XSS examples not blocked by Noscript?

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: XSS examples not blocked by Noscript?

Post by al_9x »

Giorgio Maone wrote: Please check latest development build 2.1.8rc1
  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs
  4. logs when script domain is not whitelisted
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: XSS examples not blocked by Noscript?

Post by tlu »

Giorgio Maone wrote: Please check latest development build 2.1.8rc1
Thanks again! Those examples are indeed successfully blocked! (Somehow I was pretty sure that you would come up with a solution - you're really incredible :D )
Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
saywot
Junior Member
Posts: 20
Joined: Wed Aug 03, 2011 4:36 am

Re: XSS examples not blocked by Noscript?

Post by saywot »

Giorgio Maone wrote: Please check latest development build 2.1.8rc1
Confirmed. After AMO caught up with the version ;-)
NS AMO Beta channel subscription.
Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS examples not blocked by Noscript?

Post by Giorgio Maone »

al_9x wrote:
  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs
Done/fixed in latest development build 2.1.8rc2
al_9x wrote: 4. logs when script domain is not whitelisted
By design. You may want to know in advance if a site wants to engage in potentially hostile activities.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: XSS examples not blocked by Noscript?

Post by al_9x »

Giorgio Maone wrote:
al_9x wrote:
  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs
Done/fixed in latest development build 2.1.8rc2
This may not be very important, but I noticed in at least a couple of places (rapidFireCheck, checkInclusions) that you check the pref at the last minute, having done all the preparatory work for the feature in question. In general, I think it's a good idea for a toggle pref to completely bypass the codepath of the functionality it disables, since that could be the reason for and the benefit of disabling it.
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS examples not blocked by Noscript?

Post by Giorgio Maone »

al_9x wrote: I think it's a good idea for a toggle pref to completely bypass the codepath of the functionality it disables, since that could be the reason for and the benefit of disabling it.
It's an optimization for the common case, since preference access (through XPCOM) is relatively expensive and these features are very unlikely to be turned off (hence it makes little sense to observe & cache yet another pref value).
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
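The trade-off the two posts above describe, as an added illustration that is not NoScript's code and is not part of the thread: a late check reads the preference on every call after the preparatory work has already been done, while an early check against a cached value needs an observer to keep that cache fresh but skips the whole code path when the toggle is off. The PrefBranch class, the `filter.enabled` name, the prepare/checkLate/makeEarlyChecker functions and the sample inputs are all constructed for this example; reads of the pref branch are counted as a stand-in for the cost of XPCOM preference access.

```javascript
'use strict';

// Constructed stand-in for an XPCOM-style preference branch. Every read is
// treated as expensive, so reads are counted to compare the two strategies.
class PrefBranch {
  constructor(defaults) {
    this.values = { ...defaults };
    this.observers = [];
    this.reads = 0;
  }
  getBoolPref(name) {
    this.reads += 1;
    return Boolean(this.values[name]);
  }
  setBoolPref(name, value) {
    this.values[name] = Boolean(value);
    for (const observe of this.observers) observe(name);
  }
  addObserver(observe) {
    this.observers.push(observe);
  }
}

// Hypothetical preparatory work a filter would do before deciding anything:
// tokenise the input. The cost is recorded in stats.work.
function prepare(input, stats) {
  const tokens = input.toLowerCase().split(/\s+/).filter(Boolean);
  stats.work += tokens.length;
  return tokens;
}

// Variant 1 (late check): preparation runs unconditionally, then the pref is
// read on every call. No observer or cache is needed, but the work is done
// even while the feature is off.
function checkLate(prefs, stats, input) {
  const tokens = prepare(input, stats);
  if (!prefs.getBoolPref('filter.enabled')) return false;
  return tokens.includes('marker');
}

// Variant 2 (early check): the pref is read once at construction and again
// only when the observer reports a change; while the cached value is false
// the entire code path is bypassed.
function makeEarlyChecker(prefs, stats) {
  let enabled = prefs.getBoolPref('filter.enabled');
  prefs.addObserver((name) => {
    if (name === 'filter.enabled') enabled = prefs.getBoolPref(name);
  });
  return function checkEarly(input) {
    if (!enabled) return false;
    const tokens = prepare(input, stats);
    return tokens.includes('marker');
  };
}

// Drive both variants over the same inputs with the toggle off for the first
// half and switched on for the second, and report reads, work and hits.
function compare(inputs) {
  const latePrefs = new PrefBranch({ 'filter.enabled': false });
  const earlyPrefs = new PrefBranch({ 'filter.enabled': false });
  const lateStats = { work: 0, hits: 0 };
  const earlyStats = { work: 0, hits: 0 };
  const checkEarly = makeEarlyChecker(earlyPrefs, earlyStats);
  inputs.forEach((input, i) => {
    if (i === Math.floor(inputs.length / 2)) {
      latePrefs.setBoolPref('filter.enabled', true);
      earlyPrefs.setBoolPref('filter.enabled', true);
    }
    if (checkLate(latePrefs, lateStats, input)) lateStats.hits += 1;
    if (checkEarly(input)) earlyStats.hits += 1;
  });
  return {
    late: { reads: latePrefs.reads, work: lateStats.work, hits: lateStats.hits },
    early: { reads: earlyPrefs.reads, work: earlyStats.work, hits: earlyStats.hits },
  };
}

// Constructed sample inputs; 'marker' stands in for whatever the filter looks for.
const SAMPLE_INPUTS = [
  'plain text one',
  'marker here',
  'nothing to see',
  'another marker line',
];

console.log(JSON.stringify(compare(SAMPLE_INPUTS)));
```

Both variants return the same verdicts once the toggle is on; they differ only in cost. The late variant pays one preference read per call and tokenises every input, the early variant reads the preference twice in total (once at startup, once when the observer fires) and does no work at all while disabled. Which side of that trade is cheaper depends on how often the toggle is actually off, which is the point the post above makes.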