Embedded Object Allowances

Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Embedded Object Allowances

Post by Identities Infinite »

I am currently using the latest development build of NoScript [and always will]. I recently re-read the FAQ but more critically this time. I then decided to apply restrictions to whitelisted sites because I really wanted to remove the almost ancient and useless FlashBlock extension. I did so but there is only one problem I am now facing.

As designed, NoScript blocks whatever one enables it to block which includes Flash and Java. For sake of discussion, I want to verify using Firefox whether or not I have the recommended Java version installed. NoScript blocks the Java applet on the Java site used to detect this. I can simply disable the aforementioned security setting but if so I would need to re-install FlashBlock which defeats the entire thing. I want to know if there is an about:config setting [because I know it can not be found in the options dialogue] that enables me to specify what type of object to allow on what site. For example, I want the Java applet [if not insecure] to be allowed on the site that uses it to check. If there is any other site that makes use of something blocked by NoScript I guess this question applies too. I remember reading something about a ‘regxp’ preference but I am horrible with mime types and do not want to break this wonderful fool-proof security scheme [NoScript is only one component] I have working for me.

Much thanks in advance.

Whilst on the subject of embedded objects…
Is it safe to allow the [at]font-face embedding [uncheck the check box in the Options dialogue] for both trusted and untrusted? I do not have the frame and iframe boxes checked and I noticed whilst reading the Creative site font was a blocked object preventing me to read what I wanted to read. I thought it was simple text but when I allowed it I was able to read the text. If it is safe to uncheck the box on that Tab I will but thought I would enquire here before making Firefox potentially vulnerable. I am almost certain everything other than the aforementioned embeddings would increase insecurities in a major way. The object in question is hosted on googleusercontent.com.
Last edited by Identities Infinite on Thu Feb 23, 2012 2:29 pm, edited 1 time in total.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Embedded Object Allowances

Post by Tom T. »

Identities Infinite wrote:I want to verify using Firefox whether or not I have the recommended Java version installed. NoScript blocks the Java applet on the Java site used to detect this. I can simply disable the aforementioned security setting...
Can't you just open the NoScript menu, point to Blocked Objects, look for the Java applet, and OK it? (Allowing scripting from java.com also)

Or hover the mouse over the placeholder (NoScript block-logo, red snake), see that it's the applet you're looking for, click it, then OK at the confirmation prompt?

Neither of these involves disabling global protection against Java.
Identities Infinite wrote:I want to know if there is an about:config setting [because I know it can not be found in the options dialogue] that enables me to specify what type of object to allow on what site.
You can use Creating Site-Specific Permissions via ABE for that.
No about:config stuff or regxp needed.
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: Embedded Object Allowances

Post by Identities Infinite »

I am blind and use the JAWS For Windows screen reader. I do not use a mouse or screen. I thought those options in the Blocked Objects sub-menu are all ‘temporarily allow’ options. Which one should I choose? When I close the browser, re-open it and repeat the same steps it should not be blocked. I am bad with ABE but I will read whatever you linked.
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Embedded Object Allowances

Post by therube »

> those options in the Blocked Objects sub-menu are all ‘temporarily allow’ options

That is correct.
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: Embedded Object Allowances

Post by Identities Infinite »

Is there any way to permanently allow an object for a specific site for purposes such as checking against latest updates without using ABE? Or, is that just not safe no matter how legitimate the site and update check is? This is the ABE rule I thought might work but I might be extremely incorrect.

Code:

# rule to allow the Java applet on the Java and Oracle web sites
Accept from *java.com *oracle.com *oracleimg.com
Allow application/java
Deny
Edit: I read about:plugins for the correct MIME types so this may be a more correct rule. Can anybody say either way?

Code:

# rule to permit update checking on the Java web site
Accept from *.java.com
Allow application/x-java-applet application/x-java-bean application/x-java-vm application/java-deployment-toolkit
Deny
Whilst on the subject of blocked objects:
What is the '@font-face' embedding and is it safe to allow for both trusted and untrusted? I do not have 'frame' and 'iframe' boxes checked and I noticed whilst reading the Creative site 'font' was a blocked object preventing me to read what I wanted to read. I think the object is hosted on googleusercontent.com because that is the one I allowed. I thought it was simple text but when I allowed it I was able to read the text. If it is safe to uncheck the box on the Embeddings Tab I will but thought I would enquire here before making Firefox potentially vulnerable. I am almost certain everything other than the aforementioned embeddings would increase insecurities in a major way.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Embedded Object Allowances

Post by Tom T. »

Identities Infinite wrote:Is there any way to permanently allow an object for a specific site for purposes such as checking against latest updates without using ABE? Or, is that just not safe no matter how legitimate the site and update check is? This is the ABE rule I thought might work but I might be extremely incorrect.

Code:

# rule to allow the Java applet on the Java and Oracle web sites
Accept from *java.com *oracle.com *oracleimg.com
Allow application/java
Deny
Edit: I read about:plugins for the correct MIME types so this may be a more correct rule. Can anybody say either way?

Code:

# rule to permit update checking on the Java web site
Accept from *.java.com
Allow application/x-java-applet application/x-java-bean application/x-java-vm application/java-deployment-toolkit
Deny
The rule is missing the "Site" line. This is where you specify the source of the object(s) to which the rule replies.
See Creating Site-Specific Permissions via ABE

Try something like this:

Code:

Site: *@http://java.com
Accept from .java.com .oracle.com 
Deny
The "Site" wildcard allows all objects from that java domain.
The Accept line restricts which sites will accept, or allow, the above objects.
Let us know if that works for you.
Whilst on the subject of blocked objects:
What is the '@font-face' embedding and is it safe to allow for both trusted and untrusted?
There have been malicious exploits using font download, which is why NoScript provides blocking for this.
What is the full URL of the site in question? I'll check it out.
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: Embedded Object Allowances

Post by Identities Infinite »

I will try that ABE rule. I thought the asterisk was the wildcard instead of ‘site’. I also understand the MIME types do not need to be defined.

I think it was this page. I now realised I think I allowed the Flash object which has the text. I never encountered that much text contained within a Flash object before and JAWS usually never reads anything that well with respect to Flash. After reading your reply regarding inline frames in another thread, I have wisely disallowed those too. I did not know those were being used to inject malicious code. I will also keep the @font-face box checked now that I know better.
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: Embedded Object Allowances

Post by Identities Infinite »

That does not work. I am noticing some placeholders like

Code:

<EMBED>, java-deployment-toolkit@http://java.com/en/download/testjava.jsp
and

Code:

<EMBED>, java-applet@http://java.com/jsp_utils/jreVerify.class
If that worked I should not be locating these.

I removed the colon from line 2 because NoScript returned a syntax error and after that there was no error. I pressed OK, tested it on java.com | Do I have Java? | Verify Java version.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Embedded Object Allowances

Post by Tom T. »

Identities Infinite wrote:I will try that ABE rule. I thought the asterisk was the wildcard instead of ‘site’.
I'm sorry for my lack of clarity. You are correct. What I meant to say was that the asterisk in the Site line is the wildcard that allows all objects emanating from that source.

Sometimes I get too wordy. This time, I was too brief. Can't win. (wink)
Identities Infinite wrote:That does not work. I am noticing some placeholders like

Code:

<EMBED>, java-deployment-toolkit@http://java.com/en/download/testjava.jsp
and

Code:

<EMBED>, java-applet@http://java.com/jsp_utils/jreVerify.class
If that worked I should not be locating these.
Let's make it simpler and more inclusive.

Code:

Site .java.com
Accept from .java.com .oracle.com
Deny
Per the ABE Rules .pdf, this "glob expression" should allow everything that matches java.com.
If necessary, we can add an ending wildcard:

Code:

Site .java.com/*
If that doesn't work, then we'll use the regular expression template which is provided in the above ABE documentation.
I removed the colon from line 2 because NoScript returned a syntax error....
Typo on my part, sorry.

Will check your linked page shortly. I hope these help.

Edit: Yes, after allowing (temporarily) creative.com and images.creative.com, I see a placeholder only for a Flash object, which as you said, displays the text and other content. There was no font object that I could see.
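The two "Site" rules Tom T. suggests above (the "Site: *@http://java.com" version and the simpler "Site .java.com" version) can be checked against a small model of how an ABE ruleset decides a request. This is an added example, not code from NoScript or from anyone in this thread; it assumes that "Site" names the destination of the request, that a leading dot matches the domain and its subdomains, that actions are tried in order with the first matching one winning, and that a bare "Deny" matches any origin. Path globs such as ".java.com/*" are not modelled.

```python
# Added example: simplified model of ABE rule evaluation (assumptions listed in
# the lead-in; this is not NoScript's own parser).
from urllib.parse import urlsplit


def host_matches(pattern: str, url: str) -> bool:
    """'.java.com' matches java.com and any *.java.com; a bare host matches exactly."""
    host = urlsplit(url).hostname or ""
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def parse_abe(text: str) -> list:
    """Split a ruleset into Site blocks: {'site': [patterns], 'actions': [(verb, origins)]}."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        if verb.lower() == "site":
            current = {"site": rest.split(), "actions": []}
            rules.append(current)
        elif current is None:
            # This is the defect in the thread's first attempt: actions with no Site line.
            raise ValueError(f"action before any Site line: {line!r}")
        else:
            origins = rest.split()
            if origins and origins[0].lower() == "from":
                origins = origins[1:]
            current["actions"].append((verb.capitalize(), origins))
    return rules


def decide(rules: list, origin: str, destination: str) -> str:
    """Return the verb of the first action whose origins match; no rule means Accept."""
    for rule in rules:
        if not any(host_matches(p, destination) for p in rule["site"]):
            continue
        for verb, origins in rule["actions"]:
            if not origins or any(host_matches(p, origin) for p in origins):
                return verb
    return "Accept"


TOM_RULE = "Site .java.com\nAccept from .java.com .oracle.com\nDeny\n"


def demo() -> dict:
    """Decide the applet request from the thread's placeholder for three origins."""
    rules = parse_abe(TOM_RULE)
    applet = "http://java.com/jsp_utils/jreVerify.class"   # URL quoted in the thread
    return {
        "from java.com": decide(rules, "http://java.com/en/download/testjava.jsp", applet),
        "from oracle.com": decide(rules, "http://www.oracle.com/", applet),
        "from elsewhere": decide(rules, "http://example.test/", applet),   # constructed origin
    }
```

Under this model the rule accepts the applet request when the page asking for it is on java.com or oracle.com and denies it from anywhere else; it only describes the request check, so it does not by itself explain a plugin placeholder that is still shown.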
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: Embedded Object Allowances

Post by Identities Infinite »

I have NoScript set up to show only base-level domains. This makes it much more easy for me to manage the whitelist and creative.com is on the whitelist. There is a font object still blocked when one of the Flash objects are allowed [not the one with 2 domains like creative.com and http://creative.com I think it is]. The font box is checked and the box to extend untrusted site restrictions to whitelisted sites is also checked. It says something like ‘temporarily allow font at themes.googleusercontent.com’.
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: Embedded Object Allowances

Post by Identities Infinite »

Weird, I tried both modifications to the rule and both did not make the placeholders go away. The java-applet and java-deployment-toolkit are still being blocked. I downloaded the PDF and I will really have to study it hardcore to understand exactly how to write these things. Does it matter that I use Java 7 Update 4?
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Embedded Object Allowances

Post by Tom T. »

Identities Infinite wrote:Weird, I tried both modifications to the rule and both did not make the placeholders go away. the java-applet and java-deployment-toolkit are still being blocked.
OK, now I think I misunderstood your intentions. I thought you wanted just the applet that tells you if you have the latest version of Java?
Let's be clear on exactly what you *want* to allow, then go from there.
Does it matter that I use Java 7 Update 4?
The version of Java shouldn't affect how we write the rule to allow only that which you want.

I'll have to see if I can reproduce your font object. I use full domains *and* base domains. Blocking by full domain allows for much better fine-tuning, although a longer menu.

Example:
Default whitelist includes yahoo.com and yimg.com.

I don't use the other areas of Yahoo much, at least not enough to whitelist them, so I deleted those and added
mail.yahoo.com and mail.yimg.com.

So in fact, I actually temp-allowed only
http://www.creative.com
http://images.creative.com

If this prevents the font object, I think that's an advantage. But will check again with only base domains and see if I can reproduce.
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: Embedded Object Allowances

Post by Identities Infinite »

When the site is queried for updates against the version I have I do not know what is being used. I assume the Java applet and Deployment Toolkit are both being requested from the site. These are plug-ins obviously. The Java Virtual Machine is also being requested and I assume that is the program installed on the machine [not a plug-in]. I assumed all Java plug-ins were needed to return ‘congratulations’ or the reverse type message when it says I need to update. Am I wrong? Before I applied the restrictions of untrusted sites to whitelisted sites none of these were blocked and most of the time the check went smoothly. The only way I can check is with Internet Explorer 9 which always works because that thing just lets everything through.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Embedded Object Allowances

Post by Tom T. »

OK, I switched from trusty Firefox 3.6 to 10.2 to double-check.

Using JSView add-on, I see that their style sheet makes a call to

Code:

http://fonts.googleapis.com/css?family=Droid+Sans
In addition to allowing the Creative scripting, I had to give permissions in RequestPolicy, a very useful add-on that complements NoScript nicely, but might add too much complexity for the visually-impaired. I allowed requests to googleapis.com, then to googleusercontent.com.

THEN I see in Blocked Objects menu,

Code:

Temporarily allow font @http://themes.googleusercontent.com
Also, in "Recently blocked sites",

Code:

Allow all from http://themes.googleusercontent.com
Code uploaded by random unknown users is even more likely to be dangerous than that of web sites that care about their reputation.

This is acknowledged even in the NoScript Default Whitelist, where this forum, the NoScript home page, and Giorgio's personal and company pages are whitelisted, but his blog, hackademix.net, is not. The reason being that users often post or link to POC (Proof of Concept) - benign examples of how to exploit a vulnerability they've found. Of course, we "hope" they're benign. But that is why the blog is not default-whitelisted.

Given that the site seems to work fine with the default font and theme, I see no reason to risk letting some user-created content run, unless it's absolutely necessary for the specific games or whatever. Make sense?
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Embedded Object Allowances

Post by Tom T. »

Sorry, we cross-posted about Java. I was researching Creative Alchemy, and when finished posting that, saw your post about Java.

I need to log off for a while. I'll try to get back to the Java issue some time later; if not, within 24 hours, unless someone else gets here first.
Thank you for your patience.