[ext] NoScript 1.9 - Your Friendly Web Cop

Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

[ext] NoScript 1.9 - Your Friendly Web Cop

Post by Giorgio Maone »

There's a browser safer than Firefox...
...it is Firefox with NoScript



NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution and the most powerful anti-XSS and anti-Clickjacking protection.

CHANGELOG


Previous discussion
dhouwn
Posts: 15
Joined: January 21st, 2008, 6:35 am

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by dhouwn »

NoScript 2.0, here we come!

BTW: http://noscript.net/forum needs to be updated.

BTW2:
When trying to send a file named "test.test (test).txt" through meebo (when having the contact as a popup window):


[NoScript XSS] Sanitized suspicious request. Original URL [https://www.meebo.com/getfile.html?filetype=text%2Fplain%3B+charset%3Dus-ascii&filename=test.test+%28test%29.txt&filesize=4&domain=www.meebo.com&fileid=0827095075] requested from [http://ec2-67-202-14-4.z-1.compute-1.amazonaws.com/scripts/upload_file_ft.py]. Sanitized URL: [https://www.meebo.com/getfile.html?filetype=text/plain%3B+charset%20us-ascii&fileNAME=test.test+%20test%20.txt&filesize=4&domain=www.meebo.com&fileid=0827095075#14182912952982774857].
The warning (message bar) is just shown for a second, I guess it disappears because the iframe is reloaded.
Last edited by dhouwn on January 31st, 2009, 9:32 am, edited 1 time in total.
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by Giorgio Maone »

@dhouwn:
thanks for the pointer about the forum.
That file name is no good. Please remove those round brackets.
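
Added example, not part of the thread and not NoScript's own code: a small Node.js script that parses the console message quoted in dhouwn's report and lists, per query parameter, what the sanitizer changed, which is the first thing to check when triaging an XSS-filter false positive like this one. The function names are hypothetical, and parameters are compared by position, an assumption that holds for the message above.

```javascript
// Constructed input: the console message quoted in the report above, copied verbatim.
const LOG_LINE = "[NoScript XSS] Sanitized suspicious request. Original URL [https://www.meebo.com/getfile.html?filetype=text%2Fplain%3B+charset%3Dus-ascii&filename=test.test+%28test%29.txt&filesize=4&domain=www.meebo.com&fileid=0827095075] requested from [http://ec2-67-202-14-4.z-1.compute-1.amazonaws.com/scripts/upload_file_ft.py]. Sanitized URL: [https://www.meebo.com/getfile.html?filetype=text/plain%3B+charset%20us-ascii&fileNAME=test.test+%20test%20.txt&filesize=4&domain=www.meebo.com&fileid=0827095075#14182912952982774857].";

// Pull the three bracketed URLs out of the message.
function parseNoScriptXssLog(line) {
  const re = /Original URL \[(.*?)\] requested from \[(.*?)\]\. Sanitized URL: \[(.*?)\]/;
  const m = re.exec(line);
  if (!m) throw new Error("not a NoScript XSS sanitization message");
  return { original: m[1], requester: m[2], sanitized: m[3] };
}

// Split the query string into [name, value] pairs without decoding anything.
// The fragment is dropped: only the query parameters are compared here.
function rawPairs(url) {
  const query = url.split("#")[0].split("?")[1] || "";
  if (query === "") return [];
  return query.split("&").map((pair) => {
    const i = pair.indexOf("=");
    return i < 0 ? [pair, ""] : [pair.slice(0, i), pair.slice(i + 1)];
  });
}

// Form-style decoding ("+" is a space); malformed escapes are left as-is.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch { return s; }
}

// List every parameter whose name or decoded value differs after sanitization.
// Comparing decoded values ignores harmless re-encoding such as %2F -> "/".
function diffSanitized(line) {
  const { original, sanitized } = parseNoScriptXssLog(line);
  const before = rawPairs(original);
  const after = rawPairs(sanitized);
  const changes = [];
  for (let i = 0; i < Math.max(before.length, after.length); i++) {
    const [bName, bVal] = before[i] || ["", ""];
    const [aName, aVal] = after[i] || ["", ""];
    const b = safeDecode(bVal), a = safeDecode(aVal);
    const replaced = new Set(); // original characters that were overwritten
    if (b.length === a.length) {
      for (let j = 0; j < b.length; j++) if (b[j] !== a[j]) replaced.add(b[j]);
    }
    if (bName !== aName || b !== a) {
      changes.push({ param: bName, renamedTo: bName !== aName ? aName : null,
                     replaced: [...replaced].join("") });
    }
  }
  return changes;
}

console.log(diffSanitized(LOG_LINE));
```

For the quoted message this reports that `=` was replaced in `filetype`, and that `filename` was renamed to `fileNAME` with both round brackets replaced, which matches the advice to remove the brackets from the file name.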
Alan Baxter
Posts: 4419
Joined: May 30th, 2005, 2:01 pm
Location: Colorado, USA

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by Alan Baxter »

RefreshBlocker for Firefox 3 has finally been released.
https://addons.mozilla.org/en-US/firefox/addon/992

In Firefox 2, both Giorgio and I recommended the RefreshBlocker extension for controlling automatic page reloads caused by the refresh parameter of the META tag element. Unfortunately, the internal changes in Firefox 3 prevented this extension from working. The developer released a version which works in Firefox 3 on Jan 3. I've been using it again for over three weeks, and it seems to work as well as it did in Firefox 2.

Woo hoo!
therube
Posts: 21835
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by therube »

re: ClearClick warning from this post, viewtopic.php?p=5629455#p5629455.

could you tell me the page of the ClearClick thing?

http://photobucket.com/

I had logged in.
Upload 1 screenshot.
Then uploaded a second.

On the second, I received the ClearClick warning.

I was using the "new uploader" as opposed to the "bulk" or "old" version.

If I recall correctly, the warning appeared after the file had already uploaded & as/after the photobucket "Add titles, descriptions and tags to images below" page was/had loaded.

Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
therube
Posts: 21835
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by therube »

Might there not be something that is causing 1.9 to show (partially) broken https: sessions?

(I'll investigate a bit more in a little while ... - as it could be something with SeaMonkey 2 too.)
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by Giorgio Maone »

@therube:
The ClearClick photobucket thing: I can't reproduce it, but did you say it's been just one shot?
Maybe it's been a race condition where the image was not loaded yet in one screenshot and was there in the other.

Regarding the HTTPS issue, I strongly doubt it's something NoScript related, but could you tell me where you can see it happening?
therube
Posts: 21835
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by therube »

Yes, the ClearClick photobucket happened only the one time.

And yes, the broken https: warnings look to be a Gecko > 1.9.1 issue - not related to NoScript.
It happens both in SeaMonkey 1.9.1 & FF 1.9.2.
(It is either a false broken https: warning, or the warning is legit & not being acknowledged by Gecko < 1.9.1.)

(PS: Seeing this https: issue at http://www.staples.com/. Once I've begun "secure" checkout, if I then go to "Add/Edit Coupons", I'll get the https: warning.)
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Curmudgeon3
Posts: 1
Joined: January 31st, 2009, 12:26 pm

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by Curmudgeon3 »

At http://blog.zap2it.com I tried to enter a comment. I got this response:

"As a measure to prevent automated posting by robots, JavaScript is required. Please enable it in your browser's settings and resubmit your comment."

The address listed for the response was http://www.typepad.com/t/comments

This address (typepad.com) isn't on the blog.zap2it.com page where I tried to enter the comment. That happened to be the necessary site to add to the whitelist to enable posting my comment, so I have no current problem. But what if the necessary site wasn't the one listing the error? Some sort of "Temporarily allow all this click" context menu option counterpart to "Temporarily allow all this page" might be in order. (Or I'd be happy -- happier, even -- with a "Trace all this click" option so I could look at all the web sites and try just one site at a time.)
dhouwn
Posts: 15
Joined: January 21st, 2008, 6:35 am

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by dhouwn »

Is ClearClick always alerting when CSS transforms are used?

Example:
Try to search something at
https://developer.mozilla.org/@api/deki ... ample.html
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by Giorgio Maone »

@dhouwn:
not always, but it's very likely (especially on chromatic transformation).
However it happens only on cross-site transforms (obviously).

@Curmudgeon:
I get your point, but it's very complicated to implement :(
therube
Posts: 21835
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by therube »

Cool.
Note that it does not skew in Gecko < 1.9.0.
(Also note the unauthenticated content warning - or not - generated depending upon Gecko version. In this case, the icon does change. That is different from what I described above. And OT too.)
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
bbbux
Posts: 5
Joined: January 2nd, 2009, 9:37 pm

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by bbbux »

The XSS protection is very annoying whenever I try to use the Evernote add-on. And apparently I can't make it an exception simply by adding it to whitelisted sites. It doesn't work when I also whitelist the site I'm trying to take a clip from either.

I think you should either put an option like "disable xss for whitelisted sites" or make it easier to make exceptions for XSS. Cause I have no idea what those regular expressions are and I won't learn them just to make no-script work.

By the way, can you show me how to add http://www.evernote.com/clip.action to XSS exception list for the time being?
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by Giorgio Maone »

@bbbux:
are you sure you're using the latest NoScript version?
It's since 1.8.9.6 (5 builds and 2 stable versions ago) that we've got specific code to work around Evernote's troubles (which however should have been fixed by Evernote: Google Notebook doesn't require any workaround to work with NoScript).
bbbux
Posts: 5
Joined: January 2nd, 2009, 9:37 pm

Re: [ext] NoScript 1.9 - Your Friendly Web Cop

Post by bbbux »

Yes, I'm sure I'm using version 1.9 as of today.