that is presumably going to be revisited (because having it in the whitelist isn't going to be a problem if it's never revisited...unless it's a site that other sites invite to run third-party scripts) is kind of not high on my own definition list of vulnerabilities - else I would mostly be whitelisting a top level site I was regularly revisiting - for functionality - or toggling Temporarily Allow at each visit - at which point I would straight away discover the inadvertent Permanent Allow. The alternative of having a regularly visited site running scripts without a user's knowledge? Not in my opinion a "major" vulnerability - more an inconvenience because scripts take resources.
I'd be interested to find out how the original poster discovered the unintended additions to the permanent whitelist if not in the course of the usual alert NS user's activities.
Nothing above is to dispute the original poster's own findings, but I'd be very interested to see examples of their unintended vulnerable whitelistings.
This user had the devil's own fun getting used to the extra keyboard accelerators in .NET applications. Dismissing windows holding focus, sudden changes of font etc etc. Fun and games until the clashes were worked out.
NS AMO Beta channel subscription.
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Re: NoScript vulnerability: ctrl-T inadvertently allows site
> just pressing the "T" is sufficient ...
You're right. Neat.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20110910 Firefox/7.0 SeaMonkey/2.4
Re: NoScript vulnerability: ctrl-T inadvertently allows site
Peter, a fan of NoScript wrote:
> Problem is, if the Noscript submenu is open...

Just curious, how would the NoScript menu inadvertently be open? Perhaps try disabling the following on the General tab of NoScript Options.
Open permissions menu when mouse hovers over NoScript's icon
Peter, a fan of NoScript wrote:
> Is there a way to disable the keyboard shortcuts in Noscript?

Yes, there is. Remove the string values for the following preferences in about:config.
noscript.keys.toggle
noscript.keys.ui
Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
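Added example, not part of any post in this thread and not NoScript's own code: a small audit of a profile's prefs.js that shows whether the shortcut preferences named above have been cleared and which whitelist entries are new compared with a list you have reviewed, which is one way to spot the unintended additions discussed earlier. The whitelist preference name and the sample file content are assumptions made for this example.

```python
import re

# Matches one prefs.js line of the form: user_pref("name", value);
PREF_RE = re.compile(r'^user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')

# Assumption: legacy NoScript keeps its permanent whitelist in this preference.
WHITELIST_PREF = "capability.policy.maonoscript.sites"
# Shortcut preferences named in the thread.
KEY_PREFS = ("noscript.keys.toggle", "noscript.keys.ui",
             "noscript.keys.tempAllowPage")


def parse_prefs(text):
    """Return {name: value} for the string-valued user_pref() lines."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
    return prefs


def shortcut_status(prefs):
    """'cleared' = set to empty, 'default' = not overridden, else the binding."""
    status = {}
    for name in KEY_PREFS:
        if name not in prefs:
            status[name] = "default"
        else:
            status[name] = prefs[name] or "cleared"
    return status


def whitelist_additions(prefs, baseline):
    """Sites in the current whitelist that are absent from a reviewed baseline."""
    current = set(prefs.get(WHITELIST_PREF, "").split())
    return sorted(current - set(baseline))


# Constructed sample prefs.js content, not taken from a real profile.
SAMPLE = '''\
user_pref("browser.startup.page", 3);
user_pref("capability.policy.maonoscript.sites", "example.org example.net typo-site.example");
user_pref("noscript.keys.toggle", "");
user_pref("noscript.keys.ui", "ctrl shift S");
'''
```

A preference reported as "default" is not overridden in prefs.js, so whatever binding the extension ships with still applies.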
Re: NoScript vulnerability: ctrl-T inadvertently allows site
therube wrote:
> > just pressing the "T" is sufficient ...
>
> You're right. Neat.

Weird, doesn't seem to work for me. Pressing T or Ctrl+T only causes it to highlight the "Temporarily allow" option but doesn't actually select it until I press Enter.
Mozilla/5.0 (Windows NT 6.0; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Re: NoScript vulnerability: ctrl-T inadvertently allows site
Guest wrote:
> Pressing T or Ctrl+T only causes it to highlight the "Temporarily allow" option but doesn't actually select it until I press Enter.

This functionality was removed with v 2.1.3rc4 because it was deemed problematic for some reason.
I have the following post requesting this feature (menu accelerator) be added back.
"(Temporarily) Allow all on this page" access keys
Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Re: NoScript vulnerability: ctrl-T inadvertently allows site
Darn. So this is why keyboard shortcuts are missing from this version of NS? That is most unfortunate. I reassigned the shortcut combo to open the menu using Ctrl+Shift+S, because I have limited mobility in my arms and hands, using the mouse alone is very limiting. When I used the Ease of Access Sticky Keys feature where I can press each key of the combo one at a time, and the arrow keys, it works so much better for me.
I'm sorry for the Ctrl+T guy but I hope the NS brainiacs will reconsider and put the feature back in the Options. Perhaps just not allow that combo. Thanks so much. I'm a long, long time fan and think NS is amazing and I really hope Mozilla is kicking NS some big donations.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Re: NoScript vulnerability: ctrl-T inadvertently allows site
@ Keyboardist: if
https://noscript.net/faq#qa3_11
about:config -> noscript.keys.tempAllowPage
isn't the feature you would like, can you please explain in more detail what exactly you would like a NoScript keyboard shortcut for? Thanks.
*Always* check the changelogs BEFORE updating that important software!