[ext] NoScript 1.8 - Your Browser is YOURS

Boblebad
Posts: 5
Joined: January 28th, 2009, 9:44 am

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by Boblebad »

Hi there

NoScript is XSS blocking a perfectly safe page, it's the Danish tax administration office

Here is what the console tells:

[NoScript XSS] Sanitized suspicious request. Original URL [https://login.service.csc.dk/sp/startSSO.ping?PartnerIdpId=https%3A%2F%2Fsaml.sikker-adgang.dk] requested from [https://fobs-sf.fobs.dk/readcookie.cdc?NOOA=2009-01-28T13:04:23.102Z&RESUME=aHR0cDovL3NrdGZic3BmNDo5MDMxL3NwL3Jlc3VtZS9zcC9jZGNzdGFydFNTTy5waW5n]. Sanitized URL: [https://login.service.csc.dk/sp/startSSO.ping?PartnerIdpId=https%3A%2F%2Fsaml.sikker-adgang.dk%2F].


Best regards
Carsten, Denmark
pirlouy
Posts: 232
Joined: February 11th, 2005, 6:29 am
Location: France

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by pirlouy »

Alan Baxter wrote:@pirlouy:
I thought you already knew about the noscript.firstRunRedirection about:config preference. http://noscript.net/faq#qa2_5

Yeah, I know; in fact I talked about extensions.update.interval
If someone does not want extensions to be updated often, he can increase the default value (in sec?).

@Luntrus: thanks for Karma Blocker; I have missed it; I'm going to try.
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by luntrus »

Hi users of NoScript,

Sometimes we want to check on the code we normally block, for instance for iframes; we know that iframe malware still totals up to 7% of the overall malware number. A nice online checker for BadStuff is to be found here:
http://jutaky.no-ip.org/index.php?optio ... &Itemid=32
Check out what is on a URL...
Of course one could check through JSView, but there one needs a trained eye, and not every user is equipped that way, so enjoy the online checker, and stay safe and secure, is the wish of,

luntrus
Fx forever
Alan Baxter
Posts: 4419
Joined: May 30th, 2005, 2:01 pm
Location: Colorado, USA

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by Alan Baxter »

@pirlouy:
I misread your previous post. Thank you for the clarification. BTW, Fx 3.0.6 RC1 is available.
milchmueller
Posts: 2
Joined: November 10th, 2008, 7:34 pm

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by milchmueller »

Dear Giorgio, great program, thank you so much for your work!!!

Clickjacking:

Please look at
http://www.secniche.org/gcr_clkj/

A div tag is used
<div id="mydiv"
onmouseover="document.location='http://www.xssed.com';"
style="position:absolute;width:2px;height:2px;background:#000000;border:0px"></div>

If Scripts are enabled at this page, NoScript (ver. 1.8.9.7 here) does not prevent going to the "clickjacked" page http://www.xssed.com.

Any hints?

Regards, Harald
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by Giorgio Maone »

@Everybody:
sorry for the delay, Mozillazine notifications not working for me (again).
I'm trying to answer in chronological order, please repost your questions if I miss anyone...

@ovesh:
did I already suggest you Standard Diagnostic?

@NZJon:
"Allow globally" always enabled on startup means something is broken in your profile.
Please try Standard Diagnostic

@luntrus:
Maybe my Surrogate Scripts has not been clear enough.
It's not meant to block google-analytics.com (NoScript already blocks it by default), but to replace it with a dummy so page depending on it don't break.
If you start blocking google-analytics.com by other means (host file, ABP, Karma and so on) NoScript's Surrogates can't help you anymore and you're back at square one with broken pages.
Regarding chrome://global/content/bindings/general.xml? abphit:96754750514#basecontrol -- it is from AdBlock Plus' element hiding machinery

@vger2:
either I'm missing something, or your link is actually broken.
http://united&co.xdccing.com/GET?bot=UN ... ???????+???
You can't have an ampersand inside the host name: this way you're contacting just "united" as the host name, and it obviously doesn't exist (unless you've got one in your LAN).

@ksdz:
Thanks for reporting. The long random "+-" sequence by Poken is actually taking too much time being processed by XSS filters.
I'm gonna fix this in next release.

@DaleStan:
Investigating, thanks.

@johndoe32102002:
Could you please elaborate?
The already present NoScript HTTPS enhancements should help in any HTTPS->HTTP leakage scenario, if correctly configured.
Please send me an email if you've got some further suggestion about them.

@sychtos:
The NoScript icon never disappears for me, even if I had reports of extension conflicts (e.g. with StumbleUpon) which might cause this.
Could you try Standard Diagnostic?

@Carsten:
I'm investigating and I'll fix that in next release.
In the meanwhile you can work around by adding https://fobs-sf.fobs.dk to your whitelist.

@milchmueller:
That guy is just an idiot.
For a brief explanation of his idiocy, read here:
http://hackademix.net/2009/01/28/ie8s-c ... ment-10664
milchmueller
Posts: 2
Joined: November 10th, 2008, 7:34 pm

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by milchmueller »

Dear Giorgio,

@milchmueller:
That guy is just an idiot.
For a brief explanation of his idiocy, read here:
http://hackademix.net/2009/01/28/ie8s-c ... ment-10664


Thank you for your reply, you are totally right, sorry for the inconvenience, this is my fault (because I had not correctly understood what clickjacking is). I had just read it on Heise
http://www.heise-online.co.uk/news/112518
(german:
http://www.heise.de/newsticker/meldung/122863
)
and I've asked for an explanation (and sent the author your great explanation, sorry again for my stupidity).

Thank you! Regards, Harald
nagan
Posts: 125
Joined: April 23rd, 2008, 1:48 am

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by nagan »

Perhaps they were down the line. Bringing them up once again.
nagan wrote:Please check this. Even with NS allowed and nothing blocked by ABPlus this seems to be the info. This site comes up when I click a downloadable file
http://www.zshare.net/adsblocked.html . This seems to be the site referred to by downloads.



nagan wrote:Other suggestions
1. When there is only one item blocked, the moment I allow it the icon shifts to the right for me to go there and click again, a small punishment for allowing the status bar label?

2. XSS and clickjacking are there; can't you NoScript popunders?

3. Even in case of partial allows it would be better if you had an icon which shows the present page condition. It could be misleading if google is allowed and not the present site.
Lassar
Posts: 176
Joined: June 20th, 2007, 1:42 pm

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by Lassar »


Can't get noscript to work with google adwords keyword tool. How do you get it to work ?
-
Curious about the FCC GROL License ?
sycthos
Posts: 4
Joined: January 27th, 2009, 7:11 pm

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by sycthos »

Giorgio Maone wrote:@sychtos:
The NoScript icon never disappear to me, even if I had reports of extension conflicts (e.g. with StumbleUpon) which might cause this.
Could you try Standard Diagnostic?

Okay, I've tried the diagnostic. I disabled every extension except NoScript, but the icon would still disappear immediately whenever the little bookmark box pops up.
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by luntrus »

Hi Giorgio Maone,

A couple of days ago Microsoft published their anti-clickjacking solution on their website,
and last year they shared this proposed solution with other browser builders.
It is a meta tag solution
Metatag: X-FRAME-OPTIONS
Values
DENY (page cannot be rendered in frame)
SAMEORIGIN (page can be in a frame when this is a frame from pages of the same subdomain)

Is this solution foolproof? Is its implementation also coming to Fx and Flock?
Is this IE8 solution the final answer to the problem?
I have put my cards on the protection of NoScript.

luntrus
Fx forever
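As an added example (not NoScript's or Microsoft's code) of the DENY / SAMEORIGIN semantics described in the post above: a small JavaScript routine that makes the decision a browser has to make before rendering a response inside a frame. It assumes the header's documented meaning, that SAMEORIGIN compares scheme, host and port exactly (so a subdomain is a different origin), and it checks every ancestor frame rather than only the top-level page, which is the stricter of the two readings browsers have used; every URL in it is constructed.

```javascript
// Added example, not NoScript or Microsoft code. Decides whether a response
// carrying an X-FRAME-OPTIONS header may render inside a frame.
// Assumptions: origin = scheme://host[:port]; SAMEORIGIN is checked against
// every ancestor frame (stricter reading); unknown values are ignored.

function originOf(url) {
  // URL.origin already drops default ports, so "https://a.example:443" and
  // "https://a.example" compare equal.
  return new URL(url).origin;
}

// headerValue: raw header value, or undefined when the header is absent.
// framedUrl:   URL of the document being loaded into the frame.
// ancestorUrls: embedding documents, innermost first, top-level last.
// Returns { allowed, reason }.
function evaluateFrameOptions(headerValue, framedUrl, ancestorUrls) {
  if (ancestorUrls.length === 0) {
    return { allowed: true, reason: "not framed" };
  }
  if (headerValue === undefined || headerValue === null) {
    return { allowed: true, reason: "no X-FRAME-OPTIONS header" };
  }
  const value = String(headerValue).trim().toUpperCase();
  switch (value) {
    case "DENY":
      return { allowed: false, reason: "DENY" };
    case "SAMEORIGIN": {
      const self = originOf(framedUrl);
      const offender = ancestorUrls.find((a) => originOf(a) !== self);
      if (offender) {
        return { allowed: false, reason: "SAMEORIGIN violated by " + originOf(offender) };
      }
      return { allowed: true, reason: "SAMEORIGIN satisfied" };
    }
    default:
      // A value the browser does not understand grants no protection at all.
      return { allowed: true, reason: "unrecognised value ignored: " + value };
  }
}

// Constructed sample exchanges (bank.example / attacker.example are not real).
function demo() {
  const cases = [
    ["DENY", "https://bank.example/transfer", ["https://attacker.example/decoy"]],
    ["SAMEORIGIN", "https://bank.example/transfer", ["https://bank.example/portal"]],
    // a subdomain is a different origin, so this is refused
    ["SAMEORIGIN", "https://bank.example/transfer", ["https://www.bank.example/portal"]],
    // same-origin inner frame, hostile top-level page: refused under the strict reading
    ["SAMEORIGIN", "https://bank.example/transfer", ["https://bank.example/inner", "https://attacker.example/outer"]],
    [undefined, "https://bank.example/transfer", ["https://attacker.example/decoy"]],
  ];
  return cases.map(([h, f, a]) => evaluateFrameOptions(h, f, a).allowed);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo()); // [ false, true, false, false, true ]
}
```

The last case is the one that matters for a NoScript user: a site that does not send the header gets no protection from it, which is why client-side frame blocking still has a job to do.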
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by Giorgio Maone »

@sychtos:
what about themes?

@nagan:
the ZShare thing can be handled with Surrogates. At this moment I'm very busy and sleepy, I promise I will answer both this and the other questions of yours tomorrow.

@luntrus:
http://hackademix.net/2009/01/29/x-fram ... n-firefox/ (and follow also the links to the previous posts)

@Lassar:
it's almost surely a Google Analytics issue.
Could you try if the problem persists with latest development build?

BTW especially for Carsten and ksdz:

1.8.9.9
=====================================================================
+ Experimental X-FRAME-OPTIONS compatibility support (see
http://hackademix.net/2009/01/29/x-fram ... n-firefox/ and
http://evil.hackademix.net/frameopts/ )
x Updated pt-BR translation
x Fixed freeze on Poken URLs (thanks ksdz for report)
x Fixed URIs nested in query string being normalized with trailing
slash (thanks Carsten for report about login.service.csc.dk)
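An added example (not NoScript's code) of the trailing-slash problem Carsten reported and the 1.8.9.9 changelog above fixes. The request URL is the one from the console line in his post; everything else is constructed. It assumes that the PartnerIdpId value is an opaque identifier which the receiving service compares as an exact string, so "https://saml.sikker-adgang.dk" and "https://saml.sikker-adgang.dk/" are different identifiers even though they name the same address.

```javascript
// Added example, not NoScript code. Shows how running a URL found inside a
// query parameter through a URL parser and re-serialising it changes the
// parameter (WHATWG parsing gives an empty path a "/"), and how to inspect
// nested URLs without altering them.
// Assumption: the parameter is an identifier compared byte-for-byte downstream.

// Taken from the console line quoted in the thread.
const ORIGINAL =
  "https://login.service.csc.dk/sp/startSSO.ping?PartnerIdpId=https%3A%2F%2Fsaml.sikker-adgang.dk";

const LOOKS_LIKE_URL = /^https?:\/\//i;

// The buggy approach: decode each parameter, and if it parses as an absolute
// URL, put the parser's serialisation back. The value silently gains a "/".
function normaliseNestedUrlsNaively(requestUrl) {
  const u = new URL(requestUrl);
  for (const [name, value] of [...u.searchParams]) {
    if (LOOKS_LIKE_URL.test(value)) {
      u.searchParams.set(name, new URL(value).href);
    }
  }
  return u.href;
}

// Inspect nested URLs (host, for whatever policy you apply) but keep the raw
// decoded value untouched.
function describeNestedUrls(requestUrl) {
  const u = new URL(requestUrl);
  const nested = [];
  for (const [name, value] of u.searchParams) {
    if (LOOKS_LIKE_URL.test(value)) {
      nested.push({ param: name, host: new URL(value).host, raw: value });
    }
  }
  return nested;
}

// Rebuild the request from the raw query string instead of from a parsed and
// re-serialised parameter list, so nothing you did not mean to touch changes.
function rebuildPreservingParams(requestUrl) {
  const u = new URL(requestUrl);
  return u.origin + u.pathname + u.search;
}

// What the service on the other end actually sees.
function idpIdFromRequest(requestUrl) {
  return new URL(requestUrl).searchParams.get("PartnerIdpId");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(idpIdFromRequest(ORIGINAL));
  console.log(idpIdFromRequest(normaliseNestedUrlsNaively(ORIGINAL)));
  console.log(rebuildPreservingParams(ORIGINAL) === ORIGINAL);
}
```

The naive function reproduces the "Sanitized URL" from the console line exactly, which is the whole bug: the sanitizer changed a request it had already decided was harmless.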
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by luntrus »

Hi users of NoScript,

Another reason to use NoScript protection.
TinyURL masks malicious links
Again a popular web service is being abused by miscreants:
TinyURL redirects to malicious websites to circumvent various security systems.
The TinyURL service lets you replace long URLs with shorter ones,
so that these links can be mailed more easily.
TinyURL then automatically redirects to the right web page.
It was only a matter of time before cybercrime started
to abuse this kind of web service on a grand scale.

Cybercriminals know how to easily circumvent Google Safe Browsing security,
according to security firm Finjan: http://www.finjan.com/MCRCblog.aspx?EntryId=2153
Safe Browsing has an up-to-date database of malicious sites
that are then blocked automatically for users.
This plug-in, which can be used inside Google Chrome and Firefox,
does not recognize the malicious sites because of the shortened URL.
The warning Safe Browsing normally shows is not shown.
The browser user is redirected immediately to the bad site.

Next to TinyURL there are various other similar services,
like Kurl, bit.ly and w3t.org.
bit.ly was also being abused by cyber criminals, as Finjan's survey showed.
In the meantime the malicious links have been deleted,
but the chance that using URL shorteners
is going to become a general malware pattern to hide their own malicious domains is obvious.

luntrus
Fx forever
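An added example (not NoScript's or Finjan's code) of the point luntrus makes above: a shortener is nothing but a redirect, so a site-reputation check has to be applied to every hop of the redirect chain, not to the short link the user clicked. The HTTP responses, hostnames and blocklist below are all constructed in memory so the code runs offline; the hop limit and loop detection are the guards any such resolver needs, and are assumptions of the example rather than anything the post describes.

```javascript
// Added example, not NoScript or Finjan code. Follows a shortener's redirect
// chain with HEAD-style lookups, guards against loops and endless chains, and
// checks every hop against a reputation list instead of only the first URL.
// The "network" and the blocklist are constructed test data.

const FAKE_RESPONSES = {
  "http://tinyurl.example/abc": { status: 301, location: "http://bit.example/xyz" },
  "http://bit.example/xyz": { status: 302, location: "http://malware.example/drop.exe" },
  "http://malware.example/drop.exe": { status: 200 },
  "http://tinyurl.example/rel": { status: 302, location: "/landing" }, // relative Location
  "http://tinyurl.example/landing": { status: 200 },
  "http://loop.example/a": { status: 302, location: "http://loop.example/b" },
  "http://loop.example/b": { status: 302, location: "http://loop.example/a" },
};

// Constructed reputation list; a real one would be Safe Browsing or similar.
const BLOCKLIST = new Set(["malware.example"]);

// Stand-in for an HTTP HEAD request that does not follow redirects itself.
function fakeHead(url) {
  const r = FAKE_RESPONSES[url];
  if (!r) throw new Error("no fake response for " + url);
  return r;
}

function isRedirect(resp) {
  return resp.status >= 300 && resp.status < 400 && typeof resp.location === "string";
}

// Returns { chain, final, verdict, blockedHop } where verdict is one of
// "clean", "blocked", "loop" or "too-many-hops".
function resolveChain(startUrl, head = fakeHead, maxHops = 10) {
  const chain = [new URL(startUrl).href];
  const seen = new Set(chain);
  let current = chain[0];
  let hops = 0;
  for (;;) {
    const resp = head(current);
    if (!isRedirect(resp)) break; // final destination reached
    if (hops >= maxHops) {
      return { chain, final: current, verdict: "too-many-hops" };
    }
    // Location may be relative; resolve it against the URL that sent it.
    const next = new URL(resp.location, current).href;
    if (seen.has(next)) {
      return { chain, final: next, verdict: "loop" };
    }
    seen.add(next);
    chain.push(next);
    current = next;
    hops++;
  }
  // Check every host the user would have passed through, not just the last.
  const blockedHop = chain.find((u) => BLOCKLIST.has(new URL(u).host));
  return { chain, final: current, verdict: blockedHop ? "blocked" : "clean", blockedHop };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(resolveChain("http://tinyurl.example/abc"));
  console.log(resolveChain("http://loop.example/a").verdict);
}
```

Checking only the clicked URL against the list is exactly the gap the Finjan write-up describes; the resolver above reports "blocked" for the constructed tinyurl.example link because its third hop lands on the listed host.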
axmaan
Posts: 5
Joined: January 1st, 2009, 6:18 pm

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by axmaan »

I've just been thrashing around to get the new Flash player installer to work :-| {bad, bad Adobe.}

A problem arising is that I would like to permit Flash video/streaming on an occasional, site-by-site basis, rather than
the broad 'everywhere' option, or having to 'trust' the site.

The same is true of Javascripts, I'd like to permit on an ad-hoc basis sometimes.

Is this possible, am I missing something? If not , can it be considered for a future release?

A little further observation, could it be possible to build some persistence into the NS pop-up?
It's a bit tedious having to alter permissions one by one, calling the pop-up each time.
A tick-list that doesn't close the dialogue would be nicer. Perhaps two columns, temporary & permanent.
Maybe use right-click if you don't want to close it immediately.

And an option to prevent Goo-tracking, too.

reverently,
axmaan
opopopoo
Posts: 303
Joined: June 9th, 2004, 1:05 pm

Re: [ext] NoScript 1.8 - Your Browser is YOURS

Post by opopopoo »

NoScript newest version in use.

I'm unable to open the url http://www.arcor.de.
Loading page process stops in the middle of progress bar.
Mozilla activity icon (right upper corner) continues to spin.
Firewall shows steady inbound and outbound traffic, few mb/sec.
Problem not reproducible on other machine or on the same machine but different windows account -> another profile.
According to firewalls indications firefox is producing this traffic.

It must definitely be NoScript, because disabling this extension avoids the load problems
with http://www.arcor.de.
Other profiles where I have done the counter-check (same and some other machine) also have NoScript installed. See below for the NS-related section of prefs.js
user_pref("noscript.blockNSWB", true);
user_pref("noscript.confirmUnblock", false);
user_pref("noscript.firstRunRedirection", false);
user_pref("noscript.forbidBookmarklets", true);
user_pref("noscript.forbidMetaRefresh", true);
user_pref("noscript.gtemp", "");
user_pref("noscript.httpsForced", "*.gmx.net\n*.gmx.de\n*.arcor.de\n");
user_pref("noscript.httpsForcedExceptions", "");
user_pref("noscript.notify", false);
user_pref("noscript.notify.bottom", false);
user_pref("noscript.options.tabSelectedIndexes", "1,1,0");
user_pref("noscript.policynames", "");
user_pref("noscript.showBaseDomain", false);
user_pref("noscript.showDomain", true);
user_pref("noscript.showGlobal", false);
user_pref("noscript.temp", "");
user_pref("noscript.toolbarToggle", 0);
user_pref("noscript.untrusted", "http://ad.de.doubleclick.net");
user_pref("noscript.version", "1.8.9.7");

What is wrong with this profile ?
Fx 24.4.0 the latest one
Tb 24.4.x the latest one
on different Windows platforms