
CSRF

Posted: Wed Mar 23, 2011 3:24 pm
by Smith
Hi!

I have a question about Cross-site request forgeries: I know NoScript blocks them by sanitizing and turning POST requests between sites into empty GET ones, and that blocking javascript takes care of most CSRF.

But what does it do against GET requests with parameters between sites, through images or links or anything? (I guess I'm talking about a request like example.com/changesomething.php?item=yourhouse&newvalue=owned)

And are there other vectors for CSRF?

And let's reverse the situation (I guess it's not CSRF anymore): What if an ad.com company has access to my cookie when I'm on example.com, due to example.com setup? Does NoScript prevent that cookie from being read and its data sent over to ad.com? The question extends to DOM storage, form currently filled etc.
I'm not sure I'm very clear though, so I'll quote a comment on AMO:
Will CsFire block 3rd party cookies? I control my cookies with CS Lite, but I don't want google, for example, reading my cookies when i'm on example.com, if they have a tracking bit there, etc.
This review is for a previous version of the add-on (0.5.1).
Short answer
by Philippe De Ryck (Developer) on April 28, 2010

The short answer is yes, CsFire will strip cookies from a request from example.com to google.com. Of course, this situation can be manipulated using the user-specifiable policies available in CsFire.
And so I come to the last question: Is there any gain in using CsFire when you already have NoScript installed?

Thanks


EDIT: I had to untick the "hide noscript element" checkbox on untrusted sites to see the captcha before posting. What good does that checkbox bring when protecting against fingerprinting and privacy issues on untrusted sites? I mean, what's the downside of unticking that box? (upside being more user friendly experience)

Re: CSRF

Posted: Wed May 30, 2012 12:21 pm
by Thrawn
I've tried CsFire, but I like NoScript's ABE module better. Full control over requests, specifically designed for CSRF protection. You have to write your own rules, though, because as you observed, the built-in protections are limited. To do the job of CsFire:

Code:

Site *
Accept from SELF++
Anon
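
Added example, not part of Thrawn's post and not ABE's own code: a simplified JavaScript model of what the rule above does to a request, using the parameterised GET from the first post as input. The names `siteOf` and `applyRule`, the two-label site comparison, and the treatment of Anon as "strip Cookie and Authorization, send as a body-less GET" are assumptions of this example; ABE's real SELF++ matching is not reproduced.

```javascript
// Simplified model of:  Site * / Accept from SELF++ / Anon
// Assumption: two hosts are the "same site" when their last two labels match.
// Real matching needs the public suffix list and ABE's own SELF++ semantics.
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  // IP literals have no parent domain: compare them whole.
  if (/^[\d.]+$/.test(host) || host.startsWith('[')) return host;
  return host.split('.').slice(-2).join('.');
}

const CREDENTIAL_HEADERS = ['cookie', 'authorization'];
const ENTITY_LESS = ['GET', 'HEAD', 'OPTIONS'];

// request: { method, url, origin, headers, body }
// origin is the URL of the page that triggered the request.
function applyRule(request) {
  if (siteOf(request.origin) === siteOf(request.url)) {
    return { action: 'Accept', request };          // same site: untouched
  }
  // Cross-site: keep the request but remove everything that identifies the user.
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    if (!CREDENTIAL_HEADERS.includes(name.toLowerCase())) headers[name] = value;
  }
  const method = ENTITY_LESS.includes(request.method) ? request.method : 'GET';
  return { action: 'Anon', request: { ...request, method, headers, body: null } };
}

// Constructed sample: the cross-site GET with parameters from the first post,
// triggered by a page on another site while the user is logged in to example.com.
const SAMPLE = {
  method: 'GET',
  url: 'http://example.com/changesomething.php?item=yourhouse&newvalue=owned',
  origin: 'http://ad.com/banner.html',
  headers: { Cookie: 'session=constructed-value', Accept: '*/*' },
  body: null,
};

const result = applyRule(SAMPLE);
console.log(result.action, result.request.method, result.request.headers);
```

In this model the GET still reaches example.com with its parameters, but without the session cookie, so the server sees it as coming from a logged-out visitor.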

Re: CSRF

Posted: Thu May 31, 2012 8:03 am
by Tom T.
Smith wrote: And let's reverse the situation (I guess it's not CSRF anymore): What if an ad.com company has access to my cookie when I'm on example.com, due to example.com setup?
Don't allow script from ad.com, and use RequestPolicy to block by default all cross-site requests that you personally do not approve (as with NoScript).
(Same-origin policy on cookies being circumvented?)
Smith wrote: The question extends to DOM storage,
Disable DOM storage.
about:config
dom.storage.enabled
2-click to toggle to "false"
Smith wrote: Will CsFire block 3rd party cookies?
Firefox will.
Firefox Tools > Options > Privacy.
Use custom settings for history.
I prefer to uncheck "Always use private browsing mode".

Check "Accept cookies from sites", then uncheck "Accept third-party cookies". Third-party cookie issue solved.

IMHO, better to check "Keep for -- Ask me every time". Then when you accept one, accept for session only. Check "Remember this setting" in the cookie prompt box. Soon, all of your frequent sites will have their cookie permissions set as you wish, with no third-party cookies, ever.
Smith wrote: I control my cookies with CS Lite, but I don't want google, for example, reading my cookies when i'm on example.com, if they have a tracking bit there, etc.
The short answer is yes, CsFire will strip cookies from a request from example.com to google.com. Of course, this situation can be manipulated using the user-specifiable policies available in CsFire.
As said, RequestPolicy can prevent the setting of web bugs and the request from example to google.
Smith wrote: And so I come to the last question: Is there any gain in using CsFire when you already have NoScript installed?
If there is, I truly wish someone would apprise me of it.

Incidentally, the developers of both NoScript and RequestPolicy each agree that the two complement each other perfectly, and recommend that both be used.
Smith wrote: EDIT: I had to untick the "hide noscript element" checkbox on untrusted sites to see the captcha before posting. What good does that checkbox bring when protecting against fingerprinting and privacy issues on untrusted sites? I mean, what's the downside of unticking that box? (upside being more user friendly experience)
I've never been able to think of one. I've had that box unchecked since it first appeared.