Page 1 of 1

HowTo stop resource leak with NoScript

Posted: Fri Sep 02, 2016 11:09 pm
by yes_noscript
A Pale Moon user show how we can use the same feature like the "No Resource URI Leak" addon with NoScript: https://forum.palemoon.org/viewtopic.php?p=89945#p89945

Code: Select all

go to about:config
remove resource: from noscript.mandatory
add resource:// and resource://gre to noscript.untrusted
And don't forget to remove the equal preferences under noscript.mandatory
Both, resource:// and resource://gre are necessary to block all stuff from browserleak test site.

Finish. No browser restart, just test it:
https://www.browserleaks.com/firefox
http://cs1.ca/ttest/dump.html

I wonder what the other stuff he postet, make.
blob:
chrome:
irc:
ircs:
mediasource:
mediastream:
/favicon.ico
file://

Re: HowTo stop resource leak with NoScript

Posted: Sat Sep 03, 2016 12:03 am
by barbaz
yes_noscript wrote:

Code: Select all

go to about:config
remove resource: from noscript.mandatory
add resource:// and resource://gre to noscript.untrusted
And don't forget to remove the equal preferences under noscript.mandatory
... And enjoy your broken browser. Don't do this "fix", those things are required to be whitelisted in NoScript for the browser work properly. FAQ 1.5

Thanks for the link though, I'm going to look into that resource: URI addon and what it's doing. https://addons.mozilla.org/addon/no-resource-uri-leak/
EDIT I've installed it now, it works with SeaMonkey. There is also a Pale Moon version, it's linked in the description on AMO.

Re: HowTo stop resource leak with NoScript

Posted: Sat Sep 03, 2016 9:16 am
by yes_noscript
Oh okay.
I wonder because the addon do the same thing, or not?

Re: HowTo stop resource leak with NoScript

Posted: Sat Sep 03, 2016 4:54 pm
by barbaz
The NoScript procedure will indeterminately block active content from resource: URIs regardless of origin, and does nothing about non-active-content (like images and such). It's basically only useful against the one specific PoC.

No Resource URI Leak blocks ANY access to resource: URIs not from specified location (by default this list is chrome:, resource:, view-source:, and various about: URIs). Safe and effective.

Re: HowTo stop resource leak with NoScript

Posted: Sat Sep 03, 2016 5:27 pm
by yes_noscript
Thanks for that clarification :)

Re: HowTo stop resource leak with NoScript

Posted: Sat Sep 03, 2016 5:29 pm
by barbaz
I've just realised that the No Resource URI Leak addon blocks NoScript's placeholder icons. Since that addon is patching a bug that could be fixed in the browser, this doesn't look good for the future of placeholder icons in the current state...
Can the placeholder icon problem please be fixed in NoScript?

Re: HowTo stop resource leak with NoScript

Posted: Mon Sep 05, 2016 5:01 pm
by barbaz
It blocks much more stuff in Gecko 49... even including dropdown markers, and, it also makes NoScript's placeholders a completely blank yellow box.

The dropdown markers can be fixed by adding "gre-resources" to the debug whitelist, but as NoScript's resource: URIs are random it is impossible to fix that problem without patching the addon code.

Re: HowTo stop resource leak with NoScript

Posted: Sun Sep 11, 2016 12:51 pm
by yes_noscript
Also Moonchild say that blocking that ressource isn't recommend and no user data are in danger: https://github.com/MoonchildProductions ... -246103708

Re: HowTo stop resource leak with NoScript

Posted: Sun Sep 11, 2016 5:33 pm
by barbaz
What he says is that it's only information about the browser itself that's being revealed this way. As far as whether that counts as exposing user data, unlikely for typical users but across the board is another game. See, 'Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20160905 SeaMonkey/2.46pre' is a whole lot more unique than e.g. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7' isn't it?