[ext] NoScript 1.7 - Guardian of your Trust
- Giorgio Maone
- Posts: 3516
- Joined: September 21st, 2004, 12:05 am
- Location: Palermo - Italy
- Contact:
[ext] NoScript 1.7 - Guardian of your Trust
There's a browser safer than Firefox...
...it is Firefox with
NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution plus unique anti-XSS protection.
CHANGELOG
Previous discussion
...it is Firefox with
NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution plus unique anti-XSS protection.
CHANGELOG
Previous discussion
-
- Posts: 125
- Joined: April 23rd, 2008, 1:48 am
Re: [ext] NoScript 1.7 - Guardian of your Trust
Giorgio, can Noscript be available as a standalone exe (like shockwave plugin) rather than go to a site and install.This way I can have a user friendly standalone with me and upgrade and downgrade at will.By the way most of the issues discussed in the previous users posts work fine with 1.6.8 which I have.
-
- Posts: 5
- Joined: June 20th, 2008, 1:11 pm
Re: [ext] NoScript 1.7 - Guardian of your Trust
I hope this is the right place to post this:
I think NoScript should attempt to protect you against CSRF attacks such as false image get requests (eg <img src="google.com/search?q=moo">) as well as having a form.submit in a onLoad event.
I think NoScript should attempt to protect you against CSRF attacks such as false image get requests (eg <img src="google.com/search?q=moo">) as well as having a form.submit in a onLoad event.
- Giorgio Maone
- Posts: 3516
- Joined: September 21st, 2004, 12:05 am
- Location: Palermo - Italy
- Contact:
Re: [ext] NoScript 1.7 - Guardian of your Trust
@nagan:
You can always use right+click, "Save link as..." over the XPI link and store it for later use.
If you need to install from your local file system, just drag & drop the XPI onto your browser window.
Recent releases are listed here.
@VeryMellow:
NoScript already protects you from cross-site POST requests from an untrusted site to a trusted one, which rules out the most dangerous CSRF attacks (those directed to form-guarded resources).
GET requests like those from IMG tags are harder to handle, because user should decide and state which sites are allowed to link other sites: how does your example differs from a normal link to a google search result (which, BTW, could be automatically loaded without scripting also using a FRAME, and IFRAME or a META refresh)?
While I'm willing to offer such an option for advanced user, the most viable solution, even if quite far in future and requiring web owner adoption, is SSP.
You can always use right+click, "Save link as..." over the XPI link and store it for later use.
If you need to install from your local file system, just drag & drop the XPI onto your browser window.
Recent releases are listed here.
@VeryMellow:
NoScript already protects you from cross-site POST requests from an untrusted site to a trusted one, which rules out the most dangerous CSRF attacks (those directed to form-guarded resources).
GET requests like those from IMG tags are harder to handle, because user should decide and state which sites are allowed to link other sites: how does your example differs from a normal link to a google search result (which, BTW, could be automatically loaded without scripting also using a FRAME, and IFRAME or a META refresh)?
While I'm willing to offer such an option for advanced user, the most viable solution, even if quite far in future and requiring web owner adoption, is SSP.
-
- Posts: 2
- Joined: June 25th, 2008, 8:19 am
Re: [ext] NoScript 1.7 - Guardian of your Trust
Bug report: scripts won't run on localhost with Firefox 3.
I've tested this by removing all other extensions and the problem persists.
I've tried the obvious, such as whitelisting localhost.
The problem was in the previous version as well (which was the current version when
I upgraded Firefox). The only setting that works is "allow scripts globally".
My System: Windows XP - SP 3, Sambar web server V6.4
I've tested this by removing all other extensions and the problem persists.
I've tried the obvious, such as whitelisting localhost.
The problem was in the previous version as well (which was the current version when
I upgraded Firefox). The only setting that works is "allow scripts globally".
My System: Windows XP - SP 3, Sambar web server V6.4
- Giorgio Maone
- Posts: 3516
- Joined: September 21st, 2004, 12:05 am
- Location: Palermo - Italy
- Contact:
Re: [ext] NoScript 1.7 - Guardian of your Trust
@WaynePollock:
it's working fine for me, really.
Could you try upgrading to NoScript 1.7 and, if the problem persist, use NoScript Options|Reset?
it's working fine for me, really.
Could you try upgrading to NoScript 1.7 and, if the problem persist, use NoScript Options|Reset?
- fswl1234
- Posts: 245
- Joined: October 15th, 2003, 4:32 pm
Re: [ext] NoScript 1.7 - Guardian of your Trust
i just update have some problems
1) output window of chatzilla doesn't show anything any more
2) temporarily allow http://somesite ends up reloading all the links instead of that site alone
anyone else?
1) output window of chatzilla doesn't show anything any more
2) temporarily allow http://somesite ends up reloading all the links instead of that site alone
anyone else?
- Giorgio Maone
- Posts: 3516
- Joined: September 21st, 2004, 12:05 am
- Location: Palermo - Italy
- Contact:
Re: [ext] NoScript 1.7 - Guardian of your Trust
@redhat71:
Problem #1: thanks, bug, fixing - you can turn noscript.autoreload.allTabs about:config preference to false as a temporary work-around
Problem #2: does it still happens if you turn the noscript.forbidData about:config preference to true?
Problem #1: thanks, bug, fixing - you can turn noscript.autoreload.allTabs about:config preference to false as a temporary work-around
Problem #2: does it still happens if you turn the noscript.forbidData about:config preference to true?
- fswl1234
- Posts: 245
- Joined: October 15th, 2003, 4:32 pm
Re: [ext] NoScript 1.7 - Guardian of your Trust
Giorgio Maone wrote:@redhat71:
Problem #1: thanks, bug, fixing - you can turn noscript.autoreload.allTabs about:config preference to false as a temporary work-around
doesn't seem to wfm, still blank
i'm opening chatzilla in browser tab as work-around
Problem #2: does it still happens if you turn the noscript.forbidData about:config preference to true?
true is default, changing it to false seems to fix the problem
UPDATE:
sorry, obviously it's noscript.autoreload.allTabs false that fixed my 2nd problem
toggling noscript.forbidData doesn't seem to have an affect on the chatzilla problem
Last edited by fswl1234 on June 25th, 2008, 11:09 am, edited 1 time in total.
-
- Posts: 288
- Joined: May 22nd, 2004, 2:33 pm
- Location: Worming within the Big Apple
Re: [ext] NoScript 1.7 - Guardian of your Trust
I've used this wonderful extension for quite some time and many revisions without a problem. However, I just updated to version 1.7, then, when I tried to access a Citibank account which is on my Whitelist, I triggered a notice that my browser blocked javascript...? I reverted back to 1.6.9.3 and resumed problem-free connection.
Advice/comments?
Advice/comments?
- Giorgio Maone
- Posts: 3516
- Joined: September 21st, 2004, 12:05 am
- Location: Palermo - Italy
- Contact:
Re: [ext] NoScript 1.7 - Guardian of your Trust
@FirefoxFlame:
what kind of notice, exactly?
@redhat71:
what's exactly blocked in Chatzilla? I've tried to open the main window and connect to irc.mozilla.org. The three panels (users, messages and input) are working fine for me.
what kind of notice, exactly?
@redhat71:
what's exactly blocked in Chatzilla? I've tried to open the main window and connect to irc.mozilla.org. The three panels (users, messages and input) are working fine for me.
- fswl1234
- Posts: 245
- Joined: October 15th, 2003, 4:32 pm
- fswl1234
- Posts: 245
- Joined: October 15th, 2003, 4:32 pm
Re: [ext] NoScript 1.7 - Guardian of your Trust
tried reset noscript then restart, same problem (in 1.7.1 as well)
ps: the last part "Build identifier: blahblahblah" is missing in about:
ps: the last part "Build identifier: blahblahblah" is missing in about:
- Giorgio Maone
- Posts: 3516
- Joined: September 21st, 2004, 12:05 am
- Location: Palermo - Italy
- Contact:
Re: [ext] NoScript 1.7 - Guardian of your Trust
@redhat71:
OK, I managed to reproduce the Chatzilla "blank" issue on Firefox 2.0.0.14.
You can work around it either by turning noscript.forbidData to false or by by (temporarily) allowing file://
I'm not 100% sure of the reason, but this problem does not happen on Firefox 3.
OK, I managed to reproduce the Chatzilla "blank" issue on Firefox 2.0.0.14.
You can work around it either by turning noscript.forbidData to false or by by (temporarily) allowing file://
I'm not 100% sure of the reason, but this problem does not happen on Firefox 3.
- fswl1234
- Posts: 245
- Joined: October 15th, 2003, 4:32 pm
Re: [ext] NoScript 1.7 - Guardian of your Trust
file:// did it, thanks