NoScript Sightings

General discussion about the NoScript extension for Firefox

Re: NoScript Sightings

Postby Tom T. » Thu May 03, 2012 7:44 am

Thrawn wrote: Several people may be interested/amused by the fact that the author suggests it as a replacement for Adblock Plus.

I'm not amused at all. Been doing that for years. :D

I used the original AdBlock, which was totally self-contained and had easy ways to add things to your blocklist from a context menu, on Fx 2. But they chose not to extend support to F3.

I found that with NS and RequestPolicy, plus Fx's own internal image-blocking, I've had no need for ABP. IMHO. YMMV.

Re: NoScript Sightings

Postby Giorgio Maone » Sun May 06, 2012 8:16 pm

ClearClick on track to be standardized by the W3C as a built-in browser anti-Clickjacking protection:
[webappsec] Summary of anticlickjacking proposals, May 3 2012

Re: NoScript Sightings

Postby Tom T. » Mon May 07, 2012 12:13 am

Giorgio Maone wrote: ClearClick on track to be standardized by the W3C as a built-in browser anti-Clickjacking protection:
[webappsec] Summary of anticlickjacking proposals, May 3 2012

Awesome. Congrats on having your baby become the role model. :ugeek: :D

IMHO, much of what's there is a bit TMI for non-tech users, and I'm a bit squeamish about
...implementing user-agents to also collect telemetry data on all sites, not only those that opt-in.

-- privacy issue.

It should initially be opt-in by resource owners.

IIUC, any site that gets reported merely opts out on the server side (still wouldn't pass NS CC, right?), and of course all evil sites opt out -- which defeats the purpose.

In general, for sites (resources) to tell the client how that site should be policed is like asking the fox to guard the chicken coop.

Still a step in the right direction. But NS still rules, and if these are implemented, IE's "XSS protection" will have to eat it. :mrgreen:

Re: NoScript Sightings

Postby Thrawn » Mon May 07, 2012 12:47 am

Tom T. wrote:
It should initially be opt-in by resource owners.

IIUC, any site that gets reported merely opts out on the server side (still wouldn't pass NS CC, right?), and of course all evil sites opt out -- which defeats the purpose.

In general, for sites (resources) to tell the client how that site should be policed is like asking the fox to guard the chicken coop.


If the sensitive site opted in, this would still work, wouldn't it? The evil Facebook likejacking app may opt out of ClearClick protection, but if the Facebook Like button opts in, then ClearClick should still fire when the user clicks on the concealed Like button.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.

Re: NoScript Sightings

Postby Tom T. » Mon May 07, 2012 1:15 am

Thrawn wrote: If the sensitive site opted in, this would still work, wouldn't it?

That's a big "IF".

IE's claimed "XSS Protection" was not only a failure that introduced new XSS vulns, but also allowed web sites to disable the feature:
MSDN wrote: Web developers may wish to disable the filter for their content. They can do so by setting a HTTP header:
X-XSS-Protection: 0

I have a vague memory that originally, IE's "filter" required web sites to add some extra code to activate the filter, but can't seem to locate a source immediately. But if so, what % of the planet's billion web sites do you suppose did so? ;)

IMHO, many sites would choose to opt out, such as those cited in the links in previous posts. Perhaps after the damage is done, with bad publicity, they'd reconsider...

Re: NoScript Sightings

Postby Thrawn » Mon Oct 08, 2012 2:14 am

A recent Open Security Research article highlighted a flaw in the Chrome XSSAuditor, and NoScript was one of the filters that didn't suffer from the problem. Not surprising, really, given that the hole looks fairly basic.

Re: NoScript Sightings

Postby Thrawn » Mon Oct 08, 2012 2:17 am

Tom T. wrote: I have a vague memory that originally, IE's "filter" required web sites to add some extra code to activate the filter, but can't seem to locate a source immediately. But if so, what % of the planet's billion web sites do you suppose did so? ;)

Maybe you're thinking of the X-Frame-Options header designed to protect against (some forms of) clickjacking?
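Tom T.'s point about servers opting out with X-XSS-Protection: 0 and Thrawn's mention of X-Frame-Options both come down to headers a site chooses to send. As an added example, not code from this thread or from NoScript, here is a small Python audit of constructed response headers that reports which of those two protections a site has opted out of or never opted in to; parse_headers and audit_protections are hypothetical helpers written for this illustration.

```python
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head (status line plus headers) into a
    dict keyed by lower-cased header name (header names are case-insensitive)."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # [1:] skips the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_protections(raw: str) -> List[str]:
    """Report which browser-side protections a response opts out of or never
    opts in to. Hypothetical helper written for this example."""
    h = parse_headers(raw)
    findings: List[str] = []
    # X-XSS-Protection: 0 is the per-site opt-out quoted from MSDN above.
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("x-xss-protection absent: browser default applies")
    elif xss.split(";")[0].strip() == "0":
        findings.append("x-xss-protection: 0 -> site opted out of the XSS filter")
    # X-Frame-Options is the opt-in anti-clickjacking header; without it any
    # origin may frame the page.
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("x-frame-options absent: page can be framed by any site")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN") and not xfo.upper().startswith("ALLOW-FROM "):
        findings.append(f"x-frame-options has an unrecognised value: {xfo!r}")
    return findings


# Constructed sample responses, not captures from any real site.
OPTED_OUT = """HTTP/1.1 200 OK
Content-Type: text/html
X-XSS-Protection: 0
"""
HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
"""

if __name__ == "__main__":
    for label, raw in (("opted-out", OPTED_OUT), ("hardened", HARDENED)):
        print(label, audit_protections(raw))
```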

Re: NoScript Sightings

Postby magneticnorth » Sun Nov 18, 2012 3:23 pm

Active XSS flaw discovered on ebay
By Dancho Danchev for Zero Day

According to XSSed, Indian security researcher Shubham Upadhyay has discovered an active XSS flaw affecting Ebay.com

Mozilla Firefox's NoScript proactively detects the XSS attempt and blocks it.


Source for excerpts above: http://www.zdnet.com/active-xss-flaw-discovered-on-ebay-7000007539/

p.s. I had problems making this post. When I copied and pasted portions of article and hit preview, it said it triggered spam filter, so I wound up typing the lines in. The spam filter was also triggered when I typed the link, so I had to split it.

Re: NoScript Sightings

Postby Tom T. » Wed Jan 16, 2013 7:58 am


Re: NoScript Sightings

Postby timbugzilla » Wed Feb 20, 2013 8:50 am

An XSS vulnerability in the Chrome browser was used to gain access to Facebook accounts:

http://homakov.blogspot.com/2013/02/hac ... hrome.html

Re: NoScript Sightings

Postby dhouwn » Wed Feb 20, 2013 8:58 pm

NoScript mentioned as not being entirely reliable against tracking by GA by default:
http://work.erikvold.com/addons/2013/02/16/no-google-analytics.html wrote: Often this __utm.gif image is referred to as “the invisible gif” because it is only 1 transparent pixel, and it can be used to track users even without ga.js which many users of NoScript already block thinking that does something, and webdevs have long ago worked around.

Re: NoScript Sightings

Postby Thrawn » Wed Feb 20, 2013 10:25 pm

dhouwn wrote: NoScript mentioned as not being entirely reliable against tracking by GA by default:
http://work.erikvold.com/addons/2013/02/16/no-google-analytics.html wrote: Often this __utm.gif image is referred to as “the invisible gif” because it is only 1 transparent pixel, and it can be used to track users even without ga.js which many users of NoScript already block thinking that does something, and webdevs have long ago worked around.

Not surprising, really, since NoScript is primarily about security. The web bug feature was killed a while ago when Mozilla added speculative parsing. If you really care about privacy, you need eg RequestPolicy, Ghostery, Adblock Plus, etc.

Re: NoScript Sightings

Postby Giorgio Maone » Wed Feb 20, 2013 11:44 pm

Thrawn wrote:
dhouwn wrote: NoScript mentioned as not being entirely reliable against tracking by GA by default:
http://work.erikvold.com/addons/2013/02/16/no-google-analytics.html wrote: Often this __utm.gif image is referred to as “the invisible gif” because it is only 1 transparent pixel, and it can be used to track users even without ga.js which many users of NoScript already block thinking that does something, and webdevs have long ago worked around.

Not surprising, really, since NoScript is primarily about security. The web bug feature was killed a while ago when Mozilla added speculative parsing. If you really care about privacy, you need eg RequestPolicy, Ghostery, Adblock Plus, etc.

... or use ABE,
Code:
Site .tracker1.com .tracker2.com .tracker3.com # ... and so on
Accept from SELF++
Deny INCLUSION


... or just install latest development build 2.6.5.8rc2 if you specifically care about Google Analytics and nothing else ;)

P.S.: if you use Request Policy or ABP or Ghostery to block Google Analytics, you'll probably get in trouble on many sites which are otherwise made compatible by NoScript's Script Surrogates.
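To show how the ABE ruleset above stops the third-party __utm.gif web bug from the earlier posts while leaving the tracker's own pages and a typed-in visit alone, here is an added Python evaluator of that ruleset; it is not NoScript's ABE engine and is deliberately simplified. Assumptions, stated as such: "base domain" is the last two host labels, SELF++ means the requesting origin shares that base domain with the destination, INCLUSION is any load that is not a top-level navigation, and a request matching no rule is accepted.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# The ruleset from the post, as data: destination patterns and ordered rules.
SITES = [".tracker1.com", ".tracker2.com", ".tracker3.com"]
RULES = [("Accept", "from SELF++"), ("Deny", "INCLUSION")]


@dataclass
class Request:
    origin: Optional[str]  # URL of the requesting document; None if typed in by the user
    destination: str       # URL being fetched
    top_level: bool        # False for embedded loads (images, scripts, frames)


def host(url: str) -> str:
    return urlparse(url).hostname or ""


def base_domain(h: str) -> str:
    # Assumption: last two labels; real ABE is public-suffix aware.
    return ".".join(h.split(".")[-2:])


def site_matches(h: str, patterns: List[str]) -> bool:
    # A leading dot matches the domain itself and all of its subdomains.
    return any(h == p.lstrip(".") or h.endswith(p) for p in patterns)


def evaluate(req: Request) -> str:
    """Apply the ruleset top-down; the first matching rule wins, else Accept."""
    dest = host(req.destination)
    if not site_matches(dest, SITES):
        return "Accept"  # the ruleset only governs the listed tracker sites
    for action, predicate in RULES:
        if predicate == "from SELF++":
            if req.origin and base_domain(host(req.origin)) == base_domain(dest):
                return action
        elif predicate == "INCLUSION" and not req.top_level:
            return action
    return "Accept"  # nothing matched: ABE's default is to allow


# Constructed requests, not captured traffic.
PIXEL = Request("https://www.example.com/page", "https://www.tracker1.com/__utm.gif", False)
OWN_PIXEL = Request("https://tracker1.com/", "https://www.tracker1.com/__utm.gif", False)
TYPED = Request(None, "https://www.tracker1.com/", True)
```

Running evaluate over PIXEL, OWN_PIXEL and TYPED gives Deny, Accept and Accept: the cross-site pixel is blocked as an inclusion while the tracker's own subresources and a direct visit are untouched.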

Re: NoScript Sightings

Postby therube » Mon Jul 15, 2013 3:13 pm

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus

Re: NoScript Sightings

Postby dhouwn » Tue Aug 06, 2013 6:50 am

Somewhere where NoScript should have been mentioned IMHO but wasn't: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
