A How to block prettyLoader by site and global.

[NSuser2013]

Edit:
Original Subject Title: surrogate script to eliminate cursor manipulation?
--
Updated Title: A How to block prettyLoader by site and global.
Blocking

/Edit:

This quote is from a post in my previous thread.

If you want to allow the site, but block specific JavaScript, then you'll need to write a surrogate script

liveleak makes my mouse cursor disappear, and replaces it with a progress icon for a second or two when clicking comment red button.




Is there any possible way to block this kind of behavior with a surrogate script and if so, may someone guide me in the right direction on how to do so?

[barbaz]

Example URL where this happens?

[NSuser2013]

Example URL where this happens?

http://www.liveleak.com/view?i=aac_1392197830

scroll down to "view comments" button, click.

[barbaz]

No need for a surrogate (I think).
If you use Adblock Plus, just add the filter

Code: Select all

||liveleak.com^*/jquery.prettyLoader.js^

If not, try adding to USER ruleset under NoScript Options -> Advanced -> ABE

Code: Select all

Site ^https?://(?:[^/]+\.)?liveleak\.com.+/jquery.prettyLoader.js
Deny INCLUSION

[NSuser2013]

Omg Thank you!

It never ceases to amaze me about the possibilities with NoScript & ABP..

They both work. I will use noscript to control it, that way its blocked at noscript and not bypassing noscript to be blocked my ABP.

Thanks a bunch .

[NSuser2013]

Hey, barbaz.

This is now making me wonder on how much control all websites have over your cursor.

Is there a way to make a wild card, so this cmd blocks all cursor manipulations on all sites?

Like

Code: Select all

Site ^https?://(?:[^/]+\.)?*\.com.+/jquery.prettyLoader.js
Deny INCLUSION

* replacing liveleak

[barbaz]

Hey, barbaz.

This is now making me wonder on how much control all websites have over your cursor.

Is there a way to make a wild card, so this cmd blocks all cursor manipulations on all sites?

No. The rules I suggested only block that specific jQuery script.
If you want to block that script across all sites, the correct ABE rule should be

Code: Select all

Site .+/jquery\.prettyLoader\.js
Deny INCLUSION

(And actually, if a request is hitting ABE then it's bypassing Adblock Plus, not the other way around.)

[NSuser2013]

NoScript ABE is spitting out an error with

Code: Select all

Site .+/jquery\.prettyLoader\.js
Deny INCLUSION

line 1:6 no viable alternative at character '+'

[barbaz]

???
I see it too...
Bug in AddressMatcher?

Try this instead (means the same thing)

Code: Select all

Site ^.+/jquery\.prettyLoader\.js
Deny INCLUSION

[NSuser2013]

???
I see it too...
Bug in AddressMatcher?

Try this instead (means the same thing)

Code: Select all

Site ^.+/jquery\.prettyLoader\.js
Deny INCLUSION

Awesome. It works.

Since we have by site blocking and global blocking for noscript, and block by site for AdBlock Plus, do you have global block filter for AdBlock Plus?

[NSuser2013]

I really don't like where this is going. What I mean is, why does the Firefox end user not have the power to disable mouse manipulations through about:config globally?

It is starting to look like any website may inject anything to your cursor. < Which I am not fond of at all.

http://webscripts.softpedia.com/downloadTag/spinner

Who would I go to, to get this kind of power to the end user through the browser, Mozilla?

And I am surprised I am the only one worried about this security flaw?

[barbaz]

Since we have by site blocking and global blocking for noscript, and block by site for AdBlock Plus, do you have global block filter for AdBlock Plus?

easy, that's just

Code: Select all

/jquery.prettyLoader.js^

[barbaz]

I believe NS has some protection against cursor manipulations that are a security threat, including but not limited to ClearClick, but I don't know the details, sorry.

[NSuser2013]

I believe NS has some protection against cursor manipulations that are a security threat, including but not limited to ClearClick, but I don't know the details, sorry.

No biggie, you helped out a ton.

I am now over at mozillazine forums posting in the bug section, and see how it goes, once the post is approved, I will link it here so anyone interested may stay updated.

I find this as a huge security threat, wondering how it got bypassed Mozilla's security team "headbangingonwall".

Thanks a bunch .

[Thrawn]

The threat you're worried about is basically Cursorjacking. Yes, NoScript protects against cursorjacking attacks via ClearClick - at least, attacks that involve making you think your cursor is somewhere other than where it really is.
If you can think of other ways in which manipulating the cursor is dangerous, then please feel free to post in the NoScript Development forum.

???
I see it too...
Bug in AddressMatcher?

Nope, not a bug. ABE just didn't know you wanted a regex, that's all. You started the string with a leading dot, which is a valid wildcard in ABE. Adding the carat fixes that.

I really don't like where this is going. What I mean is, why does the Firefox end user not have the power to disable mouse manipulations through about:config globally?

If someone wants to identify the exact functions that allow cursor control, then Controle de Scripts may help. Assuming that it doesn't rely on CAPS, which is dead.

And I am surprised I am the only one worried about this security flaw?

You're in a forum full of people who are worried about the security risks inherent in JavaScript, run by a guy who built the best tool in the world to fix the situation.