InformAction Forums

And now???

http://lifehacker.com/5615739/notscript ... -to-chrome

NotScripts Brings Real Script Blocking to Chrome

You must be joking
This uses the same method (onbeforeload) of recent adblock versions, and does not integrate with Chrome's internal script blocking (which was the API I was and still am waiting for).
In other words, it's too clunky and disconnected (it can't block inline scripts, for instance) to provide enough security value for the hassle.
Furthermore, it doesn't provide any of the security features offered by NoScript beyond 3rd party script blocking, and it can be bypassed in many ways. Therefore it cannot be relied upon as a security protection.

That's exactly what I though, felt and said, and now we have confirmation, thanks Giorgio.

Giorgio Maone wrote:You must be joking
This uses the same method (onbeforeload) of recent adblock versions, and does not integrate with Chrome's internal script blocking (which was the API I was and still am waiting for).
In other words, it's too clunky and disconnected (it can't block inline scripts, for instance) to provide enough security value for the hassle.
Furthermore, it doesn't provide any of the security features offered by NoScript beyond 3rd party script blocking, and it can be bypassed in many ways. Therefore it cannot be relied upon as a security protection.

Yes, it would be nice if Chrome allowed access to more of its internal security APIs but I don't think that will happen anytime soon because I believe they want people to just run javascript by default.

Also, I believe I have a solution for "indirectly" blocking inline scripts. Since inline scripts don't fire onbeforeload events, I will simply remove the references to the core javascript functions, ie, I will inject code like document.write=null;eval=null;unescape=null;..... This will essentially disable inline scripts because they will not be able to do anything expect simple arithmetic and comparisons.

optimalcycling wrote: Also, I believe I have a solution for "indirectly" blocking inline scripts. Since inline scripts don't fire onbeforeload events, I will simply remove the references to the core javascript functions, ie, I will inject code like document.write=null;eval=null;unescape=null;..... This will essentially disable inline scripts because they will not be able to do anything expect simple arithmetic and comparisons.

Been there, done that. You'll discover it's much difficult than you think, if you want this to be reasonably hard to bypass

Giorgio Maone wrote:

optimalcycling wrote: Also, I believe I have a solution for "indirectly" blocking inline scripts. Since inline scripts don't fire onbeforeload events, I will simply remove the references to the core javascript functions, ie, I will inject code like document.write=null;eval=null;unescape=null;..... This will essentially disable inline scripts because they will not be able to do anything expect simple arithmetic and comparisons.

Been there, done that. You'll discover it's much difficult than you think, if you want this to be reasonably hard to bypass

What was the problem you encountered? Since I'm using an content script that gets run before the real webpage runs and can get an opportunity to reference anything, I have first control and can remove the references to the core javascript functions. Did you find ways to recover references to the core javascript functions after they are nulled?

In case anyone is wondering, the current NotScripts code is a bit messy because there's quite a bit of commented out code and some preliminary code for the Safari version. For the next version of NotScripts due out mid next week, I've cleaned out the code by removing all the commented out stuff and the Safari specific code. I've also fixed a number of bugs.

optimalcycling wrote: Did you find ways to recover references to the core javascript functions after they are nulled?

Some objects just can't be nulled or made inaccessible (e.g. window, document, location), functions can be retrieved by creating a parent object of the same kind or accessing a prototype, and so on.
Believe me, without adequate support from the browser it's a lost battle.
I've been months trying to come up with something half decent, but I gave up because it was not possible releasing something and calling it "NoScript" without deceiving people.

Giorgio Maone wrote:I've been months trying to come up with something half decent, but I gave up because it was not possible releasing something and calling it "NoScript" without deceiving people.

<emphasis is mine>

This is why I had objection to the product being named as it is and making people think that its the same product when it isn't, see here: http://forums.informaction.com/viewtopi ... 085#p21071