Help! Password Tools and NoScript

General discussion about the NoScript extension for Firefox
slap_happy
Posts: 4
Joined: Sat Aug 22, 2009 4:06 pm

Help! Password Tools and NoScript

Post by slap_happy »

I use password protection software that is generally Host-Proof hosting and a site that I know to be safe and trusted. This site recently upgraded its 1-click log-in features. The new features rely heavily on iFrames and scripts which are trusted and secure.

Can anyone give me some ideas on how to implement these features into a whitelist inside NoScript so that these new features are available on a selectable basis?

I'm not a big code guy and have very limited experience in programming or anti-XSS features. I enjoy the security that NS provides (this feature being one that I like too) but at this point for me personally, the NS software is preventing a couple of scripts that I trust. I'd like to be able to keep NS and use the features available in the password protection software.

Here's a link to part of the problem:

http://blog.passpack.com/2009/08/auto-l ... -versions/

Edit by Tom T.: Merged similar requests within two days. My answer to this post is at the bottom of the merged replies.
Last edited by Tom T. on Wed Oct 21, 2009 5:31 am, edited 1 time in total.
Reason: merge
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
slap_happy
Posts: 4
Joined: Sat Aug 22, 2009 4:06 pm

How to whitelist scripts in iFrames?

Post by slap_happy »

I use password protection software that is generally Host-Proof hosting and a site that I know to be safe and trusted. This site recently upgraded its 1-click log-in features. The new features rely heavily on iFrames and scripts which are trusted and secure.

Can anyone give me some ideas on how to implement these features into a whitelist inside NoScript so that these new features are available on a selectable basis?

I'm not a big code guy and have very limited experience in programming or anti-XSS features. I enjoy the security that NS provides (this feature being one that I like too) but at this point for me personally, the NS software is preventing a couple of scripts that I trust. I'd like to be able to keep NS and use the features available in the password protection software.

Here's a link to a better explanation of the problem:
http://blog.passpack.com/2009/08/auto-l ... -versions/
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: How to whitelist scripts in iFrames?

Post by Giorgio Maone »

NoScript doesn't block frames in its default configuration.
Doesn't just allowing passpack.com and the site you're using their button on work?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
slap_happy
Posts: 4
Joined: Sat Aug 22, 2009 4:06 pm

Re: How to whitelist scripts in iFrames?

Post by slap_happy »

Hi,

Thanks for the reply. I'm not sure what scripts are involved in how the button works. When they upgraded to Version 2.0, most of the functions of the new release are blocked by NoScript. Version 1.0 of the button always worked fine with NS right out of the box. Some sites at times have needed to be marked as trusted or allowed, but usually have not been problematic.

The new upgrades have caused problems. I'd really like to be able to take advantage of the new upgrades and still keep NS, but NS blocks all the scripts inside the pop-ups from passpack when trying to use the button.

Passpack reports that they cannot find a solution, so I thought maybe the originators of NS might be able to help me out on this. I'm not sure if a regular expression would help (I don't know how to write them) or if there are particular settings that I could change inside NS to allow just the passpack scripts to execute. The problem does not seem to be with the actual sites that are being logged into, rather with the process/execution of the button to do so.

The blog entry from Passpack states that they do not know of a work-around. I have NS script at the default setup, no changes other than whitelisted sites.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: How to whitelist scripts in iFrames?

Post by therube »

URL: https://www.passpack.com/
Signon: https://www.passpack.com/online/


Passpack It! Personal Login Button <bookmarklet> (version 2):

Code:

javascript:{var D=document,o=(new Date()).getTime(),s;if(typeof _P!='object'||!_P.k){_P={k:'6ec57565cdeeae8e7fcc8188ff6.....',h:D.getElementsByTagName('head')[0],u:'https://www.passpack.com/',a:0,c:'6659b4'}}if(_P.o){if(o-_P.o<350)_P.a=1}else setTimeout(function(){s=_P.s=D.createElement('script');s.src=_P.u+'?t=1&g=1&u='+encodeURIComponent(location.href)+'&v=2&r='+o+'&a='+_P.a+'&c='+_P.c;_P.h.appendChild(s);_P.a=_P.o=0},400);if(!_P.o)_P.o=o}void(0)
Passpack It! Personal Login Button (version 1):

Code:

javascript:(function(){/*Passpack It! 1.6,(c)2007-09 Passpack*/_PP_={k:'6ec57565cdeeae8e7fcc8188ff6.....',u:'https://www.passpack.com/',l:location.href,h:document.getElementsByTagName('head')[0],s:document.createElement('script')};if(!_PP_.h)_PP_.h=document.getElementsByTagName('body')[0];_PP_.s.src=_PP_.u+'autologin/?t=1&g=1&u='+escape(_PP_.l)+'&v=1.1&r='+Math.random();_PP_.h.appendChild(_PP_.s);})()
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
slap_happy
Posts: 4
Joined: Sat Aug 22, 2009 4:06 pm

Re: How to whitelist scripts in iFrames?

Post by slap_happy »

Is this the code that is attempting to execute and make the buttons work? It appears that way to me. Can anyone explain why the Version 1.0 is allowed by NS and not Version 2.0? I change nothing in NS and the log-in version 2.0 will not execute - even if all sites are trusted and allowed or whitelisted?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
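
Added example (not part of any post in this thread, and not Passpack's or NoScript's code): the sketch below rebuilds the script URL that each posted bookmarklet injects, so you can see which origin a script blocker has to allow and what is sent along. The posted code creates no iframe itself; it only loads one script from https://www.passpack.com/ and passes the current page address in `u`. The function names and the sample page URL are made up for illustration.

```javascript
// Added example: rebuilds the <script src> each posted bookmarklet injects.
// The elided key `k` from the posts is never part of either URL.
const BASE = 'https://www.passpack.com/'; // `u` in both bookmarklets

// Version 1: the script element is appended immediately on click.
function scriptUrlV1(pageUrl, rand = Math.random()) {
  return BASE + 'autologin/?t=1&g=1&u=' + escape(pageUrl) +
    '&v=1.1&r=' + rand;
}

// Version 2: the script element is appended after a 400 ms timer;
// clicking the button again within 350 ms sets a=1 before it fires.
function scriptUrlV2(pageUrl,
    { r = Date.now(), doubleClick = false, c = '6659b4' } = {}) {
  return BASE + '?t=1&g=1&u=' + encodeURIComponent(pageUrl) +
    '&v=2&r=' + r + '&a=' + (doubleClick ? 1 : 0) + '&c=' + c;
}

// What the browser (and a script blocker) sees for one injected request.
function describe(scriptUrl) {
  const url = new URL(scriptUrl);
  return {
    scriptOrigin: url.origin,                 // origin the script comes from
    path: url.pathname,                       // differs between v1 and v2
    version: url.searchParams.get('v'),
    doubleClick: url.searchParams.get('a'),   // null for version 1
    disclosedPage: url.searchParams.get('u'), // address of the page you are on
  };
}

// Constructed sample page, not a real site.
const PAGE = 'https://bank.example/login?next=/accounts';
console.log(describe(scriptUrlV1(PAGE)));
console.log(describe(scriptUrlV2(PAGE, { doubleClick: true })));
```

Both versions request their script from the same origin; only the path and the extra `a` and `c` parameters differ, so whatever version 2 does with iframes happens inside the downloaded script, which is not shown in this thread.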
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Help! Password Tools and NoScript

Post by Tom T. »

Example 1: The new Passpack It! button works well on Firefox 3+. However certain plugins, for example NoScript, may cause it to fail. Auto-login 2.0 release uses iframes as a sandbox to avoid Cross-Site Scripting (XSS), yet NoScript blocks all code running in iframes. There’s no fix for this. So, if you are a Firefox-NoScript user, you will need to switch back to the older version. Other plugins or settings may cause similar problems.
From their commenters:
  • Erik
    Disabling NoScript is not a real option for me. Please post a new blog entry when there is some sort of workaround.
  • Francesco @Erik
    There is a work around, you need to use the older version of the button. Please read the second paragraph under “Example 2” for instructions.
  • Paul
    There’s no fix for the noscript interoperability? Can’t it be addressed in the Anti-XSS Protection Exceptions? Will the 1.0 button remain indefinitely?
  • Paul
    The 1.0 button doesn’t work with my bank. I was hopeful that the 2.0 button would work.

    I would think that most Passpack users are security conscious. Therefore, some significant percentage of them are probably NoScript users as well. If the 1.0 button has an uncertain future and there is no interoperability with NoScript moving forward, this is starting to look like a deal killer. :(

    And I had such high hopes for Passpack. It solves the problem of keeping multiple machines in sync that is present with KeepassX.
  • Francesco
    Posted Aug. 27, 2009 at 8:51 pm
    Hi Paul.
    There is actually a way to make the Auto-login 2.0 release compatible with NoScript. But there would be some issues in implementing it. If possible, I prefer to maintain the double-iframe structure.

    However I understand. I have already contacted Giorgio Maone of NoScript. He is Italian like me so… that makes it easy! I’m sure we will find some sort of solution.
Hmmm.... Francesco said that almost two months ago. I don't know if he ever did actually contact Giorgio, but it looks like the incompatibility was never fixed, and that his program has a lot of problems and a possibly-unsafe model.

May I suggest that you look at Password Safe, with cryptography by world-class cryptographer Bruce Schneier? I've been using it for a long time, and it has no problems with NoScript whatsoever, in my experience.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Help! Password Tools and NoScript

Post by GµårÐïåñ »

I have looked into PasswordSafe several times but the lack of information up front makes it a bit unattractive to me. Can you simply answer me the question, can it also attach itself to the browser and fill the information, login + bank stuff, for you into the places you ask, like RoboForm, or is it just a db for keeping stuff recorded somewhere?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3