No script overrides Firefox privacy settings

[Tranas]

If Firefox privacy settings are set not to allow cookies, allowing a script to run via NoScript apparently allows cookies to be set without any warning.

Is there a way to configure NoScript to stop this type of behavior or at least warn that running a script will override/hack the configuration in Firefox?
TIA

[Giorgio Maone]

NoScript does nothing like that.

[Tranas]

Sure it does. Reproducible - set Firfox as described then open www dot geni dot com/ and temporarily allow scripts.

Geni will set cookies for itself and add itself to exceptions in Firefox with no further interaction.

[Tom T.]

Sure it does. Reproducible - set Firfox as described then open http://www.geni.com/ and temporarily allow scripts.

Geni will set cookies for itself and add itself to exceptions in Firefox with no further interaction.

No, it won't, at least, not on Fx 3.6.24.

Will try on Fx 8.01, but you may have malware on your machine.

I noticed that it also tries to run script from Facebook. Probably not relevant, but are you allowing that, and do you have a FB account?

[Tom T.]

Sorry, I temp-allowed *everything*, including not only Facebook scripting, but also their "blocked object" that showed in the Menu, and also google-analytics.com.
No cookie, no Exception in Firefox Cookie Exceptions.

Please try Standard Diagnostic, and if that does not reveal an extension conflict or some corruption -- profile, add-ons, etc., -- please consider the possibility of malware on the machine.

[Tranas]

The behavior is as described and is reproducible.

Selecting "Temporarily allow this page" in NoScript allows the GENI site to set cookies and exceptions for GENI immediately on automatic refresh without any further user interaction.

"Temporarily allow this page" will eventually allow cookies and exceptions to be set by Facebook without further user interaction since the GENI site includes Facebook.

Behavior reproducible on multiple machines with different OS's.

The are no blocked objects shown in the NoScript menu - possibly you could post a screen shot of said blocked object?

[Tom T.]

As a side note, "Temporarily allow all this page" is different from the original instructions, "temp-allow scripting".
"All this page" includes embedded objects on the page, such as Flash videos, etc., not just scripting.

Still, I TA'd the entire page, which brought up new scripts from FB and google. TA all this page again. Blocked object. Allowed it.
Now *everything* is allowed.

No cookie, no exception. No pictures, because it's irrelevant -- can't reproduce the issue.

These multiple machines and platforms - are they all on your own network? Or do you transfer data among them, by Flash drive or other means?
Seems like they're all infected.

If it will be more convincing, find a friend whose machine you've never used, install Fx if not there. If your friend doesn't like it, buy the cheapest, smallest Flash drive you can find -- older models typically go for about USD $5 here -- the important thing is that it's sealed, out of the box, in case your flash drive is carrying diseases. Install Firefox Portable, add NoScript, and try again.

Other than that, please follow the recommended advice in the previous post. As Giorgio Maone told you, there is *nothing* in NoScript that would do that. He ought to know -- he wrote every line of the code.

I think you used the right term in the OP -- "hack" -- but IMHO, it's the machines that have been hacked.
If you find this to be so, please come back and tell us what malware was found. Not because we're into I-told-you-so here, but so other users who may encounter the same issue will know what to do. if it's new malware, anti-virus companies will want to add it to their databases.

There's nothing else anyone here can tell you. Please either perform the requested diagnostics, or continue to operate with some type of defect in your systems. Repeatedly insisting that it happens, when no one else can make it happen, will not bring any further responses.

Your call. Thank you.

[Giorgio Maone]

allows the GENI site to set cookies and exceptions

How did you obseve this?
Looking at the network traffic?
Response ("Set-Cookie"), request ("Cookie") or both?
Looking at document.cookie? If so, was the value any different than "popunder=yes; popundr=yes; setover18=1"?
Does it happen on a clean profile with just NoScript installed?

[Tom T.]

allows the GENI site to set cookies and exceptions

How did you obseve this?
Looking at the network traffic?
Response ("Set-Cookie"), request ("Cookie") or both?
Looking at document.cookie? If so, was the value any different than "popunder=yes; popundr=yes; setover18=1"?

@ Giorgo: I received a clear impression from OP that there were actual cookies visible in Fx Privacy > Show Cookies, and that the Privacy > (Cookie) Exceptions has a new entry - all visible from the GUI. One would hope that the deeper-level issues you raise would have been mentioned in the OP, or in the repeated insistence.
********************

Does it happen on a clean profile with just NoScript installed?

Please note that I asked OP "Please try Standard Diagnostic,..." in my post of Sat Dec 10, 2011 10:36 am (UTC).

Rather than do so, OP merely reiterated that the issue was reproducible, and showed no interest in performing the requested diagnostic.

Thinking about it a little after my last post, IMHO there are two additional possibilities:
1) OP is a troll, seeking to waste our time. He's been successful so far, but no need to spend any more time unless he returns with the diagnostic info, etc.

2) He's spamming for the site in question. Easy: I'll sanitize the links.

If it turns out that in fact, there was a genuine issue, naturally I'll apologize for my suspicions -- after the OP apologizes for asking for help, then repeatedly refusing to do the requested diagnostic tests. But reiterating the claim while refusing even to do the Standard Diagnostic, IMHO is a bit of cause for concern. IMHO. YMMV.

[Guest]

How did you obseve this?

> I noticed that when configuring FF to accept cookies from a specific site and checking the cookies already set, there appeared to be a number of cookies which were not intentionally set. At first, it appeared that I had simply overlooked removing the prior cookies.

Looking at the network traffic?

>No

Response ("Set-Cookie"), request ("Cookie") or both?
Looking at document.cookie? If so, was the value any different than "popunder=yes; popundr=yes; setover18=1"?
Does it happen on a clean profile with just NoScript installed?

