NoScript Sightings

General discussion about the NoScript extension for Firefox
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript Sightings

Post by Tom T. »

Thrawn wrote:Several people may be interested/amused by the fact that the author suggests it as a replacement for Adblock Plus.
I'm not amused at all. Been doing that for years. :D

I used the original AdBlock, which was totally self-contained and had easy ways to add things to your blocklist from a context menu, on Fx 2. But they chose not to extend support to Fx 3.

I found that with NS and RequestPolicy, plus Fx's own internal image-blocking, I've had no need for ABP. IMHO. YMMV.
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript Sightings

Post by Giorgio Maone »

ClearClick on track to be standardized by the W3C as a built-in browser anti-Clickjacking protection:
[webappsec] Summary of anticlickjacking proposals, May 3 2012
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript Sightings

Post by Tom T. »

Giorgio Maone wrote:ClearClick on track to be standardized by the W3C as a built-in browser anti-Clickjacking protection:
[webappsec] Summary of anticlickjacking proposals, May 3 2012
Awesome. Congrats on having your baby become the role model. :ugeek: :D

IMHO, much of what's there is a bit TMI for non-tech users, and I'm a bit squeamish about
...implementing user-agents to also collect telemetry data on all sites, not only those that opt-in.
-- privacy issue.
It should initially be opt-in by resource owners.
IIUC, any site that gets reported merely opts out on the server side (still wouldn't pass NS CC, right?), and of course all evil sites opt out -- which defeats the purpose.

In general, for sites (resources) to tell the client how that site should be policed is like asking the fox to guard the chicken coop.

Still a step in the right direction. But NS still rules, and if these are implemented, IE's "XSS protection" will have to eat it. :mrgreen:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript Sightings

Post by Thrawn »

Tom T. wrote:
It should initially be opt-in by resource owners.
IIUC, any site that gets reported merely opts out on the server side (still wouldn't pass NS CC, right?), and of course all evil sites opt out -- which defeats the purpose.

In general, for sites (resources) to tell the client how that site should be policed is like asking the fox to guard the chicken coop.
If the sensitive site opted in, this would still work, wouldn't it? The evil Facebook likejacking app may opt out of ClearClick protection, but if the Facebook Like button opts in, then ClearClick should still fire when the user clicks on the concealed Like button.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript Sightings

Post by Tom T. »

Thrawn wrote:If the sensitive site opted in, this would still work, wouldn't it?
That's a big "IF".

IE's claimed "XSS Protection" was not only a failure that introduced new XSS vulns, but also allowed web sites to disable the feature:
MSDN wrote:Web developers may wish to disable the filter for their content. They can do so by setting a HTTP header:
X-XSS-Protection: 0
I have a vague memory that originally, IE's "filter" required web sites to add some extra code to activate the filter, but can't seem to locate a source immediately. But if so, what % of the planet's billion web sites do you suppose did so? ;)

IMHO, many sites would choose to opt out, such as those cited in the links in previous posts. Perhaps after the damage is done, with bad publicity, they'd reconsider...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript Sightings

Post by Thrawn »

A recent Open Security Research article highlighted a flaw in the Chrome XSSAuditor, and NoScript was one of the filters that didn't suffer from the problem. Not surprising, really, given that the hole looks fairly basic.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript Sightings

Post by Thrawn »

Tom T. wrote:I have a vague memory that originally, IE's "filter" required web sites to add some extra code to activate the filter, but can't seem to locate a source immediately. But if so, what % of the planet's billion web sites do you suppose did so? ;)
Maybe you're thinking of the X-Frame-Options header designed to protect against (some forms of) clickjacking?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
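The two headers traded in the posts above (X-XSS-Protection: 0 and X-Frame-Options) are both server-side switches that the client merely obeys. The following is an added example, not code from the thread, from NoScript or from any browser: it models how a client reads those two headers and what it decides when the server says nothing or says something malformed. The header names are lower-cased the way Node's http module exposes them, and every response object below is constructed for illustration.

```javascript
// Added example (not from the thread): client-side interpretation of the
// server-supplied X-Frame-Options and X-XSS-Protection headers.
// Header objects use lower-case names as Node's http module does; all
// values below are constructed, not captured from real sites.

function parseXFrameOptions(headers) {
  const raw = headers['x-frame-options'];
  if (raw === undefined) return { mode: 'none' };             // server said nothing
  const v = raw.trim();
  if (/^deny$/i.test(v)) return { mode: 'deny' };
  if (/^sameorigin$/i.test(v)) return { mode: 'sameorigin' };
  const m = v.match(/^allow-from\s+(\S+)$/i);
  if (m) {
    try { return { mode: 'allow-from', origin: new URL(m[1]).origin }; }
    catch (e) { return { mode: 'invalid', raw }; }
  }
  return { mode: 'invalid', raw };                             // unknown token: ignored by browsers
}

// The decision a browser takes before rendering `resourceOrigin` inside a
// page whose top-level document has origin `topOrigin`.
function mayBeFramed(policy, resourceOrigin, topOrigin) {
  switch (policy.mode) {
    case 'deny':       return false;
    case 'sameorigin': return resourceOrigin === topOrigin;
    case 'allow-from': return policy.origin === topOrigin;
    default:           return true;   // 'none' and 'invalid' both fail open
  }
}

// X-XSS-Protection: absent means "browser default" (filter on, sanitise mode);
// "0" is the documented opt-out; "1; mode=block" asks for blocking instead.
function xssFilterState(headers) {
  const raw = headers['x-xss-protection'];
  if (raw === undefined) return { enabled: true, block: false, explicit: false };
  const parts = raw.split(';').map(s => s.trim().toLowerCase());
  if (parts[0] === '0') return { enabled: false, block: false, explicit: true };
  if (parts[0] === '1') return { enabled: true, block: parts.includes('mode=block'), explicit: true };
  return { enabled: true, block: false, explicit: false };     // malformed: treated as default
}

// What an auditor would flag on a response for a sensitive page.
function auditHeaders(headers) {
  const findings = [];
  const xfo = parseXFrameOptions(headers);
  if (xfo.mode === 'none' || xfo.mode === 'invalid') findings.push('framing-unrestricted');
  if (!xssFilterState(headers).enabled) findings.push('xss-filter-disabled');
  return findings;
}

// Constructed responses for a sensitive page that an attacker's page tries to embed.
// 'ALLOWALL' is a non-standard token and is treated like any other invalid value.
const RESPONSES = {
  bank_default:   {},
  bank_hardened:  { 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block' },
  bank_opted_out: { 'x-frame-options': 'ALLOWALL', 'x-xss-protection': '0' },
};

for (const [name, headers] of Object.entries(RESPONSES)) {
  const framable = mayBeFramed(parseXFrameOptions(headers), 'https://bank.example', 'https://evil.example');
  console.log(name, '| framable by evil.example:', framable, '| findings:', auditHeaders(headers));
}
```

Note the default branch of mayBeFramed: with no header, or with a header the client cannot parse, the resource is framable. That is the opt-in problem raised in the posts above in executable form; the client has no way to tell a site that forgot the header from one that chose to allow framing.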
magneticnorth
Posts: 2
Joined: Sat Nov 17, 2012 2:20 pm

Re: NoScript Sightings

Post by magneticnorth »

Active XSS flaw discovered on ebay
By Dancho Danchev for Zero Day
According to XSSed, Indian security researcher Shubham Upadhyay has discovered an active XSS flaw affecting Ebay.com

Mozilla Firefox's NoScript proactively detects the XSS attempt and blocks it.
Source for excerpts above: http://www.zdnet.com/active-xss-flaw-discovered-on-ebay-7000007539/

p.s. I had problems making this post. When I copied and pasted portions of article and hit preview, it said it triggered spam filter, so I wound up typing the lines in. The spam filter was also triggered when I typed the link, so I had to split it.
Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20100101 Firefox/16.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript Sightings

Post by Tom T. »

Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
timbugzilla
Posts: 6
Joined: Wed Jul 11, 2012 10:51 am

Re: NoScript Sightings

Post by timbugzilla »

An XSS vulnerability in the Chrome browser was used to gain access to Facebook accounts:

http://homakov.blogspot.com/2013/02/hac ... hrome.html
Mozilla/5.0 (Windows NT 6.2; rv:21.0) Gecko/20130219 Firefox/21.0
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: NoScript Sightings

Post by dhouwn »

NoScript mentioned as not being entirely reliable against tracking by GA per default:
http://work.erikvold.com/addons/2013/02/16/no-google-analytics.html wrote:Often this __utm.gif image is referred to as “the invisible gif” because it is only 1 transparent pixel, and it can be used to track users even without ga.js which many users of NoScript already block thinking that does something, and webdevs have long ago worked around.
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript Sightings

Post by Thrawn »

dhouwn wrote:NoScript mentioned as not being entirely reliable against tracking by GA per default:
http://work.erikvold.com/addons/2013/02/16/no-google-analytics.html wrote:Often this __utm.gif image is referred to as “the invisible gif” because it is only 1 transparent pixel, and it can be used to track users even without ga.js which many users of NoScript already block thinking that does something, and webdevs have long ago worked around.
Not surprising, really, since NoScript is primarily about security. The web bug feature was killed a while ago when Mozilla added speculative parsing. If you really care about privacy, you need eg RequestPolicy, Ghostery, Adblock Plus, etc.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript Sightings

Post by Giorgio Maone »

Thrawn wrote:
dhouwn wrote:NoScript mentioned as not being entirely reliable against tracking by GA per default:
http://work.erikvold.com/addons/2013/02/16/no-google-analytics.html wrote:Often this __utm.gif image is referred to as “the invisible gif” because it is only 1 transparent pixel, and it can be used to track users even without ga.js which many users of NoScript already block thinking that does something, and webdevs have long ago worked around.
Not surprising, really, since NoScript is primarily about security. The web bug feature was killed a while ago when Mozilla added speculative parsing. If you really care about privacy, you need eg RequestPolicy, Ghostery, Adblock Plus, etc.
... or use ABE,

Site .tracker1.com .tracker2.com .tracker3.com # ... and so on
Accept from SELF++
Deny INCLUSION
... or just install latest development build 2.6.5.8rc2 if you specifically care about Google Analytics and nothing else ;)

P.S.: if you use Request Policy or ABP or Ghostery to block Google Analytics, you'll probably get in trouble on many sites which are otherwise made compatible by NoScript's Script Surrogates.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
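To make concrete both the __utm.gif point from dhouwn's post (the beacon carries the identifiers, so blocking ga.js alone changes nothing) and the three-line ABE rule Giorgio posted, here is an added example that is not part of the thread and not NoScript's own ABE engine. It is a deliberately small evaluator whose semantics are assumptions, stated in the comments: a leading dot in a Site pattern is taken to match the host and its subdomains, SELF++ is modelled as "same registrable domain" with a naive last-two-labels rule, and INCLUSION is taken to mean any non-top-level load (image, script, frame). The __utm.gif URL and every request below are constructed samples, not captured traffic.

```javascript
// Added example (not from the thread, not NoScript's ABE implementation):
// a simplified evaluator for the ABE ruleset quoted above, plus a look at
// what a __utm.gif beacon request carries even when ga.js never ran.

// Assumption: a leading dot in a Site pattern matches the host itself and
// every subdomain (".tracker1.com" matches tracker1.com and a.tracker1.com).
function hostMatches(host, pattern) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.startsWith('.')) {
    return host === pattern.slice(1) || host.endsWith(pattern);
  }
  return host === pattern;
}

// Assumption: SELF++ is modelled as "same registrable domain" using the last
// two labels. Real ABE and real public-suffix handling are richer than this.
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse "Site ..." blocks followed by Accept/Deny lines. Only the forms used
// in the quoted ruleset are handled: "<verb> from <origins>", "<verb> <methods>"
// and a bare "<verb>" (taken to mean ALL). '#' starts a comment.
function parseAbe(text) {
  const sites = [];
  for (let line of text.split('\n')) {
    line = line.replace(/#.*$/, '').trim();
    if (!line) continue;
    const [verb, ...rest] = line.split(/\s+/);
    if (verb === 'Site') {
      sites.push({ patterns: rest, rules: [] });
    } else if (verb === 'Accept' || verb === 'Deny') {
      if (!sites.length) throw new Error('rule before any Site line');
      const rule = { action: verb.toLowerCase() };
      if (rest[0] === 'from') rule.from = rest.slice(1);
      else rule.methods = rest.length ? rest : ['ALL'];
      sites[sites.length - 1].rules.push(rule);
    } else {
      throw new Error('unsupported ABE line: ' + line);
    }
  }
  return sites;
}

// request = { url, origin, inclusion }. inclusion is true for any sub-resource
// or frame load and false for a top-level navigation. First matching rule wins;
// a request no rule mentions is accepted.
function evaluate(sites, request) {
  const host = new URL(request.url).hostname;
  const originHost = request.origin ? new URL(request.origin).hostname : null;
  for (const site of sites) {
    if (!site.patterns.some(p => hostMatches(host, p))) continue;
    for (const rule of site.rules) {
      const fromOk = rule.from
        ? rule.from.some(o => o === 'SELF++' && originHost !== null &&
                              baseDomain(originHost) === baseDomain(host))
        : true;
      const methodOk = rule.methods
        ? rule.methods.includes('ALL') || (rule.methods.includes('INCLUSION') && request.inclusion)
        : true;
      if (fromOk && methodOk) return rule.action;
    }
  }
  return 'accept';
}

// What the "invisible gif" request carries: utmac is the property id, utmhn the
// page host, and utmcc copies the GA cookies including the __utma visitor id.
function trackingIdentifiers(gifUrl) {
  const u = new URL(gifUrl);
  const utmcc = u.searchParams.get('utmcc') || '';
  const m = utmcc.match(/__utma=([^;]+)/);
  return {
    account: u.searchParams.get('utmac'),
    visitorCookie: m ? m[1] : null,
    pageHost: u.searchParams.get('utmhn'),
  };
}

// The ruleset from the post above, and a constructed beacon URL.
const RULESET = `
Site .tracker1.com .tracker2.com .tracker3.com # ... and so on
Accept from SELF++
Deny INCLUSION
`;
const SAMPLE_GIF = 'https://www.tracker1.com/__utm.gif?utmwv=5.3&utmac=UA-000000-1' +
  '&utmhn=news.example.com&utmcc=__utma%3D1.123456789.1360000000.1.1.1%3B';

const sites = parseAbe(RULESET);
console.log('beacon carries:', trackingIdentifiers(SAMPLE_GIF));
console.log('pixel on news page :', evaluate(sites, { url: SAMPLE_GIF, origin: 'https://news.example.com/', inclusion: true }));
console.log('tracker own page   :', evaluate(sites, { url: SAMPLE_GIF, origin: 'https://app.tracker1.com/', inclusion: true }));
console.log('typed-in navigation:', evaluate(sites, { url: 'https://tracker1.com/', origin: null, inclusion: false }));
```

The first evaluate call is the case dhouwn's quote describes: no script is involved, the page simply includes an image, and the image URL already contains the account and visitor identifiers. Under the quoted rule it is denied as a third-party INCLUSION, while the tracker's own pages keep working and a top-level visit to the tracker is not touched at all.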
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript Sightings

Post by therube »

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 SeaMonkey/2.21a2
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: NoScript Sightings

Post by dhouwn »

Somewhere where NoScript should have been mentioned IMHO but wasn't: https://lists.torproject.org/pipermail/ ... 00089.html
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0