Page 1 of 3
Embedded Object Allowances
Posted: Sun Feb 19, 2012 10:49 pm
by Identities Infinite
I am currently using the latest development build of NoScript [and always will]. I recently re-read the FAQ but more critically this time. I then decided to apply restrictions to whitelisted sites because I really wanted to remove the almost ancient and useless FlashBlock extension. I did so but there is only one problem I am now facing.
As designed, NoScript blocks whatever one enables it to block which includes Flash and Java. For sake of discussion, I want to verify using Firefox whether or not I have the recommended Java version installed. NoScript blocks the Java applet on the Java site used to detect this. I can simply disable the aforementioned security setting but if so I would need to re-install FlashBlock which defeats the entire thing. I want to know if there is an about:config setting [because I know it can not be found in the options dialogue] that enables me to specify what type of object to allow on what site. For example, I want the Java applet [if not insecure] to be allowed on the site that uses it to check. If there is any other site that makes use of something blocked by NoScript I guess this question applies too. I remember reading something about a ‘regxp’ preference but I am horrible with mime types and do not want to break this wonderful fool-proof security scheme [NoScript is only one component] I have working for me.
Much thanks in advance.
Whilst on the subject of embedded objects…
Is it safe to allow the [at]font-face embedding [uncheck the check box in the Options dialogue] for both trusted and untrusted? I do not have the frame and iframe boxes checked and I noticed whilst reading the Creative site font was a blocked object preventing me from reading what I wanted to read. I thought it was simple text but when I allowed it I was able to read the text. If it is safe to uncheck the box on that Tab I will but thought I would enquire here before making Firefox potentially vulnerable. I am almost certain everything other than the aforementioned embeddings would increase insecurities in a major way. The object in question is hosted on googleusercontent.com.
Re: Embedded Object Allowances
Posted: Thu Feb 23, 2012 6:57 am
by Tom T.
Identities Infinite wrote: I want to verify using Firefox whether or not I have the recommended Java version installed. NoScript blocks the Java applet on the Java site used to detect this. I can simply disable the aforementioned security setting...
Can't you just open the NoScript menu, point to Blocked Objects, look for the Java applet, and OK it? (Allowing scripting from java.com also)
Or hover the mouse over the placeholder (NoScript block-logo, red snake), see that it's the applet you're looking for, click it, then OK at the confirmation prompt?
Neither of these involves disabling global protection against Java.
Identities Infinite wrote: I want to know if there is an about:config setting [because I know it can not be found in the options dialogue] that enables me to specify what type of object to allow on what site.
You can use Creating Site-Specific Permissions via ABE for that.
No about:config stuff or regxp needed.
Re: Embedded Object Allowances
Posted: Thu Feb 23, 2012 2:28 pm
by Identities Infinite
I am blind and use the JAWS For Windows screen reader. I do not use a mouse or screen. I thought those options in the Blocked Objects sub-menu are all ‘temporarily allow’ options. Which one should I choose? When I close the browser, re-open it and repeat the same steps it should not be blocked. I am bad with ABE but I will read whatever you linked.
Re: Embedded Object Allowances
Posted: Thu Feb 23, 2012 3:04 pm
by therube
> those options in the Blocked Objects sub-menu are all ‘temporarily allow’ options
That is correct.
Re: Embedded Object Allowances
Posted: Thu Feb 23, 2012 6:34 pm
by Identities Infinite
Is there any way to permanently allow an object for a specific site for purposes such as checking against latest updates without using ABE? Or, is that just not safe no matter how legitimate the site and update check is? This is the ABE rule I thought might work but I might be extremely incorrect.
# rule to allow the Java applet on the Java and Oracle web sites
Accept from *java.com *oracle.com *oracleimg.com
Allow application/java
Deny
Edit: I read about:plugins for the correct MIME types so this may be a more correct rule. Can anybody say either way?
# rule to permit update checking on the Java web site
Accept from *.java.com
Allow application/x-java-applet application/x-java-bean application/x-java-vm application/java-deployment-toolkit
Deny
Whilst on the subject of blocked objects:
What is the '@font-face' embedding and is it safe to allow for both trusted and untrusted? I do not have 'frame' and 'iframe' boxes checked and I noticed whilst reading the Creative site 'font' was a blocked object preventing me from reading what I wanted to read. I think the object is hosted on googleusercontent.com because that is the one I allowed. I thought it was simple text but when I allowed it I was able to read the text. If it is safe to uncheck the box on the Embeddings Tab I will but thought I would enquire here before making Firefox potentially vulnerable. I am almost certain everything other than the aforementioned embeddings would increase insecurities in a major way.
Re: Embedded Object Allowances
Posted: Fri Feb 24, 2012 3:06 am
by Tom T.
Identities Infinite wrote: Is there any way to permanently allow an object for a specific site for purposes such as checking against latest updates without using ABE? Or, is that just not safe no matter how legitimate the site and update check is? This is the ABE rule I thought might work but I might be extremely incorrect.
# rule to allow the Java applet on the Java and Oracle web sites
Accept from *java.com *oracle.com *oracleimg.com
Allow application/java
Deny
Edit: I read about:plugins for the correct MIME types so this may be a more correct rule. Can anybody say either way?
# rule to permit update checking on the Java web site
Accept from *.java.com
Allow application/x-java-applet application/x-java-bean application/x-java-vm application/java-deployment-toolkit
Deny
The rule is missing the "Site" line. This is where you specify the source of the object(s) to which the rule applies.
See Creating Site-Specific Permissions via ABE
Try something like this:
Site: *@http://java.com
Accept from .java.com .oracle.com
Deny
The "Site" wildcard allows all objects from that java domain.
The Accept line restricts which sites will accept, or allow, the above objects.
Let us know if that works for you.
Whilst on the subject of blocked objects:
What is the '@font-face' embedding and is it safe to allow for both trusted and untrusted?
There have been malicious exploits using font download, which is why NoScript provides blocking for this.
What is the full URL of the site in question? I'll check it out.
Re: Embedded Object Allowances
Posted: Fri Feb 24, 2012 3:18 am
by Identities Infinite
I will try that ABE rule. I thought the asterisk was the wildcard instead of ‘site’. I also understand the MIME types do not need to be defined.
I think it was this page. I now realised I think I allowed the Flash object which has the text. I never encountered that much text contained within a Flash object before and JAWS usually never reads anything that well with respect to Flash. After reading your reply regarding inline frames in another thread, I have wisely disallowed those too. I did not know those were being used to inject malicious code. I will also keep the @font-face box checked now that I know better.
Re: Embedded Object Allowances
Posted: Fri Feb 24, 2012 3:28 am
by Identities Infinite
That does not work. I am noticing some placeholders like
<EMBED>, java-deployment-toolkit@http://java.com/en/download/testjava.jsp
and
<EMBED>, java-applet@http://java.com/jsp_utils/jreVerify.class
If that worked I should not be locating these.
I removed the colon from line 2 because NoScript returned a syntax error and after that there was no error. I pressed OK, tested it on java.com | Do I have Java? | Verify Java version.
Re: Embedded Object Allowances
Posted: Fri Feb 24, 2012 3:53 am
by Tom T.
Identities Infinite wrote: I will try that ABE rule. I thought the asterisk was the wildcard instead of ‘site’.
I'm sorry for my lack of clarity. You are correct. What I meant to say was that the asterisk in the Site line is the wildcard that allows all objects emanating from that source.
Sometimes I get too wordy. This time, I was too brief. Can't win. (wink)
Identities Infinite wrote: That does not work. I am noticing some placeholders like
<EMBED>, java-deployment-toolkit@http://java.com/en/download/testjava.jsp
and
<EMBED>, java-applet@http://java.com/jsp_utils/jreVerify.class
If that worked I should not be locating these.
Let's make it simpler and more inclusive.
Site .java.com
Accept from .java.com .oracle.com
Deny
Per the ABE Rules .pdf, this "glob expression" should allow everything that matches java.com.
If necessary, we can add an ending wildcard:
If that doesn't work, then we'll use the regular expression template which is provided in the above ABE documentation.
I removed the colon from line 2 because NoScript returned a syntax error....
Typo on my part, sorry.
Will check your linked page shortly. I hope these help.
Edit: Yes, after allowing (temporarily) creative.com and images.creative.com, I see a placeholder only for a Flash object, which as you said, displays the text and other content. There was no font object that I could see.
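To make the Site / Accept from / Deny semantics discussed in the two posts above concrete, here is an added, simplified model of how such a rule set is evaluated. It is example code written for this thread, not NoScript's own ABE implementation: it assumes "Site" names the destination pattern, "Accept from" lists the origins allowed to load it, a bare "Deny" catches everything else, a leading "." matches a domain and all its subdomains, and it ignores ABE features such as SELF or HTTP methods.

```python
# Simplified model of ABE rule evaluation (constructed example, not NoScript's code).
#   Site <patterns>        - destinations the rule set applies to
#   Accept from <origins>  - origins allowed to request those destinations
#   Deny                   - everything not matched above is blocked
# A pattern starting with "." matches the domain itself and all its subdomains.
from urllib.parse import urlparse

# Constructed rule set mirroring the one suggested in the thread.
RULES = """
# allow java.com content only when requested from java.com or oracle.com pages
Site .java.com
Accept from .java.com .oracle.com
Deny
"""

def host_matches(pattern, host):
    """'.java.com' matches java.com and *.java.com; other patterns match exactly."""
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern

def parse_rules(text):
    """Return a list of (site_patterns, [(action, origin_patterns), ...])."""
    rulesets, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        words = line.split()
        if words[0] == "Site":
            current = (words[1:], [])
            rulesets.append(current)
        elif words[0] in ("Accept", "Deny"):
            if current is None:
                raise ValueError("action before any Site line: " + line)
            # "Deny" with no "from" applies to every origin
            origins = words[2:] if len(words) > 2 and words[1] == "from" else ["*"]
            current[1].append((words[0], origins))
    return rulesets

def evaluate(rulesets, origin_url, dest_url):
    """Return 'Accept' or 'Deny'; first matching line wins, uncovered = 'Accept'."""
    origin, dest = urlparse(origin_url).hostname, urlparse(dest_url).hostname
    for site_patterns, lines in rulesets:
        if not any(host_matches(p, dest) for p in site_patterns):
            continue
        for action, origins in lines:
            if "*" in origins or any(host_matches(o, origin) for o in origins):
                return action
    return "Accept"  # no Site line covers this destination
```

Note that a rule like this governs which page may request the java.com resources; it does not by itself change which plugin content types NoScript blocks.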
Re: Embedded Object Allowances
Posted: Fri Feb 24, 2012 4:04 am
by Identities Infinite
I have NoScript set up to show only base-level domains. This makes it much easier for me to manage the whitelist and creative.com is on the whitelist. There is a font object still blocked when one of the Flash objects is allowed [not the one with 2 domains like creative.com and http://creative.com I think it is]. The font box is checked and the box to extend untrusted site restrictions to whitelisted sites is also checked. It says something like ‘temporarily allow font at themes.googleusercontent.com’.
Re: Embedded Object Allowances
Posted: Fri Feb 24, 2012 4:11 am
by Identities Infinite
Weird, I tried both modifications to the rule and both did not make the placeholders go away. The java-applet and java-deployment-toolkit are still being blocked. I downloaded the PDF and I will really have to study it hardcore to understand exactly how to write these things. Does it matter that I use Java 7 Update 4?
Re: Embedded Object Allowances
Posted: Fri Feb 24, 2012 4:57 am
by Tom T.
Identities Infinite wrote: Weird, I tried both modifications to the rule and both did not make the placeholders go away. The java-applet and java-deployment-toolkit are still being blocked.
OK, now I think I misunderstood your intentions. I thought you wanted just the applet that tells you if you have the latest version of Java?
Let's be clear on exactly what you *want* to allow, then go from there.
Does it matter that I use Java 7 Update 4?
The version of Java shouldn't affect how we write the rule to allow only that which you want.
I'll have to see if I can reproduce your font object. I use full domains *and* base domains. Blocking by full domain allows for much better fine-tuning, although a longer menu.
Example:
Default whitelist includes yahoo.com and yimg.com.
I don't use the other areas of Yahoo much, at least not enough to whitelist them, so I deleted those and added mail.yahoo.com and mail.yimg.com.
So in fact, I actually temp-allowed only
http://www.creative.com
http://images.creative.com
If this prevents the font object, I think that's an advantage. But will check again with only base domains and see if I can reproduce.
Re: Embedded Object Allowances
Posted: Fri Feb 24, 2012 5:06 am
by Identities Infinite
When the site is queried for updates against the version I have I do not know what is being used. I assume the Java applet and Deployment Toolkit are both being requested from the site. These are plug-ins obviously. The Java Virtual Machine is also being requested and I assume that is the program installed on the machine [not a plug-in]. I assumed all Java plug-ins were needed to return ‘congratulations’ or the reverse type message when it says I need to update. Am I wrong? Before I applied the restrictions of untrusted sites to whitelisted sites none of these were blocked and most of the time the check went smoothly. The only way I can check is with Internet Explorer 9 which always works because that thing just lets everything through.
Re: Embedded Object Allowances
Posted: Fri Feb 24, 2012 5:22 am
by Tom T.
OK, I switched from trusty Firefox 3.6 to 10.2 to double-check.
Using the JSView add-on, I see that their style sheet makes a call to
http://fonts.googleapis.com/css?family=Droid+Sans
In addition to allowing the Creative scripting, I had to give permissions in RequestPolicy, a very useful add-on that complements NoScript nicely, but might add too much complexity for the visually-impaired. I allowed requests to googleapis.com, then to googleusercontent.com.
THEN I see in Blocked Objects menu,
Temporarily allow font @http://themes.googleusercontent.com
Also, in "Recently blocked sites",
Allow all from http://themes.googleusercontent.com
Code uploaded by random unknown users is even more likely to be dangerous than that of web sites that care about their reputation.
This is acknowledged even in the NoScript Default Whitelist, where this forum, the NoScript home page, and Giorgio's personal and company pages are whitelisted, but his blog, hackademix.net, is not. The reason being that users often post or link to POC (Proof of Concept) - benign examples of how to exploit a vulnerability they've found. Of course, we "hope" they're benign. But that is why the blog is not default-whitelisted.
Given that the site seems to work fine with the default font and theme, I see no reason to risk letting some user-created content run, unless it's absolutely necessary for the specific games or whatever. Make sense?
Re: Embedded Object Allowances
Posted: Fri Feb 24, 2012 5:25 am
by Tom T.
Sorry, we cross-posted about Java. I was researching Creative Alchemy, and when finished posting that, saw your post about Java.
I need to log off for a while. I'll try to get back to the Java issue some time later; if not, within 24 hours, unless someone else gets here first.
Thank you for your patience.