InformAction Forums

guest wrote:blocking inline scripts

guest wrote:1st. party (i)frames

guest wrote:"if?" possible inline (i)frames

guest wrote:pictures.

guest wrote:
blocking inline scripts

Done by default.

guest wrote:
"if?" possible inline (i)frames

Not possible AFAIK.

guest wrote:Please refresh my memory...Mozilla decided to stop blocking inline scripts in FX in one of the recent versions.
I think there was a discussion here about that 5 months ago?
So is blocking inline scripts a recent feature,& I just forgot the change log for the recent NS versions?
...or has it been like this pretty much from the start?

guest wrote:I think it's the 1st one.I'm sure there was some change/update about something like this?

guest wrote:noscript.forbidIFramesContext looks familiar when it comes to blocking 1st. party Iframes.
Thank you,but what value do I use?

guest wrote:What about blocking 1st. party Frames?

guest wrote:

guest wrote:
"if?" possible inline (i)frames

Not possible AFAIK.

I thought so,because I don't remember reading anything about this here.
Please ask Giorgio for this feature request.
...And NO,I'm not going to waste my time signing up,& asking him directly.I know for a fact it hasn't worked out for the 99.99% of people in the past.

guest wrote:Since Mozilla got rid of Load Images in FX's Content tab in one of the recent versions.
I made an ABE rule like this:
# PICS BLOCK
Site *.*/*.jp* *.*/*.png* *.*/*.gif* *.*/*.bmp* *.*/*.svg*
.example.com/something.js
Deny

To undo it all I have to do is to put an # in front of *.*/*.jp*
It's better than doing it in about:config or using some add-on.

However,I'm sure there is no ABE rule to block inline pics?
Am I wrong?

guest wrote:I'm not going to waste your time with an example,because inline everything is everywhere.

guest wrote:
Please refresh my memory...Mozilla decided to stop blocking inline scripts in FX in one of the recent versions.
I think there was a discussion here about that 5 months ago?
So is blocking inline scripts a recent feature,& I just forgot the change log for the recent NS versions?
...or has it been like this pretty much from the start?

... what?
NoScript has always been blocking inline scripts.

guest wrote:I think it's the 1st one.I'm sure there was some change/update about something like this?

Oh, you mean the whole CAPS deal. NoScript uses a different method of blocking inline scripts in modern Gecko (>= 28). So you're safe.

guest wrote:
noscript.forbidIFramesContext looks familiar when it comes to blocking 1st. party Iframes.
Thank you,but what value do I use?

0

guest wrote:
What about blocking 1st. party Frames?

Different checkbox in Embeddings.. so if I were you I'd try a harmless example page to see whether the forbidIFramesContext pref applies to FRAMEs too.
(I don't know. I don't use the frame blocking. If you can't find a suitable test page let me know and I'll try it out with my local server and let you know the results.)

guest wrote:
"if?" possible inline (i)frames

Not possible AFAIK.

I thought so,because I don't remember reading anything about this here.
Please ask Giorgio for this feature request.
...And NO,I'm not going to waste my time signing up,& asking him directly.I know for a fact it hasn't worked out for the 99.99% of people in the past.

Why would you want to block inline iframes? There is no security or privacy benefit to doing that.
I'm not going to ask for that feature, sorry.

guest wrote:
Since Mozilla got rid of Load Images in FX's Content tab in one of the recent versions.
I made an ABE rule like this:
# PICS BLOCK
Site *.*/*.jp* *.*/*.png* *.*/*.gif* *.*/*.bmp* *.*/*.svg*
.example.com/something.js
Deny

To undo it all I have to do is to put an # in front of *.*/*.jp*
It's better than doing it in about:config or using some add-on.

However,I'm sure there is no ABE rule to block inline pics?
Am I wrong?

"Inline pics" meaning data URIs? Yeah, I don't think ABE filters those.. or at least, ABE is not designed to filter them...

guest wrote:

Oh, you mean the whole CAPS deal. NoScript uses a different method of blocking inline scripts in modern Gecko (>= 28). So you're safe.

Yeah that sounds familiar.Thanks.
However,what is/are the Preference Name(s) that control this?

guest wrote:

guest wrote:
noscript.forbidIFramesContext looks familiar when it comes to blocking 1st. party Iframes.
Thank you,but what value do I use?

0

Thank you,but what happens if I use 1,2,or leave it blank?
Seriously,there needs to be an About:config Entries page for NS.

  0 -- block always
  1 -- block if parent is in a different site (default)
  2 -- block if parent is in a different domain
  3 -- block if parent is in a different 2nd level domain

guest wrote:

guest wrote:
What about blocking 1st. party Frames?

