Embedded Object Allowances
Identities Infinite - Senior Member - Posts: 124 - Joined: Sun Feb 19, 2012 10:27 pm - Location: Behind A Script
Embedded Object Allowances
I am currently using the latest development build of NoScript [and always will]. I recently re-read the FAQ, but more critically this time. I then decided to apply restrictions to whitelisted sites because I really wanted to remove the almost ancient and useless FlashBlock extension. I did so, but there is only one problem I am now facing.
As designed, NoScript blocks whatever one enables it to block, which includes Flash and Java. For the sake of discussion, I want to verify using Firefox whether or not I have the recommended Java version installed. NoScript blocks the Java applet on the Java site used to detect this. I can simply disable the aforementioned security setting, but if so I would need to re-install FlashBlock, which defeats the entire thing. I want to know if there is an about:config setting [because I know it cannot be found in the options dialogue] that enables me to specify what type of object to allow on what site. For example, I want the Java applet [if not insecure] to be allowed on the site that uses it to check. If there is any other site that makes use of something blocked by NoScript, I guess this question applies too. I remember reading something about a ‘regxp’ preference, but I am horrible with MIME types and do not want to break this wonderful fool-proof security scheme [NoScript is only one component] I have working for me.
Much thanks in advance.
Whilst on the subject of embedded objects…
Is it safe to allow the @font-face embedding [uncheck the check box in the Options dialogue] for both trusted and untrusted? I do not have the frame and iframe boxes checked, and I noticed whilst reading the Creative site that a font was a blocked object preventing me from reading what I wanted to read. I thought it was simple text, but when I allowed it I was able to read the text. If it is safe to uncheck the box on that tab I will, but I thought I would enquire here before making Firefox potentially vulnerable. I am almost certain everything other than the aforementioned embeddings would increase insecurities in a major way. The object in question is hosted on googleusercontent.com.
Last edited by Identities Infinite on Thu Feb 23, 2012 2:29 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120219 Firefox/12.0a2 Firefox/12.0a2
Re: Embedded Object Allowances
Identities Infinite wrote:
> I want to verify using Firefox whether or not I have the recommended Java version installed. NoScript blocks the Java applet on the Java site used to detect this. I can simply disable the aforementioned security setting...

Can't you just open the NoScript menu, point to Blocked Objects, look for the Java applet, and OK it? (Allowing scripting from java.com also.)
Or hover the mouse over the placeholder (NoScript block-logo, red snake), see that it's the applet you're looking for, click it, then OK at the confirmation prompt?
Neither of these involves disabling global protection against Java.
Identities Infinite wrote:
> I want to know if there is an about:config setting [because I know it cannot be found in the options dialogue] that enables me to specify what type of object to allow on what site.

You can use Creating Site-Specific Permissions via ABE for that.
No about:config stuff or regxp needed.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Identities Infinite - Senior Member - Posts: 124 - Joined: Sun Feb 19, 2012 10:27 pm - Location: Behind A Script
Re: Embedded Object Allowances
I am blind and use the JAWS for Windows screen reader. I do not use a mouse or screen. I thought those options in the Blocked Objects sub-menu are all ‘temporarily allow’ options. Which one should I choose? When I close the browser, re-open it and repeat the same steps, it should not be blocked. I am bad with ABE, but I will read whatever you linked.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120222 Firefox/12.0a2 Firefox/12.0a2
Re: Embedded Object Allowances
> those options in the Blocked Objects sub-menu are all ‘temporarily allow’ options
That is correct.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:12.0a2) Gecko/20120222 Firefox/12.0a2 SeaMonkey/2.9a2
Identities Infinite - Senior Member - Posts: 124 - Joined: Sun Feb 19, 2012 10:27 pm - Location: Behind A Script
Re: Embedded Object Allowances
Is there any way to permanently allow an object for a specific site for purposes such as checking against latest updates without using ABE? Or is that just not safe no matter how legitimate the site and update check is? This is the ABE rule I thought might work, but I might be extremely incorrect.
Code:
# rule to allow the Java applet on the Java and Oracle web sites
Accept from *java.com *oracle.com *oracleimg.com
Allow application/java
Deny
Edit: I read about:plugins for the correct MIME types, so this may be a more correct rule. Can anybody say either way?
Code:
# rule to permit update checking on the Java web site
Accept from *.java.com
Allow application/x-java-applet application/x-java-bean application/x-java-vm application/java-deployment-toolkit
Deny
Whilst on the subject of blocked objects:
What is the '@font-face' embedding and is it safe to allow for both trusted and untrusted? I do not have the 'frame' and 'iframe' boxes checked, and I noticed whilst reading the Creative site that a 'font' was a blocked object preventing me from reading what I wanted to read. I think the object is hosted on googleusercontent.com because that is the one I allowed. I thought it was simple text, but when I allowed it I was able to read the text. If it is safe to uncheck the box on the Embeddings tab I will, but I thought I would enquire here before making Firefox potentially vulnerable. I am almost certain everything other than the aforementioned embeddings would increase insecurities in a major way.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120223 Firefox/12.0a2 Firefox/12.0a2
Re: Embedded Object Allowances
Identities Infinite wrote:
> Is there any way to permanently allow an object for a specific site for purposes such as checking against latest updates without using ABE? Or is that just not safe no matter how legitimate the site and update check is? This is the ABE rule I thought might work, but I might be extremely incorrect.
> Code:
> # rule to allow the Java applet on the Java and Oracle web sites
> Accept from *java.com *oracle.com *oracleimg.com
> Allow application/java
> Deny
> Edit: I read about:plugins for the correct MIME types, so this may be a more correct rule. Can anybody say either way?
> Code:
> # rule to permit update checking on the Java web site
> Accept from *.java.com
> Allow application/x-java-applet application/x-java-bean application/x-java-vm application/java-deployment-toolkit
> Deny

The rule is missing the "Site" line. This is where you specify the source of the object(s) to which the rule applies.
See Creating Site-Specific Permissions via ABE
Try something like this:
Code:
Site: *@http://java.com
Accept from .java.com .oracle.com
Deny
The Accept line restricts which sites will accept, or allow, the above objects.
Let us know if that works for you.

Identities Infinite wrote:
> Whilst on the subject of blocked objects:
> What is the '@font-face' embedding and is it safe to allow for both trusted and untrusted?

There have been malicious exploits using font download, which is why NoScript provides blocking for this.
What is the full URL of the site in question? I'll check it out.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Identities Infinite - Senior Member - Posts: 124 - Joined: Sun Feb 19, 2012 10:27 pm - Location: Behind A Script
Re: Embedded Object Allowances
I will try that ABE rule. I thought the asterisk was the wildcard instead of ‘site’. I also understand the MIME types do not need to be defined.
I think it was this page. I now realise I think I allowed the Flash object which has the text. I never encountered that much text contained within a Flash object before, and JAWS usually never reads anything that well with respect to Flash. After reading your reply regarding inline frames in another thread, I have wisely disallowed those too. I did not know those were being used to inject malicious code. I will also keep the @font-face box checked now that I know better.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120223 Firefox/12.0a2 Firefox/12.0a2
Identities Infinite - Senior Member - Posts: 124 - Joined: Sun Feb 19, 2012 10:27 pm - Location: Behind A Script
Re: Embedded Object Allowances
That does not work. I am noticing some placeholders like
Code:
<EMBED>, java-deployment-toolkit@http://java.com/en/download/testjava.jsp
and
Code:
<EMBED>, java-applet@http://java.com/jsp_utils/jreVerify.class
If that worked I should not be locating these.
I removed the colon from line 2 because NoScript returned a syntax error, and after that there was no error. I pressed OK and tested it on java.com | Do I have Java? | Verify Java version.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120223 Firefox/12.0a2 Firefox/12.0a2
Re: Embedded Object Allowances
Identities Infinite wrote:
> I will try that ABE rule. I thought the asterisk was the wildcard instead of ‘site’.

I'm sorry for my lack of clarity. You are correct. What I meant to say was that the asterisk in the Site line is the wildcard that allows all objects emanating from that source.
Sometimes I get too wordy. This time, I was too brief. Can't win. (wink)

Identities Infinite wrote:
> That does not work. I am noticing some placeholders like
> Code:
> <EMBED>, java-deployment-toolkit@http://java.com/en/download/testjava.jsp
> and
> Code:
> <EMBED>, java-applet@http://java.com/jsp_utils/jreVerify.class
> If that worked I should not be locating these.

Let's make it simpler and more inclusive.
Code:
Site .java.com
Accept from .java.com .oracle.com
Deny
If necessary, we can add an ending wildcard:
Code:
Site .java.com/*

Identities Infinite wrote:
> I removed the colon from line 2 because NoScript returned a syntax error....

