InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

some CAPS questions

https://forums.informaction.com/viewtopic.php?t=6676

Page 1 of 1

some CAPS questions

Posted: Sun Jun 19, 2011 4:42 am
by al_9x
  1. You mentioned that CAPS is scheduled for removal, could you point to some Mozilla info about that, Bugzilla, wiki, whatever exists?
  2. How much of it will be left for the sake of NS?
  3. Is there going to be any replacement functionality?
  4. Is it currently possible to add additional policies with NS installed? What's the trick, it doesn't seem to work?
  5. If not possible, I am curious as to why, since CAPS supports multiple policies.

Re: some CAPS questions

Posted: Sun Jun 19, 2011 7:31 am
by Giorgio Maone
al_9x wrote: You mentioned that CAPS is scheduled for removal, could you point to some Mozilla info about that, Bugzilla, wiki, whatever exists?
References are very sparse, but CAPS for property access control is already dead, even though its corpse may still contract sometimes, see https://bugzilla.mozilla.org/show_bug.cgi?id=453928#c0 for instance
al_9x wrote: How much of it will be left for the sake of NS?
Domain-wide script execution control. Notice that NoScript 3 currently does not use CAPS at all, though.
al_9x wrote:Is there going to be any replacement functionality?
Nothing of declarative and user-facing, I'm afraid. A combination of page-level surrogates (or pagemods, or whatever can run user scripts before anything else) and Proxies, maybe.
al_9x wrote:Is it currently possible to add additional policies with NS installed? What's the trick, it doesn't seem to work?
[*] If not possible, I am curious as to why, since CAPS supports multiple policies.
It's a CAPS design flaw: even though CAPS does support multiple policies, if the same site is listed in two different policies the results are unpredictable. Therefore, you can use multiple policies as long as their site lists have no intersection (making NoScript generally incompatible with any other site-level policy).

Re: some CAPS questions

Posted: Fri Jun 01, 2012 8:04 am
by Thrawn
Giorgio Maone wrote:
al_9x wrote:[*] If not possible, I am curious as to why, since CAPS supports multiple policies.
It's a CAPS design flaw: even though CAPS does support multiple policies, if the same site is listed in two different policies the results are unpredictable. Therefore, you can use multiple policies as long as their site lists have no intersection (making NoScript generally incompatible with any other site-level policy).
Does that mean that to apply a different CAPS policy to a site, you would need to leave it untouched (default-denied) in NoScript?

And is it possible for users to tweak the 'trusted'/'untrusted' policies by adding entries to prefs.js?

Re: some CAPS questions

Posted: Fri Jun 01, 2012 8:21 am
by Giorgio Maone
Thrawn wrote: Does that mean that to apply a different CAPS policy to a site, you would need to leave it untouched (default-denied) in NoScript?
Exactly, otherwise it would be automatically added to NoScript's "maonoscript" policy.
Also, in order to override the default policy, your custom policy must include a

Code: Select all

user_pref("capability.policy.mycustompolicy.javascript.enabled", "allAccess");
clause, in addition to the others.
Thrawn wrote: And is it possible for users to tweak the 'trusted'/'untrusted' policies by adding entries to prefs.js?
Yes, but it requires extreme care for the reasons explained above.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited