InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

noscript.net being able to track my browsing history?

https://forums.informaction.com/viewtopic.php?t=23710

Page 1 of 1

noscript.net being able to track my browsing history?

Posted: Wed Nov 22, 2017 5:15 pm
by salim-b
Hi there,

I'd like to know what the CSP reports to fake-domain.noscript.net are all about in the new WebExtension version of NoScript. I've noticed that they fire on every page that isn't whitelisted in NoScript (first party). Please have a look at this uBO bug report on GitHub. As gorhill (main developer of uBlock Origin) warns, those CSP reports have the potential to leak my detailed browsing history to fake-domain.noscript.net!

Re: noscript.net being able to track my browsing history?

Posted: Wed Nov 22, 2017 9:49 pm
by barbaz
https://hackademix.net/2017/11/21/noscript-1011-quantum-powerball-finish-and-rebooting/#comment-38450 wrote:"fake-domain.noscript.net", as the name implies, is a domain which does not resolve to anything, and since noscript.net is under my control I can make sure nobody makes it real domain. It's used as the report URI for the script-blocking CSP, in order to catch LOCALLY whatever has been blocked by NoScript and show it in the UI. As soon as the request is initiated, is processed LOCALLY by NoScript and blocked, so the information never leaves the browser. If, by accident (e.g. because you disable NoScript while a page with the CSP loaded is still active) the CSP report is fired and not caught, as I said the domain doesn't resolve and the request just times out.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited