[ext] NoScript 1.9 - Your Friendly Web Cop
- Giorgio Maone
- Posts: 3516
- Joined: September 21st, 2004, 12:05 am
- Location: Palermo - Italy
- Contact:
[ext] NoScript 1.9 - Your Friendly Web Cop
There's a browser safer than Firefox...
...it is Firefox with
NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution and the most powerful anti-XSS and anti-Clickjacking protection.
CHANGELOG
Previous discussion
-
- Posts: 15
- Joined: January 21st, 2008, 6:35 am
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
Noscript 2.0, here we come!
BTW: http://noscript.net/forum needs to be updated.
BTW2:
When trying to send a file named "test.test (test).txt" through meebo (when having the contact as a popup window):
Code:
[NoScript XSS] Sanitized suspicious request. Original URL [https://www.meebo.com/getfile.html?filetype=text%2Fplain%3B+charset%3Dus-ascii&filename=test.test+%28test%29.txt&filesize=4&domain=www.meebo.com&fileid=0827095075] requested from [http://ec2-67-202-14-4.z-1.compute-1.amazonaws.com/scripts/upload_file_ft.py]. Sanitized URL: [https://www.meebo.com/getfile.html?filetype=text/plain%3B+charset%20us-ascii&fileNAME=test.test+%20test%20.txt&filesize=4&domain=www.meebo.com&fileid=0827095075#14182912952982774857].
The warning (message bar) is just shown for a second, I guess it disappears because the iframe is reloaded.
Last edited by dhouwn on January 31st, 2009, 9:32 am, edited 1 time in total.
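The NoScript message quoted in the post above can be taken apart mechanically to see which request parameters the filter rewrote and whether the request crossed sites. This is an added example, not part of the thread and not NoScript's own code; the function names are hypothetical and the message layout is assumed from that one quoted line.

```python
import re
from urllib.parse import urlsplit

# Log line quoted in the post above, split across literals for readability.
LOG = (
    "[NoScript XSS] Sanitized suspicious request. Original URL "
    "[https://www.meebo.com/getfile.html?filetype=text%2Fplain%3B+charset%3Dus-ascii"
    "&filename=test.test+%28test%29.txt&filesize=4&domain=www.meebo.com&fileid=0827095075] "
    "requested from [http://ec2-67-202-14-4.z-1.compute-1.amazonaws.com/scripts/upload_file_ft.py]. "
    "Sanitized URL: [https://www.meebo.com/getfile.html?filetype=text/plain%3B+charset%20us-ascii"
    "&fileNAME=test.test+%20test%20.txt&filesize=4&domain=www.meebo.com&fileid=0827095075"
    "#14182912952982774857]."
)

# Layout assumed from the single message quoted in the thread.
PATTERN = re.compile(
    r"\[NoScript XSS\] Sanitized suspicious request\. Original URL \[(?P<orig>[^\]]+)\] "
    r"requested from \[(?P<referrer>[^\]]+)\]\. Sanitized URL: \[(?P<clean>[^\]]+)\]"
)

def raw_pairs(url):
    """Split the query into (name, value) pairs without percent-decoding."""
    query = urlsplit(url).query
    return [tuple(p.partition("=")[::2]) for p in query.split("&") if p]

def diff_sanitized(line):
    """Report which parameter names/values differ between original and sanitized URL."""
    m = PATTERN.search(line)
    if m is None:
        raise ValueError("not a NoScript XSS sanitization message")
    changes = []
    for (k0, v0), (k1, v1) in zip(raw_pairs(m["orig"]), raw_pairs(m["clean"])):
        if k0 != k1:
            changes.append(("name", k0, k1))
        if v0 != v1:
            changes.append(("value", v0, v1))
    ref, target = urlsplit(m["referrer"]), urlsplit(m["orig"])
    return {
        # The filter acted on a request whose origin differs from its target.
        "cross_site": (ref.scheme, ref.netloc) != (target.scheme, target.netloc),
        "fragment_added": urlsplit(m["clean"]).fragment != urlsplit(m["orig"]).fragment,
        "changes": changes,
    }

if __name__ == "__main__":
    for kind, before, after in diff_sanitized(LOG)["changes"]:
        print(f"{kind}: {before!r} -> {after!r}")
```

For this message the diff shows the encoded brackets of the file name replaced by `%20`, which is why renaming the file avoids the warning.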
- Giorgio Maone
- Posts: 3516
- Joined: September 21st, 2004, 12:05 am
- Location: Palermo - Italy
- Contact:
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
@dhouwn:
thanks for the pointer about the forum.
That file name is no good. Please remove those round brackets.
-
- Posts: 4419
- Joined: May 30th, 2005, 2:01 pm
- Location: Colorado, USA
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
RefreshBlocker for Firefox 3 has finally been released.
https://addons.mozilla.org/en-US/firefox/addon/992
In Firefox 2, both Giorgio and I recommended the RefreshBlocker extension for controlling automatic page reloads caused by the refresh parameter of the META tag element. Unfortunately, the internal changes in Firefox 3 prevented this extension from working. The developer released a version which works in Firefox 3 on Jan 3. I've been using it again for over three weeks, and it seems to work as well as it did in Firefox 2.
Woo hoo!
- therube
- Posts: 21835
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
re: ClearClick warning from this post, viewtopic.php?p=5629455#p5629455.
could you tell me the page of the ClearClick thing?
http://photobucket.com/
I had logged in.
Upload 1 screenshot.
Then uploaded a second.
On the second, I received the ClearClick warning.
I was using the "new uploader" as opposed to the "bulk" or "old" version.
If I recall correctly, the warning appeared after the file had already uploaded & as/after the photobucket "Add titles, descriptions and tags to images below" page was/had loaded.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- therube
- Posts: 21835
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
Might there not be something that is causing 1.9 to show (partially) broken https: sessions?
(I'll investigate a bit more in a little while ... - as it could be something with SeaMonkey 2 too.)
- Giorgio Maone
- Posts: 3516
- Joined: September 21st, 2004, 12:05 am
- Location: Palermo - Italy
- Contact:
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
@therube:
The ClearClick photobucket thing: I can't reproduce it, but did you say it's been just one shot?
Maybe it's been a race condition where the image was not loaded yet in one screenshot and was there in the other.
Regarding the HTTPS issue, I strongly doubt it's something NoScript related, but could you tell me where you can see it happening?
- therube
- Posts: 21835
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
Yes, the ClearClick photobucket happened only the one time.
And yes, the broken https: warnings look to be a Gecko > 1.9.1 issue - not related to NoScript.
It happens both in SeaMonkey 1.9.1 & FF 1.9.2.
(It is either a false broken https: warning, or the warning is legit & not being acknowledged by Gecko < 1.9.1.)
(PS: Seeing this https: issue at http://www.staples.com/. Once I've begun "secure" checkout, if I then go to "Add/Edit Coupons", I'll get the https: warning.)
-
- Posts: 1
- Joined: January 31st, 2009, 12:26 pm
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
At http://blog.zap2it.com I tried to enter a comment. I got this response:
"As a measure to prevent automated posting by robots, JavaScript is required. Please enable it in your browser's settings and resubmit your comment."
The address listed for the response was http://www.typepad.com/t/comments
This address (typepad.com) isn't on the blog.zap2it.com page where I tried to enter the comment. That happened to be the necessary site to add to the whitelist to enable posting my comment, so I have no current problem. But what if the necessary site wasn't the one listing the error? Some sort of "Temporarily allow all this click" context menu option counterpart to "Temporarily allow all this page" might be in order. (Or I'd be happy -- happier, even -- with a "Trace all this click" option so I could look at all the web sites and try just one site at a time.)
-
- Posts: 15
- Joined: January 21st, 2008, 6:35 am
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
Is ClearClick always alerting when CSS transforms are used?
Example:
Try to search something at
https://developer.mozilla.org/@api/deki ... ample.html
- Giorgio Maone
- Posts: 3516
- Joined: September 21st, 2004, 12:05 am
- Location: Palermo - Italy
- Contact:
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
@dhouwn:
not always, but it's very likely (especially on chromatic transformation).
However it happens only on cross-site transforms (obviously).
@Curmudgeon:
I get your point, but it's very complicated to implement
- therube
- Posts: 21835
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
Cool.
Note that it does not skew in Gecko < 1.9.0.
(Also note the unauthenticated content warning - or not - generated depending upon Gecko version. In this case, the icon does change. That is different from what I described above. And OT too.)
-
- Posts: 5
- Joined: January 2nd, 2009, 9:37 pm
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
The XSS protection is very annoying whenever I try to use evernote add-on. And apparently I can't make it an exception simply by adding it to whitelisted sites. It doesn't work when I also whitelist the site I'm trying to take a clip from either.
I think you should either put an option like "disable xss for whitelisted sites" or make it easier to make exceptions for XSS. Cause I have no idea what those regular expressions are and I won't learn them just to make no-script work.
By the way, can you show me how to add http://www.evernote.com/clip.action to XSS exception list for the time being?
- Giorgio Maone
- Posts: 3516
- Joined: September 21st, 2004, 12:05 am
- Location: Palermo - Italy
- Contact:
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
@bbbux:
are you sure you're using latest NoScript version?
It's since 1.8.9.6 (5 builds and 2 stable versions ago) that we've got specific code to work around the Evernote's troubles (which however should have been fixed by Evernote: Google Notebook doesn't require any work around to work with NoScript).
-
- Posts: 5
- Joined: January 2nd, 2009, 9:37 pm
Re: [ext] NoScript 1.9 - Your Friendly Web Cop
Yes, I'm sure I'm using version 1.9 as of today