XSS in NoScript

If NoScript is set to "Allow scripts globally" does this setting negate the protection NoScript offers from XSS "cross site scripting" or would that protection still be in place? I find that having to check allow for scripting on every site I might choose to visit is a hassle but I would like to know that the sites I choose to trust and visit are safe(r) from potential cross site scripting by using the XSS protection in NoScript.

I looked through what info I could find concerning NoScript use but never found an answer to my question. Of course I am sure most users of NoScript don't want to turn off it's main functionality like that anyway.

Also I guess I should ask...do you think the XSS protection in NoScript is even an effective addition to online security?

Thanks.

 

Yes, allowing scripts globally turns off NoScript protection, and yes, NoScript is effective, but use your brain.

Here's a good "primer" thread by elio:
https://www.wilderssecurity.com/showthread.php?t=174195

 

Giorgio Maone has a really good description/tut for the NoScript features and use at his site: http://noscript.net/features; as well as the FAQ: http://noscript.net/faq

 

Ok, thanks for the information chachazz & coolbluewater. I was hoping I could use NoScript only for blocking XSS but still automatically allow all other scripting originating in any site I visited intentionally.

Blocking scripts injected from other sites into legitimate sites was all I really wanted to stop. Oh, well

 

There's a middle ground, actually.
You could activate the "Temporarily allow top-level sites by default" NoScript "General" option, which enables scripts for any site you intentionally navigate (the one displayed in your location bar) but not for 3rd party scripts loaded, for example, in hidden iframes, and for sites you explicitely marked as untrusted.
If you also turn the "noscript.xss.trustTemp" to "false", you've got this setup where places you visit have most of their legit scripts enabled, but potential XSS requests are still filtered even if they start from a temporarily allowed site.

Notice that such a configuration is still safer than a plain web browser, but not nearly as safe as default NoScript settings.

My friendly advice, since default permit is really really the dumbest idea in computer security, try to use NoScript as it is meant to be used (default deny).

Permanently whitelist the sites you really trust (so you don't need to repeat your choices on next session), and temporarily allow the others you intentionally navigate but you're not sure about, but only if JavaScript is really required there and you can't live without the site.

Staying in control of your browser is not that bad and hard thing all those crazy and lazy web designers want you to believe: I've been doing so for more than one year now, and I'm happy & safe.

 

Thanks a million elio! I will try it the way you suggested. Like you said, it won't be as safe as the default settings in NoScript but maybe I can reach a good compromise between additional security and ease of use.

 

I am surprised @elio did not also recommend Firekeeper...

https://www.wilderssecurity.com/showthread.php?p=1002745#post1002745

Mike

 

Mike, I apologize
I do not use Firekeeper, because NoScript the way I use it (Java/Flash/plugins blocked, anti-XSS protection from untrusted and temporarily allowed sites, very short permanent whitelist) is enough. Firekeeper would be unnecessary overhead slowing down page loads.

But in this specific case, with a "watered-down" setup, recommending Firekeeper is a must

 

Hmmm... OK

When I install NoScript, here are the only things I change from the factory defaults...

1. General Tab - NO CHG
2. Whitelist Tab - remove all except about*, chrome, and resource
3. Appearance Tab - Uncheck √ "Allow scripts Globally" (Since I will NEVER use that, remove it from the menu.)
4. Notifications Tab - NO CHG
5. Advanced Tab
   • Untrusted Tab - √ Forbid Flash, √ Forbid other plugins (now all five are √)
   • Advanced Tab/Trusted Tab - NO CHG
   • Advanced Tab/XSS Tab - NO CHG

Right? OK? Correct?

I have also experimented with noscript.contentBlocker

But, it messed with Secunia Software Inspector, so it is not enabled at the moment (just have not had the time to figured out exactly why).

Understand.

Mike

 

Perfect setup. The only difference with mine (aside contentBlocker) is that I go in about:blank and turn the noscript.xss.trustTemp to false, as explained here.
As for the Secunia Software Inspector VS contentBlocker issue, did you submit it to the NoScript author?
This preference, however, is more an annoyance/noise reducing feature than a security plus (I use it as a low-overhead replacement for AdBlocks).
From a security POV you're already OK, IMHO.