ScriptSafe former ScriptNo: Discussion

Re: ScriptNo: Discussion

I think it is fair to note that:

XSS and CSRF are built into Chrome by default. Thankfully the WebRequest API will take care of HTTPS forced requests and we'll see how clickjacking gets taken care of in the future if at all.

 

Re: ScriptNo: Discussion

The latest experimental version is working very well now. No more "aw snap" browser crashes on certain sites.

One thing I like is how all the options are on one page instead of tabs as in NoScript. Maybe the options page could be made wider to fit on a wide screen monitor.

 

Re: ScriptNo: Discussion

You're not helping with that attitude, lol. Smartscreen isn't Gods' gift to security or anything magical, it's just software. It can succeed and it can fail, and has failed numerous times.

 

Re: ScriptNo: Discussion

ShirleyUGeste sounds very much like Surely You Guessed (who I am) maybe after a couple of pints to get the slurry stuff right. Anyway, it's ironic to see an anonymous poster attack a software dev for not being known

 

Re: ScriptNo: Discussion

Oh, hm, I thought it was Surely you Jest because their post was hilarious.

 

Re: ScriptNo: Discussion

I went with the other one because posting with another id has been done on the AdBlock Plus forum in the past. There, they, the ABP guys, pointed it out with details.

 

Re: ScriptNo: Discussion

http://forums.informaction.com/viewtopic.php?f=8&t=7475

The creator put hours of work into his responses and we were PMing as well. I think lots of Wilders might be interested in reading our back and forth and I'm sure there will be more tomorrow.

 

Re: ScriptNo: Discussion

And has succeeded more times than failed, arguably.

@Hungry Man

Tom T isn't Noscript's creator. Giorgio Maone is the creator and Tom T is only a moderator/support team member/whatever name you give to a dedicated fanboy that works for free.

And I saw this on your last post: "I read this a lot - my hacker friends and my security researcher friends have very very different ideas about security haha I'm not always sure that this statement is quite right."

Elaborate, please.

 

Re: ScriptNo: Discussion

Agh, I'm very tired. I definitely know he's not a dev and is just a mod.

My hacker friends look at a hack very differently than my researcher friends. They have different standards for what's legit and what isn't.

Having the know-how for attacking doesn't mean you're the best man to defend. Having the know-how for defending doesn't mean you're the best man to attack.

They're different games played on the same field.

 

Re: ScriptNo: Discussion

And who succeeds more often?

 

Re: ScriptNo: Discussion

Hi,

In response to the quoted statement, attacking or degrading a developer who invests time and effort into creating and maintaining a project (for free with no guarantee of donations) based on his or her age does not help any cause and in fact lowers the morale of the developer. It is a form of discrimination (ageism), and the skills/qualities/integrity of a developer cannot be judged on age alone. I'm not attacking Georgio or NoScript by mentioning this (I truly respect the man) but can anyone remember "NoScript's Black Friday", the time where obfuscated code was inserted into a NoScript release in order to disable part of Adblock Plus' filtering capabilities? http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/

I, for one, had forgiven Georgio right after I had read his apology a couple of years ago and believe he is an excellent developer and that NoScript is a great contribution to the Internet.

I've taken a deep breath and clicked on the link to read more, and here's what immediately follows Tom T.'s little blurb above (I've read through the rest of the topic and was glad that there were no more personal attacks):

I prefer to keep my privacy because while I am responsible for ScriptNo, I am cognizant of many different possibly scenarios if I did put my real name, e-mail address, address and telephone number out there. I can think of one based on some responses and reactions to the ScriptNo project so far => hate messages/mail.

I have put my best into ScriptNo, and I strongly believe in: transparency (hence why I put the entire source code for each new release available for scrutiny on Google Code), communication (timely and detailed), and service (why I created this topic and why I respond to questions via email, forums, or the webstore frequently).

As for the second question, ScriptNo is limited by Chrome's API (as we all know), and as mentioned, some of them are integrated in Chrome itself. I've been in touch with a Chrome developer who is directly involved with the WebRequest and ContentSettings APIs.

 

Re: ScriptNo: Discussion

Hey, don't worry and don't get discouraged by some anonymous attacks. Your code is open and that's what matters. I don't understand the sharp reaction from these anonymous sources who obviously don't want competition from anyone even if it's for a browser that isn't covered by them.

