Page 1 of 2
NoScript now embedded into Chrome??
Posted: Tue Mar 02, 2010 7:55 pm
by Vux
http://lifehacker.com/5483611/chrome-be ... t-controls
As for cookies, images, JavaScript, plug-ins, and pop-ups, you can now set Chrome up in each case to always block them, always allow them, or accept them only from sites you add to a list. For hardcore fans of NoScript, FlashBlock, and other such web streamlining tools, that's a pretty nice addition.
Re: NoScript now embedded into Chrome??
Posted: Tue Mar 02, 2010 8:36 pm
by Vux
Re: NoScript now embedded into Chrome??
Posted: Tue Mar 02, 2010 9:16 pm
by Giorgio Maone
It's a first step, but quite different yet.
If you enable JavaScript on a certain site, you're automatically enabling all the 3rd party scripts loaded by pages on that site, even though you didn't whitelist them.
Furthermore, you have not even an easy way to see them.
This is a great weakness if you want to use this feature for security/privacy purposes, because if a site in your whitelist gets compromised with an iframe or script injection, or it includes tracking scripts, you've got no defense.
Re: NoScript now embedded into Chrome??
Posted: Wed Mar 03, 2010 8:44 am
by Fionavar
FYI: I have had to disable this option as it totally messes up Extensions. There seems to be no way to make sure Extension operate correctly when Java Security is initiated in the current approach.
Re: NoScript now embedded into Chrome??
Posted: Fri Apr 02, 2010 4:59 pm
by Vux
http://lifehacker.com/5177709/chrome-th ... wn-contest
Wow at Chrome being the only unhacked browser. Amazing.
I wonder what's more secure: Firefox with NoScript or Chrome with its superior sandboxing and security features?
If FF + NoScript, just how much more vulnerable is Chrome? I love Chrome but not sure if I feel secure enough with just using Chrome's blanket Allow All or Disallow All javascript blocking.
Re: NoScript now embedded into Chrome??
Posted: Sat Apr 03, 2010 11:01 am
by Giorgio Maone
Vux wrote:I wonder what's more secure: Firefox with NoScript or Chrome with its superior sandboxing and security features?
Chrome as no "superior" security features over Firefox+NoScript, sandboxing aside (Firefox will get some in 3.7, probably).
To say it all, NoScript as many more security features than Chrome (e.g.
ClearClick or
ABE), and the Google crew had even to disable their "XSS Auditor" filter (which already was quite easy to bypass) because of serious performance problems, so
serious XSS protection is again a bullet point for NoScript (IE8's competition on that side is
a gun aimed at your feet 
)
Most important, sandboxing is definitely overrated (yes, SandboxIE, I'm looking at you).
In this Web 2.0+ age, the ability to touch your hard disk and other system resources (which is what sandboxes try to impair) is not very important anymore: your in-browser password store and the services you access online (e.g. credit card transactions) are the most valuable targets, and an attacker can "own" them even without the need of a browser exploit (a web application vulnerability is enough). Of course, a browser vulnerability is a bonus, but manipulating to the browser process is more than enough, and no sandboxing can help you with that.
Notice that
I've been talking about this stuff already more than two years ago
Re: NoScript now embedded into Chrome??
Posted: Sat Apr 03, 2010 3:39 pm
by Vux
Well, my point is that if you go to a malicious website, is Chome with JavaScript disabled just as safe as going to a malicious website with NoScript and everything disabled?
Re: NoScript now embedded into Chrome??
Posted: Sat Apr 03, 2010 3:50 pm
by Giorgio Maone
Vux wrote:Well, my point is that if you go to a malicious website, is Chome with JavaScript disabled just as safe as going to a malicious website with NoScript and everything disabled?
Nope, Chrome is much less safe because it lacks defenses against several kind of non-Javascript attacks, including plugin-based ones, XSS, CSRF and Clickjacking.
Re: NoScript now embedded into Chrome??
Posted: Mon May 10, 2010 11:56 pm
by Fionavar
Hi Giorgio,
I am just wondering if there have been any developments that you are involved in or know of that continues to improve security for Chrome?
Re: NoScript now embedded into Chrome??
Posted: Tue May 11, 2010 1:17 am
by GµårÐïåñ
What chrome is offering is nothing more than an all or nothing band-aid. It is no different than what is built-in for Firefox by default. If anything, they should be ashamed that it took them this long to provide it. It gives no granular control over individual sites, partial sites, or as Giorgio stated the myriad of other benefits that NoScript provides. At least with Fx there is a REAL API to provide someone like Giorgio the ability to provide that granular control over more aspects of security than saying "let's block everything or nothing", even if it can be done on a per site basis. To top it off, they are taking it out of the hands of the people and trying to do it themselves, which has many other implications that no one ever considers. The question people should be asking is why doesn't google provide the API for developers to use instead of locking it in the code without any way to actually use it in any meaningful way?
Re: NoScript now embedded into Chrome??
Posted: Sun May 30, 2010 5:09 pm
by Davezilla
Fionaavr wrote:FYI: I have had to disable this option as it totally messes up Extensions. There seems to be no way to make sure Extension operate correctly when Java Security is initiated in the current approach.
Hello Fionaavr,
If you don't mind me asking, which extensions did it affect?
Re: NoScript now embedded into Chrome??
Posted: Sun May 30, 2010 10:22 pm
by Fionavar
Hi Davezilla,
It was Forecastfox Weather - it seems no longer to be an issue with 6.XX. I still am not using Chrome as the default browser owing the to the other (i.e. ABE) ongoing security deficiencies, fwiiw.
Re: NoScript now embedded into Chrome??
Posted: Mon May 31, 2010 9:46 am
by Davezilla
Fionavar wrote:Hi Davezilla,
It was Forecastfox Weather - it seems no longer to be an issue with 6.XX. I still am not using Chrome as the default browser owing the to the other (i.e. ABE) ongoing security deficiencies, fwiiw.
OK thanks for the reply.
Re: NoScript now embedded into Chrome??
Posted: Wed Aug 04, 2010 7:29 am
by Vux
Google Chrome Now Has Resource-Blocking Adblock
http://apple.slashdot.org/story/10/07/2 ... ng-Adblock
"It seems to have slipped under the radar, but Google Chrome now has resource-blocking abilities, and may have had the ability for some time. Using the 'beforeload' event on the document, an extension can now intercept resources from loading. Adblock for Chrome has already added it, and I expect the other 'ad-blocking' extensions have as well. Before you start praising Google, however, it's the WebKit team that deserves your credit; one Chromium developer responded to praise by stating '... thank Apple — they added it to WebKit, we just inherited it.' Firefox vs. Chrome just got a bit more exciting."
Does this finally make Chrome as safe as using NoScript?
Re: NoScript now embedded into Chrome??
Posted: Wed Aug 04, 2010 4:58 pm
by GµårÐïåñ
Not by a long shot. That false sense of security is what will destroy many and if they fall for it, they have no one to blame but themselves.
