NoScript usage on top of uBlock Origin

General discussion about the NoScript extension for Firefox
harsha_mic
Posts: 1
Joined: Wed Mar 09, 2016 7:47 pm

NoScript usage on top of uBlock Origin

Post by harsha_mic »

Hello All,

Good Morning! My First Post here!!

I used to be a NoScript/ABP user a long time ago, and switched to uBlock Origin (Medium Blocking Mode + popup/remote fonts disabled), with Firefox configured to block 3P cookies + click-to-play plugin content.

I switched for one single reason: I can do script/frame blocking + content filtering with one extension. However, I have one lingering question in mind, for which I am not completely satisfied with the answers on the web. Hence, I am asking for your input/advice on what I would lose in terms of security by not having NSS. Anything I can configure natively in Firefox itself?

There is one I know of: if I have a site whitelisted in uBO, and that site is compromised by XSS, I might be vulnerable there. Anything else?

Thanks in advance. I am looking for your input from a technical standpoint, meaning I would be happy/satisfied if you people can give real use cases :) I just want to understand things better and probably a little deeper, so I can better gauge myself.

Thanks, Harsha.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript usage on top of uBlock Origin

Post by barbaz »

harsha_mic wrote: Good Morning! My First Post here!!
Good evening (er, night) ;) Welcome to the InformAction forums.
harsha_mic wrote: I am looking for your input from a technical standpoint, meaning I would be happy/satisfied if you people can give real use cases :) I just want to understand things better and probably a little deeper
I use NoScript + uBlock Origin + µMatrix concurrently, and here's why I don't think any one of those addons is enough on its own:
  • While NoScript's main point is script blocking, it has many "extra" security features (some hidden), such as XSS filter, ABE, ClearClick, inclusion type checking, etc. These things simply do not exist in vanilla Firefox, and I know from personal experience that this stuff is important. Saved me several times.
  • µMatrix is useful for easy (IMO) per-site permissions as well as some generic content-type filtering (the latter being partially defense-in-depth with NoScript). For example, I use it to restrict which sites can load content from "generic" CDNs such as cloudfront.net. However, µMatrix does not have fine-grained blocking (it is an "Internet firewall" acting only on domains).
  • uBlock Origin is useful largely for privacy protection & the like (µMatrix is cumbersome for that, and NoScript is a security tool not a privacy tool). It's also the best way to really fine-tune the other add-ons' permissions.
Yes I know you didn't mention µMatrix in your post. If you think you can handle µMatrix (gorhill says it's for advanced users only), I would definitely recommend you try it out.

Anyway, hope this helps.
*Always* check the changelogs BEFORE updating that important software!
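
Added example, not part of barbaz's post and not code from any of the extensions: a simplified JavaScript model of the per-site CDN restriction described above, written with uMatrix's `source destination type action` rule format. The hostnames, the precedence order and the two-label same-site check are assumptions made for the illustration.

```javascript
// Simplified model of uMatrix-style rules; not the extension's own code.
// Rule format: "source destination type action". Hostnames are constructed.
const RULES = `
* * * block
* * css allow
* * image allow
* 1st-party * allow
* cloudfront.net * block
news.example d1abc.cloudfront.net script allow
`;

const table = new Map(
  RULES.trim().split("\n").map((line) => {
    const [src, dst, type, action] = line.trim().split(/\s+/);
    return [`${src} ${dst} ${type}`, action];
  })
);

// The hostname, then each parent domain (bare TLD skipped), most specific first.
function ancestors(host) {
  const parts = host.split(".");
  const out = [host];
  for (let i = 1; i < parts.length - 1; i++) out.push(parts.slice(i).join("."));
  return out;
}

// Assumption: "same site" means the last two labels match. Real extensions
// use the Public Suffix List for this.
const base = (host) => host.split(".").slice(-2).join(".");

// Assumed precedence: most specific source, then destination, then type.
// Only hostnames and request type are consulted: the URL scheme is never
// part of the key, so http:// and https:// cannot be told apart here.
function decide(pageHost, requestHost, type) {
  const firstParty = base(pageHost) === base(requestHost);
  const dsts = [...ancestors(requestHost), ...(firstParty ? ["1st-party"] : []), "*"];
  for (const src of [...ancestors(pageHost), "*"]) {
    for (const dst of dsts) {
      for (const t of [type, "*"]) {
        const action = table.get(`${src} ${dst} ${t}`);
        if (action) return action;
      }
    }
  }
  return "block"; // default deny if nothing matches
}
```

Here only `news.example` may run scripts from its one CloudFront distribution; every other page, and every other `cloudfront.net` hostname, falls through to the CDN-wide block, including for images that the global rules would otherwise allow.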
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript usage on top of uBlock Origin

Post by Thrawn »

I second the view that uMatrix makes per-site permissions easy. The interface was initially confusing, with so many places to click (top and bottom of rows, columns, cells, plus scope changes), and the different shades of red and green, but eventually I realised that it's simple, elegant, and very powerful. And the ability to manually edit rules via the dashboard ices the cake. For me, it makes uBlock Origin redundant.

What barbaz said about the behind-the-scenes protections is true, although if you're quite strict about cross-site permissions with uMatrix, then you'll find that you're much less vulnerable to attacks like XSS and clickjacking (uBO won't help you there). Still, NoScript has the edge in being able to specify protocols; you can choose to whitelist only the HTTPS version of a site, for example. And don't forget surrogate scripts, which can help to un-break sites whose scripts are blocked.

uBO Medium mode doesn't give you any protection against first-party scripts, by the way. If you inadvertently browse onto an attack site of some kind (eg if it was in search results), then it will get a shot at you. uBO is designed for privacy first, security second; NoScript is the other way around.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript usage on top of uBlock Origin

Post by barbaz »

Thrawn wrote: The interface was initially confusing, with so many places to click (top and bottom of rows, columns, cells, plus scope changes), and the different shades of red and green, but eventually I realised that it's simple, elegant, and very powerful. And the ability to manually edit rules via the dashboard ices the cake.
@harsha_mic: On this subject, viewtopic.php?f=18&t=20815 might help you?
Thrawn wrote: And don't forget surrogate scripts, which can help to un-break sites whose scripts are blocked.
True, but uBlock Origin does have a similar feature, its $redirect filter option, although surrogate is more flexible and more customizable (for security reasons, a custom $redirect target in uBlock Origin requires building a custom XPI).

Likely, a "normal" user who doesn't care about custom JS and wants sites to "just work", won't really notice the difference between the two implementations.
*Always* check the changelogs BEFORE updating that important software!
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript usage on top of uBlock Origin

Post by Thrawn »

So...
  • uBO alone doesn't protect against first-party attacks or special attacks like XSS/CSRF (maybe clickjacking to some extent, by blocking frames; not comprehensive)
  • NoScript alone doesn't give privacy-oriented control such as site-specific permissions (unless you want to spend a lot of time with ABE)
  • uMatrix alone doesn't provide surrogates (or similar), or protocol-specific whitelisting (ie HTTPS only), nor can it block scripts in some special cases like data: URIs, and it will miss some special attacks like tabnapping.
  • NoScript + uBO could cover everything, but the interface for third-party requests in uBO is less advanced than uMatrix.
  • uBO + uMatrix covers most things, just not some special cases.
  • NoScript + uMatrix is comprehensive, but will have a lot of double-handling unless you use something like cascading permissions.
Using all three together is probably just creating triple-handling for yourself. Although if you're really keen on adblocking, it might be worthwhile.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
yes_noscript

Re: NoScript usage on top of uBlock Origin

Post by yes_noscript »

Thrawn can you compare your "tests" with RequestPolicy Continued, please?
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript usage on top of uBlock Origin

Post by Thrawn »

No, because a) these weren't tests, just theoretical assessments, and b) RP is a subset of what uMatrix does.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Re: NoScript usage on top of uBlock Origin

Post by johnscript »

Thrawn wrote: uBO Medium mode doesn't give you any protection against first-party scripts, by the way. If you inadvertently browse onto an attack site of some kind (eg if it was in search results), then it will get a shot at you. uBO is designed for privacy first, security second; NoScript is the other way around.
It is worth noticing IMHO that uBO in advanced mode behaves more like uMatrix, and it will indeed blanket-block scripts as well as third-party stuff if you wish so: in fact, I think that people who can handle NoScript and/or uMatrix should only use uBlock in advanced mode, it is so much better and not that hard to figure out.