InformAction Forums

Hello,

I've noticed and read that XSLT is blocked on untrusted sites with newer NoScript versions. I've understood that you consider it 'active content', which I do not understand why you do, as it is run once when the page loads. I've also read that this was done mainly because of (now fixed) security problems in the XSLT processor in Firefox, and that it is there to prevent future security problems in it from wreaking havoc. But with the same argument, couldn't you block all HTML from untrusted sites because "it has had problems in the past, thus it probably has more of them?".

Also, NoScript blocking XSLT processing almost always leads to that the page you want to view is completely unusable and unviewable. It would thus make sense to get a popup dialog asking you if you want to enable XSLT for the site (or not), or at least be able to _just_ enable XSLT processing for a site (but not other types of content).

(Another minor gripe is that with blocked javascript, usually the blue bar above the status bar is shown. Sometimes it isn't, and I haven't been able to find any pattern in this. When XSLT is blocked, it never is shown.)

Anyway, to summarize: I'd either want to see XSLT allowed for untrusted sites by default, or an easy way to enable just XSLT for a site. Or both.

Regards, Alexander Toresson

If you want it allowed for untrusted sites, uncheck the XSLT menu item.

Though if it were allowed for all, how would you know that you would want it to block a particular site prior to you visiting the site? You wouldn't till after the fact. So in that respect you have given away any protections that may be afford.

NoScript already blocks, might you say, the most dangerous HTML from untrusted sites. If you want to look at it that the (often) easiest way to effect an HTML exploit is through the use of JavaScript, so if JavaScript is blocked from untrusted sites (as it is by default), then in a round about way (very roundabout way ), you might say that you are blocking HTML from untrusted sites. (Obviously that is not what you are doing, but you are at least blocking one potential method that an untrusted site may be able to exploit you.)

eulex wrote:I've understood that you consider it 'active content', which I do not understand why you do

Because after some discussion inside the Mozilla Security Group everybody agreed it deserved to be labeled as "active content" and blocked by default in by a no-active-content policy like NoScript's.

eulex wrote: I've also read that this was done mainly because of (now fixed) security problems in the XSLT processor in Firefox, and that it is there to prevent future security problems in it from wreaking havoc. But with the same argument, couldn't you block all HTML from untrusted sites because "it has had problems in the past, thus it probably has more of them?".

The main difference is that HTML (or most image formats, or current CSS implementation) are not Turing complete languages, while XSLT is and therefore has a much higher exploitation potential.

eulex wrote:Anyway, to summarize: I'd either want to see XSLT allowed for untrusted sites by default

Just uncheck NoScript Options|Untrusted|Forbid XSLT.

PS, what is the "blue bar"?

PPS, Giorgio, could you put "Turing" into English? Even with the links it's still Greek to me.

therube wrote:PPS, Giorgio, could you put "Turing" into English? Even with the links it's still Greek to me.

It means more or less that it can perform any kind of computation.

Personally I think its great that XSLT is blocked as active content and glad it was included so quickly in the NS release.