>have not tried just a clean profile with just NoScript , but in essence - probably no. See below

The issue appears to describe the behavior of Firefox after version 4 thru 8.0.1
I keep monthly +- Acronis images of machineOS partitions well over a year back, so restoring a given combo ir relatively easy, even if time consuming. Profiles are not on the OS partition.

The behavior has been seen and is reproducible on multiple machines on different networks with different OS's. The behavior occurs even when the NoScript "whitelist" has all sites and temporary permissions removed [leaving only the NoScript defaults]. Taking proactive steps to *block* cookies and list page exceptions has no effect - they are removed and "allowed" upon refresh. There is NO issue if NoScript is set to block all scripts on the page. There is NO issue with the *same* profiles using Firefox v3.6.64.

However, selecting "Temporarily allow this page" in NoScript allows certain websites to set cookies and exceptions [including resetting exceptions from block to allow] immediately on automatic refresh without any further user interaction. Sites that run this type of script and which exhibit this behavior are numerous, however some examples having users in the millions are:

businessinsider<dot>com/clusterstock
zerohedge<dot>com/
geni<dot>com

The behavior is observed even when-
Tools\Options\Privacy\Accept cookies from sites is *unchecked*
View page info\Permissions\Set Cookies is configured to *block* cookies
Tools\Options\Privacy\Exceptions has the web page listed as a *blocked* page
Tools\Options\Privacy\Cookies has all cookies *removed*

What is most interesting, is that "temporarily allowing" one page will allow others to exhibit the same behavior - e.g. temporarily allowing "geni" results in modified configuration when visiting the other above mentioned sites - so the consequences of allowing one site are possibly "global".

An Avast boot scan on any of the machines shows no issues. Running kb890830 on any XP machines comes up clean.

As of now, these are the results of limited experimentation with the default whitelist -
Uninstalling NoScript does not resolve the issue
one presumes the cookie defaults are stored with the profiles
Upgrading from 8.0 to 8.0.1 does not resolve the issue
Unistalling 8.0 and installing 8.01 not resolve the issue
Restoring an image with 8.0 sometimes resolves the issue
that depends on the profile
and when not resolved,
creating a clean profile will resolve the issue
and
if the issue is resolved for a profile
and the profile is *not* changed
"allowing" no longer displays the issue
even using the same profiles which had exhibited the behavior
Uninstalling 8.0 and installing 3.6.64 always resolves the issue
even using the same profiles which had exhibited the behavior
even when those profiles did not work with a restored 8.0 image

HTH

[Tom T.]

and when not resolved,
creating a clean profile will resolve the issue
and
if the issue is resolved for a profile
and the profile is *not* changed
"allowing" no longer displays the issue

This is exactly why I, and then Giorgio, asked you to do the Standard Diagnostic, or to create a clean profile. It seems that your profile has been corrupted for quite a while, from the information given. -- and probably synched or copied across the various machines, platforms, etc.

Please either do the Standard Diagnostic on any and all machines, or just create clean profiles from scratch on all of them.
Install only NoScript.
Once you are satisfied that the issue is resolved, then try adding back your previous add-ons, one at a time, until the issue pops up again.
If it doesn't happen again, the profile was corrupt, and the issue is now fixed.
If it recurs after installing add-on X, then you know that there is an extension conflict. Tell us which extension. If it's one you can live without, problem solved.
If it's one you can't live without, we'll try to discover the cause of the conflict.

btw, what's described above is very close to what is linked at "Standard Diagnostic".

[Guest]

... additional note to Giorgio Maone -

you should consider throttling your eunuch. Attitudes like that are often bad for business.

ymmv

[Tom T.]

... additional note to Giorgio Maone -

you should consider throttling your eunuch. Attitudes like that are often bad for business.

ymmv

Aside from the fact that your quoted post is a violation of Forum Rules, which are required reading before posting (it says so, in big letters), who is the one who responded promptly, and who is the one who refused to perform the requested diagnostics -- and misstated the problem in the first place? The latter is human error, always allowable. But asking for help, then not taking the advice...

It's Giorgio's prerogative to reprimand me if he wishes. However, insults, even if from *cooperative* users, do not provide much moral high ground.

I'll bow out of this thread now, and return to helping the many who willingly do as requested, and in hundreds of cases, have been grateful for the assistance.

Cheers,
Tom (an unpaid volunteer, as are all of the Support Team.)

[Giorgio Maone]

... additional note to Giorgio Maone
you should consider throttling your eunuch. Attitudes like that are often bad for business.

Attitudes like yours (publicly insulting an unpaid support volunteer who's trying to be helpful, and is actually giving you the correct advices which you refuse to follow) surely don't help your problems to be fixed, which doesn't qualify as very smart in my book, either for business or for life in general.

Uninstalling NoScript does not resolve the issue

This suffices to tell that it's not a NoScript-specific issue, and you'd have spared a lot of time by simply using Standard Diagnostic from the beginning.
The fact allowing JavaScript lets these cookies be set, just means they're likely set client-side using document.cookie scripting.

[GµårÐïåñ]

... additional note to Giorgio Maone -

you should consider throttling your eunuch. Attitudes like that are often bad for business.

ymmv

I don't know who you think you are but usually people who hurl such insults are compensating for lack of any substance on their own end. So if you are mirroring your own characteristics by displacing it against people who are trying to help you then its you who needs to be throttled. After all doesn't take one to know one? So does that make you a eunuch? At least we have the courage to put ourselves out there and not just anonymous cowards and do what we do and stand by what we say. You are giving Lithuanians a bad name, check yourself. Specially that what was suggested ended up being your problem and your insistence to not do what was suggested only showed your ignorance.