
Help documentation for Noscript

Posted: Mon Sep 30, 2013 10:24 am
by access2godzilla
Noscript is a great security extension, but help documentation for this gem is nearly nonexistent.

Some of the help documentation resides under the "features" page, but it doesn't have many details (apart from the fact that help documentation shouldn't be in "features"). As for other features of Noscript, such as about:config preferences, surrogate script references and internal details of Noscript: they lie scattered across the forum, noscript.net and hackademix.net.

Couldn't all this information be organised into a single resource? This makes everyone's job easier - and might draw in a few more people to use Noscript!

Re: Help documentation for Noscript

Posted: Mon Sep 30, 2013 10:29 pm
by Thrawn
access2godzilla wrote:
> about:config preferences

I'd do this one myself, except that in many cases I'd be making educated guesses about what each preference does.

> surrogate script references

Er...what would you like to document about them, exactly? Not saying this is a bad idea, I'm just not sure what "references" means in this context.

> and internal details of Noscript

Again not sure, unless you're referring to the various behind-the-scenes countermeasures like inclusion type checking etc?

Re: Help documentation for Noscript

Posted: Tue Oct 01, 2013 12:17 pm
by access2godzilla
Making educated guesses about what some feature/about:config preference etc. does isn't really an option for most users -- many are confused by them. Hence the request for it.

And some documentation as to what NS is doing behind the scenes would be great. Information regarding this is very sparse (and it is unfortunate that I have not managed to understand it by looking at NS code).

Re: Help documentation for Noscript

Posted: Tue Oct 01, 2013 1:57 pm
by barbaz
Any ideas how to handle the completely undocumented quirks (unexpected behaviors if you don't know about them), such as ABE treating INCLUSION(OBJ) as "inclusion that is either an object or object subrequest" and the behavior when entering schemes containing capital letters in the whitelist, where, say, "File:" or "fILe:" would become "file://"? AFAIK this is the first time these two have been documented, and I don't know how many more there are...

Thrawn wrote:
> > surrogate script references
>
> Er...what would you like to document about them, exactly? Not saying this is a bad idea, I'm just not sure what "references" means in this context.

http://hackademix.net/2011/09/29/script ... reference/?

Re: Help documentation for Noscript

Posted: Sun Jan 18, 2015 1:32 am
by barbaz
Bump

Please add NoScript's DNT feature to the list of things that need more obvious documentation. For it to help users most, they really should be aware of it, but it seems with the current documentation many don't know it exists.

I'd be happy to help write some of the help docs for NS if I'm told what sort of docs to do..

Re: Help documentation for Noscript

Posted: Wed Oct 21, 2015 9:46 pm
by barbaz
FWIW I just noticed that user fatboy has written quite extensive documentation of NoScript's about:config prefs (in Russian), and linked it as their personal website: https://chico-gordo.github.io/

Re: Help documentation for Noscript

Posted: Thu Oct 22, 2015 12:07 am
by Thrawn
That's an impressive effort :). Google Translate isn't perfect, but gets the gist of it quite well.

Re: Help documentation for Noscript

Posted: Thu Oct 22, 2015 4:34 pm
by fatboy
Unfortunately, did not find the explanation to some items:
noscript.ABE.allowRulesetRedir
noscript.audioApiInterception
noscript.badInstall
noscript.forbidExtProtSubdocs
noscript.hideOnUnloadRegExp
noscript.injectionCheckHTML
noscript.nselNoMeta
noscript.oldStylePartial
noscript.secureCookies.recycle
noscript.visibleUIChecked
noscript.xss.checkCharset.exceptions
noscript.xss.trustData

Found, but did not understand the meaning:
noscript.asyncNetworking
https://noscript.net/changelog#1.9.4RC1
https://developer.mozilla.org/en-US/doc ... s_Requests
http://bbs.kafan.cn/thread-1668724-1-1.html
noscript.clearClick.threshold
https://noscript.net/changelog#2.3.9
http://bbs.kafan.cn/thread-1668724-1-1.html
noscript.filterXGetRx
https://noscript.net/changelog#1.1.4.6.070318
noscript.forbidData
https://noscript.net/faq#qa3_14
noscript.policynames
viewtopic.php?f=7&t=1986
noscript.safeJSRx
( https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-3.5/#firefox3.5.2 )
https://noscript.net/changelog#1.1.6.18
http://forums.mozillazine.org/viewtopic ... 9#p3034091

Re: Help documentation for Noscript

Posted: Thu Oct 22, 2015 5:01 pm
by barbaz
Of the ones you found but couldn't understand, I can understand two:

> noscript.filterXGetRx

  1. GET requests with a query string get all the matches for the
     noscript.filterXGetRx regular expression replaced with space

NoScript's XSS filter works in part by replacing "unsafe" portions of a URL with "safe" "equivalents". This pref seems to control at least somewhat what NS considers "unsafe" (although I don't understand all of the regex syntaxes used in it...)

> noscript.safeJSRx

Giorgio Maone wrote:
> NoScript prevents javascript: URLs from being loaded in top-level chrome window, in order to avoid chrome privilege escalations like the ones shown recently during the "URI handlers war".

So the browser window isn't "just a browser window", but a basically empty window containing a loaded chrome: document, which you know as all the browser UI and stuff. The NoScript feature in question here prevents most javascript: URIs from being loaded in the same way as the chrome: document of the browser itself, defining in full which javascript: URIs are allowed.

Do those explanations help?
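
As an added example (not NoScript's code and not part of the original posts), the changelog rule quoted above for noscript.filterXGetRx can be modelled like this. The pattern `SAMPLE_RX`, the function name `filterGetRequest`, the `example.test` URLs and the choice to rewrite only the query part are assumptions made for illustration.

```javascript
// Added illustration, not NoScript source code.
// SAMPLE_RX is a constructed stand-in; it is NOT the default value
// of the noscript.filterXGetRx preference.
const SAMPLE_RX = /[<>"']|%(?:3c|3e|22|27)/i;

// Models the changelog rule: only GET requests that carry a query string
// are touched, and every match of the pattern becomes a single space.
function filterGetRequest(method, url, rx = SAMPLE_RX) {
  const q = url.indexOf("?");
  if (method.toUpperCase() !== "GET" || q === -1 || q === url.length - 1) {
    return { url, changed: false };
  }
  // Force the global flag so all matches are replaced, not just the first.
  const flags = rx.flags.includes("g") ? rx.flags : rx.flags + "g";
  const all = new RegExp(rx.source, flags);
  // Assumption: the fragment is left alone; only the query part is rewritten.
  const hash = url.indexOf("#", q);
  const end = hash === -1 ? url.length : hash;
  const query = url.slice(q + 1, end);
  const cleaned = query.replace(all, " ");
  return {
    url: url.slice(0, q + 1) + cleaned + url.slice(end),
    changed: cleaned !== query,
  };
}

// Constructed sample requests.
const samples = [
  ["GET", "https://example.test/search?q=<b>hi</b>&lang=en"],
  ["GET", "https://example.test/search?q=%3Cb%3Ehi"],
  ["GET", "https://example.test/plain"],
  ["POST", "https://example.test/search?q=<b>"],
];
for (const [method, url] of samples) {
  const r = filterGetRequest(method, url);
  console.log(method, r.changed ? "rewritten:" : "untouched:", r.url);
}
```

Swapping in a different pattern as the third argument shows how the value of the preference decides which parts of a query string are blanked out.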

Re: Help documentation for Noscript

Posted: Fri Oct 23, 2015 7:51 pm
by fatboy
Certainly helped, thanks.

Re: Help documentation for Noscript

Posted: Fri Oct 30, 2015 9:06 pm
by fatboy
noscript.forbidData — does this mean "Data URI" (data: URL)?
https://en.wikipedia.org/wiki/Data_URI_scheme
https://ru.wikipedia.org/wiki/Data:_URL
http://sirdarckcat.blogspot.ru/2008/06/ ... cript.html

noscript.xss.trustData — bypass anti-XSS filter for "Data URI", if noscript.forbidData;false?

Re: Help documentation for Noscript

Posted: Sun Nov 01, 2015 12:35 am
by barbaz
fatboy wrote:
> noscript.forbidData — does this mean "Data URI" (data: URL)?

I can't figure this out. I grep'd the code and it appears this pref is only referred to in code obtaining it for use, seems nothing is done with it?

fatboy wrote:
> noscript.xss.trustData — bypass anti-XSS filter for "Data URI",

Seems to be that, regardless of forbidData value - this code is placed just after the built-in XSS exceptions (and is the only reference to the pref):

  if (/^(?:javascript|data):/i.test(origin) && ns.getPref("xss.trustData", true)) {

Re: Help documentation for Noscript

Posted: Sun Nov 01, 2015 11:18 am
by fatboy
@barbaz
1. noscript.forbidData is related to XMLHttpRequest.
( https://noscript.net/faq#qa3_14 )
2. XMLHttpRequest is related to data: url
( https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/HTML_in_XMLHttpRequest#Method_2
https://dvcs.w3.org/hg/xhr/raw-file/tip/Overview.html#data:-urls-and-http
https://github.com/w3c/web-platform-tests/blob/master/XMLHttpRequest/data-uri.htm )
3. noscript.forbidData forbids data: url?

Re: Help documentation for Noscript

Posted: Sun Nov 01, 2015 3:30 pm
by barbaz
I don't know what it's "supposed" to do but it seems to me from looking at the code like it currently does nothing.

Re: Help documentation for Noscript

Posted: Sun Nov 01, 2015 8:43 pm
by fatboy
Thanks.