Using Chrome's build NOSCRIPT functionality

Title says it all, exceptions to enter

[*.]xxx where xxx = COM or NL (high level domains

HTTP://* all HTTP sites

HTTPS://* all HTTPS sites

File:///* allow data

FTP:///* allow FTP

These options can be set to ALLOW, BLOCK, or for SESSION ONLY,

When running INCOGNITO, Chrome add's a temporarely allow (or allow once), beause it offers the extra CURRENT INCOGNITO SESSION setting.

Pictures should explain all

 

No offense meant, Kees, but: If you allow JS in Chrome for a specific site, you also allow all 3rd party scripts. That's why I think that comparing this functionality with Noscript is grossly misleading. You better use ScriptSafe even if it's not 100% reliable due to crappy Chrome APIs. Hopefully this will change with the upcoming chrome.declarativeWebRequest API.

 

Mentioned already... https://www.wilderssecurity.com/showthread.php?t=323783&highlight=noscript

Memory failing? Hope not.

 

Yes, I was also surprised that Kees is presenting this idea once again ...

 

Nope, request to explain with PICTURES

 

TLU, for NOSCRIPT one has to use FireFox. NOSCRIPT is a security improvement, no argueing about that. Please have a look at this: https://www.wilderssecurity.com/showpost.php?p=2165075&postcount=28025 The problem of Noscript is not Noscript, but the application it is running on is the problem.

 

Kees, we are not talking about comparing FF and Chrome in general. We are talking about blocking scripts. My point was that a method that automatically allows all 3rd party scripts once you "whitelist" a specific domain is flawed. Noscript doesn't do that, and that's why suggesting that this functionality is equivalent with Noscript is questionable (to say the least) even if we ignore that Noscript offers a lot more than script blocking.

 

Comparing my history with malwaredomains lists, it seems that if you blocked "foreign" domains/TL along with subs with numbers and hyphens, you would stop tons of attacks and have few breakages.

I have been using Kees1958's rules but without incog because I need my history/reopen tabs. Hasn't been a problem. I very seldom need to allow and it's on sites clearly not running malware eg last.fm or what.cd.

I actually alllow global scripts in NoScript. Just use the XSS engine, safe click, ABE, protect plugins and blacklist scripting poo on sites I frequent to improve page loads and privacy. Otherwise, it's too granular and you are back where you started: just allowing scripts to run because you don't wan't to sort through a huge list.

Admittedly, I like the controls more in NS...especially the ability to not require incog for one-offs, but this is what it is--the closest thing in Chrome to NS that actually works and doesn't slow the browser. The combo of Kees' idea with Chrome's sandbox is very strong daily security, iMO.

 

Well, to be fair to Kees, he never presented the idea before, so... it's the first time he has done it.

 

Sordid, sSame here,

I know Kees has ranted against Sandboxie (which I use) and FF (which I don't use). But let's be honest: in the end Tzuk implemented his critigue and he (kees1958 ) congratulated Tzuk with the low rights improvement, on the other hand Tzuk himself admitted that the appcontainer of windows 8 tiles did not need SBIE.)

Same thing with his (Kees195 rants against FF, he showed me policy templates of NSA advising Chrome (no FF was mentioned), his arguments seems to be underwritten by studies (although one of the institutes doing the research was sponsored by Gooogle ), stilll it makes sense.

I can see some logic in his rants against FF, Noscirpt is a great add-on, pitty it is only available on the (security wise) worst browser of them all.

Not so newby anymore

Newby

 

TLU, you are totally right on the aspect of control granularity. In all fairness, scripts running in Chrome are much more restricted than scripts running in Firefox, so on the aspect of security, the underlying security context should be taken into the equation.

Let's make it simple for others to understand: with Noscript it is possible to control the doors in a building, making difference to french doors (opening left or right door), barn doors (opening top half or whole door), back door, front door etcetera. Trouble with FF it allows you to access all doors (and thus all rooms in the building).

This scripting control in Chrome does not make a difference between diferent type of doors, you either lock it or open it. With Chrome the number or ROOMS a script is allowed to OPEN a door is limited. A page script may (re)direct to it's own room or (in case of third party scripts) to the room of its parent (in case of cross site url's requests). For third part scripts this implies that the stumble-upon script may redirect to the stumble-upon website (when triggered by the user), the face book third party script may redirect to face book website (when triggered by the user), What a scarry script story that is.

 

It's Chrome for me using Scriptsafe and Group Policy control, the latter of which thanks to Kees , but I sure would like to see Scriptsafe get on par with NoScript. I suppose if that API issue, whatever it is, gets fixed then maybe it will be.

 

I wonder than if Chrome can protect from drive by downloads restrict start/run of applications and is it possible to disable downloads in the first place?

 

As tlu above mentions, use Safescript and it's pretty tough to beat, even though it's not perfect. Also minimize the number of extensions and plugins to only those you need.

 

Ok, I'll do that, thanks for the help.

 

To block downloads create a reg file (copy text in notepad and save as All Files with .reg extension, eg. Block_Download.reg)

*********************
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000003

;the 1806 trick

 

To enable downloads create a reg file (copy text in notepad and save as All Files with .reg extension, eg. Allow_Download.reg)

*********************
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000001

;the 1806 trick