ScriptSafe former ScriptNo: Discussion

Discussion in 'other software & services' started by andryou, Nov 15, 2011.

  1. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Re: ScriptNo: Discussion

    I see now, it is blocking while prerendering but icon doesn't count or show. I had a look at Chrome's internal "JavaScript Exception" option page, it was blocking scripts. You can see real time interesting orange color blocking :thumb:
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Re: ScriptNo: Discussion

    this is a great addon and easy to use.

    all i have to protect me from myself on the internet is Chrome's own sandbox and UAC at maximum.

    the browser is often the most vulnerable target and this is where the war should be fought.
    right at the gates ;)

    i was up and running within 15 minutes after the Quickstart.
    very well done! :)
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    I'm not even sure Chrome needs something like NoScript/ScriptNo but it's not a bad idea to put it on anyways. You never know when some 0day for Chrome might popup.
     
  4. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Re: ScriptNo: Discussion

    right.

    i also like that it helps with security and privacy as well.
    it's almost like Ghostery is built-in as well
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    Yeah I think the best part about ScriptNo is the blocked content area like the social widgets, ads, and mdl. I also really like the referrer spoof.

    edit: I have really no reason to use it on my ChromeOS CR48 - there's no Java and I don't have to worry about Flash (Pepper Flash by default) or Chrome exploits or even Windows exploits.

    But I still use ScriptNo for the privacy features.

    With ScriptNo, HTTPS-Everywhere, and proxy-extensions that can force TOR I don't see Firefox as being the definitive "privacy-oriented" browser anymore. Or, at the very least, the gap between them is quickly being bridged.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    I'm wondering if ScriptNo will prevent SVG filter keyloggers.
     
  7. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Re: ScriptNo: Discussion

    I said "Latest version is really fast." I am taking my word back. ScriptNo shows some interesting behaviors. First opening of any page is slow. It is fast if page is loading with google prerendering, but slow with clicking bookmark or new tab page. After first load, second click in internal page link loading is fast. And ScriptNo shows more script blocking first load. Let's say it shows 12 script blocking after first load, but it shows 3 after second load and second load is fast. I hope you can understand me!

    Edit: I will give more example. I created a new profile and installed ScriptNo. If i enter wired.com, it counts script blocking and shows internal Chrome script block icon in omnibox. In my default profile it doesn't show any blocking script, it only shows internal Chrome script block icon. Isn't it supposed to be like that? Let's say i enter a site that i have never entered before. ScriptNo shouldn't show any count. But it shows. Am i right?
     
    Last edited: Feb 21, 2012
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    I've been having problems between ScriptNo and -https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?path=Win/

    Every single time I open that link, the tab freezes. I can't even scroll down. If I disable ScriptNo and then reopen the link, then after a few, normal, seconds, the page loads.

    Can anyone reproduce it?

    I'm on Chromium Developer Build 123706. But, it happened with other previous builds, as well. I'm downloading the latest build right now.

    Another question. There's a test page for the extension NotScripts -http://optimalcycling.com/other-projects/notscripts/

    I tested it with ScriptNo, and it wasn't able to block the pop-up windows. I'm not sure if ScriptNo should be blocking these? I'm new to it. :D


    Thanks
     
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Re: ScriptNo: Discussion

    it works fine here on Chrome Portable 17 stable with ScriptNo engaged.

    i tried here and ScriptNo blocked those scripts.
    you sure you haven't whitelisted that site by mistake?

    off to bed for now but i'll check in tomorrow.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    Maybe a thing between Chromium and ScriptNo... I suppose it comes with the territory. :D

    I'll test it again. Will report back. Maybe, just like the other issue, most likely incompatibilities with Chromium... :doubt:


    Thanks!
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    -edit-

    It cannot block those pop-ups. :( Nothing is being allowed, except the fact I had to allow JavaScript in the browser itself, for the test to work. Other than that, I didn't allow anything in ScriptNo.

    I suppose it just doesn't work properly in Chromium. :doubt:

    In the Options, the only thing I'm not blocking is <img>; everything else is blocked. There's nothing in the whitelist either.
     
  12. tlu

    tlu Guest

    Re: ScriptNo: Discussion

    Giorgio Maone thinks otherwise ;)
     
  13. Narxis

    Narxis Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    477
    Re: ScriptNo: Discussion

    Very good extension. This is what i needed when i moved from Firefox to Chrome.
     
