[Alan Baxter]

@khms:
I use the JSView extension for that. It also makes it easy to examine the code of the external script, at least whatever the code happens to be at the time you examine it.

[Alan Baxter]

@kolermigon:
OK. Your reasonably toned followup shows you weren't trolling, but more frustrated.

lots of bugfix releases could be avoided if tested long enough.

Good point. The NoScript 1.8.1 release was problematic for several people. Alternative beta testing methodologies might be worth discussing here -- especially since Giorgio winds up having to do all the work anyhow.

A core issue is the compromise between long-term testing and quick release in response to a browser vulnerability.
http://noscript.net/faq#qa2_6

NoScript is a security software, hence its users expect it to do every effort to keep their browsing experience as safe as it can be, always.
This means that every time a new browser weakness is reported, a new kind of web threat is discovered or a bug is found in NoScript itself (hey, no software is perfect!), NoScript is immediately updated to react as needed.

Giorgio does quite a bit of testing himself before release, but it's obvious he can't catch everything. Perhaps it would have been better if NoScript 1.8.1 had been released with the new feature turned off by default, as it is in 1.8.1.3, and marked Experimental. After a longer period of use and then only if deemed appropriate for general use, it could be turned on by default. Sort of similar to the iframe blocking which is disabled by default.

Alternative effective testing methods are used by some other extensions, but I don't have time to list them now.

Edits: Fixed 1.8.1.3 version number and misspelling

[C@rb0n]

Should this have occurred?

[NoScript XSS] Sanitized suspicious request. Original URL [https://wiki.mozilla.org/JavaScript:TraceMonkey] requested from [http://www.osnews.com/]. Sanitized URL: [https://wiki.mozilla.org/JavaScript%20TraceMonkey#9943396141060536171].

Doesn't look at all menacing to me.

[yitzhakbg]

Web syncing with EverNote causes NoScript to report a suspected XSS attack. I reported this to EverNote (support case 22309) and received the following response:

Hello,

Please know that the recent versions of the NoScript add-on to Firefox 3 are incompatible with Evernote. We recommend disabling NoScript until you resolve your issues.

Thank you,
-Evernote Support

[mozilliner]

With the version 1.8.1.3 of noscript the sites of http://view.stern.de can't be used. What can I do?

[Giorgio Maone]

@khms
For that movie to work permanently you need both code.google.com and http://www.youtube.com in your whitelist.
That's to prevent Flash-based XSS, i.e. an untrusted site embedding a movie from a trusted site to interact with the latter in a malicious way.

@useSVGnotSWF:
Try to put the following in about:config keyword.URL:

Code: Select all

http://toolz.hackademix.net/redir/#https%3A%2F%2Fssl.scroogle.org%2Fcgi-bin%2Fnbbwssl.cgi!Gw=


You need to allow toolz.hackademix.net, though, but you can copy its code to a domain you trust if you prefer so (it's all client side).
Check http://toolz.hackademix.net/redir/ for more info about its anonymity.

@C@arbon:
that's triggered by "JavaScript:TraceMonkey" being a valid javascript: URL. Next version will be more accurate in assessing the payload, i.e. it will check also if "(" or "=" follow the "JavaScript:" prefix.

@yitzhakbg:
I'm investigating. In the meanwhile, could you:

1. Send me the [NoScript XSS] lines you get in Tools|Error Console when it happens
2. Check if the problem persists with 1.8.1.5?

@mozilliner:
If you mean the slideshow, it's working for me as soon as I allow "stern.de"

[mozilliner]

@mozilliner:
If you mean the slideshow, it's working for me as soon as I allow "stern.de" [/quote]

I don't mean the slideshow of "view.stern.de". Click on a picture of the slideshow. Then you see a mail-Icon at the top right site to send the picture by mail, but nothing happens by clicking on this icon. After deactivating NoScript it works.

[Giorgio Maone]

@mozilliner:
The email button is disabled for me, I supposed because I'm not logged in (it does not work on IE either).
The only two buttons enabled (one has a "forbid" sign on it, the other is a zoom) do work for me.
Are you sure you were logged in when you tried?

[khms]

@khms
For that movie to work permanently you need both code.google.com and http://www.youtube.com in your whitelist.
That's to prevent Flash-based XSS, i.e. an untrusted site embedding a movie from a trusted site to interact with the latter in a malicious way.

Hmm ... no, that doesn't work for me. I only get the placeholder. The only way I avoid the placeholder is by temporarily enabling

Code: Select all

*@http://www.youtube.com

or

Code: Select all

shockwave-flash@http://www.youtube.com

(or everything, of course), and I can't permanently enable anything with that syntax.

[Giorgio Maone]

@khms:
have you got "Apply these restrictions to trusted sites as well" checked in your NoScript Options|Plugins panel?
If so, there's currently no way to permanently whitelist plugin objects.

[khms]

@khms:
have you got "Apply these restrictions to trusted sites as well" checked in your NoScript Options|Plugins panel?
If so, there's currently no way to permanently whitelist plugin objects.

Yes.

Hmm.

Will there be such a way in the future? Or is there a good reason why this should not work?

[Giorgio Maone]

@khms:
there will be likely a way in the future. The main reasons for it not being there yet are 1) performance (it should use a separate and more complex whitelist, taking in account both the embedding page and the content origin); 2) lack of an UI to configure and mantain it.
Both these aspectS are being taken care of in the work towards NoScript 2.x.

[mozilliner]

@mozilliner:
The email button is disabled for me, I supposed because I'm not logged in (it does not work on IE either).
The only two buttons enabled (one has a "forbid" sign on it, the other is a zoom) do work for me.
Are you sure you were logged in when you tried?

Sorry, please try the double arrows down the rigth of the picture or any other symbol, which shows in the statusbar a text beginning with "javascript." when the mouse move over a symbol.

[Giorgio Maone]

@mozilliner:
OK, found it: GoogleAnalytics being disabled and scripts referencing it being intermixed with the "real" functionality.
You can either enable googleanalytics.com or, if you prefer, set the following two about:config preferences to fool stern.de into believing GA is there.

noscript.jsHack:

Code: Select all

_0=function(){};with(window)urchinTracker=_0,pageTracker={_setDomainName:_0,_trackPageview:_0}


noscript.jsHackRegExp:

Code: Select all

^http://view\.stern\.de/


[Giorgio Maone]

@yitzhakbg:
I installed EverNote and tried it.
There's no chance for it to work with NoScript because of the way EverNote's uploads are currently implemented: they injects tons of 3rd party scripts inside the page you're trying to scrap (e.g. evernote.com, jquery.com, googleapi.com and even googleanalytics.com) and obviously cannot work either if the page in question is itself not whitelisted.
Since there are many easy ways for an extension to accomplish the same simple task (uploading a form to a server) without touching web content pages or requiring content JavaScript to be enabled, I believe it's EverNote responsibility to implement its functionality in a more security-friendly way.