[Resolved] NoScript and colbertnation?

Ask for help about NoScript, no registration needed to post
kukla
Senior Member
Posts: 321
Joined: Mon May 04, 2009 12:08 am

Post by kukla »

Have tried everything I can think of. Temporarily allowed all this page and disabled AdBlock but still can't get this video to play. I get a spinning gear as if it's loading, but it disappears after a few seconds and the frame where the video should play just remains black. Running the latest Flash (and the latest NS) and I'm allowing Flash from the placeholder. I have forbid iframe checked in NS. I have Ghostery, but all it's finding on the page are trackers and I even temporarily whitelisted colbertnation in Ghostery. Don't know if this is a NoScript thing or not, but any ideas would be welcome. Thanks.

http://www.colbertnation.com/the-colber ... ul-krugman
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript and colbertnation?

Post by therube »

WFM.
Allowed colbertnation.com.
An ad played, then the expected clip (Flash format).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20110910 Firefox/7.0 SeaMonkey/2.4
kukla
Senior Member
Posts: 321
Joined: Mon May 04, 2009 12:08 am

Re: NoScript and colbertnation?

Post by kukla »

I allowed colbertnation and mtvnservices. Disabled ABP on colbertnation. And already tried temporarily allowing all. As before, I get the spinning gear then nothing.

I am seeing this message, however:

[ERROR: Ad not created, please check your config to enable CODA ads]

You said an ad played first. Maybe that's the key? But I have disabled ABP on colbert. Have no idea how to change my config to enable CODA ads, or even what that is.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript and colbertnation?

Post by Tom T. »

Using Fx 3.6.22, this played fine after temp-allowing scripting from:

colbertnation
comedycentral
mtvnservices

RequestPolicy: Temp-allow requests from colbertnation to comedycentral and mtvnservices.

Are you allowing comedycentral.com?

No ads playing, despite no adblock software. Flash block-logo appears (I have Flash and all other plug-ins blocked by default). Click, allow, video loads and plays.

FWIW, for ad blocking, I use Fx's built-in image-blocking (Tools > Options > Content > Check "Load Images Automatically" > Exceptions) and add sites (like ad agencies) that you don't want loading still images.

NoScript will stop those delivered with scripting, plug-ins, and/or iFrames, which is 99%+ of them.

Using a HOSTS file service also blocks many ads and annoyances, as well as malicious sites as reported by users. These types of solutions do not require additional software and remain under your own control.

If this is a Fx 6 problem, there's a good reason to go back to 3.6.x. ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.22) Gecko/20110902 Firefox/3.6.22
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: NoScript and colbertnation?

Post by GµårÐïåñ »

I got the same results as @Tom T. and I have the same configuration with NS+RP+ABP and all I did was temp allow the main, RP allowed to the resources, and all was fine after that. You might have something else at play possibly, have you tried with a clean profile? (not sure if already suggested or not)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/6.9 (Windows NT 6.9; rv:6.9) Gecko/69696969 Firefox/6.9
kukla
Senior Member
Posts: 321
Joined: Mon May 04, 2009 12:08 am

Re: NoScript and colbertnation?

Post by kukla »

I discovered what it was. I had the Macromedia folder completely locked up in my OS X 10.6 to prevent any LSOs or anything else being stored. I had done this years before the new Preference Pane arrived with Flash 10.3. After temporarily trashing that folder, I was able to play the clip. Seems mtvn services (which I think was the culprit) although denied any storage from settings in the new Preference Pane, was happy if it could at least be listed there, which it could now with the old MM folder in the trash. A new, unlocked MM folder got created in its place.

Nothing to do with NoScript.

Thanks for all the replies and the help.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [Resolved] NoScript and colbertnation?

Post by Tom T. »

Glad it was resolved. As for Flash cookies/LSO etc., here is a small, lightweight tool that I wrote a while back to clean all such junk with two clicks. It's Windows-only, and I'm not Mac-friendly, but if you can substitute the appropriate file paths and commands in Mac-speak, you can let these sites run, then clean them afterward.

Another way is to use a virtualizing solution. My personal choice, Sandboxie, doesn't support Mac, unfortunately. But there are many others out there, and some surely do. Check, e.g., VMware Workstation. The idea is, these things are stored in a cloned, "virtual" folder, and when you close the browser, the cloned hard drive, registry, user and app folders, etc. are all deleted. Great safety measure too, because any malware picked up also goes away. Nothing can be written to the hard drive. Hope that helps.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.22
kukla
Senior Member
Posts: 321
Joined: Mon May 04, 2009 12:08 am

Re: [Resolved] NoScript and colbertnation?

Post by kukla »

Thanks Tom. Just came back and saw your post. My solution is to go back to the locked folder. From what I understand, what I encountered is a very rare situation with 1395 streaming video content in Flash. If I need to see something from Comedy Central or if it happens again, I'll know what to do, but for now I'll just keep the Macromedia folder empty and locked up from top to bottom. This was also the first time I ever saw the Firefox plug-in container (from Little Snitch.) I'd probably be OK just relying on the Flash 10.3 Preference Pane, as long as I don't allow any storage to begin with (once you do and allow any LSOs, at that point deleting all data doesn't remove them), but I don't completely trust that. With the locked empty folder, I've never gotten any LSOs, or anything else, for that matter, and Flash, except for this situation, works just fine everywhere else.

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [Resolved] NoScript and colbertnation?

Post by Tom T. »

OK, if it works for you, very good.
Have you checked out the add-on, RequestPolicy, which gives you instant visible notice and control of such cross-site resource or contact requests? Strongly recommended for all Fx users.
I don't trust Adobe either (or anyone else, for that matter), don't allow contact with them, don't store preferences at their site. I let them put their one-time LSO and preference files inside the sandbox, then dump them - gone, until the next time.

Side note: As you may know, Adobe has become quite the target for evil-doers, with frequent vulnerabilities found in Flash and Acrobat. I don't use Adobe Reader (Foxit is 1/100 the footprint, free, and easy to disable support for executable content in pdfs), and the sandboxing or virtualizing is another defense-in-depth against the next zero-day vuln in Flash and possibly watching a corrupted or malicious video. How do we know which of the millions of vids at YouTube are safe, or not?

Just food for thought. Glad the issue was resolved; if you're happy, we're happy. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.22
kukla
Senior Member
Posts: 321
Joined: Mon May 04, 2009 12:08 am

Re: [Resolved] NoScript and colbertnation?

Post by kukla »

Thanks for the tip on RequestPolicy. I'll check it out, but I have the feeling I'm heading for a divorce if I try to add another "obstacle" to my wife's browsing experience. We share this computer and, with some occasional grumbling, she's now putting up with NoScript. She accepts it because she understands the need for safety, but I don't know if she'll be able to put up with another layer. In addition to AdBlock, RefreshBlocker, Ghostery, and Redirect Remover, it may prove to be the last straw. And, I guess at a certain point you just have to throw up your hands and accept that some tracking or incursions on privacy -- which, from reading the reviews, appears to be one of RP's main functions -- are inevitable. Otherwise, it just becomes too much work. But I will install it and see for myself just how crazy/PITA it makes things if I do. I didn't realize that NoScript wasn't completely effective in dealing with Cross Site requests. Little Snitch for OS X seems to have caught this particular one from viacom.

As for some kind of PDF reader, the native Preview Application in OS X works for 99% of PDFs. I have it set as the default. I only use Reader for some specific printing tasks. I know Flash and Reader are under relentless attack, and Adobe can't roll out the patches fast enough.

As for the YT videos, it was my understanding -- which may need correcting -- that malicious code can't easily make it through YT. Do you know of any specific exploits that have occurred via YT videos?
I don't think YouTube allows uploading arbitrary files directly. I've never tried posting something to YouTube, but my vague impression is that you send YouTube a video file, and then if YouTube can parse and process it, that file gets wrapped up in YouTube's Flash player wrapper for delivery. It would probably be difficult to get a Flash exploit attached to a video in such a manner that it would survive the whole process, although I can't prove it would be impossible.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
kukla
Senior Member
Posts: 321
Joined: Mon May 04, 2009 12:08 am

Re: [Resolved] NoScript and colbertnation?

Post by kukla »

I played with RequestPolicy a bit. Too bad there's no way to toggle it on/off. That way, I could use it on a per site basis when I think a site might be kind of dicey.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [Resolved] NoScript and colbertnation?

Post by Tom T. »

kukla wrote:... I have the feeling I'm heading for a divorce if I try to add another "obstacle" to my wife's browsing experience. We share this computer and, with some occasional grumbling, she's now putting up with NoScript. ...
You can probably imagine how many times we read that here: "I love NoScript, but my (spouse, parents, children, Grandma, Significant Other... ) can't handle it..."
I sympathize!
kukla wrote: I didn't realize that NoScript wasn't completely effective in dealing with Cross Site requests. Little Snitch for OS X seems to have caught this particular one from viacom.

I think the developers can explain the differences better than I can. ;) First, please review this NS FAQ, then please review the Request Policy FAQ, especially where he compares RP to NS, though I believe he understates NS's protection against CSRF, probably by not being fully familiar with ABE.

As I type this, script from informaction.com, where this site is hosted, is allowed, but requests to tinypic.com are blocked by RP, not because I don't trust tinypic, but because I don't need it at this time. Principle of Least Privilege, and why use the bandwidth? Tinypic is not trying to run script here, and so doesn't show in NS menu.

I hope those answers will explain the difference. Note that RP's dev strongly urges users to use NS:
Justin Samuel wrote:NoScript is an amazing extension and is absolutely essential (like RequestPolicy) to using Firefox securely. It is best to use both RequestPolicy and NoScript.
while RP was first recommended to me by NS dev Giorgio Maone himself. I'm guessing that Giorgio doesn't return the favor on his page because, as said above, too many novices panic at first seeing NS, so asking them to install yet another "need-a-user-decision" add-on is liable to make them throw up their hands and walk away. Most who use RP are tech-savvy enough to consider NS a piece of cake, and *probably* already have NS. Firefox Add-ons shows 30x as many NS users as RP users.

btw, I didn't realize that Firefox Add-ons now shows "users" vs. "downloads", as I haven't added any new add-ons in a while. I think NS d/ls are probably about 90 million by now, and not sure where Moz. gets the stats on unique users, or how they know. If my large family or fraternity house has 20 users all using one computer, and all actively using NS... If I own two computers (which I do, bought three years apart) and d/l NS twice, it means I liked it on the first one enough to put it on the second one.
kukla wrote: As for the YT videos, it was my understanding -- which may need correcting -- that malicious code can't easily make it through YT. Do you know of any specific exploits that have occurred via YT videos?
I don't actually visit YT that often, have never uploaded anything, and don't know the mechanics behind it. It was just an example - there are lots of other sites where a Flash vuln could be exploited, such as an ad on a legit page, though most often, through the old link-in-e-mail trick. "Paris Hilton video here!" :mrgreen: -- OK, that's probably not going to snag your wife, but the very same low-tech users who find NS intimidating are the ones most likely to fall for some kind of social engineering, no?
kukla wrote: I don't think YouTube allows uploading arbitrary files directly. I've never tried posting something to YouTube, but my vague impression is that you send YouTube a video file, and then if YouTube can parse and process it, that file gets wrapped up in YouTube's Flash player wrapper for delivery. It would probably be difficult to get a Flash exploit attached to a video in such a manner that it would survive the whole process, although I can't prove it would be impossible.
If YT does any selectivity at all, how do all those copyrighted songs and records get through? Seriously, I've wondered. Every once in a while, a song I like gets taken down for copyright violation, but there are ten other versions of it - original CD or vinyl record, live performances, etc. Only when the copyright owner complains does something happen. So it didn't seem like there was much vetting. Given the number uploaded every day, seems impossible - and look at the amateur street vids from Libya, Syria, Egypt, etc.

I'm guessing one could insert a bit of malicious code into an otherwise-legit video, but I've never tried it and don't intend to. ;)

Does anyone else have more info on whether this is possible, and what safeguards YT uses, if any?
kukla wrote: I played with RequestPolicy a bit. Too bad there's no way to toggle it on/off. That way, I could use it on a per site basis when I think a site might be kind of dicey.
We close this post with good news! If your wife can do one right-click and one left-click, she can toggle it off for her session, and you get the machine back with the full protection in place, or can toggle it off the same way.

Wife: R-click RP red flag logo. L-click "Temporarily allow all requests". She'll browse as if it weren't there.

You either start a new session (close browser and restart), or just do what she did - R-click the now-yellow logo, and L-click the same "Temp" permission, which removes the checkmark.

Anything that can be done or undone in two clicks is a toggle in my book. 8-)
- Tom
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.22) Gecko/20110902 Firefox/3.6.22
kukla
Senior Member
Posts: 321
Joined: Mon May 04, 2009 12:08 am

Re: [Resolved] NoScript and colbertnation?

Post by kukla »

Tom T wrote:We close this post with good news! If your wife can do one right-click and one left-click, she can toggle it off for her session, and you get the machine back with the full protection in place, or can toggle it off the same way.

Wife: R-click RP red flag logo. L-click "Temporarily allow all requests". She'll browse as if it weren't there.

You either start a new session (close browser and restart), or just do what she did - R-click the now-yellow logo, and L-click the same "Temp" permission, which removes the checkmark.

Anything that can be done or undone in two clicks is a toggle in my book. 8-)
Duh, yes that's a toggle alright. :o (And no need to right click. Can be done directly from icon also.) Thanks.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [Resolved] NoScript and colbertnation?

Post by Tom T. »

kukla wrote: Duh, yes that's a toggle alright. :o (And no need to right click. Can be done directly from icon also.)
My turn to Duh: r-click is just force of habit, from the many context menus that *do* require it. Sometimes, that's easier than trying to remember which require r-c and which don't. :?
kukla wrote: Thanks.
You're very welcome. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.22
kukla
Senior Member
Posts: 321
Joined: Mon May 04, 2009 12:08 am

Re: [Resolved] NoScript and colbertnation?

Post by kukla »

I've been trying out RequestPolicy. A follow-up question about the similarities and differences in using NoScript with RequestPolicy: I'm seeing that NS and RP are often blocking the same sites. For example, for the NY Times, both NoScript and RP are blocking krxd, eyewonder and checkm8, all of which WOT, by the way, reviews very negatively. First, am I correct in assuming that both NoScript and RP are blocking the same scripts from loading? NoScript is blocking them from loading directly from the Times, while RP is blocking requests for these same scripts to these third party sites?

Besides blocking scripts from these same sites, krxd, eyewonder and checkm8, is RP, possibly, also blocking something other than scripts from these sites and if so, what might that be? In other words, in addition to blocking scripts, what else might RP be blocking from these sites that NS isn't that would affect privacy? Are there differences or, in this case at least, is there complete redundancy? (I understand requests may be for a number of other things besides scripts.)

I'm trying to understand -- besides providing more granularity for control over scripts when used with NoScript, which I understand -- if in this particular scenario with these particular sites from the Times, RP might be providing some distinct, additional benefit? Would RP, since it is not only blocking JS from these sites, at least hypothetically, be blocking some way other than by JavaScript these sites might have of tracking or infringing on privacy? (I'm thinking Cookies, but I don't allow cookies from third party sites.)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
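
The overlap and the difference asked about in the post above, as an added example that is not part of the thread and is not NoScript's or RequestPolicy's code: a simplified model of a script blocker and of a cross-site request policy applied to the same request list. The host names, the allow lists and the two-label `siteOf` rule are constructed assumptions, and the model ignores NoScript features such as ABE.

```javascript
// Added illustration: simplified models, not NoScript's or RequestPolicy's code.
// All host names and allow lists below are constructed.

// Assumption: "site" = last two host labels (no public-suffix handling).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Script-blocker model: only active content (script, plug-in object,
// frame) is stopped, and only when its source site is not allowed.
const ACTIVE_TYPES = new Set(['script', 'object', 'subdocument']);
function scriptBlockerBlocks(req, allowedSites) {
  return ACTIVE_TYPES.has(req.type) && !allowedSites.has(siteOf(req.dest));
}

// Request-policy model: every cross-site request is stopped, whatever its
// type, unless the origin -> destination pair is allowed.
function requestPolicyBlocks(req, allowedPairs) {
  const origin = siteOf(req.origin);
  const dest = siteOf(req.dest);
  return origin !== dest && !allowedPairs.has(`${origin} -> ${dest}`);
}

function compare(requests, allowedSites, allowedPairs) {
  return requests.map((req) => ({
    dest: req.dest,
    type: req.type,
    scriptBlocker: scriptBlockerBlocks(req, allowedSites),
    requestPolicy: requestPolicyBlocks(req, allowedPairs),
  }));
}

// Requests that pass the script blocker but not the request policy.
function onlyStoppedByRequestPolicy(rows) {
  return rows.filter((r) => r.requestPolicy && !r.scriptBlocker)
             .map((r) => `${r.type} ${r.dest}`);
}

const PAGE = 'www.news.example';
const SAMPLE_REQUESTS = [
  { origin: PAGE, dest: 'www.news.example', type: 'script' },
  { origin: PAGE, dest: 'cdn.tracker-a.example', type: 'script' },
  { origin: PAGE, dest: 'pixel.tracker-a.example', type: 'image' },
  { origin: PAGE, dest: 'static.tracker-b.example', type: 'stylesheet' },
  { origin: PAGE, dest: 'video.media-host.example', type: 'object' },
];
const ALLOWED_SITES = new Set(['news.example', 'media-host.example']);
const ALLOWED_PAIRS = new Set(['news.example -> media-host.example']);

const rows = compare(SAMPLE_REQUESTS, ALLOWED_SITES, ALLOWED_PAIRS);
console.table(rows);
console.log('Only the request policy stops:', onlyStoppedByRequestPolicy(rows));
```

In this model the third-party script is stopped by both, which is the overlap seen in the two menus. The image and stylesheet requests are stopped only by the request policy; with the script blocker alone they still reach the third-party host, which then sees the visitor's IP address and the Referer header even with third-party cookies disabled.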