XSS examples not blocked by Noscript?

Ask for help about NoScript, no registration needed to post
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: XSS examples not blocked by Noscript?

Post by al_9x » Sun Oct 23, 2011 5:26 am

Giorgio Maone wrote: Please check latest development build 2.1.8rc1

  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs
  4. logs when script domain is not whitelisted
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: XSS examples not blocked by Noscript?

Post by tlu » Sun Oct 23, 2011 11:07 am

Giorgio Maone wrote: Please check latest development build 2.1.8rc1

Thanks again! Those examples are indeed successfully blocked! (Somehow I was pretty sure that you would come up with a solution - you're really incredible :D )
Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

saywot
Junior Member
Posts: 20
Joined: Wed Aug 03, 2011 4:36 am

Re: XSS examples not blocked by Noscript?

Post by saywot » Tue Oct 25, 2011 4:46 pm

Giorgio Maone wrote: Please check latest development build 2.1.8rc1

Confirmed. After AMO caught up with the version ;-)
NS AMO Beta channel subscription.
Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

Giorgio Maone
Site Admin
Posts: 8715
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS examples not blocked by Noscript?

Post by Giorgio Maone » Thu Oct 27, 2011 11:04 am

al_9x wrote:
  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs

Done/fixed in latest development build 2.1.8rc2

al_9x wrote: 4. logs when script domain is not whitelisted

By design. You may want to know in advance if a site wants to engage in potentially hostile activities.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: XSS examples not blocked by Noscript?

Post by al_9x » Thu Oct 27, 2011 10:30 pm

Giorgio Maone wrote:
al_9x wrote:
  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs

Done/fixed in latest development build 2.1.8rc2

This may not be very important, but I noticed in at least a couple of places (rapidFireCheck, checkInclusions) that you check the pref at the last minute having done all the preparatory work for the feature in question. In general, I think it's a good idea for a toggle pref to completely bypass the codepath of the functionality it disables, since that could be the reason for and the benefit of disabling it.
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0

Giorgio Maone
Site Admin
Posts: 8715
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS examples not blocked by Noscript?

Post by Giorgio Maone » Thu Oct 27, 2011 10:38 pm

al_9x wrote: I think it's a good idea for a toggle pref to completely bypass the codepath of the functionality it disables, since that could be the reason for and the benefit of disabling it.

It's an optimization for the common case, since preference access (through XPCOM) is relatively expensive and these features are very unlikely to be turned off (hence it makes little sense to observe & cache yet another pref value).
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
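The two posts above describe a real tradeoff: reading a preference on every call costs a trip through XPCOM, so a check that does its preparatory work first and consults the pref last reads the pref once per call and wastes the work when the feature is off, while observing the pref and caching its value lets the disabled codepath be skipped entirely at the price of one more observer. The following is an added illustration of that tradeoff, not NoScript's code: the preference branch, observer API, pref name (noscript.hypothetical.check) and the `analyze` inspection are all stand-ins constructed for this example, and the read counter simulates the expense Giorgio mentions.

```javascript
// Added example (not NoScript's own code). Contrasts a last-minute pref check
// with an observed, cached pref that bypasses the feature's codepath.

const PREF = "noscript.hypothetical.check"; // hypothetical pref name

// Stand-in for an XPCOM-style preference branch. Every getBoolPref() call is
// counted to represent the relatively expensive cross-boundary pref access.
class FakePrefBranch {
  constructor(values) {
    this.values = { ...values };
    this.observers = new Map(); // prefName -> Set of callbacks
    this.reads = 0;
  }
  getBoolPref(name) {
    this.reads++;
    return this.values[name];
  }
  setBoolPref(name, value) {
    this.values[name] = value;
    for (const cb of this.observers.get(name) || []) cb(name, value);
  }
  addObserver(name, cb) {
    if (!this.observers.has(name)) this.observers.set(name, new Set());
    this.observers.get(name).add(cb);
  }
}

// Constructed stand-in for the real inspection: flag URLs whose query string
// contains a script tag marker. Not NoScript's detection logic.
function analyze(url) {
  const q = url.split("?")[1] || "";
  let decoded = q;
  try { decoded = decodeURIComponent(q); } catch (_e) { /* keep raw on bad encoding */ }
  return { url, suspicious: /<script/i.test(decoded) };
}

// Style 1 (what al_9x describes): do the preparatory work, then consult the
// pref at the last moment. The pref is read on every call and the analysis
// runs even when the feature is disabled.
function lateCheck(prefs, candidates) {
  const prepared = candidates.map(analyze);          // work happens first
  if (!prefs.getBoolPref(PREF)) return [];            // pref read every call
  return prepared.filter(r => r.suspicious).map(r => r.url);
}

// Style 2 (the alternative Giorgio weighs): read the pref once, keep the value
// current through an observer, and bail out before any work when disabled.
function makeCachedCheck(prefs) {
  let enabled = prefs.getBoolPref(PREF);              // single read at setup
  prefs.addObserver(PREF, (_name, value) => { enabled = value; });
  return function cachedCheck(candidates) {
    if (!enabled) return [];                          // codepath bypassed
    return candidates.map(analyze).filter(r => r.suspicious).map(r => r.url);
  };
}

// Run both styles `calls` times and report how many pref reads each needed.
function compareReadCounts(calls) {
  const urls = [
    "http://example.test/?q=hello",
    "http://example.test/?q=%3Cscript%3E",
  ];
  const late = new FakePrefBranch({ [PREF]: true });
  for (let i = 0; i < calls; i++) lateCheck(late, urls);
  const cached = new FakePrefBranch({ [PREF]: true });
  const check = makeCachedCheck(cached);
  for (let i = 0; i < calls; i++) check(urls);
  return { lateReads: late.reads, cachedReads: cached.reads };
}

console.log(compareReadCounts(1000)); // { lateReads: 1000, cachedReads: 1 }
```

Which style wins depends on how often the check runs relative to how often the pref changes: for a feature that is almost never turned off, the cached version saves nothing in practice and adds an observer to maintain, which is the trade Giorgio describes; for a hot path it removes a pref read per call and skips the analysis entirely when disabled.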
