HowTo stop resource leak with NoScript

General discussion about the NoScript extension for Firefox
yes_noscript

HowTo stop resource leak with NoScript

Post by yes_noscript » Fri Sep 02, 2016 11:09 pm

A Pale Moon user shows how we can use the same feature as the "No Resource URI Leak" addon with NoScript: https://forum.palemoon.org/viewtopic.php?p=89945#p89945


go to about:config
remove resource: from noscript.mandatory
add resource:// and resource://gre to noscript.untrusted
And don't forget to remove the equal preferences under noscript.mandatory

Both resource:// and resource://gre are necessary to block all the stuff from the browserleaks test site.

Finish. No browser restart, just test it:
https://www.browserleaks.com/firefox
http://cs1.ca/ttest/dump.html

I wonder what the other stuff he posted does:
blob:
chrome:
irc:
ircs:
mediasource:
mediastream:
/favicon.ico
file://
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20160728 PaleMoon/27.0.0a2

barbaz
Senior Member
Posts: 9281
Joined: Sat Aug 03, 2013 5:45 pm

Re: HowTo stop resource leak with NoScript

Post by barbaz » Sat Sep 03, 2016 12:03 am

yes_noscript wrote:


go to about:config
remove resource: from noscript.mandatory
add resource:// and resource://gre to noscript.untrusted
And don't forget to remove the equal preferences under noscript.mandatory

... And enjoy your broken browser. Don't do this "fix", those things are required to be whitelisted in NoScript for the browser to work properly. FAQ 1.5

Thanks for the link though, I'm going to look into that resource: URI addon and what it's doing. https://addons.mozilla.org/addon/no-resource-uri-leak/
EDIT I've installed it now, it works with SeaMonkey. There is also a Pale Moon version, it's linked in the description on AMO.
*Always* check the changelogs BEFORE updating that important software!
-

yes_noscript

Re: HowTo stop resource leak with NoScript

Post by yes_noscript » Sat Sep 03, 2016 9:16 am

Oh okay.
I wonder because the addon does the same thing, or not?

barbaz

Re: HowTo stop resource leak with NoScript

Post by barbaz » Sat Sep 03, 2016 4:54 pm

The NoScript procedure will indeterminately block active content from resource: URIs regardless of origin, and does nothing about non-active-content (like images and such). It's basically only useful against the one specific PoC.

No Resource URI Leak blocks ANY access to resource: URIs not from specified location (by default this list is chrome:, resource:, view-source:, and various about: URIs). Safe and effective.
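Added example, not part of the thread and not code from NoScript or the No Resource URI Leak addon: a simplified model of the two policies as the post above describes them, run over constructed requests. All function names, sample URIs and the treatment of "various about: URIs" as the whole about: scheme are assumptions made for illustration.

```javascript
// Simplified model of the two policies compared in this thread.
// Names and sample requests are hypothetical, constructed for illustration.

// Locations allowed to reach resource: URIs, per the default list quoted above.
// "Various about: URIs" is modelled as the whole about: scheme (an assumption).
const PRIVILEGED_SCHEMES = ["chrome:", "resource:", "view-source:", "about:"];

const schemeOf = (uri) => uri.slice(0, uri.indexOf(":") + 1).toLowerCase();

// about:config procedure: resource: is marked untrusted, so active content
// from resource: is blocked whoever asks; non-active content is untouched.
function untrustedResourcePolicy(req) {
  if (schemeOf(req.target) !== "resource:") return "allow";
  return req.active ? "block" : "allow";
}

// Origin-based policy: any resource: load is blocked unless the requester
// is itself one of the privileged locations.
function originBasedPolicy(req) {
  if (schemeOf(req.target) !== "resource:") return "allow";
  return PRIVILEGED_SCHEMES.includes(schemeOf(req.origin)) ? "allow" : "block";
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { name: "browser UI loads a script", origin: "chrome://browser/content/browser.xul",
    target: "resource://gre/modules/Example.jsm", active: true },
  { name: "web page loads a script", origin: "https://example.test/",
    target: "resource://gre/example.js", active: true },
  { name: "web page loads an image", origin: "https://example.test/",
    target: "resource://gre/example.png", active: false },
  { name: "web page loads its own script", origin: "https://example.test/",
    target: "https://example.test/app.js", active: true },
];

// Evaluate every request under both policies for side-by-side comparison.
function compare(requests) {
  return requests.map((r) => ({
    name: r.name,
    untrusted: untrustedResourcePolicy(r),
    originBased: originBasedPolicy(r),
  }));
}

console.table(compare(SAMPLE_REQUESTS));
```

The first row is the breakage case (the browser's own script load is blocked only by the untrusted-list approach), and the third row is the coverage gap (the image probe is blocked only by the origin-based approach).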

yes_noscript

Re: HowTo stop resource leak with NoScript

Post by yes_noscript » Sat Sep 03, 2016 5:27 pm

Thanks for that clarification :)

barbaz

Re: HowTo stop resource leak with NoScript

Post by barbaz » Sat Sep 03, 2016 5:29 pm

I've just realised that the No Resource URI Leak addon blocks NoScript's placeholder icons. Since that addon is patching a bug that could be fixed in the browser, this doesn't look good for the future of placeholder icons in the current state...
Can the placeholder icon problem please be fixed in NoScript?

barbaz

Re: HowTo stop resource leak with NoScript

Post by barbaz » Mon Sep 05, 2016 5:01 pm

It blocks much more stuff in Gecko 49... even including dropdown markers, and, it also makes NoScript's placeholders a completely blank yellow box.

The dropdown markers can be fixed by adding "gre-resources" to the debug whitelist, but as NoScript's resource: URIs are random it is impossible to fix that problem without patching the addon code.

yes_noscript

Re: HowTo stop resource leak with NoScript

Post by yes_noscript » Sun Sep 11, 2016 12:51 pm

Also, Moonchild says that blocking that resource isn't recommended and no user data is in danger: https://github.com/MoonchildProductions/Pale-Moon/issues/445#issuecomment-246103708

barbaz

Re: HowTo stop resource leak with NoScript

Post by barbaz » Sun Sep 11, 2016 5:33 pm

What he says is that it's only information about the browser itself that's being revealed this way. As far as whether that counts as exposing user data, unlikely for typical users but across the board is another game. See, 'Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20160905 SeaMonkey/2.46pre' is a whole lot more unique than e.g. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7' isn't it?
