MozillaZine

[ext] NoScript 1.4 - Lord of Plugins

Announce and Discuss the Latest Theme and Extension Releases.
Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted February 15th, 2008, 9:05 am

There's a browser safer than Firefox...
...it is Firefox with <a href="http://www.noscript.net" title="Have a safer Firefox with NoScript"><img alt="NoScript" src="http://noscript.net/noscript/logo.png"></a>!


NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution plus unique anti-XSS protection.

CHANGELOG


Previous discussion

niko322
 
Posts: 50
Joined: April 11th, 2007, 1:26 pm

Post Posted February 15th, 2008, 9:20 am

hi
when "Turn cross-site POST requests into data less GET requests" is on then ,
stumbleupon discovery window disappear ,what should i put into Anti-XSS exception list ?

to make noscript & stumbleupon work properly

from error console:

[NoScript XSS] Sanitized suspicious upload to [http://www.stumbleupon.com/newurl.php] from [http://www.stumbleupon.com/newurl.php]: transformed into a download-only GET request.

Error: urchinTracker is not defined
Source File: http://www.stumbleupon.com/newurl.php
Line: 47

noend7
 
Posts: 13
Joined: February 15th, 2008, 9:58 am

Post Posted February 15th, 2008, 10:13 am

Not sure if this is how to post a new topic but...

Using NS1.4 and it's predecessor on my machine, I suddenly cannot access a key trusted site for me - the Checkfree bill payment adjunct to my bank site. I have no trouble getting in with IE, but my updated Firefox 2.0.0.12 with NS 1.4 can't access the site.

I've got checkfreeweb.com, estara.com, and https://cw11.checkfreeweb.com all on my whitelist. I even get bounced when I choose to let scripts run globally.

Noscript doesn't seem to give any listing anywhere I can find of ancillary sites to checkfree trying to execute scripts, so I'm totally stumped!

Any ideas, suggestions?

TIA

noend7

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted February 15th, 2008, 10:20 am

@niko322:
that's extremely odd: I cannot reproduce it in any way, and the following lines in noscriptService.js, executed before the POST XSS checks, should absolutely prevent this from happening:
Code: Select all
4160 if (originSite == targetSite &&
4161       (injectionCheck < 3 || channel.requestMethod != "GET")
4162      ) return; // same origin, fast return

Can you reproduce with 1.4, on a clean profile and/or after a NoScript Options|Reset?

noend7
 
Posts: 13
Joined: February 15th, 2008, 9:58 am

Post Posted February 15th, 2008, 10:23 am

Don't know, but I'll try it and let you know

L.A.R. Grizzly

User avatar
 
Posts: 5349
Joined: March 15th, 2005, 5:32 pm
Location: Akron, Ohio, USA

Post Posted February 15th, 2008, 11:03 am

Giorgio Maone wrote:@L.A.R. Grizzly: Temporary permissions should be wiped out at the end of session as it's always been, the "Revoke temporary permissions" command did not change this feature. Could you upgrade to to 1.4, and if the problem is unchanged, try NoScript Options|Reset?


I completely uninstalled v1.3.2. I did notice that after uninstallation, NoScript settings remained in my prefs.js file. I edited all references to NoScript from my prefs.js file. I installed v1.4, imported my Whitelist and the problem of the Temporary Permissions not clearing on restart has been resolved. Thank you!
Win7 Pro SP1 64 Bit
Comodo Internet Security
Pale Moon 28.7.2, Interlink Mail 52.9.7238, Firefox 52.9.0esr, Thunderbird 52.9.1 and SeaMonkey 2.48

noend7
 
Posts: 13
Joined: February 15th, 2008, 9:58 am

Post Posted February 15th, 2008, 11:08 am

Did a reset then retried. After setting permissions for the sites NS listed, I retried but there's no change. Still no access. I'll check the prefs.js file

noend7

noend7
 
Posts: 13
Joined: February 15th, 2008, 9:58 am

Post Posted February 15th, 2008, 11:20 am

Giorgio,

I'm no expert on web-page code, but it may very well be that
<https>
is calling another page/site to do the work. In that page's code, there are several links to <https>
which is also permitted and whitelisted. So origin and target may not be identical. FWIW

noend7

niko322
 
Posts: 50
Joined: April 11th, 2007, 1:26 pm

Post Posted February 15th, 2008, 11:22 am

@Giorgio

the Reset button fixed the problem thx.

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted February 15th, 2008, 11:33 am

@noend7:
The "Reset" advice was for niko322, not for you.

I tried opening https://cw11.checkfreeweb.com and even http://cw11.checkfreeweb.com on my default Firefox, on a clean Firefox profile and even with IE7, but I can't connect.
I even tried to connect through a TOR proxy, to rule out geographic issues.
http://www.checkfreeweb.com does work, though: are you sure the URL above is correct?
If so, can you see any error message in Tools|Error Console?

noend7
 
Posts: 13
Joined: February 15th, 2008, 9:58 am

Post Posted February 15th, 2008, 12:52 pm

Apologies if I led you wrong! The correct link is:

<https://cw411.checkfreeweb.com/cw411/wps?rq=...>

And now an hour after my last try, it works fine!

Sorry for the waste of time, although the reset may have helped.

Thanks all

noend7

chconnor
 
Posts: 33
Joined: October 28th, 2006, 11:17 pm

Post Posted February 15th, 2008, 11:34 pm

Hi - is there a key command to toggle "allow scripts globally"? It'd be nice.
-c

kustomrides
 
Posts: 12
Joined: November 5th, 2004, 2:51 am

Post Posted February 15th, 2008, 11:50 pm

Unable to play from youtube site, directly, but able to play those vids embedded.

This message:

Hello, you either have JavaScript turned off or an old version of Adobe's Flash Player.


I have already installed th latest Flash. It works fine in all other browsers. WILL work in Firefox IF I disable NoScript.

Soul Stealer

User avatar
 
Posts: 480
Joined: March 31st, 2007, 1:18 pm
Location: God's Country

Post Posted February 16th, 2008, 5:34 am

@ kustomrides - do you have both youtube and ytimg allowed? You need to.
It's like I said.

AntiSane
 
Posts: 4
Joined: April 25th, 2007, 3:49 pm

Post Posted February 16th, 2008, 4:23 pm

Same problem, any clues to a fix?



kustomrides wrote:Unable to play from youtube site, directly, but able to play those vids embedded.

This message:

Hello, you either have JavaScript turned off or an old version of Adobe's Flash Player.


I have already installed th latest Flash. It works fine in all other browsers. WILL work in Firefox IF I disable NoScript.

Return to Extension/Theme Releases


Who is online

Users browsing this forum: No registered users and 1 guest