[ext] NoScript 1.9 - Your Friendly Web Cop

[Giorgio Maone]

There's a browser safer than Firefox...
...it is Firefox with



NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution and the most powerful anti-XSS and anti-Clickjacking protection.

CHANGELOG

• Features
• Screenshots
• FAQ
• Download

Previous discussion

[dhouwn]

Noscript 2.0, here we come!

BTW: http://noscript.net/forum needs to be updated.

BTW2:
When trying to send a file named "test.test (test).txt" through meebo (when having the contact as a popup window):

Code: Select all

[NoScript XSS] Sanitized suspicious request. Original URL [https://www.meebo.com/getfile.html?filetype=text%2Fplain%3B+charset%3Dus-ascii&filename=test.test+%28test%29.txt&filesize=4&domain=www.meebo.com&fileid=0827095075] requested from [http://ec2-67-202-14-4.z-1.compute-1.amazonaws.com/scripts/upload_file_ft.py]. Sanitized URL: [https://www.meebo.com/getfile.html?filetype=text/plain%3B+charset%20us-ascii&fileNAME=test.test+%20test%20.txt&filesize=4&domain=www.meebo.com&fileid=0827095075#14182912952982774857].

The warning (message bar) is just shown for a second, I guess it disappears because the iframe is reloaded.

[Giorgio Maone]

@dhouwn:
thanks for the pointer about the forum.
That file name is no good. Please remove those round brackets.

[Alan Baxter]

RefreshBlocker for Firefox 3 has finally been released.
https://addons.mozilla.org/en-US/firefox/addon/992

In Firefox 2, both Giorgio and I recommended the RefreshBlocker extension for controlling automatic page reloads caused by the refresh parameter of the META tag element. Unfortunately, the internal changes in Firefox 3 prevented this extension from working. The developer released a version which works in Firefox 3 on Jan 3. I've been using it again for over three weeks, and it seems to works as well as it did in Firefox 2.

Woo hoo!

[therube]

re: ClearClick warning from this post, viewtopic.php?p=5629455#p5629455.

could you tell me the page of the ClearClick thing?

http://photobucket.com/

I had logged in.
Upload 1 screenshot.
Then uploaded a second.

On the second, I received the ClearClick warning.

I was using the "new uploader" as opposed to the "bulk" or "old" version.

If I recall correctly, the warning appeared after the file had already uploaded & as/after the photobucket "Add titles, descriptions and tags to images below" page was/had loaded.

[therube]

Might there not be something that is causing 1.9 to show (partially) broken https: sessions?

(I'll investigate a bit more in a little while ... - as it could be something with SeaMonkey 2 too.)

[Giorgio Maone]

@therube:
The ClearClick photobucket thing: I can't reproduce it, but did you say it's been just one shot?
Maybe it's been a race condition where the image was not loaded yet in one screenshot and was there in the other.

Regarding the HTTPS issue, I strongly doubt it's something NoScript related, but could you tell me where you can see it happening?

[therube]

Yes, the ClearClick photobucket happened only the one time.

And yes, the broken https: warnings look to be a Gecko > 1.9.1 issue - not related to NoScript.
It happens both in SeaMonkey 1.9.1 & FF 1.9.2.
(It is either a false broken https: warning, or the warning is legit & not being acknowledged by Gecko < 1.9.1.)

(PS: Seeing this https: issue at http://www.staples.com/. Once I've begun "secure" checkout, if I then go to "Add/Edit Coupons", I'll get the https: warning.)

[Curmudgeon3]

At http://blog.zap2it.com I tried to enter a comment. I got this response:

"As a measure to prevent automated posting by robots, JavaScript is required. Please enable it in your browser's settings and resubmit your comment."

The address listed for the response was http://www.typepad.com/t/comments

This address (typepad.com) isn't on the blog.zap2it.com page where I tried to enter the comment. That happened to be the necessary site to add to the whitelist to enable posting my comment, so I have no current problem. But what if the necessary site wasn't the one listing the error? Some sort of "Temporarily allow all this click" context menu option counterpart to "Temporarily allow all this page" might be in order. (Or I'd be happy -- happier, even -- with a "Trace all this click" option so I could look at all the web sites and try just one site at a time.)

[dhouwn]

Is ClearClick always alerting when CSS transforms are used?

Example:
Try to search something at
https://developer.mozilla.org/@api/deki ... ample.html

[Giorgio Maone]

@dhouwn:
not always, but it's very likely (especially on chromatic transformation).
However it happens only on cross-site transforms (obviously).

@Curmudgeon:
I get your point, but it's very complicated to implement

[therube]

Cool.
Note that it does not skew in Gecko < 1.9.0.
(Also note the unauthenticated content warning - or not - generated depending upon Gecko version. In this case, the icon does change. That is different from what I described above. And OT too.)

[bbbux]

The XSS protection is very annoying whenever I try to use evernote add-on. And apprently i can't make it an exception simply by adding it to whitelisted sites. It doesn't work when i also whitelist the site i'm trying to take a clip from either.

I think you should either put an option like "disable xss for whitelisted sites" or make it easier to make exceptions for XSS. Cause I have no idea what those regular expressions are and I won't learn them just to make no-script work.

By the way, can you show me how to add http://www.evernote.com/clip.action to XSS exception list for the time being?

[Giorgio Maone]

@bbbux:
are you sure you're using latest NoScript version?
It's since 1.8.9.6 (5 builds and 2 stable versions ago) that we've got specific code to work around the Evernote's troubles (which however should have been fixed by Evernote: Google Notebook doesn't require any work around to work with NoScript).

[bbbux]

Yes, I'm sure I'm using version 1.9 as of today