NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/
therube wrote:How are you determining that the cookies are appearing?
Code: Select all
document.cookieyestherube wrote:If you disable all other extensions, maybe Plugins too, except for NoScript, do you still get the cookies?
yes, i thougth the code doing it was this but i commented it out and restarted firefox. And i got the same cookiestherube wrote:As a test, if you create a new Profile & only install NoScript into it, do you still get the cookies?
Code: Select all
value of "noscript.surrogate.popunder.replacement" in noscript.js pastebin qjMnPSkSI made a scan with avast and now i running clamav but nothing yet...Thrawn wrote:Just to be clear, this isn't happening for the rest of us.
Have you scanned your system for malware?
Code: Select all
>>> document.cookie
"style_cookie=printonly; popunder=yes; popundr=yes; setover18=1"the style_cookie=printonly is specific to this forum ( maybe phpbb in general). by completely script-allowed do you mean trusting all scripts even external ones? i don't have any page where i completely allow scripts it's always blocking some ggl/face/twitter widget.barbaz wrote:Whoa. It's true. This does happen.
On *this page*, using Firebug (not logged in):But I can't reproduce it anywhere else (yet), and those cookies don't show up in Advanced Cookie Manager or Data Manager...Code: Select all
>>> document.cookie "style_cookie=printonly; popunder=yes; popundr=yes; setover18=1"
Update: It is the popunder surrogate doing this, and it should only happen on pages that are completely script-allowed. So it's nothing to be worried about.
Code: Select all
pref("noscript.surrogate.popunder.sources", "@^http:\\/\\/[\\w\\-\\.]+\.[a-z]+ wyciwyg:");
pref("noscript.surrogate.popunder.replacement", "function posted on pastebin");
pref("noscript.surrogate.popunder.exceptions", ".meebo.com");
At least that's the behavior I'm getting.overblue wrote:by completely script-allowed do you mean trusting all scripts even external ones?
see http://hackademix.net/2011/09/29/script ... reference/overblue wrote:so the sources value is the regex expression to find the replacement is the code it will replace it with, right?
thanks for the link, the noscript.surrogate.popunder.sources is not right i think. I replaced the replacement code with an alert on about:config and i'm getting the alert on every page where i allow atleast one source for JSbarbaz wrote:At least that's the behavior I'm getting.overblue wrote:by completely script-allowed do you mean trusting all scripts even external ones?
see http://hackademix.net/2011/09/29/script ... reference/overblue wrote:so the sources value is the regex expression to find the replacement is the code it will replace it with, right?
yeah i know it's only on the client side, i wasn't sure about the code i could have some malware but if it is normal behavior, i'm okay with it.Giorgio Maone wrote:The code is correct.
It gets execute on any non-https page, because the popunder scripts in the wild are extremely polymorphic, often inlined and therefore that's no way to know in advance whether a page will execute them.
If the pseudo-cookies (which, BTW, are never sent to the server side because are made visible only to client-side JavaScript through fake accessors) bother you, just disable the popunder surrogate or limit it to a blacklist of yours.