InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

feature request I've always wanted: trigger NoScript on other items besides scripts

https://forums.informaction.com/viewtopic.php?t=26105

Page 1 of 1

feature request I've always wanted: trigger NoScript on other items besides scripts

Posted: Thu Sep 03, 2020 4:39 am
by jawz101
I understand the idea of NoScript is to be a script blocker first... and then other items (object, frame, font, webgl, fetch, etc.) can be blocked once a domain has been identified by using javascript.

However it would be nice to have other items trigger a domain to be blockable if they appear w/o the use of javascript.

eg. if webgl, xhr/fetch, ping, fonts, etc. are used but not necessarily javascript.

All things being blocked via NoScript, I've observed website's size being 40% fonts that were downloaded from some 3rd party domain wasn't necessarily using javascript as well. And could some of these other web components besides javascript introduce security issues on their own?

This would turn NoScript into more of a uMatrix but must NoScript really have to always revolve around javascript only? NoScript has a less cumbersome interface than uMatrix since it doesn't have the extreme granularity and I'd like to be able to reduce traffic and exposure by detecting more domains.

in summary, ability to identify domains by other technologies than javascript (fetch, ping, object, etc.)
-reduce page loads
-catches more domains
-reduces unforeseen security issues that other web technologies may introduce - not necessarily related to javascript


Thank you for your consideration

Re: feature request I've always wanted: trigger NoScript on other items besides scripts

Posted: Thu Sep 03, 2020 5:05 am
by skriptimaahinen
Each of those technologies is detected separately. So if the page has no javascript but some external fonts are used, Noscript will list the domain. Same goes for frames, objects and media.

Fetch, ping and webgl can only be used with javascript, so javascript needs to be enabled before they can be used or detected.

Re: feature request I've always wanted: trigger NoScript on other items besides scripts

Posted: Thu Sep 03, 2020 2:43 pm
by barbaz
jawz101 wrote: Thu Sep 03, 2020 4:39 am could some of these other web components besides javascript introduce security issues on their own?
Yes, that's why NoScript blocks them.
jawz101 wrote: Thu Sep 03, 2020 4:39 am must NoScript really have to always revolve around javascript only?
It already doesn't. It revolves around active content, which could be Javascript or WASM or HTML5 media or fonts or etc.
jawz101 wrote: Thu Sep 03, 2020 4:39 am I'd like to be able to reduce traffic and exposure by detecting more domains.

[...]
-reduce page loads
-catches more domains
Sorry, this is not the purpose of NoScript.
jawz101 wrote: Thu Sep 03, 2020 4:39 am -reduces unforeseen security issues that other web technologies may introduce - not necessarily related to javascript
Again, NoScript already does this. If you know of a vulnerability through not-currently-blocked content types that does not require an already-blocked content type to exploit, please let Giorgio know.

Re: feature request I've always wanted: trigger NoScript on other items besides scripts

Posted: Sat Sep 05, 2020 1:34 am
by jawz101
Thank you for the replies. It is good to know that it catches those things
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited