[ext] NoScript 1.7 - Guardian of your Trust

Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

[ext] NoScript 1.7 - Guardian of your Trust

Post by Giorgio Maone »

There's a browser safer than Firefox...
...it is Firefox with NoScript


NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution plus unique anti-XSS protection.

CHANGELOG


Previous discussion
nagan
Posts: 125
Joined: April 23rd, 2008, 1:48 am

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by nagan »

Giorgio, can NoScript be available as a standalone exe (like shockwave plugin) rather than go to a site and install? This way I can have a user friendly standalone with me and upgrade and downgrade at will. By the way, most of the issues discussed in the previous users' posts work fine with 1.6.8, which I have.
VeryMellow
Posts: 5
Joined: June 20th, 2008, 1:11 pm

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by VeryMellow »

I hope this is the right place to post this:
I think NoScript should attempt to protect you against CSRF attacks such as false image GET requests (e.g. <img src="google.com/search?q=moo">) as well as having a form.submit in an onLoad event.
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by Giorgio Maone »

@nagan:
You can always use right+click, "Save link as..." over the XPI link and store it for later use.
If you need to install from your local file system, just drag & drop the XPI onto your browser window.
Recent releases are listed here.

@VeryMellow:
NoScript already protects you from cross-site POST requests from an untrusted site to a trusted one, which rules out the most dangerous CSRF attacks (those directed to form-guarded resources).
GET requests like those from IMG tags are harder to handle, because the user should decide and state which sites are allowed to link other sites: how does your example differ from a normal link to a google search result (which, BTW, could be automatically loaded without scripting also using a FRAME, an IFRAME or a META refresh)?
While I'm willing to offer such an option for advanced users, the most viable solution, even if quite far in the future and requiring web owner adoption, is SSP.
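
The rule described in the reply above, as an added example that is not part of the original post and is not NoScript's code: a simplified model that flags only a cross-site POST from an untrusted site to a trusted one, and shows why an IMG GET looks the same as an ordinary link at this level. The names `classify`, `isTrusted`, `TRUSTED`, the `intercept`/`pass` labels and all hostnames are assumptions made for illustration.

```javascript
// Simplified model of the rule in the post above; not NoScript's implementation.
// Assumption: a "site" is a hostname, and a whitelist entry covers its subdomains.
const TRUSTED = ["bank.example"]; // constructed whitelist

function isTrusted(host, whitelist) {
  return whitelist.some((w) => host === w || host.endsWith("." + w));
}

// "intercept": cross-site POST from an untrusted page to a trusted site.
// "pass": everything else, including every GET, whatever element issued it.
function classify(req, whitelist = TRUSTED) {
  const from = new URL(req.referrer).hostname;
  const to = new URL(req.url).hostname;
  const crossSite = from !== to;
  const isPost = req.method.toUpperCase() === "POST";
  if (isPost && crossSite && !isTrusted(from, whitelist) && isTrusted(to, whitelist)) {
    return "intercept";
  }
  return "pass";
}

// Constructed sample requests (hostnames are placeholders).
const SAMPLES = [
  { how: "form.submit in onLoad", method: "POST",
    referrer: "http://untrusted.example/page", url: "http://bank.example/transfer" },
  { how: "IMG tag", method: "GET",
    referrer: "http://untrusted.example/page", url: "http://bank.example/search?q=moo" },
  { how: "clicked link", method: "GET",
    referrer: "http://untrusted.example/page", url: "http://bank.example/search?q=moo" },
  { how: "same-site form", method: "POST",
    referrer: "http://bank.example/form", url: "http://bank.example/transfer" },
  { how: "trusted-to-trusted form", method: "POST",
    referrer: "http://www.bank.example/form", url: "http://pay.bank.example/transfer" },
];

// One line per sample: decision, method, and what issued the request.
function report(samples = SAMPLES) {
  return samples.map((s) => `${classify(s)} ${s.method} ${s.how}`);
}

console.log(report().join("\n"));
```

The IMG request and the clicked link produce identical inputs to `classify`, which is the difficulty the reply points out for GET.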
WaynePollock
Posts: 2
Joined: June 25th, 2008, 8:19 am

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by WaynePollock »

Bug report: scripts won't run on localhost with Firefox 3.

I've tested this by removing all other extensions and the problem persists.
I've tried the obvious, such as whitelisting localhost.
The problem was in the previous version as well (which was the current version when
I upgraded Firefox). The only setting that works is "allow scripts globally".

My System: Windows XP - SP 3, Sambar web server V6.4
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by Giorgio Maone »

@WaynePollock:
it's working fine for me, really.
Could you try upgrading to NoScript 1.7 and, if the problem persists, use NoScript Options|Reset?
fswl1234
Posts: 245
Joined: October 15th, 2003, 4:32 pm

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by fswl1234 »

I just updated and have some problems
1) output window of chatzilla doesn't show anything any more
2) temporarily allow http://somesite ends up reloading all the links instead of that site alone

anyone else?
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by Giorgio Maone »

@redhat71:
Problem #1: thanks, bug, fixing - you can turn the noscript.autoreload.allTabs about:config preference to false as a temporary work-around
Problem #2: does it still happen if you turn the noscript.forbidData about:config preference to true?
fswl1234
Posts: 245
Joined: October 15th, 2003, 4:32 pm

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by fswl1234 »

Giorgio Maone wrote:
@redhat71:
Problem #1: thanks, bug, fixing - you can turn the noscript.autoreload.allTabs about:config preference to false as a temporary work-around

doesn't seem to wfm, still blank
i'm opening chatzilla in browser tab as work-around

Giorgio Maone wrote:
Problem #2: does it still happen if you turn the noscript.forbidData about:config preference to true?

true is default, changing it to false seems to fix the problem

UPDATE:
sorry, obviously it's noscript.autoreload.allTabs false that fixed my 2nd problem
toggling noscript.forbidData doesn't seem to have an effect on the chatzilla problem
Last edited by fswl1234 on June 25th, 2008, 11:09 am, edited 1 time in total.
FireFoxFlame
Posts: 288
Joined: May 22nd, 2004, 2:33 pm
Location: Worming within the Big Apple

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by FireFoxFlame »

I've used this wonderful extension for quite some time and many revisions without a problem. However, I just updated to version 1.7, then, when I tried to access a Citibank account which is on my Whitelist, I triggered a notice that my browser blocked javascript...? I reverted back to 1.6.9.3 and resumed problem-free connection.

Advice/comments?
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by Giorgio Maone »

@FirefoxFlame:
what kind of notice, exactly?

@redhat71:
what's exactly blocked in Chatzilla? I've tried to open the main window and connect to irc.mozilla.org. The three panels (users, messages and input) are working fine for me.
fswl1234
Posts: 245
Joined: October 15th, 2003, 4:32 pm

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by fswl1234 »

tried reset noscript then restart, same problem (in 1.7.1 as well)

ps: the last part "Build identifier: blahblahblah" is missing in about:
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by Giorgio Maone »

@redhat71:
OK, I managed to reproduce the Chatzilla "blank" issue on Firefox 2.0.0.14.
You can work around it either by turning noscript.forbidData to false or by (temporarily) allowing file://
I'm not 100% sure of the reason, but this problem does not happen on Firefox 3.
fswl1234
Posts: 245
Joined: October 15th, 2003, 4:32 pm

Re: [ext] NoScript 1.7 - Guardian of your Trust

Post by fswl1234 »

file:// did it, thanks