Does NoScript block JScript in local files

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Does NoScript block JScript in local files

Post by Grumpy Old Lady »

therube wrote:


 * Temporarily adds the URL of the Fire.fm flash player to the whitelist of
   * Noscript to allow it to load.
   [ ...]

   * Reverts the changes that were made in the _overrideNoscript method to
   * return the NoScript rules to their original state.



AMO: Fire.fm 1.2.4
:facehand: Say it ain't so!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Does NoScript block JScript in local files

Post by Alan Baxter »

@Giorgio:
Was this done with your help and approval? Does NoScript provide an API to facilitate this action for problematic extensions like Fire.fm? Does this use by Fire.fm compromise our security at all? Is there any way to prevent this being abused by other extensions?
therube wrote: Just some code fragments & just to point out.
This is probably more prevalent than one might imagine?

fmPlayerInitializer.js:


const NOSCRIPT_UUID = "{73a6fe31-595d-460b-a920-fcc0f8843232}";

// NoScript revert timeout
const NOSCRIPT_TIMEOUT = 10000;

if (this._isExtensionInstalled(NOSCRIPT_UUID)) {
          this._overrideNoscript(flashURL);

  /**
   * Temporarily adds the URL of the Fire.fm flash player to the whitelist of
   * Noscript to allow it to load.
   * @param aFlashURL The URL of the flash player.
   */

  _overrideNoscript : function(aFlashURL) {
    this._logger.trace("overrideNoscript");

    try {
      // the extension could be disabled.
      if (Cc["@maone.net/noscript-service;1"]) {

  /**
   * Reverts the changes that were made in the _overrideNoscript method to
   * return the NoScript rules to their original state.
   * @param aFlashURL The URL of the Fire.fm flash player.
   */
  _revertNoscript : function(aFlashURL) {
    this._logger.trace("_revertNoscript");
AMO: Fire.fm 1.2.4
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Does NoScript block JScript in local files

Post by Giorgio Maone »

Alan Baxter wrote:@Giorgio:
Was this done with your help and approval?
No, it was not. I do remember someone developing an extension (don't remember which, though) once asked me how to grant the necessary permissions, and I told them how (anybody can find out anyway, since the source is open), but told them also that users would have been quite pissed off if the change wasn't asked for in advance.

Now we've got at least two AMO-recommended commercial add-ons we're aware of so far (the other being StumbleUpon) which apparently work around NoScript without asking. However one can imagine that by installing their add-on, you somehow authorize them to do whatever they deem necessary on the technical plan to provide their service (after all, they could as easily format your hard drive).
But my recent past seems to suggest that add-on users (at least those who are also Slashdot and Reddit users) consider this kind of behavior worth the capital punishment, even when their security is not at stake at all :roll:
Alan Baxter wrote: Does NoScript provide an API to facilitate this action for problematic extensions like Fire.fm?
No, it doesn't. But it's not difficult either (and it couldn't be made harder, however).
Notice that Fire.fm also works around the FlashBlock and Autoplay extensions for the same purpose.
Alan Baxter wrote: Does this use by Fire.fm compromise our security at all?
Yes, it does. At least it lowers the default NoScript security level, because by default NoScript does not allow JavaScript loaded from your local filesystem to run.
However, reading Fire.fm code, their good-will attempt to limit this adverse effect on security is apparent.
But their code is buggy, therefore they grant overkill permissions and they fail to revoke them (against their apparent will).
If they just contacted me asking for help, I would have suggested a simpler, more effective and side-effect free way to allow their player to run.

StumbleUpon's case is even more problematic. By granting an unconditional and overly broad XSS exception to their whole site (which they add to NoScript whitelist as well), they're putting their users at risk of having malicious JavaScript code injected and executed on stumbleupon.com through any XSS vulnerability of their website (are they 100% sure they're invulnerable?).
Alan Baxter wrote: Is there any way to prevent this being abused by other extensions?
Not at the technical level, because Firefox extensions are omnipotent.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Does NoScript block JScript in local files

Post by Alan Baxter »

Thank you for the info, Giorgio. I have to run off to work now, but I'll file a complaint with AMO tomorrow, if necessary.

Or would that just start another shit-storm? I'm not a StumbleUpon or Fire.fm user, and I certainly don't plan to become one now. Would you be willing to drop their developers a line letting them know they appear to be violating AMO requirements by changing the settings of another extension?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Does NoScript block JScript in local files

Post by therube »

(Though let's not forget that at one point the shoe was on the other foot. Given that the way things are now with FF extensions, there really isn't a whole lot that can be done. Make yourself aware, try to be vigilant, try to realize that it is going to happen, try to help other developers in the "right" way to do things, so that you hopefully nip problems in the bud.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Does NoScript block JScript in local files

Post by GµårÐïåñ »

Where are the self-anointed crusaders like Vladimir Palant who made such a stink before letting crap like this slide? Shouldn't there be a more public and overt outrage over screwing with another extension, I mean by their definition isn't this "Malware" behavior? I don't mean to start anything but given the ignorant and one-sided barrage of *bleep* that we endured, you'd think there would be more than "you install it you give them permission to do what they want", really? Where was that logic for us?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
SeanM
Junior Member
Posts: 44
Joined: Fri Jul 24, 2009 1:42 pm
Location: Upstate, New York USA

Re: Does NoScript block JScript in local files

Post by SeanM »

The "fire.FM" extension is disabled, and Fx behaviour is well. I have belayed installing (actually, re-installing) "StumbleUpon" for the same problematic reasons noted earlier. I still run "StumbleUpon" in my test PC, probably the safest box here!

Now that the existence of an "API" to edit the whitelist is known, and "we now know of at least two" add-ons that do so, is there a possibility of some feature in NS to (at least) issue a warning or error console logging that the NS whitelist has been tinkered with by extensions? I am not knowledgeable in the internals here, but is it possible that a JS in an allowed site may issue this API call?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
jorge.villalobos
Posts: 2
Joined: Tue Aug 25, 2009 9:11 pm

Re: Does NoScript block JScript in local files

Post by jorge.villalobos »

Hello,

My name is Jorge Villalobos and I'm one of the 2 developers of Fire.fm. Somebody brought this discussion to my attention, and I'm eager to solve this problem as quickly as possible.

A quick summary of the situation: Fire.fm loads a small Flash component in the hidden DOM window in order to play the MP3 files served by last.fm. NoScript blocks this file (by default) and users won't know because it happens on the hidden window. Our quick and dirty solution to this is to temporarily disable the file:// block, load the file, and then enable the block again. We made a dumb mistake here because we don't check the existence of the block first, and we end up blocking people who had already chosen to unblock. This is something we'll fix as soon as possible.

The other problem is - I guess - the most serious one, which is the fact that we have to change the blocking settings at all, even if only temporarily. If there is an alternative, as Giorgio suggested, I'd love to hear it. I know we did a little research at the time (a long time ago, when we implemented it) and didn't find anything better than this. We should have asked Giorgio but didn't.

As I said before, our problem happens for running code in the hidden DOM window. This window is meant to be used by add-ons, and it is completely inaccessible to web content. That's why I think we should be free to override these add-ons for the content we load in it. Flashblock, NoScript, etc. are meant to work on web content, right? NoScript obviously doesn't (or shouldn't) block extension code unless it affects the content of a web page. At least that's my take on it. Not to be defensive, I just want to be clear about where we're coming from.

We appreciate any and all help you can give us to improve Fire.fm. I await your response.

Thank you,

Jorge - Fire.fm Team
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
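
The temporary-override bug described in the post above, together with the kind of whitelist audit asked about earlier in the thread, as an added example that is not Fire.fm's or NoScript's code. PolicyStore, overrideNaive, overrideScoped and diffPolicy are hypothetical names in a toy model, and the URLs are constructed.

```javascript
// Toy model of a script blocker's whitelist (hypothetical, not the NoScript API).
class PolicyStore {
  constructor(sites) { this.allowed = new Set(sites); }
  snapshot() { return new Set(this.allowed); }
}

// Pattern with the bug: grant, do the work, then revoke unconditionally.
// A user who had already allowed the entry loses that choice on revert.
function overrideNaive(store, url, work) {
  store.allowed.add(url);
  try { return work(); } finally { store.allowed.delete(url); }
}

// Corrected pattern: record whether the entry pre-existed and undo only
// what this call added, even if the work throws.
function overrideScoped(store, url, work) {
  const addedHere = !store.allowed.has(url);
  if (addedHere) store.allowed.add(url);
  try { return work(); } finally { if (addedHere) store.allowed.delete(url); }
}

// Audit helper: compare the current whitelist with a baseline snapshot and
// report entries that appeared or disappeared without the user acting.
function diffPolicy(before, after) {
  return {
    added: [...after].filter((s) => !before.has(s)).sort(),
    removed: [...before].filter((s) => !after.has(s)).sort(),
  };
}

function demo() {
  const PLAYER = "file:///constructed/player.swf"; // constructed sample URL
  const userChoice = ["https://example.org", PLAYER]; // user already allowed it
  const a = new PolicyStore(userChoice);
  const baseA = a.snapshot();
  overrideNaive(a, PLAYER, () => "loaded");
  const b = new PolicyStore(userChoice);
  const baseB = b.snapshot();
  overrideScoped(b, PLAYER, () => "loaded");
  return { naive: diffPolicy(baseA, a.allowed), scoped: diffPolicy(baseB, b.allowed) };
}

console.log(JSON.stringify(demo(), null, 2));
```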
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Does NoScript block JScript in local files

Post by GµårÐïåñ »

My position is that regardless of where you are coming from and what the scope of your modification is, it shouldn't happen, especially as your modification is affecting the users of that extension adversely on a wider scope than you are operating. So at the very least, you should have asked for permission so the author can work with you to set up a proper way to do it. Now, thanks after the fact it has come to light you are owning up to it but yeah being defensive using ANY logic is not the way to go here, you messed up pure and simple regardless of the reasoning. Now that you brought it up, I am sure Giorgio will respond and as he is a nice guy, he will probably be a bit more diplomatic in hiding his distaste on this matter. But luckily as a user, I don't have to afford that consideration and can be blunt.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Does NoScript block JScript in local files

Post by Grumpy Old Lady »

Hi Jorge
Any relation to the great composer?
Your post here is a good introduction to the Wild West - oops - Firefox community.
Be welcome and now go and work with Giorgio to keep us safer :-) You can PM him from here if you can't find his email on his site.
maone.net
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
jorge.villalobos
Posts: 2
Joined: Tue Aug 25, 2009 9:11 pm

Re: Does NoScript block JScript in local files

Post by jorge.villalobos »

Hello GOL 8-),
Grumpy Old Lady wrote:Any relation to the great composer?
You mean Heitor Villa-Lobos? Nope. At least that's the best result Wikipedia gave me, and I'm pretty sure I don't have world-famous musicians in my family :-).
Thank you for your help, I've followed your advice and sent Giorgio a PM. Hopefully we'll have a new update posted to AMO this week.

Jorge - Fire.fm Team
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Does NoScript block JScript in local files

Post by Giorgio Maone »

Hi Jorge,

here's a patch against Fire.fm 1.2.4:


--- resources/fmPlayerInitializer.old	2009-06-04 13:11:48.000000000 +0200
+++ resources/fmPlayerInitializer.js	2009-08-26 13:17:17.359375000 +0200
@@ -65,6 +65,4 @@ const STOPAUTOPLAY_UUID = "{2e61e246-e64
 const MEDIAWRAP_UUID = "{dd68c513-9296-4b63-8d8b-8f1c991c8a48}";
 
-// NoScript revert timeout
-const NOSCRIPT_TIMEOUT = 10000;
 // Flashblock and similar extensions timeout.
 const FLASHBLOCK_TIMEOUT = 100;
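Review bot: NOSCRIPT_TIMEOUT is deleted here along with its comment, so any reference left elsewhere in fmPlayerInitializer.js would throw a ReferenceError when reached. The only use visible in this patch is the timer.initWithCallback call removed in the next hunk; a search of the rest of the file for the name before merging would confirm there is no other.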
@@ -400,47 +398,12 @@ FireFM.PlayerInitializer = {
     try {
       // the extension could be disabled.
-      if (Cc["@maone.net/noscript-service;1"]) {
+      if ("@maone.net/noscript-service;1" in Cc) {
         let noscriptService =
           Cc["@maone.net/noscript-service;1"].getService().wrappedJSObject;
-        let trustedSites = noscriptService.jsPolicySites.clone();
-
-        if ("" == trustedSites.matches(aFlashURL)) {
-          trustedSites.add(aFlashURL);
-          noscriptService.setJSEnabled(trustedSites.sitesList, true, true);
-          this._logger.info("Noscript overridden");
-
-          // Revert the changes after the window loads
-          let timer = Cc["@mozilla.org/timer;1"].createInstance(Ci.nsITimer);
-          timer.initWithCallback(
-            { notify : function(aTimer) {
-              FireFM.PlayerInitializer._revertNoscript(aFlashURL); }},
-            NOSCRIPT_TIMEOUT, Ci.nsITimer.TYPE_ONE_SHOT);
-        }
+        noscriptService.setAllowedObject(aFlashURL, "application/x-shockwave-flash");               
       }
     } catch (e) {
       this._logger.warn("Error overriding Noscript: " + e);
     }
-  },
-
-  /**
-   * Reverts the changes that were made in the _overrideNoscript method to
-   * return the NoScript rules to their original state.
-   * @param aFlashURL The URL of the Fire.fm flash player.
-   */
-  _revertNoscript : function(aFlashURL) {
-    this._logger.trace("_revertNoscript");
-
-    try {
-      let noscriptService =
-        Cc["@maone.net/noscript-service;1"].getService().wrappedJSObject;
-      let trustedSites = noscriptService.jsPolicySites.clone();
-
-      trustedSites.remove([aFlashURL], true);
-      noscriptService.setJSEnabled(trustedSites.sitesList, true, true);
-      this._logger.info("Noscript reverted");
-
-    } catch (e) {
-      this._logger.warn("Error reverting Noscript changes: " + e);
-    }
   }
 };
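Review bot: the added noscriptService.setAllowedObject(aFlashURL, "application/x-shockwave-flash") call in _overrideNoscript has nothing that undoes it and no comment on how long the permission lasts, whereas the removed code reverted its change through _revertNoscript after NOSCRIPT_TIMEOUT. A one-line comment stating the intended lifetime and scope of the permission (this URL and this MIME type only) would make that explicit. The "Noscript overridden" info message is dropped without a replacement, so a success log after the call would keep the trace useful. The doc comment for _overrideNoscript quoted earlier in the thread still says it temporarily adds the URL to the whitelist, which no longer matches what the function does, and the added line carries trailing whitespace.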
As you can see, Fire.fm 1.2.5 will be quite lighter ;)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
jose.bolanos
Posts: 1
Joined: Thu Aug 27, 2009 2:22 am

Re: Does NoScript block JScript in local files

Post by jose.bolanos »

Hi Giorgio,

My name is Jose E. Bolanos, I'm the other developer of Fire.fm. We have applied your patch and uploaded a new version, 1.2.5, to AMO; hopefully it will be approved soon.

We really appreciate your help resolving this matter. Thank you!

Best regards,
Jose E.
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2