RFE: Options to anonymize more requests

Posted: Thu Jul 04, 2013 3:02 am
by Thrawn
NoScript anonymizes POST requests from untrusted sites to trusted ones. This is a great CSRF defence.

Would it be simple to implement the following, probably as preferences in about:config?
  1. Anonymize ALL requests from untrusted sites to trusted sites - in case sites do dumb things like allowing GET-based CSRF.
  2. Anonymize all requests sent to non-whitelisted sites - to hinder tracking services.
  3. Anonymize/block requests sent to sites specifically marked as Untrusted (which are usually trackers).
I would probably use #1 and #3, and would at least experiment with #2.

ABE can sort of do this, but it requires rules to be written per-site, whereas managing the regular whitelist and blacklist is much easier.
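
An added example (not part of the thread and not NoScript's code) showing which cross-site requests each of the three proposed options would touch, next to the POST-only behaviour described in the post. The preference names are hypothetical. As assumptions, "anonymize" is modelled as dropping the Cookie and Authorization headers, an "untrusted" origin is any host not on the whitelist, and hosts are compared by exact match.

```javascript
// Hypothetical preference names for the three proposed options (not real NoScript prefs).
const DEFAULT_PREFS = {
  anonymizeAllUntrustedToTrusted: false, // option 1
  anonymizeToNonWhitelisted: false,      // option 2
  untrustedDestAction: "allow",          // option 3: "allow" | "anonymize" | "block"
};

// Assumption: "anonymize" means dropping headers that carry ambient credentials.
const CREDENTIAL_HEADERS = ["cookie", "authorization"];

function decide(req, lists, prefs = DEFAULT_PREFS) {
  const srcTrusted = lists.whitelist.has(req.originHost);
  const dstTrusted = lists.whitelist.has(req.destHost);
  const dstMarkedUntrusted = lists.blacklist.has(req.destHost);

  let action = "allow";
  if (req.originHost === req.destHost) {
    action = "allow"; // same-site traffic is out of scope for all three options
  } else if (dstMarkedUntrusted && prefs.untrustedDestAction !== "allow") {
    action = prefs.untrustedDestAction; // option 3
  } else if (!dstTrusted && prefs.anonymizeToNonWhitelisted) {
    action = "anonymize"; // option 2
  } else if (!srcTrusted && dstTrusted &&
             (req.method === "POST" || prefs.anonymizeAllUntrustedToTrusted)) {
    action = "anonymize"; // POST-only behaviour from the post, widened by option 1
  }

  // Build the outgoing header set: empty when blocked, credential-free when anonymized.
  const headers = {};
  if (action !== "block") {
    for (const [name, value] of Object.entries(req.headers)) {
      const isCredential = CREDENTIAL_HEADERS.includes(name.toLowerCase());
      if (action === "anonymize" && isCredential) continue;
      headers[name] = value;
    }
  }
  return { action, headers };
}

// Constructed sample data: a GET-based CSRF attempt against a whitelisted site.
const LISTS = { whitelist: new Set(["bank.example"]), blacklist: new Set(["tracker.example"]) };
const csrfGet = { method: "GET", originHost: "evil.example", destHost: "bank.example",
                  headers: { Cookie: "session=constructed", Accept: "*/*" } };

console.log(decide(csrfGet, LISTS).action); // POST-only rule leaves the GET untouched
console.log(decide(csrfGet, LISTS, { ...DEFAULT_PREFS, anonymizeAllUntrustedToTrusted: true }));
```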

Re: RFE: Options to anonymize more requests

Posted: Wed Jul 31, 2013 11:09 pm
by Thrawn
In a similar vein, I noticed that the code in Policy.js to stop Google Analytics web bugs (unless Google Analytics is whitelisted) is hardcoded to look for 'google-analytics'. Maybe it could be converted to use a list of strings specified by a preference in about:config. Or it could apply to all sites specifically marked as Untrusted, which would fulfil point #3 above; after all, usually such sites are nonessential trackers.

Anyone's thoughts?

Re: RFE: Options to anonymize more requests

Posted: Thu Aug 08, 2013 8:06 am
by Giorgio Maone
Both proposals are interesting; putting the topic link in my TODO list.

Re: RFE: Options to anonymize more requests

Posted: Fri Aug 09, 2013 1:35 am
by Thrawn
Thanks :)

Point #1 could also defeat the CRIME and BREACH attacks on TLS.

Re: RFE: Options to anonymize more requests

Posted: Wed Aug 28, 2013 11:33 pm
by Thrawn
@Giorgio: Actually, I'm now in the process of handling this myself, in SABER :).

If you're interested, I'll PM you the link to the XPI file on my Google Drive.