[RESOLVED] Chrome, NoScript, and WebRequest API

Hungry Man
Junior Member
Posts: 43
Joined: Wed Oct 19, 2011 9:42 pm

Post by Hungry Man »

Having a discussion over on wilderssecurity forum and we were wondering if there's anything holding back a NoScript/NoScriptLike extension from working properly in Chrome considering the new WebRequest API.

One user was suggesting that if it were possible you would be already on it - implementing NoScript right now.

ScriptNo was also brought up.

Thoughts?
Last edited by Tom T. on Thu Nov 24, 2011 12:28 pm, edited 1 time in total.
Reason: mark as resolved (OP 2 Q; O/T discussion split to new topic)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Chrome, NoScript, and WebRequest API

Post by Tom T. »

Sorry that there was not an answer to this for so long. I took a quick peek @ Wilders thread.

Originally, (around 2009), Giorgio hoped that Chrome would give him an adequate API, as they had promised to do. But it didn't happen.

I know of no present plans to port NoScript to Chrome, unless Giorgio hasn't told us.

PERSONAL OPINION ONLY: Why would a huge corporation that makes its living selling advertising (mostly targeted) and user data ever want its users to install an add-on that would block advertising scripts and data-mining scripts, including Google's bread-and-butter, google-analytics.com? ... which NoScript blocks *by default*, and runs a Surrogate Script in its place. This makes the page happy that the script ran, but sends no actual data to Google. Yeah, they'll really let that happen on *their* browser. :roll:

ScriptNo: http://code.google.com/p/scriptno/wiki/ ... dQuestions
"You’re so mysterious. Who are you?

I’m a recent honors graduate from a business technology program from a university in Toronto, Canada, graduating with over 20 months of full-time work experience due to my co-op terms with world-class organizations such as CIBC and Canada Pension Plan Investment Board. If it’s any relevancy, I’m Chinese and I’m 23"

Whereas Giorgio Maone has 20 years, not months, in developing, and freely gives his real name, e-mail address, company address and telephone number. You would trust an anonymous person to take complete control of your browser? What is he so afraid of?

(I prefer to keep my privacy because I'm not responsible for the coding or behavior of NoScript, and like the rest of the support team, am an unpaid volunteer. It's Giorgio's name and reputation on the line, and he's willing to put it there for the whole world. Why doesn't this recent college grad do the same? ... just a thought.)

"A 'NoScript-like' extension"... Really? Aside from the name rip-off, does it have NoScript's level of:

XSS protection?
Clickjacking protection?
CSRF protection and WAN-LAN boundary protection?
Ability to force HTTPS security on sites that should have it (your bank), but may carelessly send insecure cookies?

Note that all of the above work even if you allow scripting globally.

Plus many other protections, like "Forbid WebGL" (a technology that has already been exploited), and more to come, in a product that is constantly evolving and improving, thanks in part to suggestions from users through this forum, which ATM has more than 20,000 registered members + guest posting allowed, and almost 30,000 posts on almost 5,000 topics. And which was once a part of Mozilla support, but when the user base and the feature list demanded more than *ONE* thread at Mozilla, Mr. Maone chose to host this forum on his own servers, *at his own expense*.

It still slipped up in letting your post go unanswered for so long, but genuine bugs, user support, and enhancements get first priority -- I'm sure you understand.

I could be mistaken, but I don't see Google letting NS rob them of the revenue from their Chrome users, nor do I see their "NoScript-like" add-on ever coming close to this one. But please browse the NoScript "Features" Page and the NoScript FAQ, and decide for yourself.

Regarding browser sandboxing, it might be nice for Firefox and SeaMonkey to implement this. But IMHO, letting the browser sandbox itself is like trying to lift yourself up by your bootstraps. If the browser is compromised, how can it protect its own sandbox? Much better is to let your sandboxing solution run on your operating system, *independently of the browser*. Then, if the browser is compromised, the malware cannot escape through to the hard drive. After all, much of MS' security issues with IE were based on, or worsened by, the fact that IE *is an integral part of the Windows OS*.

Nope. Let the sandboxer run on the OS, and then let the browser run in the *independent* sandbox thus created. (I have been satisfied with Sandboxie, but that's just personal experience and opinion only, not an endorsement. But it meets the above criterion of being outside the browser instead of inside it.)

As for the topic there, "Safest browser?" Firefox and SeaMonkey, in their default states, ... wouldn't know. Always using NoScript. Fx and SM + NoScript (properly configured): I defy anyone to show another readily-available, mass-market browser suitable for both home and enterprise use that is equally protected from such a wide range of Web exploits, *and whose developer responds so rapidly to emergent threats*.

Toss in RequestPolicy, another fine and complementary add-on to NoScript, and you have the best user control of permissions anywhere in this marketplace.

If you have any other questions, please feel free to ask, and we'll try to make sure to get to them more promptly next time. :)

And please feel free to link to this post, or to quote it in its entirety, including links. (But not quoted out of context in any misleading manner. That's not playing nicely. ;) )

Thanks,
Tom T.
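
The surrogate-script behaviour mentioned in the post above (block google-analytics.com, run a stand-in so the page still works, send nothing), as an added sketch that is not part of the original thread and is not NoScript's own code. `installSurrogate`, `pageScript` and the `UA-0000000-0` account ID are hypothetical names and constructed sample values; `win` stands in for the page's `window`.

```javascript
// Added illustration: a stand-in for the legacy ga.js globals (_gaq, _gat,
// urchinTracker). It accepts every call the page makes and never touches the network.
function installSurrogate(win) {
  // Callable object that swallows any call and any property access, so chains
  // like _gat._getTracker(id)._trackPageview() keep working.
  const noop = new Proxy(() => {}, {
    get: (target, prop) => (prop === Symbol.toPrimitive ? () => '' : noop),
    apply: () => noop,
  });

  win._gaq = {
    // ga.js accepts command arrays and plain functions. Pages sometimes rely on
    // pushed functions running, so run those and silently drop tracking commands.
    push(...items) {
      for (const item of items) {
        if (typeof item === 'function') item();
      }
      return 0; // report "no commands failed" to the caller
    },
  };
  win._gat = noop;
  win.urchinTracker = noop;
  return win;
}

// Constructed page code, typical of sites that break when ga.js is only blocked:
// page logic is queued behind the tracker and _gat is assumed to exist.
function pageScript(win) {
  let menuReady = false;
  win._gaq.push(['_setAccount', 'UA-0000000-0'], ['_trackPageview']);
  win._gaq.push(() => { menuReady = true; });
  win._gat._getTracker('UA-0000000-0')._trackPageview('/home');
  return menuReady;
}

// Blocked without a surrogate: the page's own `_gaq = []` exists, `_gat` does not.
function runBlockedOnly() {
  try {
    return pageScript({ _gaq: [] });
  } catch (err) {
    return err instanceof TypeError ? 'page script threw' : 'unexpected error';
  }
}

// Blocked with the surrogate installed: the page completes normally.
function runWithSurrogate() {
  return pageScript(installSurrogate({}));
}
```
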
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Chrome, NoScript, and WebRequest API

Post by Tom T. »

NOTE: There followed a long discussion comparing Chrome's security to that of Firefox/SeaMonkey with NoScript. That topic has been moved to Forum Extras > Security, here.

The two questions in the OP have been resolved:

Does Chrome's newer API support NoScript? Not yet.
Is ScriptNo equal to, or an effective substitute for, NoScript? - The OP and I agreed that it was not.

Therefore, this topic is marked as resolved.

There are a lot of interesting insights into the under-the-hood details at the new thread. Recommended reading for present or potential Chrome users -- or for anyone interested in general browser security.

Thanks to Hungry Man for raising these two very pertinent questions, and for the interesting discussion that followed.