maccrawj wrote:
Soren wrote:
maccrawj wrote:
Even if you were to fix Flash in this way, it's still blocking other functions like scripting.

Yep, but only Cross Site Scripting exploits.

My point was removing flash blocking globally (suggestion offered I replied to) != whitelist the domain. Flash blocking is only one thing NoScript blocks, so it still blocks whatever functionality it's configured to since the domain is untrusted.

Why you bring up XSS I'm not sure?

Might be digging a bit too deep into this, but Flash allows a 'feature' of XSS 
exploiting (basically, the very old 'swap image function' dressed in a nice 
suit ;)

My main concern is how people can view Flash content without being 'rectally 
harvested' at the same time.

At the present moment, even with Flash 10.x, this doesn't seem to be the case.


If one wants protection against scripts acting on page load and page exit, there's no way around web washer.

Again I'm lost about where you are going with this. With a domain not whitelisted, no scripts or other content that NoScript is configured to block will run (short of a NoScript bug). What are you saying?

I'm only saying that NoScript isn't perfect, and that the author has admitted 
that the proggie is an 'ongoing project'.

Also, I'm shamelessly promoting the usability of an old util named WebWasher ;)

Reason being that this util is able to protect either a private user or a corporate user against 0-day exploits based on e.g. image manipulation, which is VERY common these days.

To give a concrete example, NoScript is blocking pics out from 'Properties' of 
the pic.

But what if the properties of the pic are altered to the dimensions of '0*0'?

Then 99 pct. of all corporate content filters will allow this b-itch right 
through without even questioning if it's valid data.

Point: Using a properly configured WebWasher, this exploit will *never* reach 
the workstation.

Sure sounds like he has not whitelisted the domains hosting netgear content (there may be more than netgear.com) which is the ultimate fix.

No, and NoScript is still buggy as hell.

Eh? I've used netgear.com and have no issues, what do you mean by "no" vs. what I have said?

I'm not quite sure I understand what you mean here...?

I've months ago attempted a dialogue with the NoScript author, revealing several bugs, but no luck so far. He responds to email, but plays the ignorance card. No hope ;)

Bugs such as? Even buggy it's better than surfing naked if it blocks most otherwise active content.

I will not, at any time, reveal any bug that I've posted to any programmer, 
unless hopelessly ignored.

But, sure, better partly safe than completely naked, agreed.

I'm also sure that Giorgio M. is addressing everything possible as we speak.

Seems like today it's all about profiling and mining data, not supporting it.
I contacted him about an issue with wildcard domain whitelist patterns not working and got a response within 24hrs. Of course I went through the forums not email, so YMMV.

Yep, as you say, there are issues, and those are being dealt with, as far as I 
know.

For a quick NoScript fix you can use Ctrl+Shift+Backslash to toggle whitelisting of current domain (netgear.com for example).


Brian Weeden wrote:
If you go into the NoScript options there is a place where you can set
exactly what it blocks, and Flash is one of them.

I leave it blocked because it kills a lot of annoying ads but you can easily
allow Flash and still keep scripting disabled.
