A How to block prettyLoader by site and global.
Posted: Thu Feb 13, 2014 7:20 pm
by NSuser2013
Edit:
Original Subject Title: surrogate script to eliminate cursor manipulation?
--
Updated Title: A How to block prettyLoader by site and global.
Blocking

/Edit:
This quote is from a post in my previous thread.
If you want to allow the site, but block specific JavaScript, then you'll need to write a surrogate script
liveleak makes my mouse cursor disappear, and replaces it with a progress icon for a second or two when clicking comment red button.
Is there any possible way to block this kind of behavior with a surrogate script and if so, may someone guide me in the right direction on how to do so?
Re: surrogate script to eliminate cursor manipulation?
Posted: Thu Feb 13, 2014 7:30 pm
by barbaz
Example URL where this happens?
Re: surrogate script to eliminate cursor manipulation?
Posted: Thu Feb 13, 2014 7:32 pm
by NSuser2013
barbaz wrote: Example URL where this happens?
http://www.liveleak.com/view?i=aac_1392197830
scroll down to "view comments" button, click.
Re: surrogate script to eliminate cursor manipulation?
Posted: Thu Feb 13, 2014 8:04 pm
by barbaz
No need for a surrogate (I think).
If you use Adblock Plus, just add the filter
Code:
||liveleak.com^*/jquery.prettyLoader.js^
If not, try adding to USER ruleset under NoScript Options -> Advanced -> ABE
Code:
Site ^https?://(?:[^/]+\.)?liveleak\.com.+/jquery.prettyLoader.js
Deny INCLUSION
Re: surrogate script to eliminate cursor manipulation?
Posted: Thu Feb 13, 2014 8:36 pm
by NSuser2013
Omg Thank you!
It never ceases to amaze me about the possibilities with NoScript & ABP..
They both work. I will use NoScript to control it, that way it's blocked at NoScript and not bypassing NoScript to be blocked by ABP.
Thanks a bunch

Re: [Solved]surrogate script to eliminate cursor manipulatio
Posted: Thu Feb 13, 2014 8:53 pm
by NSuser2013
Hey, barbaz.
This is now making me wonder on how much control all websites have over your cursor.
Is there a way to make a wild card, so this cmd blocks all cursor manipulations on all sites?
Like
Code:
Site ^https?://(?:[^/]+\.)?*\.com.+/jquery.prettyLoader.js
Deny INCLUSION
* replacing liveleak
Re: [Solved]surrogate script to eliminate cursor manipulatio
Posted: Thu Feb 13, 2014 9:31 pm
by barbaz
NSuser2013 wrote: Hey, barbaz.
This is now making me wonder on how much control all websites have over your cursor.
Is there a way to make a wild card, so this cmd blocks all cursor manipulations on all sites?
No. The rules I suggested only block that specific jQuery script.
If you want to block that script across all sites, the correct ABE rule should be
Code:
Site .+/jquery\.prettyLoader\.js
Deny INCLUSION
(And actually, if a request is hitting ABE then it's bypassing Adblock Plus, not the other way around.)
Re: [Solved]surrogate script to eliminate cursor manipulatio
Posted: Thu Feb 13, 2014 10:04 pm
by NSuser2013
NoScript ABE is spitting out an error with
Code:
Site .+/jquery\.prettyLoader\.js
Deny INCLUSION
line 1:6 no viable alternative at character '+'
Re: [Solved]surrogate script to eliminate cursor manipulatio
Posted: Thu Feb 13, 2014 10:14 pm
by barbaz
???
I see it too...
Bug in AddressMatcher?
Try this instead (means the same thing)
Code:
Site ^.+/jquery\.prettyLoader\.js
Deny INCLUSION
Re: [Solved]surrogate script to eliminate cursor manipulatio
Posted: Thu Feb 13, 2014 10:28 pm
by NSuser2013
barbaz wrote: ???
I see it too...
Bug in AddressMatcher?
Try this instead (means the same thing)
Code:
Site ^.+/jquery\.prettyLoader\.js
Deny INCLUSION
Awesome. It works.
Since we have by site blocking and global blocking for noscript, and block by site for AdBlock Plus, do you have global block filter for AdBlock Plus?
Re: A How to block prettyLoader by site and global.
Posted: Thu Feb 13, 2014 10:40 pm
by NSuser2013
I really don't like where this is going. What I mean is, why does the Firefox end user not have the power to disable mouse manipulations through about:config globally?
It is starting to look like any website may inject anything to your cursor. < Which I am not fond of at all.
http://webscripts.softpedia.com/downloadTag/spinner
Who would I go to, to get this kind of power to the end user through the browser, Mozilla?
And I am surprised I am the only one worried about this security flaw?
Re: [Solved]surrogate script to eliminate cursor manipulatio
Posted: Thu Feb 13, 2014 10:47 pm
by barbaz
NSuser2013 wrote: Since we have by site blocking and global blocking for noscript, and block by site for AdBlock Plus, do you have global block filter for AdBlock Plus?
easy, that's just
Re: A How to block prettyLoader by site and global.
Posted: Thu Feb 13, 2014 10:53 pm
by barbaz
I believe NS has some protection against cursor manipulations that are a security threat, including but not limited to ClearClick, but I don't know the details, sorry.
Re: A How to block prettyLoader by site and global.
Posted: Thu Feb 13, 2014 11:12 pm
by NSuser2013
barbaz wrote: I believe NS has some protection against cursor manipulations that are a security threat, including but not limited to ClearClick, but I don't know the details, sorry.
No biggie, you helped out a ton.
I am now over at mozillazine forums posting in the bug section, and see how it goes, once the post is approved, I will link it here so anyone interested may stay updated.
I find this as a huge security threat, wondering how it got bypassed Mozilla's security team "headbangingonwall".
Thanks a bunch

Re: A How to block prettyLoader by site and global.
Posted: Fri Feb 14, 2014 12:29 am
by Thrawn
The threat you're worried about is basically Cursorjacking. Yes, NoScript protects against cursorjacking attacks via ClearClick - at least, attacks that involve making you think your cursor is somewhere other than where it really is.
If you can think of other ways in which manipulating the cursor is dangerous, then please feel free to post in the NoScript Development forum.
barbaz wrote: ???
I see it too...
Bug in AddressMatcher?
Nope, not a bug. ABE just didn't know you wanted a regex, that's all. You started the string with a leading dot, which is a valid wildcard in ABE. Adding the caret fixes that.
NSuser2013 wrote: I really don't like where this is going. What I mean is, why does the Firefox end user not have the power to disable mouse manipulations through about:config globally?
If someone wants to identify the exact functions that allow cursor control, then Controle de Scripts may help. Assuming that it doesn't rely on CAPS, which is dead.
And I am surprised I am the only one worried about this security flaw?

You're in a forum full of people who are worried about the
security risks inherent in JavaScript, run by a guy who built
the best tool in the world to fix the situation.
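
Added example, not part of any post in this thread and not NoScript's own code: it runs the ABE Site patterns quoted above against constructed request URLs to show what each one covers, including two edge cases (the unescaped dots in the site-specific rule, and a script served from the site root). Assumptions: a pattern counts as a regex only when it starts with "^", as explained in the last post, and plain JavaScript RegExp stands in for ABE's matcher; every URL is constructed for illustration.

```javascript
// Patterns copied from the posts above.
const RULES = {
  siteOnly: String.raw`^https?://(?:[^/]+\.)?liveleak\.com.+/jquery.prettyLoader.js`,
  globalNoCaret: String.raw`.+/jquery\.prettyLoader\.js`, // the one ABE rejected
  global: String.raw`^.+/jquery\.prettyLoader\.js`,
};

// Constructed sample request URLs (paths and the example.org host are made up).
const SAMPLES = [
  "http://www.liveleak.com/js/jquery.prettyLoader.js",
  "https://liveleak.com/static/jquery.prettyLoader.js?v=2",
  "http://cdn.example.org/lib/jquery.prettyLoader.js",
  "http://www.liveleak.com/js/jqueryXprettyLoaderYjs", // only unescaped dots match this
  "http://www.liveleak.com/js/jquery.min.js",
  "http://www.liveleak.com/jquery.prettyLoader.js",    // script at the site root
];

// Assumption taken from the thread: only a leading "^" marks a regex.
function isRegexPattern(pattern) {
  return pattern.startsWith("^");
}

// Test one URL against one regex-style pattern.
function matches(pattern, url) {
  if (!isRegexPattern(pattern)) {
    throw new Error("not a regex pattern: " + pattern);
  }
  return new RegExp(pattern).test(url);
}

// For each rule: the sample URLs it would cover, or null when the
// pattern is not a regex under the assumption above.
function report() {
  const out = {};
  for (const [name, pattern] of Object.entries(RULES)) {
    out[name] = isRegexPattern(pattern)
      ? SAMPLES.filter((url) => matches(pattern, url))
      : null;
  }
  return out;
}

console.log(report());
```

The site-specific rule misses the root-level script because `.+` needs at least one character between the host and `/jquery`, and it also matches the `jqueryXprettyLoaderYjs` URL because its dots are unescaped; the global rule with escaped dots has neither problem.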