[ext] NoScript 1.4 - Lord of Plugins

Giorgio Maone · Post by **Giorgio Maone** » February 15th, 2008, 9:05 am

There's a browser safer than Firefox...
...it is Firefox with <a href="http://www.noscript.net" title="Have a safer Firefox with NoScript"><img alt="NoScript" src="http://noscript.net/noscript/logo.png"></a>!

NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution plus unique anti-XSS protection.

CHANGELOG

Previous discussion

niko322 · Post by **niko322** » February 15th, 2008, 9:20 am

hi
when "Turn cross-site POST requests into data less GET requests" is on then ,
stumbleupon discovery window disappear ,what should i put into Anti-XSS exception list ?

to make noscript & stumbleupon work properly

from error console:

[NoScript XSS] Sanitized suspicious upload to [http://www.stumbleupon.com/newurl.php] from [http://www.stumbleupon.com/newurl.php]: transformed into a download-only GET request.

Error: urchinTracker is not defined
Source File: http://www.stumbleupon.com/newurl.php
Line: 47

noend7 · Post by **noend7** » February 15th, 2008, 10:13 am

Not sure if this is how to post a new topic but...

Using NS1.4 and it's predecessor on my machine, I suddenly cannot access a key trusted site for me - the Checkfree bill payment adjunct to my bank site. I have no trouble getting in with IE, but my updated Firefox 2.0.0.12 with NS 1.4 can't access the site.

I've got checkfreeweb.com, estara.com, and https://cw11.checkfreeweb.com all on my whitelist. I even get bounced when I choose to let scripts run globally.

Noscript doesn't seem to give any listing anywhere I can find of ancillary sites to checkfree trying to execute scripts, so I'm totally stumped!

Any ideas, suggestions?

TIA

noend7

Giorgio Maone · Post by **Giorgio Maone** » February 15th, 2008, 10:20 am

@niko322:
that's extremely odd: I cannot reproduce it in any way, and the following lines in noscriptService.js, executed before the POST XSS checks, should absolutely prevent this from happening:

Code: Select all

4160 if (originSite == targetSite && 
4161       (injectionCheck < 3 || channel.requestMethod != "GET") 
4162      ) return; // same origin, fast return

Can you reproduce with 1.4, on a clean profile and/or after a NoScript Options|Reset?

noend7 · Post by **noend7** » February 15th, 2008, 10:23 am

Don't know, but I'll try it and let you know

L.A.R. Grizzly · Post by **L.A.R. Grizzly** » February 15th, 2008, 11:03 am

Giorgio Maone wrote:@L.A.R. Grizzly: Temporary permissions should be wiped out at the end of session as it's always been, the "Revoke temporary permissions" command did not change this feature. Could you upgrade to to 1.4, and if the problem is unchanged, try NoScript Options|Reset?

I completely uninstalled v1.3.2. I did notice that after uninstallation, NoScript settings remained in my prefs.js file. I edited all references to NoScript from my prefs.js file. I installed v1.4, imported my Whitelist and the problem of the Temporary Permissions not clearing on restart has been resolved. Thank you!

noend7 · Post by **noend7** » February 15th, 2008, 11:08 am

Did a reset then retried. After setting permissions for the sites NS listed, I retried but there's no change. Still no access. I'll check the prefs.js file

noend7

noend7 · Post by **noend7** » February 15th, 2008, 11:20 am

Giorgio,

I'm no expert on web-page code, but it may very well be that
<https>
is calling another page/site to do the work. In that page's code, there are several links to <https>
which is also permitted and whitelisted. So origin and target may not be identical. FWIW

noend7

niko322 · Post by **niko322** » February 15th, 2008, 11:22 am

@Giorgio

the Reset button fixed the problem thx.

Giorgio Maone · Post by **Giorgio Maone** » February 15th, 2008, 11:33 am

@noend7:
The "Reset" advice was for niko322, not for you.

I tried opening https://cw11.checkfreeweb.com and even http://cw11.checkfreeweb.com on my default Firefox, on a clean Firefox profile and even with IE7, but I can't connect.
I even tried to connect through a TOR proxy, to rule out geographic issues.
http://www.checkfreeweb.com does work, though: are you sure the URL above is correct?
If so, can you see any error message in Tools|Error Console?

noend7 · Post by **noend7** » February 15th, 2008, 12:52 pm

Apologies if I led you wrong! The correct link is:

<https://cw411.checkfreeweb.com/cw411/wps?rq=...>

And now an hour after my last try, it works fine!

Sorry for the waste of time, although the reset may have helped.

Thanks all

noend7

chconnor · Post by **chconnor** » February 15th, 2008, 11:34 pm

Hi - is there a key command to toggle "allow scripts globally"? It'd be nice.
-c

kustomrides · Post by **kustomrides** » February 15th, 2008, 11:50 pm

Unable to play from youtube site, directly, but able to play those vids embedded.

This message:

Hello, you either have JavaScript turned off or an old version of Adobe's Flash Player.

I have already installed th latest Flash. It works fine in all other browsers. WILL work in Firefox IF I disable NoScript.

Soul Stealer · Post by **Soul Stealer** » February 16th, 2008, 5:34 am

@ kustomrides - do you have both youtube and ytimg allowed? You need to.

AntiSane · Post by **AntiSane** » February 16th, 2008, 4:23 pm

Same problem, any clues to a fix?

kustomrides wrote:Unable to play from youtube site, directly, but able to play those vids embedded.

This message:

Hello, you either have JavaScript turned off or an old version of Adobe's Flash Player.

I have already installed th latest Flash. It works fine in all other browsers. WILL work in Firefox IF I disable NoScript.

[ext] NoScript 1.4 - Lord of Plugins

[ext] NoScript 1.4 - Lord of Plugins

Still no fix for Youtube vids?

Re: Still no fix for Youtube vids?