  14. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Re: ScriptNo: Discussion

    use Chrome then.
    i think the 'exploit' shown in the link you posted ---http://optimalcycling.com/other-projects/notscripts/ was an eye opener for me.

    i'm no expert, but if a javascript can open popup windows, it could do something more destructive.

    the battle has to be waged at the front-line, and that's the browser...
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    That could be an option, yes. I'm afraid I'm too addicted to Chromium, though. o_O I get to use the newest* enhancements, after all. :D Anyway, I can have JavaScript disabled globally, as I've been using anyway.

    I know I could use Google Chrome Canary as well. But, with Chromium I only have to download the zip file and extract where I want it, without having to install it. I could do that with Google Chrome as well, but if the installer is protected the same way the stable version installer is, then it's no easy deal to extract the contents. I never tried to use the Canary version, though. I also like the fact that, because Chromium isn't digitally signed, in my configuration it won't be able to self-elevate. I like that.

    :thumb:
     
  16. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Re: ScriptNo: Discussion

    some websites won't even work properly if you cut all javascripts.

    how do you go on then when in some case you can't even navigate the site without javascripts?
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    I allow JavaScript temporarily to the websites that need it. ;) Any important service, such as e-mails, etc are used in separate, very restricted profiles under different user accounts and all that stuff. o_O :D

    Yep, I know that whitelisting JavaScript for a domain could result in those kind of pop-ups, though. Just not that much worried about it. It would be nice if ScriptNo worked with Chromium, I don't deny... :)

    Who knows if it will start working, at some point... :D
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    Hmmm...

    What does one thing have to do with the other? One thing is a sandbox to help protect against unknown/known vulnerabilities (that should be the aim, especially against unknown ones ;) not to help lazy developers :ouch:). Another thing is protection against things like XSS, etc

    So, no... sandboxes are not overrated. Nor is XSS protection. How about having all that? ;)
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Re: ScriptNo: Discussion

    and how is that done?

    do you have to click on the Wrench/Options/Under the Hood/Content Settings/Javascripts Manage Exceptions/ and enter that manually?

    every time? o_O
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    No. :argh: When you block JavaScript globally, you'll see the JavaScript icon in the address bar, which means JavaScript is being blocked. If I really need to allow, I just right-click it and choose Allow JavaScript on <domain name>.

    One thing I like about Chromium (I don't know if it's working this way in Google Chrome stable/developer/canary versions.), is that, if running in Incognito session, then the whitelist will only be good for the current session.

    Any website I know before hand I'll need to allow JavaScript every time, I simply add it to the settings, without applying it to the Incognito session. This way the whitelist is kept.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    And I'm sure we disagree about much much more lol
     
  22. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Re: ScriptNo: Discussion

    i see.
    u had me worried there, for a moment! :D

    anyway, i highly recommend you give ScriptNo a try when you have the time.
    it's a very nice utility to have around. :thumb:

    what i like about it is that even when you whitelist a site it will still block the 'unwanted' scripts.
     
  23. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Re: ScriptNo: Discussion

    The quote, to which Maone agreed, was followed by another sentence in that Ars Technica article which puts the quote into (your) perspective;

    'As useful as sandboxes are in restricting potentially buggy code to a small part of the operating system, they do nothing to minimize the damage that can be done by attacks that exploit universal XSS flaws, researchers said.

    "Adobe and Google, when they create their sandboxes, they're designing them to stop memory corruption vulnerabilities," Chris Rohlf of Leaf Security Research told Ars. "To their credit, the sandboxes do a good job of stopping memory corruption vulnerabilities, but they're simply not designed to stop these sorts of things."
    ' link
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    The sandbox in Chrome/ IE/ Flash is basically designed to stop malware from being persistent on the system/ being able to read/write to files they don't need.

    Maone was not the first to say "Hey, can't malware just work within the sandbox?" Yep, it can.

    It's not like Chrome relies on the sandbox and doesn't have an XSS filter - it does.
     
  25. tlu

    tlu Guest

    Re: ScriptNo: Discussion

    Agreed. However, I sometimes have the impression that some people here think that the Chrome sandbox is the solution against nearly any internet related threat and everything else is second-rank. It's not, IMHO.
     