Wilders Security Forums  

  #1  
Old November 15th, 2011, 01:52 PM
andryou andryou is offline
Infrequent Poster
 
Join Date: Nov 2011
Posts: 20
Default ScriptSafe former ScriptNo: Discussion

Hi,

I'm the author of ScriptNo, the Chrome extension that seeks to bring some "NoScript-like" features to Chrome (but not all due to current limitations in the Chrome API).

Feel free to ask questions, post comments, and discuss ScriptNo here.

I'll start off with the first question:

Quote:
Originally Posted by vasa1
Hi!

Is this related to you?
according to ghacks' Martin.

This is related to me, but I didn't submit the story (I'm not Vineeth) and no shady financial deals went down to get the story published. I didn't know about that article up until now!

Andrew
  #2  
Old November 15th, 2011, 01:59 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

Keep in mind that most of the issues with it will be solved with the WebRequest API, and an experimental version is already out:

http://code.google.com/p/scriptno/wi...imentalVersion

To use that version you must go to about:flags and enable Experimental Extensions API. Restart the browser and then add the experimental version.

There are still open issues and the developer has been away - he's back now (or soon) and apparently back to work (or soon to be.)

EDIT: Oh you're the dev? .... lol whoopsies

No questions really. I'm sure others will have some. Thanks for the project.
__________________
  #3  
Old November 15th, 2011, 02:22 PM
guest
 
Posts: n/a
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Hungry Man
Keep in mind that most of the issues with it will be solved with the WebRequest API, and an experimental version is already out:

http://code.google.com/p/scriptno/wi...imentalVersion

To use that version you must go to about:flags and enable Experimental Extensions API. Restart the browser and then add the experimental version.

There are still open issues and the developer has been away - he's back now (or soon) and apparently back to work (or soon to be.)

EDIT: Oh you're the dev? .... lol whoopsies

No questions really. I'm sure others will have some. Thanks for the project.

Now that was funny. Lol.
  #4  
Old November 15th, 2011, 02:24 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,464
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by guest
Now that was funny. Lol.

That's what happens when a person is starving... They lose focus.
  #5  
Old November 15th, 2011, 02:28 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

Any hints as to where development is going/ features to expect? Or is it a matter of focusing on currently open issues?
__________________
  #6  
Old November 15th, 2011, 02:39 PM
andryou andryou is offline
Infrequent Poster
 
Join Date: Nov 2011
Posts: 20
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Hungry Man
Any hints as to where development is going/ features to expect? Or is it a matter of focusing on currently open issues?

Currently focusing on the WebRequest and ContentSettings APIs to bring reliable blocking methods into ScriptNo, and cleaning up code as I go along as well (I'm always for optimization). I was contacted by Mike West of Google recently, who told me that the WebRequest and ContentSettings APIs have been drastically improved in the last month or two (while I was away), so right now I'm taking a look at them again.

I'm also focusing on currently open issues, but the major and reproducible ones.

Feature-wise, there may be a few more additional features to leverage the cookie/plugin/popups/notifications-blocking features provided by the ContentSettings API, but I will have to see how the API actually works in real scenarios.
  #7  
Old November 15th, 2011, 02:43 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

Sounds great.

Hopefully WebRequest doesn't get pushed back to 18 and we see it stable by December for Chrome 17.
__________________
  #8  
Old November 15th, 2011, 03:58 PM
andryou andryou is offline
Infrequent Poster
 
Join Date: Nov 2011
Posts: 20
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Hungry Man
Sounds great.

Hopefully WebRequest doesn't get pushed back to 18 and we see it stable by December for Chrome 17.

Some good news: ContentSettings is out of Experimental (which is why some features such as referrer and user-agent spoofing were broken (which will be fixed today in a new experimental version)).

EDIT: v1.0.5.48 Experimental released, which fixes the spoofing/cookie-blocking features, and I've also developed and included the ability to block cross-domain XML HTTP Requests: https://code.google.com/p/scriptno/downloads/list

Last edited by andryou : November 15th, 2011 at 04:23 PM.
  #9  
Old November 15th, 2011, 05:27 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

Awesome - thanks.
__________________
  #10  
Old November 20th, 2011, 03:46 AM
ShirleyUGeste ShirleyUGeste is offline
Infrequent Poster
 
Join Date: Nov 2011
Posts: 4
Default Re: ScriptNo: Discussion

noscript forum challenged ScriptNo. here's part:

Quote:
Quote:
"You’re so mysterious. Who are you?

I’m a recent honors graduate from a business technology program from a university in Toronto, Canada, graduating with over 20 months of full-time work experience due to my co-op terms with world-class organizations such as CIBC and Canada Pension Plan Investment Board. If it’s any relevancy, I’m Chinese and I’m 23

Whereas Giorgio Maone has 20 years, not months, in developing, and freely gives his real name, e-mail address, company address and telephone number. You would trust an anonymous person to take complete control of your browser? What is he so afraid of?

and more, there were links about the various features listed:
Quote:
"A 'NoScript-like' extension"... Really? Aside from the name rip-off, does it have NoScript's level of:

XSS protection?
Clickjacking protection?
CSRF protection and WAN-LAN boundary protection?
Ability to force HTTPS security on sites that should have it (your bank), but may carelessly send insecure cookies?

Note that all of the above work even if you allow scripting globally.

the whole thing is here:
http://forums.informaction.com/viewtopic.php?f=8&t=7475

care to comment, Sir or Madam? all ears here.... tnx
  #11  
Old November 20th, 2011, 04:40 AM
vasa1 vasa1 is offline
Massive Poster
 
Join Date: May 2010
Posts: 3,988
Default Re: ScriptNo: Discussion

While I don't use ScriptNo, the posts by Shirley whatever is one more reason I prefer not to use NoScript in Firefox.
__________________
One can't be too rich, too thin, or too secure
  #12  
Old November 20th, 2011, 03:40 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

I commented in that forum about this.

Shirley, I think it's been obvious from the beginning that ScriptNo is a work in progress and is in no way a definitive replacement for NoScript - there are limitations.

There are definitely areas of NoScript not recreated in ScriptNo and it's possible that they simply can't be at this time.

That said, Chrome has XSS auditing built in and in terms of protecting from exploits there's nothing that will protect you on the level of Chrome.
__________________
  #13  
Old November 20th, 2011, 04:12 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: ScriptNo: Discussion

Aww, are fans getting their feelings hurt? Why do people feel the need to not only defend a freakin piece of software like it's a member of their family, but also attack others who are trying to make their own mark and help out as well? ScriptNo is a Chrome project, NoScript is Firefox. Nobody is hurting either ones' precious little extension. News flash, the people that use either extension and the guys developing them should be on the same team. ~Comment removed~

Last edited by ronjor : November 21st, 2011 at 11:30 AM. Reason: Off topic comment removed
  #14  
Old November 20th, 2011, 04:18 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

I agree that they should be working on the same team.

I think Tom was actually having a discussion though and I'm glad that he responded.

I'm happy when Firefox gets an idea from Chrome and I'm happy when Chrome gets an idea from Firefox - in the end the community benefits.
__________________
  #15  
Old November 20th, 2011, 06:02 PM
Daveski17 Daveski17 is offline
Massive Poster
 
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by dw426
Why do people feel the need to not only defend a freakin piece of software like it's a member of their family ... ?

Yes, you are quite right, it is ridiculous. Well, just as long as no one has insulted SeaMonkey, otherwise it will be definite aggro & fisticuffs outside, or possibly pistols at dawn.
__________________
Quis custodiet ipsos custodes?
  #16  
Old November 20th, 2011, 06:05 PM
Daveski17 Daveski17 is offline
Massive Poster
 
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Hungry Man
I commented in that forum about this.

Shirley, I think it's been obvious from the beginning that ScriptNo is a work in progress and is in no way a definitive replacement for NoScript - there are limitations.

There are definitely areas of NoScript not recreated in ScriptNo and it's possible that they simply can't be at this time.

That said, Chrome has XSS auditing built in and in terms of protecting from exploits there's nothing that will protect you on the level of Chrome.

Which kind of brings us back to whether Firefox with NoScript is as safe as Chrome.

AAAAAAAaaaaaaaaaaaaaaaaaaaagggggggggggggggggghhhhhhhhhhhhhhh!

Sorry, I'll get my coat.
__________________
Quis custodiet ipsos custodes?
  #17  
Old November 20th, 2011, 06:07 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

Right, which is why in the topic on that forum I said it's a silly discussion for that forum - the question isn't about security it's about capability in the extension.

I'm all for having that conversation (as you know! =p) but I'm not going to derail another topic about it.
__________________
  #18  
Old November 20th, 2011, 06:12 PM
Daveski17 Daveski17 is offline
Massive Poster
 
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Hungry Man
Right, which is why in the topic on that forum I said it's a silly discussion for that forum - the question isn't about security it's about capability in the extension.

I'm all for having that conversation (as you know! =p) but I'm not going to derail another topic about it.

Yes, so ... back to ScriptNo. I have no idea why it caused me so many problems. The question you could ask is that if Chrome is pretty safe 'out of the box' what security advantages does ScriptNo actually give?
__________________
Quis custodiet ipsos custodes?
  #19  
Old November 20th, 2011, 06:22 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

Blocking unwanted content is nice though I'm not sure it's working.

Blocking cookies from known ad/ malware domains.

Removing social widgets/ buttons will help stop tracking.

I personally use it mostly because I like these next two features:
1) User-Agent spoof - I have it say I'm on Firefox 5 Linux 64bit.

2) Referrer spoof.

I also have it block <object> <iframe> and <noscript> tags. That way most sites aren't broken and don't need to be whitelisted but those tags, which I rarely see, aren't shown.

I don't really think it adds any serious protection by blocking tags.

If I were to snap my fingers and add to Chrome security it would be to add a vetting system to extensions.
__________________
  #20  
Old November 20th, 2011, 06:23 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

Most extensions will basically add superfluous security.
__________________
  #21  
Old November 20th, 2011, 06:34 PM
Daveski17 Daveski17 is offline
Massive Poster
 
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Hungry Man
Blocking unwanted content is nice though I'm not sure it's working.

Blocking cookies from known ad/ malware domains.

Removing social widgets/ buttons will help stop tracking.

I personally use it mostly because I like these next two features:
1) User-Agent spoof - I have it say I'm on Firefox 5 Linux 64bit.

2) Referrer spoof.

I also have it block <object> <iframe> and <noscript> tags. That way most sites aren't broken and don't need to be whitelisted but those tags, which I rarely see, aren't shown.

I don't really think it adds any serious protection by blocking tags.

If I were to snap my fingers and add to Chrome security it would be to add a vetting system to extensions.

I think that Google are going to have to develop some form of vetting system pretty soon. I'm not holding my breath though.

I'm not sure how useful a UA spoofer is with Chrome. Chrome/Iron breaks very few pages for me. You're going to have to explain to me what a referrer spoof is & why it's useful.
__________________
Quis custodiet ipsos custodes?
  #22  
Old November 20th, 2011, 06:37 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

I like the idea of an exploit page thinking I'm on Linux =p

and referrer spoofing, i believe, means that if im on wilders and i get linked to abc.com abc.com will not see that i was just on wilders but that i was on abc.com all along.
__________________
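
The referrer spoofing described in the post above, as an added example (not ScriptNo's code and not written by any poster in this thread). `spoofReferer` is a hypothetical helper, the `.example` URLs are constructed sample data, and the listener registration assumes a Manifest V2 style extension with the `webRequest` and `webRequestBlocking` permissions.

```javascript
// Added illustration; spoofReferer is a hypothetical helper, not ScriptNo's code.
// Rewrites a cross-site Referer so the destination only sees its own origin.
function spoofReferer(requestUrl, requestHeaders) {
  const target = new URL(requestUrl);
  const selfReferer = target.origin + '/';
  return requestHeaders.map((header) => {
    if (header.name.toLowerCase() !== 'referer') return header;
    let source;
    try {
      source = new URL(header.value);
    } catch (err) {
      // Unparseable Referer: replace it rather than forward it unchanged.
      return { name: header.name, value: selfReferer };
    }
    // Same-origin navigation reveals nothing new, and many sites rely on it.
    if (source.origin === target.origin) return header;
    return { name: header.name, value: selfReferer };
  });
}

// Constructed sample request: a link followed from a forum thread to another site.
const SAMPLE_URL = 'https://abc.example/landing';
const SAMPLE_HEADERS = [
  { name: 'Referer', value: 'https://forum.example/showthread.php?t=1' },
  { name: 'Accept', value: 'text/html' },
];

function demo() {
  return spoofReferer(SAMPLE_URL, SAMPLE_HEADERS);
}

// In an extension background page the same function plugs into webRequest.
// Guarded so the file also runs outside the browser.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeSendHeaders.addListener(
    (details) => ({
      requestHeaders: spoofReferer(details.url, details.requestHeaders),
    }),
    { urls: ['<all_urls>'] },
    // Newer Chrome releases additionally require 'extraHeaders' to see Referer.
    ['blocking', 'requestHeaders']
  );
} else {
  console.log(demo());
}
```

Only the cross-site case is rewritten, so the linking site's thread URL and query string never reach the destination, while same-origin navigation keeps its original header.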
  #23  
Old November 20th, 2011, 06:37 PM
guest
 
Posts: n/a
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by dw426
Aww, are fans getting their feelings hurt? Why do people feel the need to not only defend a freakin piece of software like it's a member of their family, but also attack others who are trying to make their own mark and help out as well? ScriptNo is a Chrome project, NoScript is Firefox. Nobody is hurting either ones' precious little extension. News flash, the people that use either extension and the guys developing them should be on the same team. It's not a peeing contest (there ya go, JR, no need to remove any more of my text because of "clever alterations", lol).

rofl.

As long as you don't attack SmartScreen, I agree.
  #24  
Old November 20th, 2011, 06:49 PM
Daveski17 Daveski17 is offline
Massive Poster
 
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Hungry Man
I like the idea of an exploit page thinking I'm on Linux =p

LOL!

Quote:
Originally Posted by Hungry Man
and referrer spoofing, i believe, means that if im on wilders and i get linked to abc.com abc.com will not see that i was just on wilders but that i was on abc.com all along.

OK, yeah I can see why that could be a privacy issue.
__________________
Quis custodiet ipsos custodes?
  #25  
Old November 20th, 2011, 06:56 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

Yep.

Not exactly huge issues.

I would really like to see an XSS auditor built in if possible since I don't love Chrome's.
__________________
 


All times are GMT -4. The time now is 05:29 AM.

