HTTPS forbid active web content

mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

HTTPS forbid active web content

Post by mik33mik »

I have tested the new feature:
HTTPS forced on background requests (images, stylesheets,
scripts, embeddings, AJAX...)
with the PoC, images, scripts, stylesheets, in this site:
http://crypto.stanford.edu/websec/safelock/

but it doesn't work. Web content from http isn't blocked.
Why?

Thanks in advance
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: HTTPS forbid active web content

Post by Giorgio Maone »

"HTTPS forced on background requests" applies to destinations matching the NoScript Options|Advanced|HTTPS|Behavior|Force HTTPS patterns.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

Re: HTTPS forbid active web content

Post by mik33mik »

Ok, Thanks!

I have put these URLs:

Code:

https://crypto.stanford.edu/~collinj/research/mixed-content/images
https://crypto.stanford.edu/~collinj/research/mixed-content/stylesheets
https://crypto.stanford.edu/~collinj/research/mixed-content/scripts

in the HTTPS field, but the image

Code:

http://crypto.stanford.edu/~collinj/research/mixed-content/images/globe.png

the script and the CSS aren't blocked (like in Internet Explorer).

With the CSS test I obtain only a warning about an encrypted page that contains unencrypted information, but the CSS is loaded, and the lock icon is broken.

How can I block this behavior?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: HTTPS forbid active web content

Post by Giorgio Maone »

Please just use either
  • crypto.stanford.edu (domain) or
  • crypto.stanford.edu/~collinj/research/mixed-content/* (glob pattern) or
  • ^http://crypto\.stanford\.edu/~collinj/research/mixed-content/(?:images|stylesheets|scripts) (regular expression).
The entries you put there couldn't work because
  1. They're matching the https:// requests, but not the http:// ones (which are the ones we want to force)
  2. They're treated as literals, rather than patterns, and therefore would match the directories only
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
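To make the two failure reasons above concrete, here is an added example (not NoScript's own code) that models the three Force HTTPS entry kinds from the reply next to the literal URLs the original poster entered, and rewrites a matching http:// request to https:// rather than blocking it. The classification rules (leading "^" means regex, "*" means glob, no "/" means bare domain, anything else is a literal URL) are assumptions for this illustration, and the domain typo in the reply is corrected.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed test data: the poster's literal entries, the three suggested
# pattern kinds (domain typo corrected) and the image URL from the thread.
POSTER_ENTRIES = [
    "https://crypto.stanford.edu/~collinj/research/mixed-content/images",
    "https://crypto.stanford.edu/~collinj/research/mixed-content/stylesheets",
    "https://crypto.stanford.edu/~collinj/research/mixed-content/scripts",
]
SUGGESTED_PATTERNS = [
    "crypto.stanford.edu",                                    # domain
    "crypto.stanford.edu/~collinj/research/mixed-content/*",  # glob
    r"^http://crypto\.stanford\.edu/~collinj/research/mixed-content/(?:images|stylesheets|scripts)",
]
IMAGE_URL = "http://crypto.stanford.edu/~collinj/research/mixed-content/images/globe.png"

def classify(pattern):
    """Assumed rules: leading '^' = regex, '*' = glob, no '/' = domain, else literal."""
    if pattern.startswith("^"):
        return "regex"
    if "*" in pattern:
        return "glob"
    if "/" not in pattern:
        return "domain"
    return "literal"

def matches(pattern, url):
    parts = urlsplit(url)
    kind = classify(pattern)
    if kind == "regex":
        return re.search(pattern, url) is not None
    if kind == "glob":
        # '*' matches any run of characters, '/' included; the rest is literal
        rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        return re.match(rx, parts.netloc + parts.path) is not None
    if kind == "domain":
        host = parts.hostname or ""
        return host == pattern or host.endswith("." + pattern)
    # A literal entry matches only the exact URL, scheme included, so an https://
    # directory entry never matches an http:// request for a file inside it.
    return url == pattern

def force_https(url, patterns):
    """Turn a matching http:// request into https:// instead of blocking it."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not any(matches(p, url) for p in patterns):
        return url
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
```

With the poster's literal entries the image request is returned unchanged; with any one of the three suggested patterns it comes back as the https:// URL.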
mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

Re: HTTPS forbid active web content

Post by mik33mik »

Thanks! Now it works with a glob pattern or a regular expression.

Another question, in the Stylesheets test, shouldn't the background color be white? Why is it blue?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: HTTPS forbid active web content

Post by Giorgio Maone »

mik33mik wrote:
> Thanks! Now it works with a glob pattern or a regular expression.
>
> Another question, in the Stylesheets test, shouldn't the background color be white? Why is it blue?
No. Whenever possible, NoScript turns the request from HTTP into HTTPS, instead of blocking it: since the same stylesheet is served from https://crypto.stanford.edu/%7Ecollinj/research/mixed-content/stylesheets/style.css, you got a "secured" blue over SSL ;)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

Re: HTTPS forbid active web content

Post by mik33mik »

Thanks!

Thank you ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18
Aerik
Junior Member
Posts: 40
Joined: Fri Mar 20, 2009 5:24 pm

RequestPolicy interference!

Post by Aerik »

Whoa. Whoa, whoa, whoa whoa. Whoa. Whoa. OK.

I was going to post about this conflict in a new thread, but it seems to apply here.

There are many cases in which NoScript's force-HTTPS and RequestPolicy 0.5.3 in its strict address mode clash.

When I am on a page where I should have NoScript forcing a secure connection, RequestPolicy is blocking that redirect/refresh.

For example in this safelock test for stylesheets, I have to

"temporarily allow requests from https://crypto.stanford.edu... to http://crypto.stanford.edu..." just for NoScript to be able to reconfigure the stylesheet's location into HTTPS, and only then can I see the blue background.

In short, RequestPolicy's 3rd mode completely preempts NoScript's force HTTPS feature.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090319 Shiretoko/3.5b4pre
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: RequestPolicy interference!

Post by Giorgio Maone »

Aerik wrote:
> In short, RequestPolicy's 3rd mode completely preempts NoScript's force HTTPS feature.
No surprise here.
NoScript's policy runs as the last one by design (in order to gain some predictability in its interaction with other Content Policies, such as AdBlock Plus and RequestPolicy), so RequestPolicy detects a cross-site request before it is turned into a same-site request by NoScript.
I guess you must live with that and/or configure site-by-site exceptions when it's needed.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
Aerik
Junior Member
Posts: 40
Joined: Fri Mar 20, 2009 5:24 pm

Re: HTTPS forbid active web content

Post by Aerik »

Oh yeah, the last content policy rule, I forgot about that. Hmm. Would this kind of thing go better with ABE?

And with or without ABE, do you see any version in the future that employs the force HTTPS feature as the first policy and everything else last?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090320 Shiretoko/3.5b4pre
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: HTTPS forbid active web content

Post by GµårÐïåñ »

I know this has been a while, but Giorgio, do you know of an easy way to create or specify action order? Say you have 4 extensions and you want them to exert authority in a certain order rather than the built-in defaults: is there a GUI or non-GUI way to modify this order? Almost like tab order in a form GUI, but for policy processing instead. This way a person can choose which order they want and can, say, choose to have NoScript go first, etc. In the meantime, until future developments are completed and RequestPolicy and such are updated to maybe allow it by options, can this order be modified manually to override?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 NoScript/1.9.1.7 FlashGot/1.1.8.5 FirePHP/0.2.4