Script alert box despite us NS with paranoid settings

gellerist

Post by gellerist »

Hi,

Perhaps I'm misunderstanding NoScript but on some, ahem, adult sites I get a script-type pop-up box telling me that a script either isn't working or is taking too long to respond (can't remember the exact message). Clicking either 'cancel' or 'continue' causes the box to vanish for an instant, only to reappear straight away, leaving the window inoperative. I have NoScript configured to block everything (all add-ons etc.).

Are these error messages initiated by scripting on the page (and thus something NoScript should stop) or are they something that browsers produce themselves?

Thanks for your time.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Script alert box despite us NS with paranoid settings

Post by Giorgio Maone »

The popup comes from the browser, and almost surely is caused by some extension misbehaving.
Could you copy and paste the exact message you get?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
gellerist

Re: Script alert box despite us NS with paranoid settings

Post by gellerist »

Thanks for the swift reply.

Unfortunately (or fortunately) these were not sites that I visit regularly - just stumbled across whilst browsing. Under the plugins tab in NoScript nothing is enabled except 'Frames'. Here's a list of the plugins if it helps:
  • Acrobat
  • eMusic remote plugin
  • Google update
  • Java Platform
  • Mozilla Default
  • RealJukebox
  • RealPlayer
  • RealPlayer LiveConnect
  • Shockwave Flash
  • Shockwave for Director
  • VLC multimedia
Can I turn off such script warnings via about:config or is there another way around this?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Script alert box despite us NS with paranoid settings

Post by Giorgio Maone »

The popup means that a script is taking 100% of the CPU resources assigned to Firefox, so there's no point in disabling it (it's useful to interrupt the offending script, which as I said probably comes from a misbehaving extension).

Anyway the two relevant about:config entries are
  • dom.max_chrome_script_run_time for browser/extension scripts
  • dom.max_script_run_time for content (web page) scripts
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
gellerist

Re: Script alert box despite us NS with paranoid settings

Post by gellerist »

Thanks again.

Forgive the ignorance but how does a script use up such resources if it's blocked from running by NoScript? (The only other extensions apart from the ones listed previously are: AdBlock Plus, AdBlock Element Hiding Helper & RealPlayer Record Plugin (disabled since it's not compatible with FF current version).)

Re: dom.max_script_run_time - I did increase the timeout to 45 the other day in the hope of having more time to close any page that misbehaved in future. I wasn't aware of dom.max_chrome_script_run_time - any known pitfalls of increasing this value?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Script alert box despite us NS with paranoid settings

Post by Giorgio Maone »

gellerist wrote: Forgive the ignorance but how does a script use up such resources if it's blocked from running by NoScript?
If it's a script from the browser or from an extension, it is privileged and doesn't get blocked by NoScript.
Notice that the timeout could even come from NoScript itself: most of the browser and practically all the extensions, including NoScript, are written in JavaScript :)
The only pitfall of increasing the max_run_time value is that if the problem is an infinite loop, you will get warned and have a chance to interrupt later.
Now, if you could show us the actual message...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
gellerist

Re: Script alert box despite us NS with paranoid settings

Post by gellerist »

Are extensions (NoScript, AdBlock etc.) different from plugins (Flash etc.), or could either be the problem?

If I should encounter this again I'll try to save a copy of the source code & post it here.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Script alert box despite us NS with paranoid settings

Post by Giorgio Maone »

Extensions are different from plugins. The former can originate this problem, the latter can originate different (and worse) problems ;)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
gellerist

Re: Script alert box despite us NS with paranoid settings

Post by gellerist »

Well, not being able to reproduce the problem to order I guess the only option is to wait until it happens again (assuming it does). Thanks for the clarification re extensions and plugins.

Incidentally, a number of the XSS exploits from 'Team Elite' (nemesis.te-home.net/) bypass NoScript even with XSS protection enabled. This probably deserves a separate thread and you might be aware of these yourself but I thought it worth mentioning. I should perhaps add that the exploits that do work don't seem to actually allow the running of scripts, but rather the insertion of text & images on target sites. Perhaps not a huge risk.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Script alert box despite us NS with paranoid settings

Post by Giorgio Maone »

gellerist wrote: I should perhaps add that the exploits that do work don't seem to actually allow the running of scripts, but rather the insertion of text & images on target sites. Perhaps not a huge risk.
Well, then calling them XSS (which means Cross Site Scripting) is wrong, and saying that they "bypass" NoScript is misleading at least.
Feel free to open another thread if you wish, but be careful with the title ;)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
nagan
Senior Member
Posts: 340
Joined: Thu Mar 26, 2009 11:05 am

Re: Script alert box despite us NS with paranoid settings

Post by nagan »

Just to mention that NoScript finds a mention in the XSS article at WIKIPEDIA here: http://en.wikipedia.org/wiki/Cross-site_scripting.

Also clicking on NoScript link in the article brings the detailing on NS. Wondering if any of the board members have contributed there..
Dreams are REAL possibilities. Pursue them with zest and you can make them HAPPEN!
You are GOD.Realize THAT!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Script alert box despite us NS with paranoid settings

Post by Tom T. »

nagan wrote: Wondering if any of the board members have contributed there..
It's possible that I might have added a bit to the NS article, though under a pseudonym to avoid conflict-of-interest accusations. Which would be silly, because I don't make any money off the product or supporting it, but Wikipedia can be very strange.

If anyone thinks that either article needs corrections or additions that are *neutral* (not advertising-sounding) and *well-sourced* (no personal opinions, experiences, or research, only that which has been published in an independent, respected, and, preferably, unbiased source), my "friend" can probably do that.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
gellerist

Re: Script alert box despite us NS with paranoid settings

Post by gellerist »

Giorgio, you're right. The 'Team Elite' PoCs don't merit being called XSS. However they are intriguing in that they do allow the insertion of images and text into a third party website via a specially crafted link (actually a button using 'post' method). Surprising to me is the fact that the URL in the address bar looks and is normal. The inserted text or etc. goes right over the top of the legitimate page. Is this something that NoScript could filter in principle, perhaps in a future version?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Script alert box despite us NS with paranoid settings

Post by Giorgio Maone »

gellerist wrote: The inserted text or etc. goes right over the top of the legitimate page. Is this something that NoScript could filter in principle, perhaps in a future version?
There's no compelling need for that. Even in the "blocked script" case (when there's no need to filter script injections), NoScript still prevents injection of certain HTML elements (such as <form>) which could be used to leak the user's sensitive info (e.g. authentication credentials), albeit with user cooperation (a very insidious phishing technique, since the address shown is "legit").
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
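
Added example, not part of any post above and not NoScript's own code: one way a site owner or filtering proxy could flag the markup-only injection discussed in this thread, separating form controls (the credential-leak case) from plain images and text. The function names, risk labels and sample parameters are assumptions constructed for illustration.

```javascript
// Added example: a defender-side check, not NoScript's own code.
// All function and parameter names here are hypothetical.
const CAPTURE_TAGS = new Set(["form", "input", "textarea", "select", "button"]);

// Undo up to maxRounds layers of URL encoding so nested encodings are seen.
function fullyDecode(value, maxRounds = 3) {
  let current = value.replace(/\+/g, " ");
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape such as "100%": keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Return one finding per opening tag found in any request parameter.
function findInjectedMarkup(params) {
  const findings = [];
  for (const [param, raw] of Object.entries(params)) {
    const text = fullyDecode(String(raw));
    // "<" directly followed by a tag name, then whitespace, "/" or ">".
    for (const m of text.matchAll(/<([a-z][a-z0-9]*)(?=[\s\/>])/gi)) {
      const tag = m[1].toLowerCase();
      const risk = tag === "script" ? "script-injection"
        : CAPTURE_TAGS.has(tag) ? "credential-capture"
        : "content-spoof";
      findings.push({ param, tag, risk });
    }
  }
  return findings;
}

// Constructed sample POST parameters (not taken from any real request).
const samplePost = {
  q: "firefox+extensions 100%",
  msg: "%3Cimg%20src%3D%22https%3A%2F%2Fexample.invalid%2Fbanner.png%22%3E",
  note: "%253CFORM%2520method%253Dpost%253E%253Cinput%2520type%253Dpassword%253E",
};

for (const f of findInjectedMarkup(samplePost)) {
  console.log(`${f.param}: <${f.tag}> -> ${f.risk}`);
}
```

The double-encoded `note` parameter is only caught because decoding is repeated; a single decode pass would leave it looking like harmless text.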