ScriptSafe former ScriptNo: Discussion

Discussion in 'other software & services' started by andryou, Nov 15, 2011.

  1. andryou
    Offline

    andryou Registered Member

    Hi,

    I'm the author of ScriptNo, the Chrome extension that seeks to bring some "NoScript-like" features to Chrome (but not all due to current limitations in the Chrome API).

    Feel free to ask questions, post comments, and discuss ScriptNo here.

    I'll start off with the first question:

    This is related to me, but I didn't submit the story (I'm not Vineeth) and no shady financial deals went down to get the story published ;) I didn't know about that article up until now!

    Andrew
  2. Hungry Man
    Offline

    Hungry Man Registered Member

    Re: ScriptNo: Discussion

    Keep in mind that most of the issues with it will be solved with the WebRequest API, and an experimental version is already out:

    http://code.google.com/p/scriptno/wiki/ScriptNoExperimentalVersion

    To use that version you must go to about:flags and enable Experimental Extensions API. Restart the browser and then add the experimental version.

    There are still open issues and the developer has been away - he's back now (or soon) and apparently back to work (or soon to be.)

    EDIT: Oh you're the dev? .... lol whoopsies

    No questions really. I'm sure others will have some. Thanks for the project.
  3. guest
    Offline

    guest Guest

    Re: ScriptNo: Discussion

    Now that was funny. Lol. o_O
  4. m00nbl00d
    Offline

    m00nbl00d Registered Member

    Re: ScriptNo: Discussion

    That's what happens when a person is starving... They lose focus. :shifty:
  5. Hungry Man
    Offline

    Hungry Man Registered Member

    Re: ScriptNo: Discussion

    Any hints as to where development is going/ features to expect? Or is it a matter of focusing on currently open issues?
  6. andryou
    Offline

    andryou Registered Member

    Re: ScriptNo: Discussion

    Currently focusing on the WebRequest and ContentSettings APIs to bring reliable blocking methods into ScriptNo, and cleaning up code as I go along as well (I'm always for optimization) ;) I was contacted by Mike West of Google recently, who told me that the WebRequest and ContentSettings APIs have been drastically improved in the last month or two (while I was away), so right now I'm taking a look at them again.

    I'm also focusing on currently open issues, but the major and reproducible ones.

    Feature-wise, there may be a few more additional features to leverage the cookie/plugin/popups/notifications-blocking features provided by the ContentSettings API, but I will have to see how the API actually works in real scenarios.
  7. Hungry Man
    Offline

    Hungry Man Registered Member

    Re: ScriptNo: Discussion

    Sounds great.

    Hopefully WebRequest doesn't get pushed back to 18 and we see it stable by December for Chrome 17.
  8. andryou
    Offline

    andryou Registered Member

    Re: ScriptNo: Discussion

    Some good news: ContentSettings is out of Experimental (which is why some features such as referrer and user-agent spoofing were broken (which will be fixed today in a new experimental version)).

    EDIT: v1.0.5.48 Experimental released, which fixes the spoofing/cookie-blocking features, and I've also developed and included the ability to block cross-domain XML HTTP Requests: https://code.google.com/p/scriptno/downloads/list
    Last edited: Nov 15, 2011
  9. Hungry Man
    Offline

    Hungry Man Registered Member

    Re: ScriptNo: Discussion

    Awesome - thanks.
  10. ShirleyUGeste
    Offline

    ShirleyUGeste Registered Member

    Re: ScriptNo: Discussion

    noscript forum challenged ScriptNo. here's part:

    and more, there were links about the various features listed:
    the whole thing is here:
    http://forums.informaction.com/viewtopic.php?f=8&t=7475

    care to comment, Sir or Madam? all ears here.... tnx
  11. vasa1
    Offline

    vasa1 Registered Member

    Re: ScriptNo: Discussion

    While I don't use ScriptNo, the posts by Shirley whatever is one more reason I prefer not to use NoScript in Firefox.
  12. Hungry Man
    Offline

    Hungry Man Registered Member

    Re: ScriptNo: Discussion

    I commented in that forum about this.

    Shirley, I think it's been obvious from the beginning that ScriptNo is a work in progress and is in no way a definitive replacement for NoScript - there are limitations.

    There are definitely areas of NoScript not recreated in ScriptNo and it's possible that they simply can't be at this time.

