MozillaZine

[ext] NoScript 1.7 - Guardian of your Trust

Announce and Discuss the Latest Theme and Extension Releases.
Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted June 25th, 2008, 7:14 am

There's a browser safer than Firefox...
...it is Firefox with Image


NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution plus unique anti-XSS protection.

CHANGELOG


Previous discussion

nagan
 
Posts: 125
Joined: April 23rd, 2008, 1:48 am

Post Posted June 25th, 2008, 8:05 am

Giorgio, can Noscript be available as a standalone exe (like shockwave plugin) rather than go to a site and install.This way I can have a user friendly standalone with me and upgrade and downgrade at will.By the way most of the issues discussed in the previous users posts work fine with 1.6.8 which I have.

VeryMellow
 
Posts: 5
Joined: June 20th, 2008, 1:11 pm

Post Posted June 25th, 2008, 8:08 am

I hope this is the right place to post this:
I think NoScript should attempt to protect you against CSRF attacks such as false image get requests (eg <img src="google.com/search?q=moo">) as well as having a form.submit in a onLoad event.

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted June 25th, 2008, 8:24 am

@nagan:
You can always use right+click, "Save link as..." over the XPI link and store it for later use.
If you need to install from your local file system, just drag & drop the XPI onto your browser window.
Recent releases are listed here.

@VeryMellow:
NoScript already protects you from cross-site POST requests from an untrusted site to a trusted one, which rules out the most dangerous CSRF attacks (those directed to form-guarded resources).
GET requests like those from IMG tags are harder to handle, because user should decide and state which sites are allowed to link other sites: how does your example differs from a normal link to a google search result (which, BTW, could be automatically loaded without scripting also using a FRAME, and IFRAME or a META refresh)?
While I'm willing to offer such an option for advanced user, the most viable solution, even if quite far in future and requiring web owner adoption, is SSP.

WaynePollock
 
Posts: 2
Joined: June 25th, 2008, 8:19 am

Post Posted June 25th, 2008, 8:40 am

Bug report: scripts won't run on localhost with Firefox 3.

I've tested this by removing all other extensions and the problem persists.
I've tried the obvious, such as whitelisting localhost.
The problem was in the previous version as well (which was the current version when
I upgraded Firefox). The only setting that works is "allow scripts globally".

My System: Windows XP - SP 3, Sambar web server V6.4

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted June 25th, 2008, 8:54 am

@WaynePollock:
it's working fine for me, really.
Could you try upgrading to NoScript 1.7 and, if the problem persist, use NoScript Options|Reset?

fswl1234

User avatar
 
Posts: 241
Joined: October 15th, 2003, 4:32 pm

Post Posted June 25th, 2008, 10:25 am

i just update have some problems
1) output window of chatzilla doesn't show anything any more
2) temporarily allow http://somesite ends up reloading all the links instead of that site alone

anyone else?

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted June 25th, 2008, 10:35 am

@redhat71:
Problem #1: thanks, bug, fixing - you can turn noscript.autoreload.allTabs about:config preference to false as a temporary work-around
Problem #2: does it still happens if you turn the noscript.forbidData about:config preference to true?

fswl1234

User avatar
 
Posts: 241
Joined: October 15th, 2003, 4:32 pm

Post Posted June 25th, 2008, 10:44 am

Giorgio Maone wrote:@redhat71:
Problem #1: thanks, bug, fixing - you can turn noscript.autoreload.allTabs about:config preference to false as a temporary work-around

doesn't seem to wfm, still blank
i'm opening chatzilla in browser tab as work-around
Problem #2: does it still happens if you turn the noscript.forbidData about:config preference to true?


true is default, changing it to false seems to fix the problem

UPDATE:
sorry, obviously it's noscript.autoreload.allTabs false that fixed my 2nd problem
toggling noscript.forbidData doesn't seem to have an affect on the chatzilla problem
Last edited by fswl1234 on June 25th, 2008, 11:09 am, edited 1 time in total.

FireFoxFlame
 
Posts: 288
Joined: May 22nd, 2004, 2:33 pm
Location: Worming within the Big Apple

Post Posted June 25th, 2008, 11:01 am

I've used this wonderful extension for quite some time and many revisions without a problem. However, I just updated to version 1.7, then, when I tried to access a Citibank account which is on my Whitelist, I triggered a notice that my browser blocked javascript...? I reverted back to 1.6.9.3 and resumed problem-free connection.

Advice/comments?

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted June 25th, 2008, 11:12 am

@FirefoxFlame:
what kind of notice, exactly?

@redhat71:
what's exactly blocked in Chatzilla? I've tried to open the main window and connect to irc.mozilla.org. The three panels (users, messages and input) are working fine for me.

fswl1234

User avatar
 
Posts: 241
Joined: October 15th, 2003, 4:32 pm

Post Posted June 25th, 2008, 11:33 am


fswl1234

User avatar
 
Posts: 241
Joined: October 15th, 2003, 4:32 pm

Post Posted June 25th, 2008, 11:45 am

tried reset noscript then restart, same problem (in 1.7.1 as well)

ps: the last part "Build identifier: blahblahblah" is missing in about:

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted June 25th, 2008, 12:46 pm

@redhat71:
OK, I managed to reproduce the Chatzilla "blank" issue on Firefox 2.0.0.14.
You can work around it either by turning noscript.forbidData to false or by by (temporarily) allowing file://
I'm not 100% sure of the reason, but this problem does not happen on Firefox 3.

fswl1234

User avatar
 
Posts: 241
Joined: October 15th, 2003, 4:32 pm

Post Posted June 25th, 2008, 1:05 pm

file:// did it, thanks

Return to Extension/Theme Releases


Who is online

Users browsing this forum: No registered users and 2 guests