MozillaZine

[ext] NoScript 1.9 - Your Friendly Web Cop

Announce and Discuss the Latest Theme and Extension Releases.
Giorgio Maone

Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Posted January 31st, 2009, 7:29 am

There's a browser safer than Firefox...
...it is Firefox with Image



NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution and the most powerful anti-XSS and anti-Clickjacking protection.

CHANGELOG


Previous discussion

dhouwn
 
Posts: 15
Joined: January 21st, 2008, 6:35 am

Posted January 31st, 2009, 9:23 am

Noscript 2.0, here we come!

BTW: http://noscript.net/forum needs to be updated.

BTW2:
When trying to send a file named "test.test (test).txt" through meebo (when having the contact as a popup window):
Code:
[NoScript XSS] Sanitized suspicious request. Original URL [https://www.meebo.com/getfile.html?filetype=text%2Fplain%3B+charset%3Dus-ascii&filename=test.test+%28test%29.txt&filesize=4&domain=www.meebo.com&fileid=0827095075] requested from [http://ec2-67-202-14-4.z-1.compute-1.amazonaws.com/scripts/upload_file_ft.py]. Sanitized URL: [https://www.meebo.com/getfile.html?filetype=text/plain%3B+charset%20us-ascii&fileNAME=test.test+%20test%20.txt&filesize=4&domain=www.meebo.com&fileid=0827095075#14182912952982774857].
The warning (message bar) is just shown for a second, I guess it disappears because the iframe is reloaded.
Last edited by dhouwn on January 31st, 2009, 9:32 am, edited 1 time in total.
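
To see exactly what the filter rewrote in a log line like the one quoted in the post above, here is an added example (not part of the thread and not NoScript's own code) that parses the console message and lists the query parameters that differ between the original and the sanitized URL. The function names are hypothetical; the sample line is the one from the post.

```javascript
// Matches the "[NoScript XSS]" console message format quoted in the post.
const LOG_RE = /^\[NoScript XSS\] Sanitized suspicious request\. Original URL \[(.*?)\] requested from \[(.*?)\]\. Sanitized URL: \[(.*?)\]\.$/;

// The log line from the post, embedded so the example runs offline.
const SAMPLE = '[NoScript XSS] Sanitized suspicious request. Original URL [https://www.meebo.com/getfile.html?filetype=text%2Fplain%3B+charset%3Dus-ascii&filename=test.test+%28test%29.txt&filesize=4&domain=www.meebo.com&fileid=0827095075] requested from [http://ec2-67-202-14-4.z-1.compute-1.amazonaws.com/scripts/upload_file_ft.py]. Sanitized URL: [https://www.meebo.com/getfile.html?filetype=text/plain%3B+charset%20us-ascii&fileNAME=test.test+%20test%20.txt&filesize=4&domain=www.meebo.com&fileid=0827095075#14182912952982774857].';

// Split the raw query string into [name, value] pairs, keeping order and
// leaving '+' untouched so only the filter's own rewrites show up.
function rawParams(url) {
  const query = url.split('#')[0].split('?')[1] || '';
  return query.split('&').filter(Boolean).map(pair => {
    const i = pair.indexOf('=');
    return i < 0 ? [pair, ''] : [pair.slice(0, i), pair.slice(i + 1)];
  });
}

// Percent-decode, tolerating malformed escapes.
function decode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Returns null for lines that are not NoScript XSS messages.
function diffSanitized(line) {
  const m = LOG_RE.exec(line.trim());
  if (!m) return null;
  const [, original, requester, sanitized] = m;
  const before = rawParams(original);
  const after = rawParams(sanitized);
  const changes = [];
  before.forEach(([name, value], i) => {
    const [newName, newValue] = after[i] || [undefined, ''];
    const from = decode(value);
    const to = decode(newValue);
    if (name !== newName || from !== to) changes.push({ name, newName, from, to });
  });
  return {
    // The filter only acts on requests that cross site boundaries.
    crossSite: new URL(requester).host !== new URL(original).host,
    fragmentAdded: !original.includes('#') && sanitized.includes('#'),
    changes,
  };
}

console.log(JSON.stringify(diffSanitized(SAMPLE), null, 2));
```

For this line the report shows two rewritten parameters: the `=` inside the `filetype` value and the round brackets in the file name were replaced with spaces, and the `filename` key was changed to `fileNAME`.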

Giorgio Maone

Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Posted January 31st, 2009, 9:32 am

@dhouwn:
thanks for the pointer about the forum.
That file name is no good. Please remove those round brackets.

Alan Baxter
 
Posts: 4419
Joined: May 30th, 2005, 2:01 pm
Location: Colorado, USA

Posted January 31st, 2009, 9:47 am

RefreshBlocker for Firefox 3 has finally been released.
https://addons.mozilla.org/en-US/firefox/addon/992

In Firefox 2, both Giorgio and I recommended the RefreshBlocker extension for controlling automatic page reloads caused by the refresh parameter of the META tag element. Unfortunately, the internal changes in Firefox 3 prevented this extension from working. The developer released a version which works in Firefox 3 on Jan 3. I've been using it again for over three weeks, and it seems to work as well as it did in Firefox 2.

Woo hoo!

therube

Posts: 16898
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Posted January 31st, 2009, 9:48 am

re: ClearClick warning from this post, viewtopic.php?p=5629455#p5629455.

could you tell me the page of the ClearClick thing?

http://photobucket.com/

I had logged in.
Upload 1 screenshot.
Then uploaded a second.

On the second, I received the ClearClick warning.

I was using the "new uploader" as opposed to the "bulk" or "old" version.

If I recall correctly, the warning appeared after the file had already uploaded & as/after the photobucket "Add titles, descriptions and tags to images below" page was/had loaded.

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

therube

Posts: 16898
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Posted January 31st, 2009, 10:28 am

Might there not be something that is causing 1.9 to show (partially) broken https: sessions?

(I'll investigate a bit more in a little while ... - as it could be something with SeaMonkey 2 too.)

Giorgio Maone

Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Posted January 31st, 2009, 10:40 am

@therube:
The ClearClick photobucket thing: I can't reproduce it, but did you say it's been just one shot?
Maybe it's been a race condition where the image was not loaded yet in one screenshot and was there in the other.

Regarding the HTTPS issue, I strongly doubt it's something NoScript related, but could you tell me where you can see it happening?

therube

Posts: 16898
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Posted January 31st, 2009, 10:50 am

Yes, the ClearClick photobucket happened only the one time.

And yes, the broken https: warnings look to be a Gecko > 1.9.1 issue - not related to NoScript.
It happens both in SeaMonkey 1.9.1 & FF 1.9.2.
(It is either a false broken https: warning, or the warning is legit & not being acknowledged by Gecko < 1.9.1.)

(PS: Seeing this https: issue at http://www.staples.com/. Once I've begun "secure" checkout, if I then go to "Add/Edit Coupons", I'll get the https: warning.)

Curmudgeon3
 
Posts: 1
Joined: January 31st, 2009, 12:26 pm

Posted January 31st, 2009, 12:42 pm

At http://blog.zap2it.com I tried to enter a comment. I got this response:

"As a measure to prevent automated posting by robots, JavaScript is required. Please enable it in your browser's settings and resubmit your comment."

The address listed for the response was http://www.typepad.com/t/comments

This address (typepad.com) isn't on the blog.zap2it.com page where I tried to enter the comment. That happened to be the necessary site to add to the whitelist to enable posting my comment, so I have no current problem. But what if the necessary site wasn't the one listing the error? Some sort of "Temporarily allow all this click" context menu option counterpart to "Temporarily allow all this page" might be in order. (Or I'd be happy -- happier, even -- with a "Trace all this click" option so I could look at all the web sites and try just one site at a time.)

dhouwn
 
Posts: 15
Joined: January 21st, 2008, 6:35 am

Posted January 31st, 2009, 3:04 pm

Is ClearClick always alerting when CSS transforms are used?

Example:
Try to search something at
https://developer.mozilla.org/@api/deki ... ample.html

Giorgio Maone

Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Posted January 31st, 2009, 3:25 pm

@dhouwn:
not always, but it's very likely (especially on chromatic transformation).
However it happens only on cross-site transforms (obviously).

@Curmudgeon:
I get your point, but it's very complicated to implement :(

therube

Posts: 16898
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Posted January 31st, 2009, 3:29 pm

Cool.
Note that it does not skew in Gecko < 1.9.0.
(Also note the unauthenticated content warning - or not - generated depending upon Gecko version. In this case, the icon does change. That is different from what I described above. And OT too.)

bbbux
 
Posts: 5
Joined: January 2nd, 2009, 9:37 pm

Posted January 31st, 2009, 3:56 pm

The XSS protection is very annoying whenever I try to use the Evernote add-on. And apparently I can't make it an exception simply by adding it to whitelisted sites. It doesn't work when I also whitelist the site I'm trying to take a clip from either.

I think you should either put an option like "disable xss for whitelisted sites" or make it easier to make exceptions for XSS. Cause I have no idea what those regular expressions are and I won't learn them just to make no-script work.

By the way, can you show me how to add http://www.evernote.com/clip.action to XSS exception list for the time being?

Giorgio Maone

Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Posted January 31st, 2009, 4:21 pm

@bbbux:
are you sure you're using the latest NoScript version?
It's since 1.8.9.6 (5 builds and 2 stable versions ago) that we've got specific code to work around Evernote's troubles (which however should have been fixed by Evernote: Google Notebook doesn't require any workaround to work with NoScript).

bbbux
 
Posts: 5
Joined: January 2nd, 2009, 9:37 pm

Posted January 31st, 2009, 5:03 pm

Yes, I'm sure I'm using version 1.9 as of today
