InformAction Forums

Thrawn wrote:I really think that Giorgio should take up the trademark issue here. Maybe taking out the fakes would spur Google to enable the real thing. Cease and desist letter?

Agree 100%. GµårÐïåñ and I have espoused that view several times. But it's Giorgio's call.

(Can't stop them from creating add-ons, but can stop them from infringing on a brand, trademark, and reputation.)

Update: ScriptNo is now called "ScriptSafe", but this showstopper bug still stands even in latest version 1.0.6.13.

Giorgio Maone wrote:

lipsin wrote:Current Scriptno got 1 strangest (maybe serious) bugs.

On a fresh chrome + fresh scriptno.

Code: Select all

http://www.isjavascriptenabled.com/

Paste into URL bar

[...]
2nd if temporaly allowed top level domain, sometimes some 3rd party script also pull in simultaneously.

Noscript obviously does not have this problem.

Chrome + NOTscript also does not have this behaviour.

Latest Scriptno with webrequest api got this behaviour.

It sounds really bad: ScriptNo for Chrome can't protect you when you really need it most, i.e. when visiting an unknown website for the first time.

Regarding NotScripts, while it's not affected by the same bug, it's useless as well: try to visit this page, which exposes NotScripts for Chrome's inability to block inline scripts.

Yet another proof that the current "NoScript-like" extensions for Chrome offer their users a very dangerous false sense of security.

https://chrome.google.com/webstore/deta ... gaag?hl=en seems to block your noscripts test page as well as the flashblock test page. Does this mean Chrome is finally mature enough that you could make an actual NoScript extension for it? I ask as the lack of a NoScript alternative is the main thing keeping me from moving completely over to chrome.

This extension seems to be better than the existing solutions, I will give you that. However, that being said, it breaks Giorgio's example because he used a random extension chrome ID to try and make the POC work and since this blocks that, it blocks the POC. But if he were to write a method that would roll that ID on each load, it would beat you each time until you blocked it. I tested it and Giorgio's POC defeated the extension on first run, it was only on reload/refresh that it wasn't and Giorgio's POC showed the message that it was blocked. So take this "security" with a grain of salt, since NS in its true form, wouldn't be defeated like this, even once which is all a bad guy needs to inflict damage, one chance to get in.

ScriptDefender is another one that definitely seems to have *improved* over past attempts, but I still doubt the efficacy at this point. Anyone here had a look at it? Obviously it still lacks critical features of NoScript like XSS filtering, but I'd be curious to see if it falls flat on script blocking as well.

I'm triggering spam filter... hmm...

Hey my friend, been a long time. Thanks for the heads up, will give it a look over and see. BTW, the previous extension (HTTP Switchboard) has another fatal flaw, the choices are not persistent between sessions (meaning restarting the browser) - that's a mega giant failure and limitation. Just FYI.

I just gave that a go and it has a HORRIBLE interface, extreme lack of intuitive controls and contradictory behavior as a result. I much rather the interface of the previous one (HTTPSB) had it been able to persistently remember the choices. Not to the mention the informative display of items in the visual grid is very very nice. I have been working with the developer to improve their product short of selling out NS in the process. I am saving myself for Giorgio to get the ball rolling

GµårÐïåñ wrote: BTW, the previous extension (HTTP Switchboard) has another fatal flaw, the choices are not persistent between sessions (meaning restarting the browser) - that's a mega giant failure and limitation.

That's a mistake I also made at the beginning. If you want to make your choices permament you have to click the corresponding padlock.

@tlu, ok I will give it another go and keep that in mind, thank you my friend. I so far prefer HTTPsb over the others incarnations much better as the resource display in the grid is fantastic. I will give her another go around, thank you.

Sigh. The spam filter refuses to ever let me post. Not going to bother rewriting all of that to figure out which bit it was anyways, I lost my Hungry Man pass.

:/

I recommend writing long posts in a text editor first.

qwerty017 wrote:https://chrome.google.com/webstore/deta ... gaag?hl=en seems to block your noscripts test page as well as the flashblock test page. Does this mean Chrome is finally mature enough that you could make an actual NoScript extension for it? I ask as the lack of a NoScript alternative is the main thing keeping me from moving completely over to chrome.

So Giorgio, as per this post above, any plans to release something for Chrome?
FF will prolly always be my main browser, but it'd be nice to see NoScript in Chrome too.
It seems the only "close but no cigar" alternatives are: HTTP Switchboard & NotScripts.

Thank-you.

qwerty017 wrote:https://chrome.google.com/webstore/deta ... gaag?hl=en seems to block your noscripts test page as well as the flashblock test page. Does this mean Chrome is finally mature enough that you could make an actual NoScript extension for it?

Judge by yourself.
Just open this link with HTTP Switchboard:
http://evil.hackademix.net/hsb/

(sorry for the late answer, this thread had gone out of my reader until this tweet).

Giorgio Maone wrote:Just open this link with HTTP Switchboard:
http://evil.hackademix.net/hsb/

A bit more context is needed here though:

WebKit-based browsers, including Chrome and Safari, run data URLs in a unique origin, which means they don't have access to cookies or other resources belonging to their parent. Not all browsers treat them that way, but that's what we do. [Ref. https://code.google.com/p/chromium/issu ... =142635#c7]

I believe though the chromium team is working toward better standardizing their implementation (issue 335489: "CSP 1.1: Get Blink up to spec."), i.e. data uris inherit the context of the parent, which would of course address the above proof of concept.

HTTP switchboard i like as i can turn off scripts and effectively block this.