    That said, Chrome has XSS auditing built in and in terms of protecting from exploits there's nothing that will protect you on the level of Chrome.
  13. dw426
    Offline

    dw426 Registered Member

    Re: ScriptNo: Discussion

    Aww, are fans getting their feelings hurt? Why do people feel the need to not only defend a freakin piece of software like it's a member of their family, but also attack others who are trying to make their own mark and help out as well? ScriptNo is a Chrome project, NoScript is Firefox. Nobody is hurting either ones' precious little extension. News flash, the people that use either extension and the guys developing them should be on the same team. ~Comment removed~
    Last edited by a moderator: Nov 21, 2011
  14. Hungry Man
    Offline

    Hungry Man Registered Member

    Re: ScriptNo: Discussion

    I agree that they should be working on the same team.

    I think Tom was actually having a discussion though and I'm glad that he responded.

    I'm happy when Firefox gets an idea from Chrome and I'm happy when Chrome gets an idea from Firefox - in the end the community benefits.
  15. Daveski17
    Online

    Daveski17 Registered Member

    Re: ScriptNo: Discussion

    Yes, you are quite right, it is ridiculous. Well, just as long as no one has insulted SeaMonkey, otherwise it will be definite aggro & fisticuffs outside, or possibly pistols at dawn. ;)
  16. Daveski17
    Online

    Daveski17 Registered Member

    Re: ScriptNo: Discussion

    Which kind of brings us back to whether Firefox with NoScript is as safe as Chrome.

    AAAAAAAaaaaaaaaaaaaaaaaaaaagggggggggggggggggghhhhhhhhhhhhhhh!

    Sorry, I'll get my coat. ;)
  17. Hungry Man
    Offline

    Hungry Man Registered Member

    Re: ScriptNo: Discussion

    Right, which is why in the topic on that forum I said it's a silly discussion for that forum - the question isn't about security it's about capability in the extension.

    I'm all for having that conversation (as you know! =p) but I'm not going to derail another topic about it.
  18. Daveski17
    Online

    Daveski17 Registered Member

    Re: ScriptNo: Discussion

    Yes, so ... back to ScriptNo. I have no idea why it caused me so many problems. The question you could ask is that if Chrome is pretty safe 'out of the box' what security advantages does ScriptNo actually give?
  19. Hungry Man
    Offline

    Hungry Man Registered Member

    Re: ScriptNo: Discussion

    Blocking unwanted content is nice though I'm not sure it's working.

    Blocking cookies from known ad/ malware domains.

    Removing social widgets/ buttons will help stop tracking.

    I personally use it mostly because I like these next two features:
    1) User-Agent spoof - I have it say I'm on Firefox 5 Linux 64bit.

    2) Referrer spoof.

    I also have it block <object> <iframe> and <noscript> tags. That way most sites aren't broken and don't need to be whitelisted but those tags, which I rarely see, aren't shown.

    I don't really think it adds any serious protection by blocking tags.

    If I were to snap my fingers and add to Chrome security it would be to add a vetting system to extensions.
  20. Hungry Man
    Offline

    Hungry Man Registered Member

    Re: ScriptNo: Discussion

    Most extensions will basically add superfluous security.
  21. Daveski17
    Online

    Daveski17 Registered Member

    Re: ScriptNo: Discussion

    I think that Google are going to have to develop some form of vetting system pretty soon. I'm not holding my breath though.

    I'm not sure how useful a UA spoofer is with Chrome. Chrome/Iron breaks very few pages for me. You're going to have to explain to me what a referrer spoof is & why it's useful ;) .
  22. Hungry Man
    Offline

    Hungry Man Registered Member

    Re: ScriptNo: Discussion

    I like the idea of an exploit page thinking I'm on Linux =p

    and referrer spoofing, i believe, means that if im on wilders and i get linked to abc.com abc.com will not see that i was just on wilders but that i was on abc.com all along.
  23. guest
    Offline

    guest Guest

    Re: ScriptNo: Discussion

    rofl.

    As long as you don't attack SmartScreen, I agree. :argh:
  24. Daveski17
    Online

    Daveski17 Registered Member

    Re: ScriptNo: Discussion

    LOL!

    OK, yeah I can see why that could be a privacy issue.
  25. Hungry Man
    Offline

    Hungry Man Registered Member

    Re: ScriptNo: Discussion

    Yep.

    Not exactly huge issues.

    I would really like to see an XSS auditor built in if possible since I don't love Chrome's.