[CLOSED] Mozz caps (security policies)

[seleko]

Hello!
Really noscript is better than nothing, but, imo, its not flexible enough.

In fact ns allows to block things than its authors consider as unsafe. But if you look at Mozilla CAPS http://www.mozilla.org/projects/securit ... olicy.html you can see that it has flexible mechanism to filter things YOU need.

The only disadvantage is completely no any ui to configure.

Authors can say that ABE is what we need, nut its not correct. We cant define policies we need.

May we suggest NS (in near future) to transform to GUI for Mozz CAPS with set of template to block XSS, ckickfool etc ?

thanx in advanceop

[Tom T.]

Hello!
Really noscript is better than nothing, but, imo, its not flexible enough.

In fact ns allows to block things than its authors consider as unsafe.

Hello! No, NoScript allows *You* to block things that *You* consider unsafe.

But if you look at Mozilla CAPS http://www.mozilla.org/projects/securit ... olicy.html you can see that it has flexible mechanism to filter things YOU need.
The only disadvantage is completely no any ui to configure.

Which means a considerable amount of knowledge of coding by the user, who must write a considerable amount of code. Note:

"Caveat: Some Properties Have Multiple Access Paths", "Figuring out the correct object name to use is sometimes tricky"

and the extensive and varied examples, from which you must write your own lines for each site and element and policy.

User Interface

We still have no user interface for configuring security policies. In the future, we hope to have a panel in preferences that allows the user to set policies without having to manually edit user.js or know JavaScript. This may be the hardest part of the feature to implement.

(emphasis mine).
Giorgio Maone has already done that "hardest part to implement", by providing a User Interface that requires *no* knowledge of JavaScript code or editing of .js files. Many very satisfied users of NoScript have no idea how to write, or even to read, JavaScript. Even so, we get complaints that NoScript is "too complicated", and novice users tend to give up on it at a rate that we would very much like to reduce.

Authors can say that ABE is what we need, nut its not correct. We cant define policies we need.

ABE is still a work in progress, and does not have an official stable release yet. It will, when Giorgio and the beta testers feel that it is mature and stable. Do you care to experiment with it in defining your own policies, or were you not aware that you could do that? We can point you to the directions for writing your own ABE rules if you are interested.

May we suggest NS (in near future) to transform to GUI for Mozz CAPS with set of template to block XSS, ckickfool etc ?

NoScript already provides substantial XSS and Clickjack protection, *even if scripting is allowed globally*. For the discussion on site-specific policies, a feature that has been requested and discussed extensively, please see http://forums.informaction.com/viewtopic.php?f=10&t=415.

I think you will find that NoScript with the stable release of ABE, and perhaps with separate site-specific policies, will meet your needs, and permit all the flexibility you require. It is being developed actively. You can help by beta-testing ABE, or, of course, you are free to write all of your own coding under the CAPS procedure.

thanx in advance

You're very welcome. Thanks for taking the time to share your thoughts.

[seleko]

Thanks. I will continue in http://forums.informaction.com/viewtopic.php?f=10&t=415