 

Re: ScriptNo: Discussion

@andryou

I think that you are probably wise in not revealing too much about your identity, exactly for the reasons you state.

I would also like to say that I admire your attempt at a NoScript type extension for Chrome. Although my knowledge of computers is a trifle basic, I am also aware of some of the problems of making an exact NoScript equivalent for Chrome.

Unfortunately ScriptNo didn't work for me when I tried it & eventually it crashed & burned Chrome. Because of that, I will admit to being guilty of calling it a few rude names at the time LOL! ...

However, I fully understand that it is in many respects experimental & I think eventually it could be pretty good, I liked the UI & overall look. I think it was an improvement on 'NotScripts' & I would consider trying ScriptNo again in the future after more development.

Good luck for the future.

Dave

 

Re: ScriptNo: Discussion

Thanks vasa1 and Daveski.

@Daveski: ScriptNo not working for someone is the last thing I want to hear! What OS are you using and what symptoms occurred? And no worries.

 

Re: ScriptNo: Discussion

I tried it on my Belnea o.book (Notebook) running Vista (32 bit). ScriptNo just didn't block any scripts, almost as if it was not working. I then uninstalled ScriptNo & re-installed after initiating Experimental Extension APIs in about:flags.

Then Chrome just kept crashing, in fact I had to make a clean install of Chrome. It didn't work on SRWare Iron either.

I had other extensions, if that is significant. ABP, Flashblock, Ghostery, Google Dictionary, IE Tab, Readability, WOT & Trust My Web.

I tried disabling these one by one & there was no effect on ScriptNo not working.

I am at a loss as to why it was such a problem.

 

Re: ScriptNo: Discussion

I'm not, your computer is always having some sort of issue. Yahoo kept you down a good long while Your system and mine are probably two of the pickiest systems on this big chunk of rock we call a planet (Just a note, I'm not having issues with ScriptNo myself, just having a little fun with Dave here)

 

Re: ScriptNo: Discussion

Yeah, but everyone has problems with Yahoo!, that's nothing unusual.

Maybe we're jinxed in some way?

 

Re: ScriptNo: Discussion

Which extensions offers this possibilities please ?

 

Re: ScriptNo: Discussion

They're built in. No extensions necessary for XSS and CSRF.

 

Re: ScriptNo: Discussion

Most hackers don't become defense guys. Most defense guys don't become hackers.

And I think your privacy should be respected. That's what I told Tom as well - we can see your code and that's what's important. I don't see accountability as a security necessity, in my experience it doesn't work.

He later elaborated that his issue is that ScriptNo shares a very similar name to NoScript while not providing the full feature set and he thinks users might get confused.

 

Re: ScriptNo: Discussion

Psychiatrists exist for a reason - to help people solve their issues.

That aside, I came to realize that a conversation between web developers can be quite cumbersome.

This would be a possible dialog:

Developer A: Do you think I should use noscript?
Developer B: Why not? It works great.
Developer B: It blocks scripts, Java and a few other stuff. It also forces https.
Developer A:
Developer B:
Developer A: Are you joking with me?
Developer B: No...
Developer A: I think you are...
Developer B: Well, I'm not. Noscript does all that. What's your doubt?
Developer A: I just didn't realize the noscript tag allowed all that.

So, who came up first with the term noscript?

 

Re: ScriptNo: Discussion

I suppose. But when most people see an extension called ScriptNo they don't think "oh it's like those tags" they think "oh it's like that other extension called NoScript." I can see his issue with it.

Still, like I told him the ScriptNo page makes no claims to provide all of the protections available to NoScript and it merely states that it borrows some concepts.

 

Re: ScriptNo: Discussion

Don't know. Don't care. But we've all seen this:
http://www.w3schools.com/html/html_scripts.asp

 

Re: ScriptNo: Discussion

But there wasn't need for the ad hominem stuff.

 

Re: ScriptNo: Discussion

Just to give you company, I've put my beloved Privoxy aside and installed this much-maligned ScriptNo. And ... no crashes, no hangs so far. Though it must be said I have a poor record as far as browser instability goes. Fx and Chrome just can't be bothered troubling me.


Plus there's the stability of Linux gratuitous plug here When are you joining us on the dark side, Daveski