Different checkbox in Embeddings.. so if I were you I'd try a harmless example page to see whether the forbidIFramesContext pref applies to FRAMEs too.
(I don't know. I don't use the frame blocking. If you can't find a suitable test page let me know and I'll try it out with my local server and let you know the results.)

I'll try to use the example you gave to Rube when I have more time.

guest wrote:What's the difference if the Frames,or Iframes are done in a regular way,or as inline.They'll be there regardless of the delivery method.
Otherwise why bother blocking the Frames,or Iframes at all.
So please ask Giorgio for this feature request.

guest wrote:

"Inline pics" meaning data URIs? Yeah, I don't think ABE filters those.. or at least, ABE is not designed to filter them...

Well,then there's definitely no such ABE rules Syntax.Otherwise I would had seen it here.
I'm not even going to talk about the data URIs/data:image/whatever;base64.
We all know it's a lost cause.

If you want an example:http://windows.microsoft.com/en-us/wind ... emes_files
The blue Windows 8 logo in the upper-left corner of the page.
Even if you get rid of it.There's an identical green one underneath it which is definitely inline.

noscript.surrogate.byeinlinesvg.replacement : window.addEventListener('load', function() {for (let e of document.getElementsByTagName('svg')){e.parentNode.removeChild(e);} }, false);
noscript.surrogate.byeinlinesvg.sources : !@^https?://

guest wrote:
What's the difference if the Frames,or Iframes are done in a regular way,or as inline.They'll be there regardless of the delivery method.
Otherwise why bother blocking the Frames,or Iframes at all.
So please ask Giorgio for this feature request.

Please see http://noscript.net/faq#qa4_8. This feature is in NoScript to help prevent *cross-site* attacks; blocking part of the page itself isn't going to do anything in that regard.
Sounds like what you want is an annoyance zapped, not a security feature.. and NS isn't an annoyance removal tool except coincidentally. So unless you can show by example that IFRAME srcdocs can be exploited just like "normal" IFRAMEs in a way that has security implications, this feature request has no use in NoScript.

noscript.surrogate.byeinlinesvg.replacement : window.addEventListener('load', function() {for (let e of document.getElementsByTagName('svg')){e.parentNode.removeChild(e);} }, false);
noscript.surrogate.byeinlinesvg.sources : !@^https?://

guest wrote:1.How does NS blocks inline scripts?
1.1.How does NS blocks inline scripts with CAPS in Fx28,& newer Fx versions?

guest wrote:2.In about:config what Preference name(s) controls this?
3.What are the values?

guest wrote:A bit more...
4.If an inline Iframe,or an inline Frame has an inline script inside of it.Is the inline script blocked by default? (I think so.)

guest wrote:5.If an inline script is 3rd. party.
For example:inside the inline script.the inline script also calls on a 3rd. party JS:http://thirdparty.com/blah/bad.js
Is the 3rd. party script blocked,or goes undetected? (I think it's blocked like always.)

guest wrote:Something else to consider...
6.If an inline Iframe,or an inline Frame also calls on a 3rd. party Iframe,or a 3rd. party Frame:http://thirdparty.com/blah/bad.html (Yes,frames inside frames.)
Then,the original inline Iframe,or the original inline Frame also has an inline script inside of it.That also calls on a 3rd. party JS...WTF happens then?
Yes,I had seen this,& if I could remember an example.I would give it to you.

Even worse...
7.What if the 3rd. party Iframe,or the 3rd. party Frame have their own inline scripts,that also call on a 4th. party JS?...Wait,my eyes are bleeding... What happens then?

Yes,this answers my questions,but it does not apply to inline Iframes,or an inline Frames:https://noscript.net/faq#qa4_8

guest wrote:I think we all know that NS is a security tool.The fact that NS blocks ads,or annoyances are just beneficial side effects.

Look at it this way:
1.Pretty much every website uses inline Iframes,or inline Frames.They are only annoyances because they were designed that way.They could just as easily had been designed to be malicious.With no way to stop them.WHAT WILL YOU DO THEN???

If you want to wait until you,or someone else gets attacked,& hopefully not suffer the consequences.That's fine,but I would take preventative measures now.

2.Reasons/Questions 4-7 above.
3.Inline pics.

At this point everybody uses them,& with no "reqular" ways to block any of these.It's just a matter of time before disaster strikes.

If you still refuse...how about a surrogate to block inline Iframes,& inline Frames?
While surrogates are mostly for JS.Will it work for inline Iframes,& inline Frames?

