Feature request to enable/disable PP0 protection.

skriptimaahinen
Senior Member
Posts: 239
Joined: Wed Jan 10, 2018 7:37 am

Post by skriptimaahinen » Wed Mar 31, 2021 10:51 am

Feature request:

Advanced-tab checkbox to enable/disable PP0 protection, similarly as with XSS sanitation.


Bonus typo: (too lazy to make separate post)

nscl/content/prefetchCSSResources.js:37 "rarget"

Though I have a hard time figuring out what is the use case for wrapCssAccess...
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

barbaz
Senior Member
Posts: 9961
Joined: Sat Aug 03, 2013 5:45 pm

Re: Feature request to enable/disable PP0 protection.

Post by barbaz » Wed Mar 31, 2021 12:28 pm

+1 for this as a troubleshooting tool.
*Always* check the changelogs BEFORE updating that important software!

Giorgio Maone
Site Admin
Posts: 9108
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Feature request to enable/disable PP0 protection.

Post by Giorgio Maone » Wed Mar 31, 2021 4:42 pm

skriptimaahinen wrote (Wed Mar 31, 2021 10:51 am):
> nscl/content/prefetchCSSResources.js:37 "rarget"

Fixed, thanks.

skriptimaahinen wrote (Wed Mar 31, 2021 10:51 am):
> Though I have a hard time figuring out what is the use case for wrapCssAccess...

The use case is not (currently) NoScript, since we assume JavaScript-enabled pages have plenty and more accurate ways to accomplish the same thing, but other tools which do not disable scripting but rely on NSCL for selected features, such as JS Shield (refactoring in very early stages).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0

Giorgio Maone
Site Admin
Posts: 9108
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Feature request to enable/disable PP0 protection.

Post by Giorgio Maone » Thu Apr 01, 2021 10:36 pm

Please check latest development build:
v 11.2.5rc1
============================================================
x Configurable "csspp0" capability to for sites where the
  CSS PP0 mitigation should be disabled (e.g TRUSTED)

x [nscl] Fix CSS PP0 mitigation still interfering with some
  WebExtensions (thanks barbaz for report)
x [XSS] Increased sensitivity and specificity of risky
  operator pre-checks
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0

barbaz
Senior Member
Posts: 9961
Joined: Sat Aug 03, 2013 5:45 pm

Re: Feature request to enable/disable PP0 protection.

Post by barbaz » Fri Apr 02, 2021 12:37 am

On update this capability is un-checked for DEFAULT/UNTRUSTED but checked for TRUSTED. Does the box being checked mean (somewhat confusingly) that CSS PP0 is NOT mitigated?

Does this capability control whether the mitigation is active when visiting the site? Or does it control whether the mitigation is applied to cross-origin stylesheets served by the site, when included by a script-disabled page?

Giorgio Maone
Site Admin
Posts: 9108
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Feature request to enable/disable PP0 protection.

Post by Giorgio Maone » Fri Apr 02, 2021 5:56 am

barbaz wrote (Fri Apr 02, 2021 12:37 am):
> On update this capability is un-checked for DEFAULT/UNTRUSTED but checked for TRUSTED. Does the box being checked mean (somewhat confusingly) that CSS PP0 is NOT mitigated?

As a capability, it means the site "can do" CSS PP0, i.e. when it's checked the mitigation is off, like any other capability: if checked, NoScript doesn't block it.

barbaz wrote (Fri Apr 02, 2021 12:37 am):
> Does this capability control whether the mitigation is active when visiting the site? Or does it control whether the mitigation is applied to cross-origin stylesheets served by the site, when included by a script-disabled page?

It controls whether the site can perform CSS PP0: when disabled, NoScript checks any stylesheet (either inline, same-site or cross-site) applied to the page.
Notice that the potential delays are due only to cross-site checks, but all the stylesheets are checked.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0

barbaz
Senior Member
Posts: 9961
Joined: Sat Aug 03, 2013 5:45 pm

Re: Feature request to enable/disable PP0 protection.

Post by barbaz » Fri Apr 02, 2021 5:24 pm

Thanks Giorgio for the explanation. I've updated the sticky.

Two things:

1) "csspp0" is not the best name for this capability IMO. No one who knows what CSS PP0 is would want to explicitly allow it. And every other capability controls what's served by the site, while this one is aimed at what can be done on that site.

All of this could be resolved by just renaming it to something like no-mitigate-csspp0. Because as you said, it is whether CSS PP0 is mitigated on pages served by that site, not actually whether that site itself can perform CSS PP0. This new name would make this capability's meaning semantically consistent with every other capability and more accurately describe its purpose.

What do you think?

2) If this capability is disabled for a site that has scripts enabled, does the script-enabled status still override it as in previous NoScript?

Giorgio Maone
Site Admin
Posts: 9108
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Feature request to enable/disable PP0 protection.

Post by Giorgio Maone » Fri Apr 02, 2021 7:03 pm

barbaz wrote (Fri Apr 02, 2021 5:24 pm):
> 1) "csspp0" is not the best name for this capability IMO. No one who knows what CSS PP0 is would want to explicitly allow it. And every other capability controls what's served by the site, while this one is aimed at what can be done on that site.

