Noscript and interclue

Posted: Sat Jun 27, 2009 3:56 am
by Roxz
I've recently downloaded Interclue, and what it does is preview a webpage before you actually open it, but the preview is not showing OK because NoScript is blocking some elements, and the problem is that there is no way to see that preview correctly without deactivating or uninstalling NoScript, so I wanted to ask for some compatibility with that add-on.

Re: Noscript and interclue

Posted: Sun Jun 28, 2009 2:55 pm
by therube
Link: Interclue

Re: NoScript and Interclue

Posted: Tue Aug 04, 2009 8:08 pm
by Rob
I recently tried Interclue, too. I've already complained to them that their previews seem to bypass NoScript, so I have the opposite experience. I get lots of cookie requests that I wouldn't get otherwise, which suggests that NoScript isn't preventing scripts when Interclue loads pages in the background. I don't like that idea. Their support staff indicated that they would work with Giorgio to resolve the issue.

Re: Noscript and interclue

Posted: Tue Aug 04, 2009 8:31 pm
by Giorgio Maone
I've just installed Interclue, but as far as I can tell it's not "bypassing" NoScript at all.
In order to work, previews are loaded in about:blank which, in NoScript's default configuration, can run JavaScript, but those previews are filtered by Interclue not to contain any code.
Of course their filter might be flawed, and in that case some script could manage to run, but even then they would run in the about:blank context, therefore their potential would be quite limited (no cross-site scripting), even though they could exploit some browser vulnerability to do nasty stuff.
At any rate, no cookie can be set by scripts from about:blank because of the same domain policy, albeit cross-domain cookies can be set by other means, e.g. linking off-site images. But that's definitely not NoScript's business.

All in all, using extensions like Interclue does widen your attack surface to a certain extent (see the aforementioned filter flaw + exploitable browser vulnerability scenario): if this is acceptable or not depends on your convenience requirements.
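
The two risks named in the post above (a filter flaw that leaves script in a preview, and off-site images that set cross-domain cookies) can be checked mechanically on filtered preview markup. This is an added example, not part of the original thread and not Interclue's or NoScript's code; the tag and attribute lists, the sample markup and the host names are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists, not taken from Interclue: elements that run or embed active
# content, elements that fetch on render, attributes that can hold a URL.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet"}
AUTOLOAD_TAGS = {"img", "link", "video", "audio", "source", "input"}
URL_ATTRS = {"href", "src", "action", "formaction", "data"}

class PreviewAudit(HTMLParser):
    """Records what already-filtered preview markup could still run or fetch."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.script_vectors = []  # would execute in the about:blank context
        self.offsite_loads = []   # requests that can set cross-domain cookies

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.script_vectors.append(f"<{tag}>")
        for name, value in attrs:
            # Drop spaces and control characters before comparing the scheme.
            compact = "".join(ch for ch in (value or "") if ch > " ")
            if name.startswith("on"):
                self.script_vectors.append(f"<{tag} {name}>")
            elif name in URL_ATTRS and compact.lower().startswith("javascript:"):
                self.script_vectors.append(f"<{tag} {name}=javascript:>")
            elif name in ("src", "href") and tag in AUTOLOAD_TAGS:
                host = urlparse(compact).hostname
                if host and host != self.page_host:
                    self.offsite_loads.append(compact)

def audit_preview(html, page_host):
    """Return (script_vectors, offsite_loads) for one preview document."""
    audit = PreviewAudit(page_host)
    audit.feed(html)
    audit.close()
    return audit.script_vectors, audit.offsite_loads

# Constructed sample: preview markup as an imperfect filter might leave it.
SAMPLE_PREVIEW = """<div><h1>News</h1>
<img src="/logo.png">
<img src="http://ads.example.net/pixel.gif">
<a href=" JavaScript:void(0)">more</a>
<p onmouseover="x()">text</p>
<script>track()</script></div>"""

if __name__ == "__main__":
    print(audit_preview(SAMPLE_PREVIEW, "news.example.org"))
```

An empty first list means the filter left nothing for about:blank to execute; entries in the second list are the off-site loads behind cookie prompts, which script blocking does not cover.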

Re: Noscript and interclue

Posted: Wed Aug 05, 2009 2:26 pm
by Rob
Thanks for checking into it, Giorgio. I guess I'll work with the Interclue folks to see whether the behavior can be changed to reduce the cookie noise without losing useful functionality.