Finally...Like you guys always say:It can't hurt to ask.
PLEASE ask Giorgio to block inline Iframes,& inline Frames in NS just like blocking regular Iframes,& Frames.

noscript.surrogate.noinlineframe.replacement : window.addEventListener("load", function(){for(let j of document.querySelectorAll('iframe[srcdoc],iframe[src^="data:"],frame[src^="data:"]')){j.parentNode.removeChild(j);}}, false);
noscript.surrogate.noinlineframe.sources : !@^https?://

guest wrote:Wow thanks.
I was going to ask for a surrogate in my last reply,but you beat me to it.Glad you're 1 step ahead of me.
I'll test it when I have more time.

guest wrote:Since we are on the subject of pics...
Barbaz,I would like to know your personal opinion on this.

We all know that Giorgio for some unknown reason thinks that blocking pics has something to do with ads instead of security. (Which is not true.)Not to mention that a million people had failed to convince him otherwise. (Privacy=Security.)

guest wrote:Lets use scorecardresearch.com as an example.
You can black list it/untrusted it,& then go to Options-Embeddings-"Check" Block every object from a site marked as untrusted.
However,you still get that invisible 1x1 pixel web bug/beacon.
Wouldn't it be nice if you could block that pic without a host list,ABP/something similar,or an ABE rule?
BTW,this should also apply to inline pics.
What do you think?

guest wrote:Speaking of which,please remind me.
If you select Block every object from a site marked as untrusted.Are CSS,& XML blocked?

guest wrote:
2.In about:config what Preference name(s) controls this?
3.What are the values?

Oh, that's what you're asking about inline scripts. There is no preference to block or not block inline scripts specifically (it's useless and dangerous to have that configurable).

*I* am not going to ask because IMO that is pointless. It's just like asking to block all DIVs in a page. It's not going to help you in terms of security or privacy.
If you're fine with a surrogate, this one should zap inline (I)FRAMES after the fact:

Code: Select all

Code: Select all
noscript.surrogate.noinlineframe.replacement : window.addEventListener("load", function(){for(let j of document.querySelectorAll('iframe[srcdoc],iframe[src^="data:"],frame[src^="data:"]')){j.parentNode.removeChild(j);}}, false);
noscript.surrogate.noinlineframe.sources : !@^https?://

guest wrote:
Since we are on the subject of pics...
Barbaz,I would like to know your personal opinion on this.

We all know that Giorgio for some unknown reason thinks that blocking pics has something to do with ads instead of security. (Which is not true.)Not to mention that a million people had failed to convince him otherwise. (Privacy=Security.)

No, Privacy != Security. That's why TOR Browser has NoScript installed with cascading permissions mode enabled by default...

guest wrote:
Lets use scorecardresearch.com as an example.
You can black list it/untrusted it,& then go to Options-Embeddings-"Check" Block every object from a site marked as untrusted.
However,you still get that invisible 1x1 pixel web bug/beacon.
Wouldn't it be nice if you could block that pic without a host list,ABP/something similar,or an ABE rule?
BTW,this should also apply to inline pics.
What do you think?

Old versions of NoScript used to offer exactly the sort of thing you're talking about, but Fx 4+ made it impossible to implement, so it was removed.

guest wrote:Wouldn't it be nice to have the fine grain control to (Temporary) Allow JS to run,but still be able to block any/all inline scripts?
Would yet another surrogate be in order?

guest wrote:

No, Privacy != Security. That's why TOR Browser has NoScript installed with cascading permissions mode enabled by default...

1.You mean disabled!?
2.I think we all know that If you (Temporary) Allow 1st. party JS to run.It will trigger/run it's sub domain(s) JS.Which will trigger/run 3rd. party JS.At this point,sub domain(s),or 3rd. party JS can trigger/run all kinds of malicious crap.
Clearly no one should ever allow that!
Cascading is only good on respectable/white listed sites.
3.That's not what I was asking. (Keep reading.)

guest wrote:I will rephrase these last two,& CSS/XML. (Btw,thanks for confirming that CSS,& XML are not blocked just like I thought.)

Wouldn't it be nice if you blocked/untrusted scorecardresearch.com.Then,went to Options-Embeddings-"Checked" Block every object from a site marked as untrusted.
Everything coming from scorecardresearch.com would get blocked.Including:regular Objects,CSS,XML,& pics.As well as:inline scripts,inline (I)Frames,& inline pics.Everything
Just as if you 127,255,or 0 scorecardresearch.com in hosts.

I would ask for this feature request,but I had learned my lesson the last time.
You all lied to us.I asked,it hurt,I'm bleeding,& limping away.