Not sure about this: "webgl", for instance, is something "can be done" on the page (creating a webgl or webgl2 canvas context).
On the other hand, I'm tempted to use a less cryptic label for those who don't bother to look up the details of this specific attack, and also to coalesce in this capability other kinds of potential future CSS-related mitigations which require the same kind of pre-emptive analysis and/or patching (with the same trade-offs). What about "unmitigated-css" or "unrestricted-css" or "unchecked-css" or "unsafe-css"?

barbaz wrote (Fri Apr 02, 2021 5:24 pm):
> 2) If this capability is disabled for a site that has scripts enabled, does the script-enabled status still override it as in previous NoScript?

If you mean the "disable restrictions" (either globally or per tab) modes, yes: they just enable all the capabilities for the desired context.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0

barbaz
Senior Member
Posts: 9961
Joined: Sat Aug 03, 2013 5:45 pm

Re: Feature request to enable/disable PP0 protection.

Post by barbaz » Fri Apr 02, 2021 7:55 pm

I like "unchecked-css" :) It's the most descriptive and technically accurate. I would still suggest formulating it more like "no-check-css" or "skip-check-css", because this is not about an inherent property of the CSS in general, it's about whether NoScript should not run its mitigation.

(alternately, unscanned-css / no-scan-css / skip-scan-css, if the use of the word "check" is confusing for people looking at a "check"box. I don't know if it would be or not.)

Giorgio Maone wrote (Fri Apr 02, 2021 7:03 pm):
> barbaz wrote (Fri Apr 02, 2021 5:24 pm):
> > 2) If this capability is disabled for a site that has scripts enabled, does the script-enabled status still override it as in previous NoScript?
>
> If you mean the "disable restrictions" (either globally or per tab) modes, yes: they just enable all the capabilities for the desired context.

I meant the "script" capability (which is why I referenced previous NoScript). Sorry for not being clear.

Giorgio Maone
Site Admin
Posts: 9108
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Feature request to enable/disable PP0 protection.

Post by Giorgio Maone » Fri Apr 02, 2021 8:15 pm

barbaz wrote (Fri Apr 02, 2021 5:24 pm):
> 2) If this capability is disabled for a site that has scripts enabled, does the script-enabled status still override it as in previous NoScript?

No, it doesn't. They're independent now (even though on upgrade from <= 11.2.4 any preset, including CUSTOM ones, which have "script", automatically get the new capability).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0

skriptimaahinen
Senior Member
Posts: 239
Joined: Wed Jan 10, 2018 7:37 am

Re: Feature request to enable/disable PP0 protection.

Post by skriptimaahinen » Sat Apr 03, 2021 10:58 am

Seems fine to have the protection as permission.

However, none of the suggested renames make it any more clear whether one should check or uncheck the option to prevent this mysterious threat (not that the original tells anything either). So I assume there will be a lot of questions about this in any case.

Do keep the name short though. The permissions list is getting long. The popup already resizes considerably when opening and closing the custom tab.
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

fatboy
Senior Member
Posts: 61
Joined: Fri Jul 25, 2014 6:56 am

Re: Feature request to enable/disable PP0 protection.

Post by fatboy » Tue Apr 27, 2021 11:51 am

Maybe change in Settings the tooltip for "unchecked CSS" to "CSS PP0"?
The user will be able to find the CSS PP0 using a search engine.
 
UPD: Because there are checkboxes in Settings, the word "unchecked" may be misunderstood:
"When another box is checked, the previous box is automatically unchecked."
(Horstmann, Cay S.,Cornell, Gary / Core Java™ 2, Volume I - Fundamentals)
Last edited by fatboy on Tue Apr 27, 2021 1:09 pm, edited 2 times in total.
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 SM/2.49.5 NS/2.9.0.14

barbaz
Senior Member
Posts: 9961
Joined: Sat Aug 03, 2013 5:45 pm

Re: Feature request to enable/disable PP0 protection.

Post by barbaz » Tue Apr 27, 2021 12:59 pm

fatboy wrote (Tue Apr 27, 2021 11:51 am):
> Maybe change in Settings the tooltip for "unchecked CSS" to "CSS PP0"?
> The user will be able to find the CSS PP0 using a search engine.

No, it's better to leave it as-is. Again, no one who knows what CSS PP0 is would want to explicitly allow it, and Giorgio wants to keep the door open to in future add other mitigations for other pure-CSS vulnerabilities to this capability.

barbaz
Senior Member
Posts: 9961
Joined: Sat Aug 03, 2013 5:45 pm

Re: Feature request to enable/disable PP0 protection.

Post by barbaz » Wed Apr 28, 2021 7:22 pm

barbaz wrote (Fri Apr 02, 2021 7:55 pm):
> (alternately, unscanned-css / no-scan-css / skip-scan-css, if the use of the word "check" is confusing for people looking at a "check"box. I don't know if it would be or not.)

Apparently it is -

fatboy wrote (Tue Apr 27, 2021 11:51 am):
> UPD: Because there are checkboxes in Settings, the word "unchecked" may be misunderstood:
> "When another box is checked, the previous box is automatically unchecked."
> (Horstmann, Cay S.,Cornell, Gary / Core Java™ 2, Volume I - Fundamentals)

Guest wrote (Wed Apr 28, 2021 4:09 am):
> Checking "unchecked_css" makes it unchecked and unchecking it makes it checked? :roll:

Let's continue this discussion in viewtopic.php?f=7&t=26310 .