I've been using NS for years, on faith, without completely understanding, in a technical sense, all its under-the-hood features--although I do have a very general grasp of what's involved. (I do understand the protection it offers against exploits directed at plug-ins, like Java or Flash. But this is not what I'm focusing on here. I suppose what I'm asking has more to do with the protection NS offers against JavaScript exploits, in particular.)
As I've been using Macs during this time, I've never been sure just how vulnerable Macs are to the various JavaScript exploits, such as XSS, ClickJacking, malicious scripts, or anything else, that NoScript protects against. (And are these exploits considered JavaScript exploits?) Are these exploits written cross platform, or mostly for PC? Or is this a question that doesn't make sense, since these are not written with any particular platform in mind? In other words, JavaScript is JavaScript, regardless of the platform.
Can someone throw some light on this entire question concerning NoScript and OSX?
NoScript and Mac
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:24.0) Gecko/20100101 Firefox/24.0
Re: NoScript and Mac
kukla wrote: Or is this a question that doesn't make sense, since these are not written with any particular platform in mind? In other words, JavaScript is JavaScript, regardless of the platform.
Mostly this... but from my understanding most OS X specific vulnerabilities (other than social engineering) exploit Java so that's when NoScript can come in extra handy.
If you're particularly concerned about OS X specific vulnerabilities, I recommend that you completely disable the Java plug-in (from Add-ons manager), enable it manually only when needed, and when it's enabled let NS block the Java you don't need.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:26.0) Gecko/20100101 Firefox/26.0 SeaMonkey/2.23
Re: NoScript and Mac
Yeah, know very well about Java. Firefox is now blocking it by default, and have always had that set in NS, as well. Besides that, I've had it completely disabled at the system level for years. My question isn't directed at the plug-in blocking that NS does.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:24.0) Gecko/20100101 Firefox/24.0
Re: NoScript and Mac
The kind of vulnerabilities you're worried about are either generic, or they would be browser- or server-specific. What works on Firefox for Windows or Linux would also work on Firefox for Mac.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:26.0) Gecko/20100101 Firefox/26.0 SeaMonkey/2.23
Re: NoScript and Mac
Protection at the operating system level is meaningless for most web attacks.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0
Re: NoScript and Mac
Someone elsewhere has pointed out that that link is from 2008, five years out of date, and that most current browsers have now implemented anti-XSS protection. Is that true, and if so does NoScript offer anti-XSS above and beyond what might be the built-in anti-XSS of the current Firefox, or, for that matter, any widely used browser, such as Safari or Chrome?
In addition to that, I'm wondering just how widespread the use of XSS exploits is these days.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:24.0) Gecko/20100101 Firefox/24.0
Re: NoScript and Mac
kukla wrote: most current browsers have now implemented anti-XSS protection. Is that true, and if so does NoScript offer anti-XSS above and beyond what might be the built-in anti-XSS of the current Firefox, or, for that matter, any widely used browser, such as Safari or Chrome?
Yes and yes; but I don't know the details.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26a1
Re: NoScript and Mac
I would bet on NoScript's filters being much better than those in Internet Explorer or Chrome, because Giorgio has a much faster release cycle and doesn't have to be as conservative as browser vendors do.
However, it's not just XSS you have to worry about. CSRF is not quite as dangerous, but can still do a lot of damage, and is much harder to prevent. Internet Explorer, Chrome, and Safari will do nothing to save you there.
They don't generally protect you from clickjacking, either (X-Frame-Options is only a partial defence, and only works at all if the victim site supports it).
Running OSX will usually protect you from drive-by-downloading a keylogger or becoming part of a botnet. But the more your data and activities move online, the more damage an attacker can do without needing to leave your browser.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
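The last post's point that X-Frame-Options only works if the site sends it can be checked from a response's headers. The following is an added example, not part of any post in this thread: it classifies who may frame a response, and goes beyond the post by also reading the CSP `frame-ancestors` directive, which browsers enforce in preference to X-Frame-Options. The function name, return labels and header input format are assumptions made for illustration.

```javascript
// Classify who may frame a response, from its headers alone (added example).
// `headers` is an array of [name, value] pairs; the format is an assumption.
function framingPolicy(headers) {
  const values = (name) => headers
    .filter(([n]) => n.toLowerCase() === name)
    .map(([, v]) => v);

  // 1. An enforced CSP frame-ancestors directive overrides X-Frame-Options.
  const ancestorLists = [];
  for (const header of values('content-security-policy')) {
    for (const policy of header.split(',')) {
      const directive = policy.split(';')
        .map((d) => d.trim().split(/\s+/))
        .find(([dname]) => dname.toLowerCase() === 'frame-ancestors');
      if (directive) ancestorLists.push(directive.slice(1));
    }
  }
  if (ancestorLists.length > 0) {
    const isNone = (l) => l.length === 0 || l.every((s) => s.toLowerCase() === "'none'");
    const isWide = (l) => l.some((s) => s === '*');
    if (ancestorLists.some(isNone)) return { framableBy: 'nobody', via: 'csp' };
    if (ancestorLists.every(isWide)) return { framableBy: 'anyone', via: 'csp' };
    return { framableBy: 'restricted', via: 'csp' };
  }

  // 2. X-Frame-Options: split on commas, lowercase, de-duplicate.
  const xfo = new Set(values('x-frame-options')
    .flatMap((v) => v.split(','))
    .map((v) => v.trim().toLowerCase()));
  if (xfo.size === 0) return { framableBy: 'anyone', via: 'none' };
  const known = ['deny', 'sameorigin', 'allowall'].some((v) => xfo.has(v));
  if (xfo.size > 1) {
    // Conflicting values that include a recognised one fail closed;
    // a set made up only of unrecognised values is ignored.
    return known
      ? { framableBy: 'nobody', via: 'xfo-conflict' }
      : { framableBy: 'anyone', via: 'xfo-ignored' };
  }
  if (xfo.has('deny')) return { framableBy: 'nobody', via: 'xfo' };
  if (xfo.has('sameorigin')) return { framableBy: 'same-origin', via: 'xfo' };
  if (xfo.has('allowall')) return { framableBy: 'anyone', via: 'xfo' };
  // ALLOW-FROM and other unrecognised values give no protection in current browsers.
  return { framableBy: 'anyone', via: 'xfo-ignored' };
}
```

A response with neither header comes back as `framableBy: 'anyone'`, which is the case the post describes: the browser has nothing to enforce unless the site opts in.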