External extension modifies NoScript Whitelist

[Xunshin]

Hey,

An extension of mine is adding entry in NoScript Whitelist without asking https://addons.mozilla.org/en-US/firefo ... sions/2.12
Google scripts are working without my permission. Can you recommend?

Xunshin

[barbaz]

While it's not intended badly, IMO such behavior is malware-like. Unfortunately there's nothing you can do about it on your end other than downgrading to version 2.11 forever, uninstalling the extension, or modifying the XPI.

Otherwise, you should contact the extension developer to ask that they prompt the user for the addition to the NoScript whitelist rather than just doing it behind user's back. Explain why it is not OK to tamper with user's NoScript whitelist without explicitly and clearly asking first. If the developer refuses or does not change this next release, you should report the addon to AMO staff.

[Thrawn]

It's also skating the edge of Mozilla policy. The developer could reasonably argue that allowing Google Translate is related to the addon's primary function, but they're still sailing close to the wind by tampering with NoScript this way. There should really be a clear opt-in on this.

[jjjguest]

Hi, I was reading this thread and am surprised that noscript can be overridden by that addon. If an addon can do that, then can't malware do that as well? Isn't there a way to protect noscript so that things like this don't occur?

Thanks!

[Thrawn]

Hi, I was reading this thread and am surprised that noscript can be overridden by that addon.

It's just a matter of changing Firefox preferences, which any addon can do.

If an addon can do that, then can't malware do that as well?

If it gains privileges, then yes. Ordinary JavaScript can't (and with NoScript active, it won't normally get a chance to try). But as soon as something is installed on your system, including as a browser extension, then it has enough privileges to attack another addon.

Isn't there a way to protect noscript so that things like this don't occur?

Not really, no. To protect one piece of code from another, you have to give the protected code more privileges than the attacker. NoScript has the privileges of a browser addon - no more and no less. That puts it above web pages, but not much else.

[jjjguest]

Hi Thrawn and thank you for your reply!

While I don't fully grasp what is meant by,

NoScript has the privileges of a browser addon - no more and no less. That puts it above web pages, but not much else.

I do think I understand the above in part. So, with my limited knowledge as to what that entails, I have a few more questions. I don't know how often external changes to noscript permissions occur in either a bad or neutral way, but wouldn't it be okay to have a setting in noscript that a user can allow or disallow external overrides?

Is the reason such would not work be because noscript would not be able to identify if it was coming from a malware program or user input?

If noscript could tell the difference but couldn't prevent it, couldn't noscript flash a paused notice that an external occurrence just took place?

Thanks!

[Hecuba's daughter]

nvm

[Thrawn]

Do you think this post should be flagged to Giorgio?

We don't flag things; he just keeps an eye on them .

It's going to the heart of the Mozilla Addons regulation - and why addons need to be reviewed by AMO etc etc. It's central to our trust of the whole Fx ecology.

Yes, which is one point where Mozilla claims an edge over Google Chrome.

The point is that all extensions have equal power. And in Firefox, that power includes changing pretty much whatever you want - which is why we have addons as powerful as NoScript. But it means that what NoScript can do, another extension can undo.

For it to be otherwise, NoScript would have to have some kind of privileged position, able to change things that other addons can't change. And since addons can do pretty much whatever they want, that's not really feasible.

Remember, installing an extension is basically the same as installing any other software. Anything you install may be used against you. Caveat downloader.

[Giorgio Maone]

Nothing malicious, albeit wrong and about to be "fixed".

[Hecuba's daughter]

nvm

[jjjguest]

Hi Hecuba's daughter,

In my post I wasn't doubting Giorgio's abilities or concerned over extensions, though due to the fact that I am a very literal person, and not very technically savvy I see now how you have perceived such. I simply wasn't aware that something could do as the op post said nor that malware could do the same. It is hard for me to grasp that malware can mess with noscript, and is why I posted the questions I did.

I just wanted to respond to your post. All kinds of people out here posting; and we all have different abilities and understandings. I am very thankful for Giorgio and noscript and this forum, and read here nearly every day to try to learn what I can to be a better user of noscript and the net.

take care!