Filtering scripts by file suffix/MIME type (CSRF)

General discussion about the NoScript extension for Firefox
Post Reply
Posts: 1
Joined: Mon Nov 09, 2009 10:47 pm

Filtering scripts by file suffix/MIME type (CSRF)

Post by chris_l » Mon Nov 09, 2009 11:50 pm


this is my first post here. I just installed NoScript - and it does so exactly what I want I'm amazed :) Great work guys.

Question (I'll simplify the scenario here, I'm not as careless as the following description may sound ;) ):

Let's assume I have a file on my (firewalled) local server. URL: "http://localhost/secret.js". Content:

Code: Select all

secret="i'll never tell anyone"

This script can be embedded into evil's HTML page. URL: "". Content:

Code: Select all

...<script src="http://localhost/secret.js"></script><script>alert(secret)</script>...

That's bad of course. But what I found out is, that when I change the name of my file from "secret.js" to "secret.txt", it can't be embedded anymore, if NoScript is turned on. :) That's exactly what I hoped!

But how does that work? Does NoScript decide this based on file suffix, or rather on MIME type? What feature is responsible for this (is there an option to turn it on/off)?

(BTW, unfortunately I don't get any message, that the script has been blocked.)


I think this feature is so important, it should be integrated by default into every browser, or integrated into the HTML spec. Because it's always possible, that some file lies around on some server, which just happens to be parseable as JavaScript (think Subversion servers etc.). Then the information in the file is easy prey for a CSRF style attack (even with CSRF guards up on all JSON services etc.) This kind of protection doesn't even require complicated rules.
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de-DE; rv: Gecko/20091102 Firefox/3.5.5

User avatar
Giorgio Maone
Site Admin
Posts: 8833
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Filtering scripts by file suffix/MIME type (CSRF)

Post by Giorgio Maone » Tue Nov 10, 2009 10:44 am

  1. Resources inside your LAN (including localhost) are protected against CSRF by ABE's SYSTEM ruleset, no matter if they're scripts or anything else.
  2. Script and CSS inclusions are checked by NoScript for temptative type-correctness with a rather complicated algorithm, involving both the Content-type header and the file extension for web-compatibility sake.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

Post Reply