ScriptSafe (formerly ScriptNo): Discussion

Discussion in 'other software & services' started by andryou, Nov 15, 2011.

  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    Layers are nice. No one can really say "X feature is better than Y" and be 100% objectively correct. Security features just can't be compared like that especially when you start taking "real-world" security into account with an ever-changing threat landscape.

    The sandbox has its specific purposes and they don't have much to do with XSS. For that Chrome has an XSS filter, which works fine.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    You're absolutely right when you say that it isn't a solution against everything. But there's a difference between saying that and saying that it's overrated.

    Otherwise, if we look at it from Maone's perspective, then anyone could say "As useful as XSS protection is, it does nothing to minimize the damage that can be done by attacks that exploit browser and plugin vulnerabilities."

    Correct? :) So, I think we agree that all of these mitigation techniques, XSS protection, sandboxing, etc., are all very welcome. :)
     
  3. tlu

    tlu Guest

    Re: ScriptNo: Discussion

    We do :thumb:
     
  4. lipsin

    lipsin Registered Member

    Joined:
    Mar 19, 2012
    Posts:
    16
    Re: ScriptNo: Discussion

    ScriptNo bugs? By design? Or just plain broken?

    ScriptNo version: 1.0.6.X (latest); Chrome: 18 beta

    Assume an empty whitelist and the default block-everything setting.

    1) Visit the Google homepage from the address bar or by clicking a bookmark.

    www.google.com

    Expectation: No script on the Google homepage should be allowed to execute.

    Result: The Google homepage black bar drop-down menu works. (Script executes)

    On further testing, it seems that as long as any site is loaded from the address bar or a bookmark, it does not block the majority of the scripts; scripts execute like business as usual. Only a 2nd refresh will block all those scripts.

    Meanwhile the menu shows everything as still blocked.

    2) Confirmed all scripts for a site are blocked, including all 3rd-party scripts.
    Temp-allowed the current site domain.

    Result: Almost all scripts are executed, including the majority of 3rd-party referenced scripts.

    Example: http://www.soyacincau.com/2012/03/19/samsung-galaxy-s-iii-to-feature-quad-core-exynos-4412-possible-1-5ghz-clock-speed/

    All kinds of 3rd-party scripts also execute: ads, social widgets, and, the most visible part, the commenting platform also loads.

    It seems almost all scripts, including 3rd-party ones, are executed.

    Meanwhile the menu icon shows only the current domain as allowed, and all detected 3rd-party scripts/domains as blocked.

    3) An extremely simple page using JavaScript and jQuery, hosted on Dropbox.
    https://dl.dropbox.com/u/6589730/test.html

    It contains an inline script and references Google-hosted jQuery code.

    Basically it just changes the text color from red to green.

    It can demo problems 1) and 2).

    Firefox + NoScript = OK, works as expected
    Chrome + NotScripts (not updated for a long time) = also OK, works as expected

    Blocked until both the inline script and the referenced script are allowed.

    Chrome + ScriptNo is not working as expected at all,
    either in situation 1 or situation 2.
    The text color keeps changing from red to green,
    while the menu icon still shows incorrect feedback.

    In the prior version, the problem is mainly the unreliable problem 2).

    The latest version, with the webRequest API, makes problems 1) and 2) even worse.

    ScriptNo is a very nice extension for Chrome, but unless I am missing something, it is badly broken for now.
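
A self-reporting canary page of the kind described in the post above, as an added example that is not lipsin's test page or ScriptNo code: each row turns green only if that class of script actually ran, so the outcome can be compared with what the blocker's menu claims. The element ids, the jQuery version and the use of the Navigation Timing API to tell a first load from a refresh are assumptions of this example.

```html
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Script-blocker canary (constructed example)</title>
<style>
  .state { color: red; }        /* default: nothing ran */
  .state.ran { color: green; }  /* set only by the script class named in the row */
</style>
<script>
  // Inline helper: flips one row to green. If inline script is blocked,
  // this function never exists and every row stays red.
  function mark(id, text) {
    var cell = document.getElementById(id);
    cell.className = 'state ran';
    cell.textContent = text || 'executed';
  }
</script>
<!-- Third-party reference, as in the post's test page (jQuery version is an assumption). -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
</head>
<body onload="mark('handler')">
<table>
  <tr><td>inline script</td><td class="state" id="inline">blocked</td></tr>
  <tr><td>inline event handler</td><td class="state" id="handler">blocked</td></tr>
  <tr><td>third-party script</td><td class="state" id="thirdparty">blocked</td></tr>
  <tr><td>navigation type</td><td class="state" id="nav">unknown</td></tr>
</table>
<script>
  mark('inline');
  // window.jQuery is defined only if the external file was fetched and executed.
  if (typeof window.jQuery === 'function') {
    mark('thirdparty', 'executed (jQuery ' + window.jQuery.fn.jquery + ')');
  }
  // "navigate" = first load (address bar, bookmark, link); "reload" = refresh.
  // The thread reports different blocking between these two cases.
  var entry = performance.getEntriesByType('navigation')[0];
  if (entry) { mark('nav', entry.type); }
</script>
</body>
</html>
```

Load it once from the address bar and once with a refresh in a clean profile containing only the blocker under test; with a default-deny policy every row should stay red in both cases.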
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    Make a bug report?
     
  6. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Re: ScriptNo: Discussion

    @ lipsin:

    welcome to the forum and thanks for the heads up! :thumb:

    i've been using ScriptNo for a few weeks.
    i don't think i could have spotted these issues as i simply don't understand enough about how these things work.

    thanks again for pointing this out! :)
     
  7. lipsin

    lipsin Registered Member

    Joined:
    Mar 19, 2012
    Posts:
    16
  8. lipsin

    lipsin Registered Member

    Joined:
    Mar 19, 2012
    Posts:
    16
    Re: ScriptNo: Discussion

    ScriptNo's popularity grows day by day.

    Many tech sites promote this as the NoScript alternative for Chrome, even aggressively, as the www is now so sensitive to privacy or security things.

    The UI and control it presents are, for me, much nicer than Firefox NoScript.

    But if this defect is true, it just can't be trusted; too scary.

    The result is not what the user expects and may even give the user a false expectation.

    For me this is not just yet another bug like usual; this almost made the extension useless, as the user can't be sure the extension runs the way it shows the user.
     
  9. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Re: ScriptNo: Discussion

    Just wait until this summer and NoScript will be incoming :)
     
  10. lipsin

    lipsin Registered Member

    Joined:
    Mar 19, 2012
    Posts:
    16
    Re: ScriptNo: Discussion

    Insider news? Firefox NoScript Chrome port? :D
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    I'm not sure when Maone will port it. If we consider ScriptNo at the very least a successful POC (I would call it more than that as it's actively improved) then NoScript could come at any time.

    That said Maone may not want to bring NoScript to Chrome unless he can bring every feature, including XSS and ABE to Chrome, which won't happen.
     
  12. lipsin

    lipsin Registered Member

    Joined:
    Mar 19, 2012
    Posts:
    16
    Re: ScriptNo: Discussion

    Glad to hear that.

    Hooked on ScriptNo's extremely detailed control for the user (UI much better than NoScript).
    Too bad the latest version is just a disaster.

    Hopefully the ScriptNo developer resumes working on ScriptNo soon.
     
  13. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Re: ScriptNo: Discussion

    I found it on the official forum, from the developer himself. I've lost the link, sorry, but I can search for it again.
     
  14. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Re: ScriptNo: Discussion

    the dev is a student at the U of Toronto.

    he might be a little busy ;)
     
  15. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    I wonder what's taken so long. And I'm interested to see what he manages to implement.
     
  17. lipsin

    lipsin Registered Member

    Joined:
    Mar 19, 2012
    Posts:
    16
    Re: ScriptNo: Discussion

    Chrome only recently enabled the webRequest API.

    HTTPS Everywhere also surfaced because of this.

    Adblock and Ghostery also only recently adopted the API.

    Maybe he is just waiting for the dust to settle to start working on it.

    Besides that, his comments on Chrome are usually not that good compared to Firefox. Maybe he also needs to overcome some personal preferences.
     
  18. lipsin

    lipsin Registered Member

    Joined:
    Mar 19, 2012
    Posts:
    16
    Re: ScriptNo: Discussion

    From his Twitter, maybe he is working now.

    He said he would look into it, but it seems that was a few weeks ago.

    My own opinion: he should take down the latest version for now and push the old version as a stopgap measure.

    At least the old version is still working, although not perfect.

    Meanwhile the latest version's defect sometimes makes it function like Chrome's default JavaScript blocking feature.

    The sad part now is that it gives a false privacy/security expectation to the user.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    I'm not really experiencing any issues, honestly. I can see what scripts are loading on the page and when I block them, they're blocked.
     
  20. lipsin

    lipsin Registered Member

    Joined:
    Mar 19, 2012
    Posts:
    16
    Re: ScriptNo: Discussion

    Just test with a clean profile. Most of the time other extensions like Adblock or Ghostery do the job of blocking and cloak the situation.

    Install ScriptNo only.

    Just enter these 2 sites:
    www.google.com
    or
    http://optimalcycling.com/other-projects/notscripts/

    Enter those sites from the address bar.

    You cannot miss the effect: the Google black bar drop-down menu should not work, and the NotScripts site test area should not pop up multiple windows when clicked.

    And you will see the initial load never blocks anything, even if you explicitly deny or distrust the Google domain.

    Only a 2nd refresh will start to block.

    The old version of ScriptNo does not have this problem.

    The latest version with the webRequest API has this problem, and so does the old experimental version with the webRequest API turned on.

    This is just defect 1.

    Defect 2, described in the post above, is even scarier.

    Just test the link in a clean profile.

    Even with an explicit distrust of the "IntenseDebate" commenting platform, the script still loads.

    All tested in Chrome 18 beta on Windows, Linux and Mac platforms.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    The black bar isn't loaded with Javascript. Try clicking any of the links - you'll realize that it's just html hyperlinks.

    It blocked it fine here.

    It may be having some issues, I'll have to look further on a clean profile. But it seems plain that it's blocking scripts on many sites if only because those sites outright break.
     
  22. lipsin

    lipsin Registered Member

    Joined:
    Mar 19, 2012
    Posts:
    16
    Re: ScriptNo: Discussion

    Google black bar drop-down menu (on the far right)

    Yes, the Google home page is scripted. If we disable JavaScript in Chrome itself, nothing works.

    Clean Chrome 18 with new profile + ScriptNo

    Several screenshots are attached below, with RED regions which are not supposed to appear if scripts do not execute or are not allowed.

    Note:

    Applicable to the default option (everything blocked by default), but this time I explicitly deny/distrust those sites to show that it does not honor the settings.

    Applicable to a new tab, manually entering a URL in the address bar, clicking from the bookmark bar, or some weird button or link clicks.

    Not applicable to right-click open link, or Control-click / Command-click on a link.

    And everything blocked after we refresh the page.
     

    Attached Files: 1.png (119.3 KB), 2.png (234.6 KB), 4.png (174 KB), 3 2.jpg (36.2 KB)
    Last edited: Mar 22, 2012
  23. lipsin

    lipsin Registered Member

    Joined:
    Mar 19, 2012
    Posts:
    16
    Re: ScriptNo: Discussion

    This is the result with NoScript or ScriptNo (old version).

    Using Firefox NoScript as the example.
     

    Attached Files: 11.png (79.8 KB), 22.png (187.1 KB), 33.png (54 KB), 44.png (125.4 KB)
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    See, that's strange because when I go to youtube and ytimg isn't whitelisted it really does block all of those images.
     
  25. lipsin

    lipsin Registered Member

    Joined:
    Mar 19, 2012
    Posts:
    16
    Re: ScriptNo: Discussion

    Discovered new weird behaviour thanks to you.

    Setup: Ubuntu 12.04 beta + Chrome 17 stable + ScriptNo 1.0.6.2

    Usual steps:

    1) Open Chrome.
    2) Manually enter "youtube.com"
    3) Observe the result.

    Part 1:

    Fresh Chrome browser, no cached data.

    Perform the steps.

    Indeed no images are displayed.

    Close and exit the browser.

    Part 2:

    Reopen Chrome.

    Perform the steps.

    Now images are displayed.

    And it reproduces every time.
     

    Attached Files: 011.jpg (79 KB), 022.jpg (75.2 KB)