Hm, that site writes: While I generally agree to keep the list of whitelisted sites as short as possible that quoted assertion is a bit overblown because: Nevertheless the whole story is another evidence why the scope-based approach in uMatrix is clearly superior: If you allow, e.g., googleapis.com in the domain-specific scope for xyz.com, it remains blocked for all other sites. This reduces the attack surface considerably.
If user doesn't want the default whitelist in NoScript then place this line into your prefs.js file located in the browser profile folder. user_pref("noscript.default", ""); All other entries (e.g.) about:addons, about:memory, etc. with this line: user_pref("noscript.mandatory", ""); Now you should see no entries listed in NoScript's Whitelist.
First the "Phone home" story and now this, it is definitely worrisome signs and an indicator on the direction NoScript seems to be heading. On the subject which one offers a better security, well that's still debatable since many claim that uMatrix and the likes are just a replacement of NoScript's most basic features and nothing more. (Anti-XSS, ABE, Clickjacking, XSLT etc)
Sorry, I forgot to reply. But I was talking about tools like MBAE and HMPA, who are designed specifically to block exploits. I wouldn't rely on script-blockers like NoScript for the simple reason that they will always break stuff. You're better off with tools like Adblock Plus and Ghostery, they will block most third party trackers and ads, that are often used in exploit attacks, so called "malvertising".
Thanks! I see this differently, though. Most sites which I open are sites which I visit frequently. It's no problem to configure my blocker (uMatrix) to not break them. Otherwise I prefer a default-deny policy as ABP and Ghostery are using lists that cannot be comprehensive enough by all means. And blocking unknown/new threats at their root is better than relying on 3rd party tools, IMHO.
Ghostery and AdBlock Plus also break stuff, just not as harshly as NoScript or Request Policy/UBlock Origin do... if an addon doesn't break something along the line, then it's not being utilised to its full potential (similar to the saying, "unused RAM is wasted RAM"). It all comes down to how hands-on you wish to be and how much trust you place in the stuff you use... Ghostery and AdBlock Plus - bottom of the barrel, good enough for the novice... NoScript, Request Policy, UBlock Origin - more for the hands-on user... EDIT: seriously, who uses default whitelists nowadays... with all the addons people are installing, using VPNs, getting hooked on anti-x programs... and then to leave a default whitelist untouched? Come on... drop the ball much?
Yes correct. But as soon as you browse to other sites than your favorites, it will start to become annoying, especially to "normal" users. The only reason why I'm using script-blockers is for speed, not for security. Because at some point, you will always have to allow some script to run, just to make stuff work. That's why I said that you can rather rely on anti-exploit tools.
Correct, but you can't compare them with script-blockers, who will block all third party scripts (depending on configuration), and break a whole lot more. And weeks ago, a couple of popular Dutch news sites (that I visit every day), were serving malware, guess what, I didn't notice a thing (I was using FF), even without running any anti-exploit tool. This means that ABP and Ghostery most likely took care of the problem.
Correct me if I'm wrong, but I don't think this statement is true at all. The point of the anti-exploit tools is to prevent exploits from working on programs. But javascript in a web page is not affected by EMET or MBAE. While yes, they are running inside a program that could be hardened, the purpose of XSS isn't necessarily to break through your browser. If a malicious user stumbles upon a blogging site (say blog.com) that isn't sanitizing the inputs of the comment feature, and then injects some script tags and javascript into the comment and submits it, that javascript will now run for anyone who visits that page (say blog.com/blogpost). If the attacker has only done something simple like inject an alert, that code will run in every situation except for when you are blocking all scripts on that domain (blog.com). While there isn't much harm being done with my example, it shows that anti-exploit tools like EMET and MBAE don't protect you (and even script blockers, depending on how you have them set up). The real danger from XSS is if instead of injecting simple javascript, they load scripts from external sites (say baddie.com) that allow them to do more like log your login credentials. In this case, if the domain (blog.com) is whitelisted then the script at (baddie.com) will not execute. This is where tools like uMatrix and NoScript help you and EMET and MBAE still don't. Now whether or not you can break out of a browser using javascript (I'd imagine there's probably ways) I'm not sure but in that case that is when EMET or MBAE would probably help you.
OK...so it looks that it shouldn't be scary due to explanation in NoScript's FAQ... https://noscript.net/faq#qa1_5 An interesting find on NS forum https://forums.informaction.com/viewtopic.php?f=10&t=17066&start=15 BTW...an interesting thread and interesting ideas because I'm "long-time user" of NS which is for me the most important Firefox's addon.
As I stated in my post, The point of my post was to explain at a basic level how script injection works and why programs like EMET and MBAE are irrelevant in terms of script control.
I'm not sure what you mean with that. But to clarify, I'm using an old version of both FF and Flash, and my security tools also didn't alert about a thing. So the chance is quite big that ABP and/or Ghostery took care of the problem.
I wasn't talking about attacks like XSS, I was talking about scripts that are being used to exploit browser vulnerabilities. When it comes to "malvertising" then ABP and Ghostery will do the trick. When it comes to malicious scripts trying to corrupt browser memory in order to make it execute malicious apps, then you can choose between more "aggressive" script-blockers like NoScript, or you can simply use anti-exploit tools, without having to worry about breaking web-pages.
