[Fixed] 11.2.4rc1 DoS's some sites
Posted: Mon Mar 15, 2021 12:55 am
by barbaz
Trying to visit e.g.
https://web.archive.org/web/20160115151 ... uthor/John with NoScript 11.2.4rc1 spams so many requests to archive.org that they temporarily banned my IP. These requests are to their archived versions of twemoji.maxcdn.com SVGs.
These requests do not happen with NoScript 11.2.3.
How to stop this?
EDIT Downgrading to 11.2.3 has made *all* my browsing MUCH faster. I suspect this is not the only site that 11.2.4rc1 is DoSing.
Re: 11.2.4rc1 DoS's some sites
Posted: Mon Mar 15, 2021 8:26 am
by skriptimaahinen
Get the same problem. Though, there are lots of pages where I see no prefetching even when I would expect it. Are all CSS resources supposed to be prefetched or what are the conditions?
Re: 11.2.4rc1 DoS's some sites
Posted: Mon Mar 15, 2021 10:56 am
by Giorgio Maone
- It's supposed to fetch all the resources referenced by all the stylesheets in the page at once (causing this problem in situations when the resources are many more than those actually supposed to be used by the site): the workaround is prefetching just one for each subdomain, the way I had originally implemented but discarded in RC1, hoping to avoid this "odd" behavior which can reveal to site owners that you're using NoScript. On the other hand, there are plenty of ways to tell already, so I'm reverting to my first idea.
- The missing resources are from cross-site stylesheets, which cannot be easily parsed because of security restrictions. I'm working around this as well, by limiting this mitigation to scriptless pages only (where it makes sense, because JavaScript is much easier and more accurate at doing the same job) and overriding CORS there for stylesheets, which anyway then could be accessed only by privileged code such as NoScript.
I'm on both the issues, hoping to release RC2 in a few hours.
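The selection logic this post describes, as an added example (not NoScript's own code): the rc1 strategy walks every stylesheet and queues every referenced resource, the rc2 strategy keeps one resource per host, skips same-site resources, only runs on scriptless pages, and reads cross-origin sheets with privilege instead of giving up on them. The sheet objects, the `readRules` stand-in for `cssRules`, the hostnames and the sample stylesheet text are all constructed for illustration.

```javascript
// Added example, not NoScript's code. Stylesheets are plain objects built
// below; in a browser the equivalent input is document.styleSheets[i].cssRules,
// which throws a SecurityError for cross-origin sheets (the restriction the
// post refers to).

const URL_RE = /url\(\s*(['"]?)([^'")\s]+)\1\s*\)/g;

// Collect every absolute URL referenced by url() in a stylesheet.
function extractUrls(cssText, baseHref) {
  const urls = [];
  for (const m of cssText.matchAll(URL_RE)) {
    const ref = m[2];
    if (ref.startsWith('data:')) continue;           // inline data, nothing to fetch
    try { urls.push(new URL(ref, baseHref).href); } catch (_) { /* skip malformed */ }
  }
  return urls;
}

// Stand-in for sheet.cssRules: unprivileged page code cannot read the rules of
// a cross-origin sheet, privileged extension code can.
function readRules(sheet, privileged) {
  if (!sheet.sameOrigin && !privileged) {
    const err = new Error(`cannot read rules of ${sheet.href}`);
    err.name = 'SecurityError';
    throw err;
  }
  return sheet.cssText;
}

// page = { origin, hasScripts }; opts selects the rc1 or rc2 behaviour.
function selectPrefetch(sheets, page, opts) {
  if (opts.scriptlessOnly && page.hasScripts) {
    return { targets: [], unreadable: [] };          // JS does this job better
  }
  const targets = [];
  const seenHosts = new Set();
  const unreadable = [];
  for (const sheet of sheets) {
    let cssText;
    try {
      cssText = readRules(sheet, opts.privileged);
    } catch (e) {
      if (e.name !== 'SecurityError') throw e;
      unreadable.push(sheet.href);                   // rc1: these resources go missing
      continue;
    }
    for (const href of extractUrls(cssText, sheet.href)) {
      const u = new URL(href);
      if (opts.crossSiteOnly && u.origin === page.origin) continue;
      if (opts.onePerHost) {
        if (seenHosts.has(u.host)) continue;
        seenHosts.add(u.host);
      }
      targets.push(u.href);
    }
  }
  return { targets, unreadable };
}

// rc1: everything referenced, every page, unprivileged sheet access.
const RC1 = { onePerHost: false, crossSiteOnly: false, scriptlessOnly: false, privileged: false };
// rc2: one resource per host, cross-site only, scriptless pages, privileged access.
const RC2 = { onePerHost: true, crossSiteOnly: true, scriptlessOnly: true, privileged: true };

// Constructed sample: a same-origin sheet referencing many emoji SVGs on one
// CDN host (the shape of the archive.org case) plus a cross-origin font sheet.
const PAGE_ORIGIN = 'https://example.org';
const emojiRules = Array.from({ length: 200 }, (_, i) =>
  `.e${i}{background:url(https://cdn.example.net/emoji/${i}.svg)}`).join('\n');
const SAMPLE_SHEETS = [
  { href: 'https://example.org/site.css', sameOrigin: true,
    cssText: `${emojiRules}\n.logo{background:url("/img/logo.png")}` },
  { href: 'https://fonts.example.com/f.css', sameOrigin: false,
    cssText: `@font-face{src:url('font.woff2')}` },
];

function demo() {
  const page = { origin: PAGE_ORIGIN, hasScripts: false };
  const rc1 = selectPrefetch(SAMPLE_SHEETS, page, RC1);
  const rc2 = selectPrefetch(SAMPLE_SHEETS, page, RC2);
  return {
    rc1Count: rc1.targets.length,        // 201 requests to the site's CDN host
    rc1Unreadable: rc1.unreadable,       // the cross-origin sheet was skipped
    rc2Targets: rc2.targets,             // one SVG, one font
    rc2Unreadable: rc2.unreadable,
  };
}

console.log(demo());
```

Running the block prints the two selections side by side: the rc1 rules queue 201 fetches against the single CDN host while silently dropping the cross-origin sheet, the rc2 rules queue two. Passing a page with `hasScripts: true` under the rc2 options yields no prefetch at all.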
Re: 11.2.4rc1 DoS's some sites
Posted: Tue Mar 16, 2021 12:28 am
by Giorgio Maone
Please check [ldb], thanks.
v 11.2.4rc2
============================================================
x [nscl] Switch to NSCL for messaging
x [nscl] Rollback unneeded window.opener patching (thanks
skriptimaahinen for insight)
x CSS PP0 mitigation: cross-site stylesheets on scriptless
pages, one resource per host
x Limit CSS PP0 mitigation to scriptless pages and prefetch
only cross-site resources
Re: 11.2.4rc1 DoS's some sites
Posted: Tue Mar 16, 2021 1:25 am
by barbaz
Fixed in 11.2.4rc2, thanks
