[ext] NoScript 1.9 - Your Friendly Web Cop

Announce and Discuss the Latest Theme and Extension Releases.
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by Giorgio Maone »

@atagar:
maybe. Is there any way for me to reproduce this issue?
JohnMGoodman
Posts: 2
Joined: February 2nd, 2009, 5:23 am

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by JohnMGoodman »

Ever since I installed the NoScript add-on to Firefox I have had a problem when logging into various web sites. Specifically, I had asked those web sites to "remember me" which, as I understand it, means they will write a persistent cookie to my machine with my user name. I told NoScript to "Enable Automatic Secure Cookies Management" (the default for that option, as far as I recall). Ever since then those web sites act as if I were logging in from a machine without a cookie.

I'd like to better understand what "Enable Automatic Secure Cookies Management" actually does. And why I need it enabled, or if there is a way to tell it not to mess with cookies from trusted web sites (such as my bank's login site).
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by luntrus »

Hello users of NoScript,

JSMin is a filter which removes comments and unnecessary whitespace from JavaScript files. It typically reduces filesize by half, resulting in faster downloads. It also encourages a more expressive programming style because it eliminates the download cost of clean, literate self-documentation.
Try it out here. It is suggested that JSLint (http://www.jslint.com/) be used before using JSMin.
Be sure to retain your original source file. JSMin is a one-way trip: Once done, it cannot be undone.

Do not put raw control characters inside a quoted string. That is an extremely bad practice. Use \xhh notation instead. JSMin will replace control characters with spaces or linefeeds.

Use parens with confusing sequences of + or -. For example, minification changes

a + ++b

into

a+++b

which is interpreted as

a++ + b

which is wrong. You can avoid this by using parens:

a + (++b)
If you take this caution, go and test it here:

http://fmarcia.info/jsmin/test.html

luntrus
Fx forever
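The two pitfalls in the post above (ambiguous `+ ++` sequences and raw control characters) can be checked mechanically. The following is an added example, not JSMin's own code and not part of the original thread: `naiveStrip()` imitates only the "drop whitespace between tokens" step of a minifier, and `evalWith()` runs an expression with fresh `a = 1, b = 2` so the two different parses can be told apart by their side effects. The inputs are constructed for the demo.

```javascript
// Added example (not JSMin, not NoScript): why `a + ++b` must be
// parenthesised before whitespace is removed.

// Imitates the whitespace-stripping step of a minifier. It removes every
// run of spaces/tabs; the constructed inputs below contain no string
// literals, so nothing inside quotes is at risk here.
function naiveStrip(src) {
  return src.replace(/[ \t]+/g, '');
}

// Evaluates `expr` with fresh a = 1, b = 2 and returns the result together
// with the final values of a and b. A prefix ++b leaves a alone and bumps
// b; a postfix a++ bumps a instead, so the two parses are distinguishable.
function evalWith(expr) {
  const fn = new Function(
    'let a = 1, b = 2; const r = (' + expr + '); return { r, a, b };'
  );
  return fn();
}

// Runs the expression before and after stripping and reports whether the
// minified form still computes the same thing.
function compareMinified(expr) {
  const minified = naiveStrip(expr);
  const before = evalWith(expr);
  const after = evalWith(minified);
  const same =
    before.r === after.r && before.a === after.a && before.b === after.b;
  return { expr, minified, before, after, same };
}

// Rewrites raw control characters in a string as \xhh escapes, which is
// what the post recommends instead of embedding them literally.
function escapeControlChars(str) {
  return str.replace(/[\x00-\x1f\x7f]/g, (c) => {
    return '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

// Demo: 'a + ++b' -> 'a+++b' is parsed as 'a++ + b' (result 3, a becomes 2)
// instead of 'a + (++b)' (result 4, b becomes 3). The parenthesised form
// survives stripping unchanged in meaning.
console.log(compareMinified('a + ++b'));
console.log(compareMinified('a + (++b)'));
console.log(escapeControlChars('line1\tline2'));
```

Run it with `node` and compare the `before` and `after` objects: for `a + ++b` they differ, for `a + (++b)` they match.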
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by Giorgio Maone »

@JohnMGoodman:
the behavior you're describing may happen if you visit (before or after your secure transactions) the bank site without HTTPS.
Whenever you visit a non-HTTPS domain for which you've got cookies that had been set during an HTTPS conversation, those cookies are stripped by secure cookie management.
An easy work-around for this is configuring NoScript Options|Advanced|HTTPS to force HTTPS on that site.
As a side note and generally speaking, using the "remember me" feature for a sensitive site is a very unsafe practice, since it makes CSRF and XSS attacks much more likely to succeed (because you're permanently logged in).
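The behaviour Giorgio describes can be modelled with a small cookie jar. The following is an added example, not NoScript's code: it implements the RFC 6265 rule that a `Secure` cookie is only attached to HTTPS requests, marks every cookie received over HTTPS as `Secure` (the "automatic secure cookie management" idea), and applies a per-host "force HTTPS" rule before deciding what to send. The host `bank.example` and the `remember=alice` cookie are constructed for the demo; "stripped" is modelled here as the cookie being withheld from the plain-HTTP request.

```javascript
// Added example, not NoScript's implementation: a toy cookie jar showing
// why a "remember me" cookie set over HTTPS vanishes on a plain-HTTP visit,
// and why a force-HTTPS rule for the host brings it back.

class CookieJar {
  constructor({ autoSecure = true, forceHttps = new Set() } = {}) {
    this.autoSecure = autoSecure;   // mark HTTPS-set cookies as Secure
    this.forceHttps = forceHttps;   // hostnames always upgraded to https:
    this.cookies = new Map();       // key: hostname|name -> cookie record
  }

  // Stores a cookie from a Set-Cookie header received in a response to `url`.
  setCookie(url, header) {
    const u = new URL(url);
    const parts = header.split(';').map((s) => s.trim());
    const [name, value] = parts[0].split('=');
    const attrs = new Set(parts.slice(1).map((s) => s.toLowerCase()));
    let secure = attrs.has('secure');
    // Hardening as modelled here: anything set during an HTTPS conversation
    // is treated as Secure even if the server omitted the flag.
    if (this.autoSecure && u.protocol === 'https:') secure = true;
    this.cookies.set(u.hostname + '|' + name, { name, value, secure });
  }

  // Applies the per-site "force HTTPS" rule before the request is built.
  effectiveUrl(url) {
    const u = new URL(url);
    if (this.forceHttps.has(u.hostname) && u.protocol === 'http:') {
      u.protocol = 'https:';
    }
    return u;
  }

  // Builds the Cookie header for a request to `url`. RFC 6265: Secure
  // cookies are only sent over HTTPS, so a plain-HTTP visit gets none.
  cookieHeader(url) {
    const u = this.effectiveUrl(url);
    const sent = [];
    for (const [key, c] of this.cookies) {
      if (!key.startsWith(u.hostname + '|')) continue;
      if (c.secure && u.protocol !== 'https:') continue;
      sent.push(c.name + '=' + c.value);
    }
    return sent.join('; ');
  }
}

// Scenario (constructed): the bank sets a "remember me" cookie over HTTPS
// without the Secure flag; the user later types the address without https://.
function scenario(options) {
  const jar = new CookieJar(options);
  jar.setCookie('https://bank.example/login', 'remember=alice; Path=/');
  return {
    overHttps: jar.cookieHeader('https://bank.example/'),
    overHttp: jar.cookieHeader('http://bank.example/'),
  };
}

console.log('default:', scenario({}));
console.log('force https:', scenario({ forceHttps: new Set(['bank.example']) }));
console.log('no auto-secure:', scenario({ autoSecure: false }));
```

With the default settings the HTTP request carries no cookie, so the site sees an anonymous visitor; with `bank.example` in the force-HTTPS set the request is upgraded first and the cookie travels. Turning `autoSecure` off also restores the cookie, but then it is sent in clear text on every HTTP visit, which is the exposure the option exists to prevent.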
deathmetalfan
Posts: 1
Joined: February 2nd, 2009, 6:04 pm

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by deathmetalfan »

Hi:

I've been having some trouble loading data: urls into firefox from the command line in linux, like

$ firefox 'data:text/html,hello'

noscript gives me this message in the console dump:

[NoScript] Content BLOCKED JavaScript/Data URL -- type: 6, location: data:text/html,hello, origin: chrome://browser/content/browser.xul, ctx: [object XULElement], mime: , null

I tried setting noscript.forbiddata to false but that didn't seem to help. Is there another option I'm missing that will allow me to do this?

Thanks a lot.
Lassar
Posts: 176
Joined: June 20th, 2007, 1:42 pm

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by Lassar »

I just updated to noscript 1.90.

Google keyword tool still not working.
https://adwords.google.com/select/KeywordToolExternal

Here are the errors and warnings from the error console.

Error: container is null
Source File: chrome://evcextension/content/securitylabel.js
Line: 125
Error: [Exception... "Component is not available" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: file:///D:/Program%20Files/Mozilla%20Firefox/components/nsSessionStore.js :: sss_saveState :: line 1908" data: no]
Source File: file:///D:/Program%20Files/Mozilla%20Firefox/components/nsSessionStore.js
Line: 1908
Error: [Exception... "Component is not available" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: file:///D:/Program%20Files/Mozilla%20Firefox/components/nsSessionStore.js :: sss_saveState :: line 1908" data: no]
Source File: file:///D:/Program%20Files/Mozilla%20Firefox/components/nsSessionStore.js
Line: 1908
Error: userAgentButton is null
Source File: chrome://useragentswitcher/content/useragentswitcher.js
Line: 481
Error: [Exception... "Component is not available" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: file:///D:/Program%20Files/Mozilla%20Firefox/components/nsSessionStore.js :: sss_saveState :: line 1908" data: no]
Source File: file:///D:/Program%20Files/Mozilla%20Firefox/components/nsSessionStore.js
Line: 1908


warnings

Warning: Expected end of value for property but found '2'. Error in parsing value for property 'margin'. Declaration dropped.
Source File: https://adwords.google.com/select/resou ... sLater.css
Line: 1
Warning: Error in parsing value for property 'top'. Declaration dropped.
Source File: https://adwords.google.com/select/resou ... sLater.css
Line: 1
Warning: Error in parsing value for property 'left'. Declaration dropped.
Source File: https://adwords.google.com/select/resou ... sLater.css
Line: 1
Warning: Unknown property 'z-order'. Declaration dropped.
Source File: https://adwords.google.com/select/resou ... lanner.css
Line: 139
Warning: Unknown property 'whitespace'. Declaration dropped.
Source File: https://adwords.google.com/select/resou ... lanner.css
Line: 312

-
-
Curious about the FCC GROL License ?
t1470258
Posts: 10
Joined: September 24th, 2004, 12:50 am

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by t1470258 »

May I have a suggestion?

Sometimes NoScript blocks a URL showing only a "message row" asking if the user wants to follow the redirection. With the current latest NoScript I couldn't find a way to learn "to which site" I'm being asked to be redirected other than accepting the redirection. IMHO it would be nice if the "message row" also said "WHERE to", allowing and informing the user to decide whether to follow the link or not...

Thanks...
Some Person
Posts: 20
Joined: June 7th, 2008, 11:46 pm

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by Some Person »

Unable to check mortgage rates at Chase Mortgage

Fx 2.20 NS 1.9 AdBlock Original

Original site: http://mortgage.chase.com/pages/shared/gateway.jsp
Click link "check rates" = http://mortgage.chase.com/pages/purchas ... anding.jsp
Temporarily allow all this page = yes, twice (new script added after first reload).
AdBlock = Whitelist this whole site > reload.
Still shows several blocked objects: three Flash objects, three chat... objects.
Uncheck "Apply restrictions to trusted sites".
No blocked objects shown now.
All cookies allowed and show: chase.com, mortgage.chase.com, chat.chase.com
Fill in form > enter > page reloads empty form.
WTF?
Fill in form again > enter > reloads empty form again.
Error console: 24 warnings, all in "parsing value for property "xxxx-xxxx". Declaration dropped." where xxxx-xxxx = "marker-offset" or "moz-user-select". If you can't reproduce it, I can copy each error message and re-post. The first one looks like this:

Warning: Error in parsing value for property 'marker-offset'. Declaration dropped. Source File: http://mortgage.chase.com/pages/shared/gateway.jsp Line: 0

Thank you!
oki-inu
Posts: 3
Joined: February 3rd, 2009, 12:15 am

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by oki-inu »

I recently noticed a problem with NoScript I have not seen addressed. NoScript is blocking blogrolls by Blogrolling on my and other blogs. Blogrolling is on my white list and the page is trusted and completely allowed. In fact if I allow scripts globally it still blocks the blogroll. Only when I disable NoScript can I see the blogroll, something I obviously don't want to do. There are no error messages, the page acts like a fully trusted site but the blogroll is missing. I just updated to 1.9 but it didn't work in the last version I had either.

It works OK with version 1.8.2.1
Last edited by oki-inu on February 4th, 2009, 2:37 am, edited 1 time in total.
unholy
Posts: 4
Joined: August 18th, 2008, 8:39 pm

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by unholy »

For me the most annoying part of using NoScript was always the huge amount of needless labor when setting policies for commonly used sites. More precisely the need to remember each unknown domain name and then write it manually in another place, just to check what kind of site it is, and whether it must be added to the untrusted list as an advertisement provider or statistics collector for example. While NoScript itself is an extremely usable extension in terms of keeping out unnecessary information, the need to burden my brain with tons of unnecessary information just to be able to use it to its full is a serious disadvantage.

Is it possible to add to the list of options for unknown sites an option to copy its base domain name to the clipboard? This way it will be possible to check unknown sites without the need to remember each of their names.
jimattfield
Posts: 3
Joined: February 3rd, 2009, 5:13 am

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by jimattfield »

Hi Giorgio,

I have been a NoScript user for a long time without problem but when I just upgraded to v1.9 my BBC Syndication applet broke and will not display although no error messages are shown. No amount of changing settings, whitelisting, XSS disabling or twiddling will restore it. It appears fine if NoScript is disabled and one of my other machines still with version 1.8.9 works fine. I just can't get a handle on it at all. You can see the effect at http://www.attfield.co.uk. It should be just below the W3C block. FYI here is the script block (in a DIV called 'bbcbox') but with the actual 'src' page name obfuscated. I have tried the beta 1.9.0.2 builds but with no change. I would much appreciate any clues.

<!-- BBCi Syndication -->
<noscript><a href="http://www.bbc.co.uk/news" target="_BBC">
<img src="http://newsimg.bbc.co.uk/shared/bsp/hi/services/htmlsyndication/img/synd_js_error_js-inactive.gif"
width="165" height="200" border="0" alt="BBCi: Javascript is not available on this browser"/></a></noscript>
<script src="http://www.bbc.co.uk/syndication/html/jsserver/1234567890123" language="JavaScript" type="text/javascript"></script>
<!-- /BBCi Syndication -->

Stop press: Doh! Forgot the error console which reports "[NoScript] Potential cross-site E4X hijacking detected and blocked (http://www.bbc.co.uk/syndication/html/j ... 4567890123)". Clues as to how to disable this for this site appreciated - I'm going off to search the docs.

Additional: setting noscript.checkHijackings to FALSE cures the problem but I'm not really happy with this. I need to find a way to suppress E4X checking for a declared URL.
MartinHowe
Posts: 4
Joined: February 3rd, 2009, 6:58 am
Location: The next most easterly town in England

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by MartinHowe »

I have found a problem with objects, especially with W3C compliance regarding fallback content.

I have a customised reCAPTCHA library that uses an object to display the manual verification widget if JavaScript is disabled or otherwise not available:


<object style="width:350px;height:320px;" data="'.$server.'/noscript?k='.$pubkey.$errorpart.'" type="text/html" standby="reCAPTCHA widget">This object is disabled.</object>

According to W3C rules, the text "This object is disabled." is supposed to be visible if the object itself is blocked.

Steps to reproduce:
1) Turn javascript off using web developer or similar tool.
2) Navigate to http://www.martinhowe.net/home/contact.php
3) Mark the site as untrusted and reload.

Expected result:
* NoScript blocks the OBJECT used by reCAPTCHA, but displays the content between the <object> and </object> tags; i.e., inside the object area, the text "This object is disabled." should be visible.

Actual result:
* NoScript blocks the entire object, including the fallback content, in contravention of W3C rules for HTML 4.01. I have had to resort to adding an extra paragraph after the object -- that paragraph is visible even when the object is working, so it doesn't look good.

When an object is blocked, either because the browser doesn't support them or because of security settings, the browser is supposed to display the content between the <object> and </object> tags, rather like the <noscript> tags for JavaScript.

It is also worth pointing out that since objects can be (and are) used to include pure text or plain HTML (not just scripts) I would expect NoScript to simply display as normal any object whose MIME type is just "text/html" as normal, recursively applying the NoScript security rules to the object content as needed.

Heck, maybe well-known good guys like reCAPTCHA should be on the built-in whitelist anyway :)
Lassar
Posts: 176
Joined: June 20th, 2007, 1:42 pm

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by Lassar »

unholy wrote:For me the most annoying part of using NoScript was always the huge amount of needless labor when setting policies for commonly used sites. More precisely the need to remember each unknown domain name and then write it manually in another place, just to check what kind of site it is, and whether it must be added to the untrusted list as an advertisement provider or statistics collector for example. While NoScript itself is an extremely usable extension in terms of keeping out unnecessary information, the need to burden my brain with tons of unnecessary information just to be able to use it to its full is a serious disadvantage.


I agree with this. I set noscript to scripts globally allowed.

As far as trusted sites are concerned; you really do not know who to trust; unless you are the lord almighty.

A hacker might find an overlooked security flaw. A site you might think is trusted gets hacked.

It happens all the time with microsoft finding new security flaws. And we all trust microsoft right ?

It makes more sense to have a blacklist of sites we don't trust.

-
-
Curious about the FCC GROL License ?
unholy
Posts: 4
Joined: August 18th, 2008, 8:39 pm

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by unholy »

[offtopic]
Lassar wrote:It happens all the time with microsoft finding new security flaws. And we all trust microsoft right ?


Wrong. I never perceived trust as the matter of religion you describe. Choosing to treat something as partially trustworthy means that a sufficient amount of information has been accumulated to make a reliable risk calculation. Choosing whom to trust on the basis of some kind of urge to believe in something, and deciding to believe in everyone who hasn't personally betrayed your trust, just because you managed to convince yourself that believing in people gives good karma, is not something I'm capable of understanding.

But what you decided to give as an example is even harder to understand. Claiming that all of us must trust a specific software company, just because it proved able to maintain for many years a 99.9% monopoly in developing the software malware depends on... Just because we see that basically any new malware-spreading medium is created by Microsoft and is possible because of some new genius API they develop and maintain, we must choose to trust them? What kind of nonsense is that?

Sorry, you failed to convince me. I don't trust Microsoft. I don't believe you that everyone here trusts Microsoft. And while there are situations when a blacklisting feature is usable (to satisfy people who trust Microsoft, for example), I don't see it as the better approach.
[/offtopic]
liqid
Posts: 1
Joined: February 3rd, 2009, 12:52 pm

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by liqid »

Since Version 3 of Firefox, I think, there's a new way of generating html pages when visiting ftp sites in the browser. The new html is supported by some javascripts that allow sorting the files. They are pretty useful at that, so I'd like to whitelist them. Thing is though, that I don't have the slightest clue where they come from, because temporarily enabling scripts for the viewed site doesn't help and the site source code doesn't tell me anything. View Source doesn't deliver html on ftp sites (which is perfectly fine).
(Version of NoScript is 1.9.0.1)