[RESOLVED] cloudfront enabled itself temporarily (?)

Posted: Fri May 31, 2013 1:47 pm
by fairy
hi list,

i was browsing no-ip.com recently and when attempting to sign up for an account i observed cloudfront had somehow enabled itself to temporarily allow scripts

without going into too much specifics is this behaviour seen before or to be expected ? i was initially alerted to it when cert patrol popped up with its hashed wildcard domain certs

is tracking going on now with wildcard certs ?

basic info:

*i allow base 2nd level domains
*cloudfront is not in the allow list
*i didn't temporarily allow it
*it put itself into noscript.temp

in my 2 years of firefox locally logged history the only reference to cloudfront i have are 2 jpegs - this was from quite some time ago

https://d2iq4cp2qrughe.cloudfront.net/c ... noscriptb2

this was from today

https://dc9wlm4wphap8.cloudfront.net/su ... ign-up.jpg

Re: cloudfront enabled itself temporarily (?)

Posted: Fri May 31, 2013 2:00 pm
by therube
I'm not exactly following?

Are No-IP & cloudfront.net related?
(Looks like cloudfront is an [Amazon] CDN.)

So you are able to host screenshots on "cloudfront"?
(Not sure what the first URL is supposed to be or do?)

Strange URL:

https://d2iq4cp2qrughe.cloudfront.net/cm/c/?aff=3257&x-at=noscriptb2&r=http%3A%2F%2Fwww.uniblue.com%2Fcm%2Fflashgot%2Fspeedupmypc%2Fnoscriptb2%2Fdownload%2F%3Faff%3D3257%26x-at%3Dnoscriptb2
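
Added example, not part of the original post: a short Python sketch that takes the URL quoted above apart to show what each layer contains. The helper names `unwrap` and `carried_params` are hypothetical; the only claim made is what the decoded parameters hold, not what the cloudfront endpoint does with them.

```python
from urllib.parse import urlsplit, parse_qsl

# URL copied from the post above (not constructed).
STRANGE_URL = (
    "https://d2iq4cp2qrughe.cloudfront.net/cm/c/?aff=3257&x-at=noscriptb2"
    "&r=http%3A%2F%2Fwww.uniblue.com%2Fcm%2Fflashgot%2Fspeedupmypc%2F"
    "noscriptb2%2Fdownload%2F%3Faff%3D3257%26x-at%3Dnoscriptb2"
)


def _is_url(value):
    """True when a decoded parameter value is itself an http(s) URL."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def unwrap(url, max_depth=5):
    """Return one record per URL layer, following the first parameter
    whose decoded value is another URL (depth-limited to avoid loops)."""
    layers = []
    while url and len(layers) < max_depth:
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        nested = [(k, v) for k, v in params if _is_url(v)]
        layers.append({
            "host": parts.hostname,
            "path": parts.path,
            "params": {k: v for k, v in params if (k, v) not in nested},
            "nested_in": [k for k, _ in nested],
        })
        url = nested[0][1] if nested else None
    return layers


def carried_params(layers):
    """Parameters that appear with the same value in every layer."""
    if not layers:
        return {}
    common = dict(layers[0]["params"])
    for layer in layers[1:]:
        common = {k: v for k, v in common.items()
                  if layer["params"].get(k) == v}
    return common


if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(STRANGE_URL)):
        print(depth, layer["host"], layer["path"], layer["params"])
    print("carried through:", carried_params(unwrap(STRANGE_URL)))
```

The outer cloudfront.net layer and the inner www.uniblue.com layer carry the same `aff` and `x-at` values, and the inner URL sits percent-encoded in the `r` parameter.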

Re: cloudfront enabled itself temporarily (?)

Posted: Fri May 31, 2013 2:13 pm
by fairy 2
therube wrote:
> I'm not exactly following?
>
> Are No-IP & cloudfront.net related?
> (Looks like cloudfront is an [Amazon] CDN.)

cloudfront serves up javascript for no-ip
cloudfront is a cdn

> So you are able to host screenshots on "cloudfront"?
> (Not sure what the first URL is supposed to be or do?)

i don't understand your reply
the 1st url is in my firefox history

> Strange URL:
>
> https://d2iq4cp2qrughe.cloudfront.net/cm/c/?aff=3257&x-at=noscriptb2&r=http%3A%2F%2Fwww.uniblue.com%2Fcm%2Fflashgot%2Fspeedupmypc%2Fnoscriptb2%2Fdownload%2F%3Faff%3D3257%26x-at%3Dnoscriptb2

an example from a long time ago

Re: cloudfront enabled itself temporarily (?)

Posted: Fri Jun 14, 2013 6:19 am
by fairy
following up on this i observed the same behavior when visiting http://www.rocsidiaz.com/

this time, brightcove.com auto-allowed itself to execute javascript

as before with cloudfront, it's not in my allow list

?

Re: cloudfront enabled itself temporarily (?)

Posted: Fri Jun 14, 2013 9:04 pm
by Giorgio Maone
Could you please PM or email me your NoScript Options|Export file?

Re: cloudfront enabled itself temporarily (?)

Posted: Mon Jun 17, 2013 6:14 am
by Guest
hi giorgio,

after sending my conf i can provide another example - if the following sequence is followed google.com allows itself (it's deleted from the standard default install allow state)

1. http://www.aipp.com.au
*open homepage
2. http://www.aipp.com.au/AIPP/Find_a_Pro/ ... n_APP.aspx
*click the link/image down the page on left with man's eye with camera and green background under text "find an accredited photographer"
3. http://www.aipp.com.au/AIPP/Find_a_Pro/ ... dAPro.aspx
*click the link/image roughly in the middle "look for the logo! Google search for an accredited photographer"

Re: cloudfront enabled itself temporarily (?)

Posted: Tue Jun 18, 2013 12:00 am
by therube
> google.com allows itself ... (it's deleted from the standard default install allow state)

Again, not following?

Google.com is Allowed by default, on a new install.
What do you mean it is "deleted"?

What domains on www.aipp.com.au have you allowed?

Re: cloudfront enabled itself temporarily (?)

Posted: Tue Jun 18, 2013 3:09 am
by Guest
when noscript is initially installed a predefined whitelist is included of which google.com is included

there is no entry for google, cloudfront or brightcove domains in my whitelist but because i have some google bookmarks (for example http://www.google.com/intl/en/dmca.html) and i have "allow sites opened through bookmarks" will this then allow google.com to execute javascript on any given site ?

if my settings are as mentioned how are cloudfront and brightcove otherwise allowed to execute javascript ?

key point:
before browsing these 3 examples i have given, i did not browse brightcove.com (i never have, it's not in my bookmarks), cloudfront.net (i never have, it's not in my bookmarks) or google.com (i obviously have, and references exist in my bookmarks) directly so they would therefore not be put into the temp allow list which is cleared after closing FF

for aipp, with my settings, noscript will only allow base 2nd level domains, therefore not google.com

how can this be explained ?

Re: cloudfront enabled itself temporarily (?)

Posted: Tue Jun 18, 2013 4:32 am
by Guest
update:
i visited http://www.rocsidiaz.com/
brightcove.com and additionally this time youtube.com resultantly executed javascript
i do have bookmarks from youtube but i did not browse youtube directly prior or at any time during this FF session
is the option "allow sites opened through bookmarks" auto-allowing youtube in this case and over-riding the setting "allow base 2nd level domains" ?

it still does not explain brightcove ...

Re: cloudfront enabled itself temporarily (?)

Posted: Sat Jun 29, 2013 1:03 pm
by Guest
update:
i visited http://www.rocsidiaz.com/ again, this time with "allow sites opened through bookmarks" disabled
brightcove.com again executed javascript, youtube.com did not (due to no embedded youtube content on the homepage this time)

for aipp.com.au
with "allow sites opened through bookmarks" disabled
google did not execute javascript this time

Re: cloudfront enabled itself temporarily (?)

Posted: Sat Jun 29, 2013 1:59 pm
by Guest
update:
a clean install of firefox with noscript only and no other add-ons (i have many others which may have caused issues)
rocsidiaz.com - brightcove.com again executed javascript

*i have very good reason to believe and almost no doubt brightcove (a prominent ad agency) is bypassing noscript*

aipp.com.au
ok
google did not execute javascript this time

Re: cloudfront enabled itself temporarily (?)

Posted: Sat Jun 29, 2013 10:05 pm
by amloessb
I was not able to reproduce this issue by the following steps:

1. New Profile
2. Install NoScript & restart
3. Visit http://www.rocsidiaz.com/

The only javascript that executed was from googleapis.com. facebook.net, brightcove.com, and rocsidiaz.com were all properly blocked.

Re: cloudfront enabled itself temporarily (?)

Posted: Sun Jun 30, 2013 4:12 pm
by Guest
update:
i reproduced this again.
in a linux mint debian 64 live VM, ran firefox, installed noscript, 2 settings changed before visiting rocsidiaz.com:

*temporarily allow base 2nd level domains;
*disable automatically reloading affected pages

javascript executed from 4 domains:
rocsidiaz (obviously)
googleapis
google
brightcove (there is no explanation for brightcove to execute)

the reason i had 4 domains execute js this time was because i did not manually delete the default list of allowed domains shipped with noscript (therefore googleapis and google executed js as expected)

Re: cloudfront enabled itself temporarily (?)

Posted: Sun Jun 30, 2013 4:17 pm
by therube
JavaScript "executing" & a domain being Allowed are different.

Is cloudfront shown as being Allowed in the NoScript menu?

Re: cloudfront enabled itself temporarily (?)

Posted: Sun Jun 30, 2013 7:02 pm
by Guest
> JavaScript "executing" & a domain being Allowed are different.

Can you elaborate precisely? Do you mean a domain in the allow list has privileges to execute js if the code is such? If so, how can it be determined if cloudfront or brightcove indeed actually execute js?

> Is cloudfront shown as being Allowed in the NoScript menu?

Yes, brightcove also.

How are brightcove and cloudfront being shown in the noscript menu as temporarily allowed?