InactiveUser 188 Posted ... I consider The NoScript Misnomer to be a very important article.By "exploiting" an entry on NoScript's whitelist, the author shines light on several pitfalls that not every NoScript user might be fully aware of:NoScript comes with a default, enabled whitelist.whitelists are inherently flawed, even more so if you don't even maintain them yourselfif you use a security tool without fully understanding its operation and configuration, you lull yourself into a false sense of securityblocking all malicious scripts is unrealistic - you will need to think about defense in depth and sandboxingI personally use NoScript in combination with uBlock Origin in its advanced dynamic filtering mode. I also sandbox applications like Firefox, Thunderbird, Pidgin using Firejail, a small application that provides a convenient interface to built-in Linux kernel features (seccomp, namespaces, caps). Ideally, I would be using Qubes OS for better isolation, but it's not like hypervisors are somehow magically flawless, either. 4 NbK, wer, rickjames and 1 other reacted to this Quote Hide InactiveUser's signature Hide all signatures all of my content is released under CC-BY-SA 2.0 Share this post Link to post
OpenSourcerer 1442 Posted ... Thank you for the link to the blog. Wasn't aware of the whitelist containing sites that doesn't exist. When I install NoScript, I always delete all (deletable) entries. Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
zhang888 1066 Posted ... Totally true. This whitelist wasn't there a few years ago when NoScript was small, efficient and not commercial But as it became popular, with some distros pushing it by default, they started to find ways to make profits.This is almost the same way Adblock did. That whitelist can be divided in 3 groups:1) Companies that paid (those CDNs)2) Users that were too much complaining about sites that were broken (yahoo and friends)3) Author's personal preferece (like maone.net and others) 1 rickjames reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
rickjames 106 Posted ... The noScript defaults are pretty weak. Its kind of sad people just install it and assume everything's kosher. The JS Switch addon is also really nice. It just adds a little button in the browser that disables js completely. The settings I use:My whitelist only has a few sites I actually work with. Everything else was deleted. Quote Share this post Link to post
OpenSourcerer 1442 Posted ... But the JS Switch does not protect against Clickjacking and XSS. (Sent via Tapatalk - this generally means I'm not sitting in front of my PC) Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
rickjames 106 Posted ... But the JS Switch does not protect against Clickjacking and XSS. If the jacking attempt was done via js and js was disabled via JS Switch then one could say it does. Everyone's surfing habits are different, and mine rarely require js. But when its needed I just press js switch then allow whats needed in noScript. Quote Share this post Link to post
zhang888 1066 Posted ... As a JS security researcher I also have a small disagreement with @giganerd.With 3d party block of JS, whether using NoScript (meh) or uBlock Origin (good), you have a total control of yourJS Same-Domain-Origin-Policy, or shortly SOP.Today with modern HTML5 and JS, Browsers slowly gave up those agreed policies with all the fancy compatibility things.When you are aware of the domain you are currently focused on, in other words, the active tab, and you use uBlock with 3dparty JS disabled, you have zero risk of clickjacking (UI redressing attack) and XSS.Both above attacks require you to run 3d party scripts that will either send the contents of your current domain cookies or DOMdata to 3d parties. While blocking 3d party domains JS, you break those exploitation attemts.The only successful way to exploit it in this case, would be planting JS code in the content of the same domain. But in this case,it gives the attacker much more privileges, rendering client-side attacks less effective. 1 encrypted reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
rickjames 106 Posted ... @sheivokoThanks for the uBlock tip. Its impressive as hell. TYVM. Quote Share this post Link to post
NbK 4 Posted ... ya uBlock is amazing. ty for posting this thread, had no idea of its existence Quote Share this post Link to post