NoScript, AFAIK, blocks (deny by default) based solely on the DOMAIN hosting the
content, not on whether the content is good or bad. The XSS logic (a work in progress) might do
additional blocking based on how/what the content is, but I doubt it's enabling
content beyond this: whitelisted domains calling a non-whitelisted domain's content, or
non-whitelisted sites calling a whitelisted domain's content, get blocked until both are
whitelisted domains.
Of course, if you whitelist & get hit by that site, it's most likely because you
allowed that site's content, although I can see where the NoScript XSS might be buggy,
misinterpreting where content is truly hosted due to obscured references which fool
it into thinking it's dealing with a whitelisted domain, thus mistakenly allowing
content from/on a domain not whitelisted. Still safer than browsing in allow-all-by-
default mode!
On the other hand, AdBlock is the add-on that blocks with blacklists (allow by
default) based on URL patterns & dimension/type, which can certainly be fooled and is
why the patterns get updated all the time.
Allow by default & then filtering is the method most licm fail to protect ne
Soren wrote:
maccrawj wrote:
Soren wrote:
maccrawj wrote:
Even if you were to fix Flash in this way, it's still blocking other
functions like scripting.
Yep, but only Cross Site Scripting exploits.
My point was that removing Flash blocking globally (the suggestion I
replied to) != whitelisting the domain. Flash blocking is only one thing
NoScript blocks, so it still blocks whatever functionality it's
configured to, since the domain is untrusted.
Why you bring up XSS I'm not sure.
Might be digging a bit too deep into this, but Flash allows a 'feature'
of XSS exploiting (basically, the very old 'swap image' function dressed
in a nice suit ;)
My main concern is how people can view Flash content without being
'rectally harvested' at the same time.
At the present moment, even with Flash 10.x, this doesn't seem to be the case.
If one wants protection against scripts acting on page load and page
exit, there's no way around WebWasher.
Again I'm lost about where you are going with this. With a domain not
whitelisted, no scripts or other content that NoScript is configured
to block will run (short of a NoScript bug). What are you saying?
I'm only saying that NoScript isn't perfect, and that the author has
admitted that the proggie is an 'ongoing project'.
Also, I'm shamelessly promoting the usability of an old util named
WebWasher ;)
Reason being that this util is able to protect either a private user or
a corporate user against 0-day exploits based on e.g. image
manipulation, which is VERY common these days.
To give a concrete example, NoScript is blocking pics out from the
'Properties' of the pic.
But what if the properties of the pic are altered to dimensions of
'0*0'?
Then 99 pct. of all corporate content filters will allow this b-itch
right through without even questioning if it's valid data.
Point: using a properly configured WebWasher, this exploit will *never*
reach the workstation.
Sure sounds like he has not whitelisted the domains hosting Netgear
content (there may be more than netgear.com), which is the ultimate fix.
No, and NoScript is still buggy as hell.
Eh? I've used netgear.com and have no issues; what do you mean by "no"
vs. what I have said?
I'm not quite sure I understand what you mean here...?
Months ago I attempted a dialogue with the NoScript author,
revealing several bugs, but no luck so far. He responds to email, but
plays the ignorance card. No hope ;)
Bugs such as? Even buggy it's better than surfing naked if it blocks
most otherwise active content.
I will not, at any time, reveal any bug that I've posted to any
programmer, unless hopelessly ignored.
But, sure, better partly safe than completely naked, agreed.
I'm also sure that Giorgio M. is addressing everything possible as we
speak.
Seems like today it's all about profiling and mining data, not
supporting it.
I contacted him about an issue with wildcard domain whitelist patterns
not working and got a response within 24hrs. Of course I went through
the forums not email, so YMMV.
Yep, as you say, there are issues, and those are being dealt with, as
far as I know.
For a quick NoScript fix you can use Ctrl+Shift+Backslash to toggle
whitelisting of the current domain (netgear.com, for example).
Brian Weeden wrote:
If you go into the NoScript options there is a place where you can set
exactly what it blocks, and Flash is one of them.
I leave it blocked because it kills a lot of annoying ads, but you can easily
allow Flash and still keep scripting disabled.
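The deny-by-default model from the top of the thread (a resource loads only when both the page's domain and the resource's domain are whitelisted), worked through as an added example. This is my own illustration, not code from the thread, from NoScript or from any poster, and it goes a bit beyond the thread's case: it shows why the whitelist check has to run on the host a URL parser actually resolves to, which is the "obscured references" worry raised above. The whitelist entries, the subdomain-covers rule and the sample URLs (`netgear.com`, `evil.example`, `cdn.tracker.example`, etc.) are constructed assumptions, and the function names are mine.

```javascript
// Added example, not code from the thread or from NoScript itself: a deny-by-default
// domain whitelist that models the behaviour described in the post. Assumptions (mine,
// not the page's): the whitelist holds bare hostnames, a whitelisted host also covers
// its subdomains, and a resource loads only when BOTH the page's host and the
// resource's host are whitelisted. Hosts come from a real URL parse so "obscured
// references" such as userinfo tricks resolve to the host that actually serves content.

// Normalise a URL to its real host; returns null when the URL has no usable host
// (data:, javascript:, unparsable), which the policy treats as not whitelisted.
function hostOf(urlString) {
  let parsed;
  try {
    parsed = new URL(urlString);
  } catch (e) {
    return null;
  }
  const host = parsed.hostname.toLowerCase().replace(/\.$/, "");
  return host === "" ? null : host;
}

// Match on label boundaries: "good.example" covers "cdn.good.example" but must NOT
// cover "good.example.evil.example" or "notgood.example".
function hostAllowed(host, whitelist) {
  if (host === null) return false;
  return whitelist.some((w) => host === w || host.endsWith("." + w));
}

// The decision the post describes: allow only when both sides are whitelisted.
function decide(pageUrl, resourceUrl, whitelist) {
  const page = hostOf(pageUrl);
  const res = hostOf(resourceUrl);
  const pageOk = hostAllowed(page, whitelist);
  const resOk = hostAllowed(res, whitelist);
  if (pageOk && resOk) {
    return { action: "allow", reason: `page ${page} and resource ${res} both whitelisted` };
  }
  const missing = [];
  if (!pageOk) missing.push(`page host ${page}`);
  if (!resOk) missing.push(`resource host ${res}`);
  return { action: "block", reason: `${missing.join(" and ")} not whitelisted` };
}

// Constructed sample requests (not real traffic) against a small, assumed whitelist.
const WHITELIST = ["netgear.com", "example.org"];

const SAMPLES = [
  // whitelisted page pulling its own script: allowed
  ["https://www.netgear.com/support/", "https://www.netgear.com/js/app.js"],
  // whitelisted page pulling a third-party tracker: blocked
  ["https://www.netgear.com/support/", "https://cdn.tracker.example/track.js"],
  // untrusted page embedding a whitelisted domain's script: blocked
  ["https://blog.attacker.example/", "https://www.netgear.com/js/app.js"],
  // userinfo trick: the real host is evil.example, so blocked
  ["https://www.netgear.com/", "https://netgear.com@evil.example/js/app.js"],
  // suffix trick: netgear.com.evil.example is not under netgear.com, so blocked
  ["https://www.netgear.com/", "https://netgear.com.evil.example/app.js"],
  // inline data: URI has no host at all, so blocked
  ["https://www.netgear.com/", "data:text/javascript,alert(1)"],
];

// Run the policy over every sample and keep the verdicts alongside the inputs.
function evaluateAll(samples, whitelist) {
  return samples.map(([page, res]) => ({ page, res, ...decide(page, res, whitelist) }));
}

for (const r of evaluateAll(SAMPLES, WHITELIST)) {
  console.log(`${r.action.toUpperCase().padEnd(5)} ${r.page} -> ${r.res} (${r.reason})`);
}
```

Only the first sample is allowed; the two "obscured reference" rows are blocked because `hostOf` reports `evil.example` and `netgear.com.evil.example` respectively, which is exactly the check a naive substring match on the raw URL would get wrong.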