
Re: NoScript Sightings

Posted: Thu May 03, 2012 7:44 am
by Tom T.
Thrawn wrote:Several people may be interested/amused by the fact that the author suggests it as a replacement for Adblock Plus.

I'm not amused at all. Been doing that for years. :D

I used the original AdBlock, which was totally self-contained and had easy ways to add things to your blocklist from a context menu, on Fx 2. But they chose not to extend support to Fx 3.

I found that with NS and RequestPolicy, plus Fx's own internal image-blocking, I've had no need for ABP. IMHO. YMMV.

Re: NoScript Sightings

Posted: Sun May 06, 2012 8:16 pm
by Giorgio Maone
ClearClick on track to be standardized by the W3C as a built-in browser anti-Clickjacking protection:
[webappsec] Summary of anticlickjacking proposals, May 3 2012

Re: NoScript Sightings

Posted: Mon May 07, 2012 12:13 am
by Tom T.
Giorgio Maone wrote:ClearClick on track to be standardized by the W3C as a built-in browser anti-Clickjacking protection:
[webappsec] Summary of anticlickjacking proposals, May 3 2012

Awesome. Congrats on having your baby become the role model. :ugeek: :D

IMHO, much of what's there is a bit TMI for non-tech users, and I'm a bit squeamish about
...implementing user-agents to also collect telemetry data on all sites, not only those that opt-in.

-- privacy issue.

It should initially be opt-in by resource owners.

IIUC, any site that gets reported merely opts out on the server side (still wouldn't pass NS CC, right?), and of course all evil sites opt out -- which defeats the purpose.

In general, for sites (resources) to tell the client how that site should be policed is like asking the fox to guard the chicken coop.

Still a step in the right direction. But NS still rules, and if these are implemented, IE's "XSS protection" will have to eat it. :mrgreen:

Re: NoScript Sightings

Posted: Mon May 07, 2012 12:47 am
by Thrawn
Tom T. wrote:
It should initially be opt-in by resource owners.

IIUC, any site that gets reported merely opts out on the server side (still wouldn't pass NS CC, right?), and of course all evil sites opt out -- which defeats the purpose.

In general, for sites (resources) to tell the client how that site should be policed is like asking the fox to guard the chicken coop.


If the sensitive site opted in, this would still work, wouldn't it? The evil Facebook likejacking app may opt out of ClearClick protection, but if the Facebook Like button opts in, then ClearClick should still fire when the user clicks on the concealed Like button.

Re: NoScript Sightings

Posted: Mon May 07, 2012 1:15 am
by Tom T.
Thrawn wrote:If the sensitive site opted in, this would still work, wouldn't it?

That's a big "IF".

IE's claimed "XSS Protection" was not only a failure that introduced new XSS vulns, but also allowed web sites to disable the feature:
MSDN wrote:Web developers may wish to disable the filter for their content. They can do so by setting a HTTP header:
X-XSS-Protection: 0

I have a vague memory that originally, IE's "filter" required web sites to add some extra code to activate the filter, but can't seem to locate a source immediately. But if so, what % of the planet's billion web sites do you suppose did so? ;)

IMHO, many sites would choose to opt out, such as those cited in the links in previous posts. Perhaps after the damage is done, with bad publicity, they'd reconsider...

Re: NoScript Sightings

Posted: Mon Oct 08, 2012 2:14 am
by Thrawn
A recent Open Security Research article highlighted a flaw in the Chrome XSSAuditor, and NoScript was one of the filters that didn't suffer from the problem. Not surprising, really, given that the hole looks fairly basic.

Re: NoScript Sightings

Posted: Mon Oct 08, 2012 2:17 am
by Thrawn
Tom T. wrote:I have a vague memory that originally, IE's "filter" required web sites to add some extra code to activate the filter, but can't seem to locate a source immediately. But if so, what % of the planet's billion web sites do you suppose did so? ;)

Maybe you're thinking of the X-Frame-Options header designed to protect against (some forms of) clickjacking?
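The two headers discussed in this exchange (the MSDN `X-XSS-Protection: 0` opt-out quoted above, and the `X-Frame-Options` header Thrawn mentions) are both things a site can check on its own responses. The following is an added example, not code from this thread or from NoScript: it takes a dict of response headers (constructed in the test, not captured from any real site) and reports the effective framing policy and whether the site opted out of the legacy XSS filter. It also parses the CSP `frame-ancestors` directive, which is the successor to `X-Frame-Options` and, per the CSP spec, takes precedence when both are present.

```python
"""Audit an HTTP response's anti-clickjacking and XSS-filter headers.

Added example (not from the forum thread). Input is a plain dict of
response header names to values; header names are matched
case-insensitively.
"""
from typing import Dict, List, Optional


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify the framing policy as 'none', 'deny', 'sameorigin' or 'allow-list'.

    CSP frame-ancestors, when present, takes precedence over X-Frame-Options;
    an empty source list matches nothing, i.e. denies all framing.
    """
    csp = _get(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            if not sources or sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "sameorigin"
            return "allow-list"
    xfo = _get(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "deny"
        if value == "SAMEORIGIN":
            return "sameorigin"
        if value.startswith("ALLOW-FROM"):
            # Obsolete form; most browsers ignore it, which effectively means no protection
            return "allow-list"
    return "none"


def xss_filter_opted_out(headers: Dict[str, str]) -> bool:
    """True when the site sends the MSDN-documented opt-out 'X-XSS-Protection: 0'."""
    value = _get(headers, "X-XSS-Protection")
    return value is not None and value.strip().split(";")[0].strip() == "0"


def audit(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise what the site itself does, leaving the rest to the client (e.g. ClearClick)."""
    findings: List[str] = []
    policy = framing_policy(headers)
    opted_out = xss_filter_opted_out(headers)
    if policy == "none":
        findings.append("no framing restriction: clickjacking defence is left entirely to the client")
    if opted_out:
        findings.append("X-XSS-Protection: 0 - site opted out of the browser's reflective XSS filter")
    return {"framing": policy, "xss_filter_opted_out": opted_out, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a site that opts out of the XSS filter and sets no framing policy
    print(audit({"Content-Type": "text/html", "X-XSS-Protection": "0"}))
```

The `allow-list` classification is deliberately coarse: whether a given ancestor is permitted depends on the requesting page, so the function only reports that a list exists. Note also that the reflective XSS filter behind `X-XSS-Protection` has since been removed from Chromium-based browsers and never existed in Firefox, so the header is now only a historical signal of a site's intent.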

Re: NoScript Sightings

Posted: Sun Nov 18, 2012 3:23 pm
by magneticnorth
Active XSS flaw discovered on ebay
By Dancho Danchev for Zero Day

According to XSSed, Indian security researcher Shubham Upadhyay has discovered an active XSS flaw affecting Ebay.com

Mozilla Firefox's NoScript proactively detects the XSS attempt and blocks it.


Source for excerpts above: http://www.zdnet.com/active-xss-flaw-discovered-on-ebay-7000007539/

p.s. I had problems making this post. When I copied and pasted portions of the article and hit preview, it said it triggered the spam filter, so I wound up typing the lines in. The spam filter was also triggered when I typed the link, so I had to split it.

Re: NoScript Sightings

Posted: Wed Jan 16, 2013 7:58 am
by Tom T.

Re: NoScript Sightings

Posted: Wed Feb 20, 2013 8:50 am
by timbugzilla
An XSS vulnerability in the Chrome browser was used to gain access to Facebook accounts:

http://homakov.blogspot.com/2013/02/hac ... hrome.html

Re: NoScript Sightings

Posted: Wed Feb 20, 2013 8:58 pm
by dhouwn
NoScript mentioned as not being entirely reliable against tracking by GA per default:
http://work.erikvold.com/addons/2013/02/16/no-google-analytics.html wrote:Often this __utm.gif image is referred to as “the invisible gif” because it is only 1 transparent pixel, and it can be used to track users even without ga.js which many users of NoScript already block thinking that does something, and webdevs have long ago worked around.

Re: NoScript Sightings

Posted: Wed Feb 20, 2013 10:25 pm
by Thrawn
dhouwn wrote:NoScript mentioned as not being entirely reliable against tracking by GA per default:
http://work.erikvold.com/addons/2013/02/16/no-google-analytics.html wrote:Often this __utm.gif image is referred to as “the invisible gif” because it is only 1 transparent pixel, and it can be used to track users even without ga.js which many users of NoScript already block thinking that does something, and webdevs have long ago worked around.

Not surprising, really, since NoScript is primarily about security. The web bug feature was killed a while ago when Mozilla added speculative parsing. If you really care about privacy, you need eg RequestPolicy, Ghostery, Adblock Plus, etc.

Re: NoScript Sightings

Posted: Wed Feb 20, 2013 11:44 pm
by Giorgio Maone
Thrawn wrote:
dhouwn wrote:NoScript mentioned as not being entirely reliable against tracking by GA per default:
http://work.erikvold.com/addons/2013/02/16/no-google-analytics.html wrote:Often this __utm.gif image is referred to as “the invisible gif” because it is only 1 transparent pixel, and it can be used to track users even without ga.js which many users of NoScript already block thinking that does something, and webdevs have long ago worked around.

Not surprising, really, since NoScript is primarily about security. The web bug feature was killed a while ago when Mozilla added speculative parsing. If you really care about privacy, you need eg RequestPolicy, Ghostery, Adblock Plus, etc.

... or use ABE,

Code:

Site .tracker1.com .tracker2.com .tracker3.com # ... and so on
Accept from SELF++
Deny INCLUSION


... or just install latest development build 2.6.5.8rc2 if you specifically care about Google Analytics and nothing else ;)

P.S.: if you use Request Policy or ABP or Ghostery to block Google Analytics, you'll probably get in trouble on many sites which are otherwise made compatible by NoScript's Script Surrogates.
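To make the ABE ruleset above concrete, here is an added example (not NoScript's own ABE engine and not code from this thread) that parses the three lines Giorgio posted and decides, for a given destination and requesting origin, whether the load is accepted or denied. It implements only a simplified subset of ABE's grammar: `Site` / `Accept` / `Deny`, the request types `INCLUSION` and `ALL`, and the origins `SELF`, `SELF+`, `SELF++` or a host pattern. `SELF+` and `SELF++` are both treated as "same base domain" and the base domain is taken as the last two labels; both are assumptions made for brevity, since real ABE distinguishes them and uses the public suffix list. The sample URLs in the test are constructed.

```python
"""Minimal evaluator for NoScript ABE-style rules (added example, simplified subset)."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Clause:
    action: str                    # "Accept" or "Deny"
    types: List[str]               # request types, upper-cased; empty means ALL
    origins: Optional[List[str]]   # None means "from anywhere"


@dataclass
class Rule:
    sites: List[str]               # destination host patterns, e.g. ".tracker1.com"
    clauses: List[Clause] = field(default_factory=list)


def parse_abe(text: str) -> List[Rule]:
    """Parse 'Site ...' blocks followed by 'Accept/Deny [types] [from origins]' lines."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        head = tokens[0].lower()
        if head == "site":
            rules.append(Rule(sites=tokens[1:]))
        elif head in ("accept", "deny"):
            if not rules:
                raise ValueError("action clause before any Site line")
            lowered = [t.lower() for t in tokens]
            if "from" in lowered:
                idx = lowered.index("from")
                types, origins = tokens[1:idx], tokens[idx + 1:]
            else:
                types, origins = tokens[1:], None
            rules[-1].clauses.append(Clause(head.capitalize(), [t.upper() for t in types], origins))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return rules


def host_matches(pattern: str, host: str) -> bool:
    """A leading dot matches the domain itself and any subdomain; otherwise exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def base_domain(host: str) -> str:
    """Assumption: last two labels. Real ABE consults the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def origin_matches(spec: str, origin_url: str, dest_url: str) -> bool:
    o, d = urlsplit(origin_url), urlsplit(dest_url)
    upper = spec.upper()
    if upper == "SELF":
        return (o.scheme, o.hostname, o.port) == (d.scheme, d.hostname, d.port)
    if upper in ("SELF+", "SELF++"):   # simplification: both mean "same base domain"
        return base_domain(o.hostname or "") == base_domain(d.hostname or "")
    return host_matches(spec, o.hostname or "")


def decide(rules: List[Rule], dest_url: str, origin_url: Optional[str],
           request_type: str = "INCLUSION") -> str:
    """Return 'ACCEPT' or 'DENY'; first matching clause of the first matching rule wins."""
    dest_host = urlsplit(dest_url).hostname or ""
    request_type = request_type.upper()
    for rule in rules:
        if not any(host_matches(p, dest_host) for p in rule.sites):
            continue
        for clause in rule.clauses:
            if clause.types and "ALL" not in clause.types and request_type not in clause.types:
                continue
            if clause.origins is not None:
                if origin_url is None or not any(
                        origin_matches(s, origin_url, dest_url) for s in clause.origins):
                    continue
            return clause.action.upper()
    return "ACCEPT"   # no rule matched: ABE's default is to allow


# The ruleset quoted in the post above
RULES = """Site .tracker1.com .tracker2.com .tracker3.com # ... and so on
Accept from SELF++
Deny INCLUSION
"""

if __name__ == "__main__":
    rules = parse_abe(RULES)
    # Constructed sample: a tracking pixel embedded by an unrelated site is denied
    print(decide(rules, "https://www.tracker1.com/__utm.gif", "https://news.example.org/a"))
```

The effect matches the intent of the rule: a `__utm.gif` or `ga.js` pulled into an unrelated page is an `INCLUSION` from a foreign origin and is denied, while the tracker's own pages keep working (`SELF++`) and a user navigating to the tracker's site directly is not an inclusion, so the `Deny` line does not apply.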

Re: NoScript Sightings

Posted: Mon Jul 15, 2013 3:13 pm
by therube

Re: NoScript Sightings

Posted: Tue Aug 06, 2013 6:50 am
by dhouwn
Somewhere where NoScript should have been mentioned IMHO but wasn't: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html