Web page spawns pop-up whenever I click in it
Posted: Wed Nov 02, 2011 2:06 am
by banjo2E
While visiting this web page I discovered that clicking anywhere on the page opens a pop-up window displaying another website, apparently operated by the same people that maintain the blog. The only websites I allowed to use scripts on the page were blogger.com ; blogspot.com ; google.com ; gstatic.com; and googleapis.com . All of these are, AFAIK, trustable. I am also using ABP and am subscribed to the EasyList and Fanboy's List filters, and have already sent a report to the developers of that add-on.
I discovered this issue using version 2.1.7 of NoScript, but updating to 2.1.8rc3 did not cause the popups to stop occurring on that web page. Fortunately, it's confined to just that website, and doesn't appear to have infested my browser.
Re: Web page spawns pop-up whenever I click in it
Posted: Wed Nov 02, 2011 7:59 am
by Tom T.
Not surprising, since they say that:
Microsoft Tech Squad Blog Maintained by V tech-squad
and have loaded the page with links to their main site, v-tech:
Code:
<div class='sidebar section' id='sidebar-left-1'><div class='widget HTML' id='HTML4'>
<div class='widget-content'>
<script type="text/javascript">
document.body.onclick= function(){
window.open('http://www.vtechsquad.com', 'poppage',
Code:
<div class='column-right-outer'>
<div class='column-right-inner'>
<aside>
<div class='sidebar section' id='sidebar-right-1'><div class='widget TextList' id='TextList1'>
<h2>
</h2>
<div class='widget-content'>
<ul>
<li><a href="http://www.vtechsquad.com/microsoft-support.html" target="_new">Microsoft Support</a></li>
<li><a href="http://www.vtechsquad.com/microsoft-windows-7.html" target="_new">Windows 7 Help</a></li>
<li><a href="http://www.vtechsquad.com/microsoft-windows-vista.html" target="_new">Windows Vista Help</a></li>
<li><a href="http://www.vtechsquad.com/microsoft-windows-xp.html" target="_new">Windows XP Help</a></li>
<li><a href="http://www.vtechsquad.com/microsoft-outlook.html" target="_new">Microsoft Outlook</a></li>
<li><a href="http://www.vtechsquad.com/install-microsoft-office.html" target="_new">Microsoft Office Help</a></li>
<li><a href="http://www.vtechsquad.com/virus-removal.html" target="_new">Online Virus Removal</a></li>
</ul>
<div class='clear'></div>
Code:
<div class='widget HTML' id='HTML2'>
<div class='widget-content'>
<a href="http://www.vtechsquad.com/" title="Ask a Question, Get an Answer"><img src="http://farm6.static.flickr.com/5148/5616283280_b71f1e657b_z.jpg" alt="Ask a Question, Get an Answer" height="612" width="120" /></a>
<a href="http://www.vtechsquad.com/"><span>Ask a Question, Get an Answer</span></a>
</div>
... and that's just a small sample.
Blocking *all* scripting stops the pop-up, but the site probably isn't very usable that way. It's not an official MS site, just someone trying to make a living by getting you to their commercial site. Perhaps there are no-cost help forums in addition to official MS Support?
Or perhaps a Surrogate Script could be made for this site? I'll ask Giorgio to have a look, else the above suggestion applies.
Re: Web page spawns pop-up whenever I click in it
Posted: Wed Nov 02, 2011 12:10 pm
by al_9x
banjo2E wrote: The only websites I allowed to use scripts on the page were blogger.com ; blogspot.com ; google.com ; gstatic.com; and googleapis.com . All of these are, AFAIK, trustable.
Since blogspot.com hosts user content in its sub-domains, if users can add arbitrary content, then trusting blogspot.com, you would be trusting all blogger users.
Blogs tend to work ok without scripts, since the focus is usually on readable content not interaction. That's the simplest solution here. A surrogate is overkill, but is pretty simple, so here it is:
sources = "@microsoft-support-squad.blogspot.com"
replacement = "addEventListener('DOMContentLoaded', function() document.body.onclick = null, true);"
Re: Web page spawns pop-up whenever I click in it
Posted: Wed Nov 02, 2011 8:09 pm
by GµårÐïåñ
Agreed, trusting blogspot, blogger, wordpress or any of the public free blogs as the wildcard, you are allowing ANYONE who hosts a blog there, even if malicious. So bad move. Allowing googleapis.com as a general rule is also a mistake, because even if you trust the source of the tool, HOW it is used by someone can be completely different and quite malicious, think a gun in the hands of a cop/soldier vs. gang member/assassin, same tool, different purpose. So be careful allowing general things like this and if you don't allow scripts on blogs, much of them, if not all, will run just fine and no need to open yourself up to whatever else they got linked there.
Additionally agreed, surrogates are overkill in this case, but at least he was kind enough to provide it to you, and you can make your own call on that. But if you take a bit of time and just be more proactive about what you allow/don't allow, you'd be better off. This way you KNOW what is going on and have a heads up each time and are actively making the choice, instead of going into passive mode. Another way you can get better control over cross site linking like this would be to install RequestPolicy, it's an awesome tool, a bit hard to get used to as a novice at first, but you get the idea pretty quick and you will see how much it will make a difference in security, even though initially it might appear to break every page.
For example if you want site xyz that you trust to use googleapis then you can tell RP to allow xyz<->googleapis but that doesn't mean that another site bad_xyz will have access to it, so THEN you can just whitelist it in NS and feel pretty good that you are limiting its ACTUAL access but allowing to work fine for those you trusted and allowed explicit access in RP. More than one route to a solution.
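An added example, not part of any post in this thread and not NoScript's or RequestPolicy's own code: a simplified JavaScript model of the two layers discussed above, a base-domain script whitelist and origin-to-destination request rules. The matching logic, the `policy` object shape and the `*.example` hosts are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not NoScript's or RequestPolicy's code.
// True when `host` is `domain` itself or a sub-domain of it.
function covers(domain, host) {
  return host === domain || host.endsWith("." + domain);
}

// Layer 1, script whitelist: a base-domain entry covers every sub-domain,
// so "blogspot.com" also allows every blog hosted under it.
function scriptAllowed(whitelist, scriptHost) {
  return whitelist.some((domain) => covers(domain, scriptHost));
}

// Layer 2, cross-site requests: only explicit origin -> destination pairs pass.
// `rules === null` models a browser with no request filter installed.
function requestAllowed(rules, pageHost, destHost) {
  if (rules === null || pageHost === destHost) return true;
  return rules.some((r) => covers(r.origin, pageHost) && covers(r.dest, destHost));
}

// A script runs only if both layers let it through. Inline scripts are
// treated as coming from the page's own host.
function scriptRuns(policy, pageHost, scriptHost) {
  return requestAllowed(policy.rules, pageHost, scriptHost) &&
         scriptAllowed(policy.whitelist, scriptHost);
}

// Constructed policies; the *.example hosts are hypothetical.
const broad = { whitelist: ["blogspot.com", "googleapis.com"], rules: null };
const narrow = {
  whitelist: ["googleapis.com"],
  rules: [{ origin: "xyz.example", dest: "googleapis.com" }],
};

const blog = "microsoft-support-squad.blogspot.com";
const cases = [
  ["inline script on the blog", blog, blog],
  ["googleapis on trusted xyz", "xyz.example", "ajax.googleapis.com"],
  ["googleapis on bad-xyz", "bad-xyz.example", "ajax.googleapis.com"],
];

function compare() {
  return cases.map(([label, page, script]) => ({
    label,
    broad: scriptRuns(broad, page, script),
    narrow: scriptRuns(narrow, page, script),
  }));
}

console.table(compare());
```

Under the broad policy all three cases run; under the narrow one only the explicitly paired `xyz.example` to googleapis case does, and `bad-xyz.example` is rejected because matching happens on a dot boundary.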
Re: Web page spawns pop-up whenever I click in it
Posted: Thu Nov 03, 2011 3:15 am
by Tom T.
Agree with GµårÐïåñ on the dangers of allowing all of those sites with user-uploaded content, and on the advisability of using RequestPolicy to help control them.
The site didn't seem to work for me without some script allowed, but I kept the remote domains blocked in RP. Possibly, some combination of permissions in NS and RP could make the site usable but fairly safe.
Thanks to al_9x for the surrogate, in case you do decide to go that route.
Please let us know if this closes the issue for you.