Typo on my part, sorry.
Will check your linked page shortly. I hope these help.
Edit: Yes, after allowing (temporarily) creative.com and images.creative.com, I see a placeholder only for a Flash object, which as you said, displays the text and other content. There was no font object that I could see.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Identities Infinite - Senior Member - Posts: 124 - Joined: Sun Feb 19, 2012 10:27 pm - Location: Behind A Script
Re: Embedded Object Allowances
I have NoScript set up to show only base-level domains. This makes it much easier for me to manage the whitelist, and creative.com is on the whitelist. There is a font object still blocked when one of the Flash objects is allowed [not the one with 2 domains like creative.com and http://creative.com, I think it is]. The font box is checked and the box to extend untrusted site restrictions to whitelisted sites is also checked. It says something like ‘temporarily allow font at themes.googleusercontent.com’.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120223 Firefox/12.0a2 Firefox/12.0a2
Identities Infinite - Senior Member - Posts: 124 - Joined: Sun Feb 19, 2012 10:27 pm - Location: Behind A Script
Re: Embedded Object Allowances
Weird, I tried both modifications to the rule and neither made the placeholders go away. The java-applet and java-deployment-toolkit are still being blocked. I downloaded the PDF, and I will really have to study it hardcore to understand exactly how to write these things. Does it matter that I use Java 7 Update 4?
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120223 Firefox/12.0a2 Firefox/12.0a2
Re: Embedded Object Allowances
Identities Infinite wrote:
> Weird, I tried both modifications to the rule and neither made the placeholders go away. The java-applet and java-deployment-toolkit are still being blocked.

OK, now I think I misunderstood your intentions. I thought you wanted just the applet that tells you if you have the latest version of Java?
Let's be clear on exactly what you *want* to allow, then go from there.

Identities Infinite wrote:
> Does it matter that I use Java 7 Update 4?

The version of Java shouldn't affect how we write the rule to allow only that which you want.
I'll have to see if I can reproduce your font object. I use full domains *and* base domains. Blocking by full domain allows for much better fine-tuning, although a longer menu.
Example:
Default whitelist includes yahoo.com and yimg.com.
I don't use the other areas of Yahoo much, at least not enough to whitelist them, so I deleted those and added
mail.yahoo.com and mail.yimg.com.
So in fact, I actually temp-allowed only
http://www.creative.com
http://images.creative.com
If this prevents the font object, I think that's an advantage. But will check again with only base domains and see if I can reproduce.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Identities Infinite - Senior Member - Posts: 124 - Joined: Sun Feb 19, 2012 10:27 pm - Location: Behind A Script
Re: Embedded Object Allowances
When the site is queried for updates against the version I have, I do not know what is being used. I assume the Java applet and Deployment Toolkit are both being requested from the site. These are plug-ins, obviously. The Java Virtual Machine is also being requested, and I assume that is the program installed on the machine [not a plug-in]. I assumed all Java plug-ins were needed to return ‘congratulations’ or the reverse type of message when it says I need to update. Am I wrong? Before I applied the restrictions of untrusted sites to whitelisted sites, none of these were blocked and most of the time the check went smoothly. The only way I can check is with Internet Explorer 9, which always works because that thing just lets everything through.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120223 Firefox/12.0a2 Firefox/12.0a2
Re: Embedded Object Allowances
OK, I switched from trusty Firefox 3.6 to 10.2 to double-check.
Using the JSView add-on, I see that their style sheet makes a call to
Code:
http://fonts.googleapis.com/css?family=Droid+Sans
In addition to allowing the Creative scripting, I had to give permissions in RequestPolicy, a very useful add-on that complements NoScript nicely, but might add too much complexity for the visually-impaired. I allowed requests to googleapis.com, then to googleusercontent.com.
THEN I see in Blocked Objects menu,
Code:
Temporarily allow font @http://themes.googleusercontent.com
Also, in "Recently blocked sites",
Code:
Allow all from http://themes.googleusercontent.com
Code uploaded by random unknown users is even more likely to be dangerous than that of web sites that care about their reputation.
This is acknowledged even in the NoScript Default Whitelist, where this forum, the NoScript home page, and Giorgio's personal and company pages are whitelisted, but his blog, hackademix.net, is not. The reason being that users often post or link to POC (Proof of Concept) - benign examples of how to exploit a vulnerability they've found. Of course, we "hope" they're benign. But that is why the blog is not default-whitelisted.
Given that the site seems to work fine with the default font and theme, I see no reason to risk letting some user-created content run, unless it's absolutely necessary for the specific games or whatever. Make sense?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Re: Embedded Object Allowances
Sorry, we cross-posted about Java. I was researching Creative Alchemy, and when finished posting that, saw your post about Java.
I need to log off for a while. I'll try to get back to the Java issue some time later; if not, within 24 hours, unless someone else gets here first.
Thank you for your patience.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27