http://lifehacker.com/5483611/chrome-be ... t-controls
As for cookies, images, JavaScript, plug-ins, and pop-ups, you can now set Chrome up in each case to always block them, always allow them, or accept them only from sites you add to a list. For hardcore fans of NoScript, FlashBlock, and other such web streamlining tools, that's a pretty nice addition.
NoScript now embedded into Chrome??
NoScript now embedded into Chrome??
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Re: NoScript now embedded into Chrome??
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
- Giorgio Maone
- Site Admin
- Posts: 9455
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: NoScript now embedded into Chrome??
It's a first step, but quite different yet.
If you enable JavaScript on a certain site, you're automatically enabling all the 3rd party scripts loaded by pages on that site, even though you didn't whitelist them.
Furthermore, you have not even an easy way to see them.
This is a great weakness if you want to use this feature for security/privacy purposes, because if a site in your whitelist gets compromised with an iframe or script injection, or it includes tracking scripts, you've got no defense.
If you enable JavaScript on a certain site, you're automatically enabling all the 3rd party scripts loaded by pages on that site, even though you didn't whitelist them.
Furthermore, you have not even an easy way to see them.
This is a great weakness if you want to use this feature for security/privacy purposes, because if a site in your whitelist gets compromised with an iframe or script injection, or it includes tracking scripts, you've got no defense.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Re: NoScript now embedded into Chrome??
FYI: I have had to disable this option as it totally messes up Extensions. There seems to be no way to make sure Extension operate correctly when Java Security is initiated in the current approach.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Chrome/5.0.322.2 Safari/533.1
Re: NoScript now embedded into Chrome??
http://lifehacker.com/5177709/chrome-th ... wn-contest
Wow at Chrome being the only unhacked browser. Amazing.
I wonder what's more secure: Firefox with NoScript or Chrome with its superior sandboxing and security features?
If FF + NoScript, just how much more vulnerable is Chrome? I love Chrome but not sure if I feel secure enough with just using Chrome's blanket Allow All or Disallow All javascript blocking.
Wow at Chrome being the only unhacked browser. Amazing.
I wonder what's more secure: Firefox with NoScript or Chrome with its superior sandboxing and security features?
If FF + NoScript, just how much more vulnerable is Chrome? I love Chrome but not sure if I feel secure enough with just using Chrome's blanket Allow All or Disallow All javascript blocking.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.8 Safari/533.2
- Giorgio Maone
- Site Admin
- Posts: 9455
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: NoScript now embedded into Chrome??
Chrome as no "superior" security features over Firefox+NoScript, sandboxing aside (Firefox will get some in 3.7, probably).Vux wrote:I wonder what's more secure: Firefox with NoScript or Chrome with its superior sandboxing and security features?
To say it all, NoScript as many more security features than Chrome (e.g. ClearClick or ABE), and the Google crew had even to disable their "XSS Auditor" filter (which already was quite easy to bypass) because of serious performance problems, so serious XSS protection is again a bullet point for NoScript (IE8's competition on that side is a gun aimed at your feet )
Most important, sandboxing is definitely overrated (yes, SandboxIE, I'm looking at you).
In this Web 2.0+ age, the ability to touch your hard disk and other system resources (which is what sandboxes try to impair) is not very important anymore: your in-browser password store and the services you access online (e.g. credit card transactions) are the most valuable targets, and an attacker can "own" them even without the need of a browser exploit (a web application vulnerability is enough). Of course, a browser vulnerability is a bonus, but manipulating to the browser process is more than enough, and no sandboxing can help you with that.
Notice that I've been talking about this stuff already more than two years ago
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Re: NoScript now embedded into Chrome??
Well, my point is that if you go to a malicious website, is Chome with JavaScript disabled just as safe as going to a malicious website with NoScript and everything disabled?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.8 Safari/533.2
- Giorgio Maone
- Site Admin
- Posts: 9455
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: NoScript now embedded into Chrome??
Nope, Chrome is much less safe because it lacks defenses against several kind of non-Javascript attacks, including plugin-based ones, XSS, CSRF and Clickjacking.Vux wrote:Well, my point is that if you go to a malicious website, is Chome with JavaScript disabled just as safe as going to a malicious website with NoScript and everything disabled?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Re: NoScript now embedded into Chrome??
Hi Giorgio,
I am just wondering if there have been any developments that you are involved in or know of that continues to improve security for Chrome?
I am just wondering if there have been any developments that you are involved in or know of that continues to improve security for Chrome?
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.8 (KHTML, like Gecko) Chrome/5.0.396.0 Safari/533.8
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: NoScript now embedded into Chrome??
What chrome is offering is nothing more than an all or nothing band-aid. It is no different than what is built-in for Firefox by default. If anything, they should be ashamed that it took them this long to provide it. It gives no granular control over individual sites, partial sites, or as Giorgio stated the myriad of other benefits that NoScript provides. At least with Fx there is a REAL API to provide someone like Giorgio the ability to provide that granular control over more aspects of security than saying "let's block everything or nothing", even if it can be done on a per site basis. To top it off, they are taking it out of the hands of the people and trying to do it themselves, which has many other implications that no one ever considers. The question people should be asking is why doesn't google provide the API for developers to use instead of locking it in the code without any way to actually use it in any meaningful way?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Re: NoScript now embedded into Chrome??
Hello Fionaavr,Fionaavr wrote:FYI: I have had to disable this option as it totally messes up Extensions. There seems to be no way to make sure Extension operate correctly when Java Security is initiated in the current approach.
If you don't mind me asking, which extensions did it affect?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Re: NoScript now embedded into Chrome??
Hi Davezilla,
It was Forecastfox Weather - it seems no longer to be an issue with 6.XX. I still am not using Chrome as the default browser owing the to the other (i.e. ABE) ongoing security deficiencies, fwiiw.
It was Forecastfox Weather - it seems no longer to be an issue with 6.XX. I still am not using Chrome as the default browser owing the to the other (i.e. ABE) ongoing security deficiencies, fwiiw.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 GTB7.0
Re: NoScript now embedded into Chrome??
OK thanks for the reply.Fionavar wrote:Hi Davezilla,
It was Forecastfox Weather - it seems no longer to be an issue with 6.XX. I still am not using Chrome as the default browser owing the to the other (i.e. ABE) ongoing security deficiencies, fwiiw.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Re: NoScript now embedded into Chrome??
Does this finally make Chrome as safe as using NoScript?Google Chrome Now Has Resource-Blocking Adblock
http://apple.slashdot.org/story/10/07/2 ... ng-Adblock
"It seems to have slipped under the radar, but Google Chrome now has resource-blocking abilities, and may have had the ability for some time. Using the 'beforeload' event on the document, an extension can now intercept resources from loading. Adblock for Chrome has already added it, and I expect the other 'ad-blocking' extensions have as well. Before you start praising Google, however, it's the WebKit team that deserves your credit; one Chromium developer responded to praise by stating '... thank Apple — they added it to WebKit, we just inherited it.' Firefox vs. Chrome just got a bit more exciting."
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: NoScript now embedded into Chrome??
Not by a long shot. That false sense of security is what will destroy many and if they fall for it, they have no one to blame but themselves.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
________________ .: [ Major Mike's ] :. ________________
Mozilla/Gecko