Does nosniff/toStaticHTML work even with allow global?

Posted: Sun Feb 27, 2011 4:06 am
by milithruldur
Just as the subject states, does the NS x-content-type-options function work even if all scripts are allowed to run? I understand that NS provides support for this header, which is not present in either Firefox 3.6 or Firefox 4.

I ask because I noticed that when I run the security test from browserscope.org with "allow scripts globally" enabled, the test fails on the x-content-type-options item. But if only browserscope.org is allowed to run scripts, then the test passes. However, there is no indication in the error console of the kind that typically indicates nosniff in action ("[NoScript] Blocking nosniff ..."). As soon as I allow browserscope2.org, along with browserscope.org, to run scripts, then the test fails on the aforementioned item. In both cases I have the noscript.nosniff pref set to true.

Also, I notice the noscript.toStaticHTML pref, but the browserscope.org security test points out that there is no support for said function (toStaticHTML test failed). Does NS implement the toStaticHTML API with the said pref?

/m

Re: Does nosniff/toStaticHTML work even with allow global?

Posted: Sun Feb 27, 2011 4:40 am
by milithruldur
Oh, and using NoScript 2.0.9.8rc3 on Firefox 4 beta 12

Re: Does nosniff/toStaticHTML work even with allow global?

Posted: Sun Feb 27, 2011 6:16 pm
by Giorgio Maone
Most Browserscope tests work only if JavaScript is enabled, because they're themselves JavaScript based.
And yes, both these features do work even in "Allow globally" mode. If browserscope fails to detect them, it's a browserscope bug.

Re: Does nosniff/toStaticHTML work even with allow global?

Posted: Mon Feb 28, 2011 1:25 am
by milithruldur
For the moment, I have only found browserscope.org to be such a site that allows testing for security technologies that are otherwise only exercised under certain conditions during normal use.

If this is the case, then this will be filed for bugs in the browserscope report page.

Mr. Maone, out of curiosity and if you would permit, have you ever tried running the browserscope security tests with "allow scripts globally" active, using NS 2.0.9.8rc3 with Firefox 4 beta 12, or Firefox 3.6.13? If so, and if your results show tests only failing under "sandbox attribute" and "origin header" (which are not supported by Firefox even with NS installed), whereas my results show that tests failed under "toStaticHTML API" and "x-content-type-options" along with the two aforementioned, then comparing your results and mine reveals a potential problem on my end, and I would take this into consideration before filing reports to browserscope.

Thank you.

/m

Re: Does nosniff/toStaticHTML work even with allow global?

Posted: Mon Feb 28, 2011 11:21 am
by Giorgio Maone
OK, I looked deeper into this issue and found that
  1. Browserscope apparently recently changed the way it tests for content options, and rather than testing them on cross-site css and js (where they're actually useful) they test them on a same-site frame (where NoScript does not apply them and they have dubious usefulness). I have yet to decide whether to apply them to same-site frames too (even though the added security is negligible compared with the performance impact) or let it go.
  2. Latest Firefox 4 seems to have a bug (or otherwise a change with side effects) preventing toStaticHTML from being attached to windows, and even surrogates from running. If you check on Fx 3.6.13 you'll see it works. I'm investigating to fix or work around this.
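The point above about where nosniff is actually useful (cross-site script and stylesheet loads) comes down to what the header does: with X-Content-Type-Options: nosniff present, a browser refuses to execute a script response whose Content-Type is not a JavaScript MIME type, and refuses to apply a stylesheet whose Content-Type is not text/css. The following is an added example, not NoScript's code and not from the original thread; it mirrors the Fetch Standard's "should response be blocked due to nosniff" check and runs it over a few constructed responses, so a defender can see which responses a nosniff-aware browser would block. It does not model NoScript's same-site/cross-site distinction, which is what the Browserscope test change above is about.

```python
"""Evaluate X-Content-Type-Options: nosniff against constructed responses.

Added example (not NoScript's code). Assumes the Fetch Standard semantics:
script-like destinations need a JavaScript MIME type, "style" needs text/css,
every other destination is unaffected by nosniff.
"""

# JavaScript MIME type essences recognised by the HTML/MIME Sniffing specs.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

# Request destinations the Fetch Standard treats as "script-like".
SCRIPT_LIKE_DESTINATIONS = {
    "audioworklet", "paintworklet", "script",
    "serviceworker", "sharedworker", "worker",
}


def header_value(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def mime_essence(content_type):
    """Return 'type/subtype' in lower case, or None if unparseable."""
    if content_type is None:
        return None
    essence = content_type.split(";", 1)[0].strip().lower()
    if "/" not in essence:
        return None
    type_, subtype = essence.split("/", 1)
    if not type_ or not subtype:
        return None
    return essence


def nosniff_blocks(destination, headers):
    """True if a nosniff-aware browser would refuse this response.

    destination: Fetch request destination, e.g. "script", "style", "image".
    headers: dict of response header name -> value (constructed input).
    """
    xcto = header_value(headers, "X-Content-Type-Options")
    # Only the first comma-separated member is considered by browsers.
    if xcto is None or xcto.split(",", 1)[0].strip().lower() != "nosniff":
        return False
    essence = mime_essence(header_value(headers, "Content-Type"))
    if destination in SCRIPT_LIKE_DESTINATIONS:
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False


# Constructed sample responses: (label, destination, headers).
SAMPLES = [
    ("script, text/plain, nosniff", "script",
     {"X-Content-Type-Options": "nosniff", "Content-Type": "text/plain"}),
    ("script, javascript, nosniff", "script",
     {"x-content-type-options": "NOSNIFF",
      "content-type": "application/javascript; charset=utf-8"}),
    ("script, text/plain, no header", "script",
     {"Content-Type": "text/plain"}),
    ("style, text/html, nosniff", "style",
     {"X-Content-Type-Options": "nosniff", "Content-Type": "text/html"}),
    ("script, missing Content-Type, nosniff", "script",
     {"X-Content-Type-Options": "nosniff"}),
    ("image, text/plain, nosniff", "image",
     {"X-Content-Type-Options": "nosniff", "Content-Type": "text/plain"}),
]


def evaluate_samples():
    """Return {label: blocked?} for every constructed sample."""
    return {label: nosniff_blocks(dest, hdrs) for label, dest, hdrs in SAMPLES}


if __name__ == "__main__":
    for label, blocked in evaluate_samples().items():
        print(f"{'BLOCKED' if blocked else 'allowed':8} {label}")
```

Note how the third sample is allowed: without the header the browser falls back to content sniffing, which is exactly the cross-site script/CSS case the thread says nosniff protects, and why a test that only exercises a same-site frame says little about it.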

Re: Does nosniff/toStaticHTML work even with allow global?

Posted: Mon Feb 28, 2011 12:12 pm
by milithruldur
Your explanation of (1) now makes sense of why I started noticing the content options test failing for both Fx 3.6 and Fx 4. So I thought perhaps it was brought about by a change in NS, but it was actually brought about by a change in the test. Why they changed the methodology if only negligible security may be observed by doing so, when most common cases happen in cross-site requests, is anyone's guess.

On (2), indeed the test fails under Fx 4, but passes under Fx 3.6.

/m

Re: Does nosniff/toStaticHTML work even with allow global?

Posted: Mon Feb 28, 2011 12:55 pm
by Giorgio Maone
Both issues are worked around in the latest development build, thanks.

Re: Does nosniff/toStaticHTML work even with allow global?

Posted: Mon Feb 28, 2011 1:16 pm
by milithruldur
Confirmed working with NS 2.0.9.9rc3. Thank you. Now that we have that sorted, onto my next inquiry on another thread. :-)

/m