Do you use NoScript (Firefox Addon)

Discussion in 'polls' started by Joeythedude, Jan 4, 2012.

Do you use noscript to handle Javascript

  1. Yes: 91 vote(s), 52.0%
  2. No: 84 vote(s), 48.0%
  1. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    OK, I understand what you mean now (I think). ;)
     
  2. tlu

    tlu Guest

    I had asked that question before but never got a response: The XSS filter in Chrome was disabled in earlier versions because of performance considerations. Is there a reference that confirms that it has been re-enabled? I haven't found any.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's been enabled since Chrome 13. Chrome 11 introduced the experimental version.
     
  4. tlu

    tlu Guest

    Thanks :thumb: Do you have any source for that?
     
  5. tlu

    tlu Guest

    :D Okay, I was just pointing to the fact that there are alternatives for WOT. And at least you have the chance to make a decision - you won't if you allow scripting globally.

    Has this issue been fixed in the meantime?
     
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I can't find a source and I'm going by memory. But since I know Chrome's XSS auditor has been bypassed* it's safe to say that it's on.

    *The bypass is significantly difficult to pull off and requires the attacker already having partial control over a large part of a page.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  9. tlu

    tlu Guest

  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    I used to use it. For quite some time actually. Eventually I found it to just be too much work.
     
  11. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    There's this switch:
    Code:
    --disable-xss-auditor
    which I came across here and also

    Code:
    --disable-xss-auditor ⊗ 	Disable WebKit's XSSAuditor. The XSSAuditor mitigates reflective XSS. 
    over here
     
  12. wat0114

    wat0114 Guest

    Maybe, but not really sure. I got an XSS alert from IE when I tried the POC (from the link you provided - they seem to enthusiastically promote FF + NS :rolleyes: ) here.

    BTW, there's an interesting page from Acunetix here:

    -http://www.acunetix.com/websitesecurity/xss.htm

    The first copy/paste results in the fake login page, but the http...copy/paste results in IE9 alerting to XSS activity.
     

  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I would be very surprised if IE had not solved that issue.
     
  14. wat0114

    wat0114 Guest

    Yeah, same here, though I couldn't find any patch info on it.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Considering how embarrassing it is they probably didn't publicize it much.
     
  16. tlu

    tlu Guest

    Thanks, this also confirms what Hungry said.
     
  17. tlu

    tlu Guest

    The same results with Noscript and default settings. However, if I change

    noscript.injectionCheck

    to 3 in about:config (check every request, not only cross-site requests), I get an XSS warning also for the first test.

    EDIT: I do not get any XSS warning in both cases with Chromium 17.
     
    Last edited by a moderator: Jan 8, 2012
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Yes, I do.

    NoScript is the main reason why I prefer Firefox over other browsers. I don't spend any time whitelisting/blacklisting sites. Basically, I handle all sites as "scripts currently forbidden", if something needs to be allowed, I just allow it temporarily and don't worry about it. I have 10 sites on my whitelist and those are the same sites that were on my whitelist a couple of years ago.

    I love NoScript and it works great. If some option gets changed by me while browsing, when I close my sandboxed browser, all things related to NS go back to how I have it setup. It can not be any better.

    Bo
     
  19. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    I've been using NoScript for some years. After reading this thread I disabled it as an experiment. I immediately found that cold load time has gone from 16 seconds to 6. The only other annoyance is when I am buying online and enter my name, address and Visa number and click continue. Nothing happens and I fear a frozen screen, only to remember that NoScript has forbidden the site and I have to temporarily allow it. I guess it's good that happens but it's a PITA. How important is NoScript as opposed to Adblock Plus?
     
  20. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Same here. However, I still have the NoScript Addon with scripts Globally Allowed.

    Even with scripts Globally Allowed there is still protection against a potential threat. I think that the potential threat is XSS, but I do not remember for sure.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    NoScript protects from multiple attacks even when a site is whitelisted.

    One of those is XSS. Another is ClickJacking.
     
  22. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Exactly the same... NoScript is the obligatory add-on. Among my favourite sites, only trusted sites are allowed (not "disabled"); I don't have any sites with NS disabled, and on all the rest NS can only be temporarily "allowed".
     
  23. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    same here....noscript is my absolute favorite along adblock plus.......
     
  24. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    I use it in conjunction with the RequestPolicy add-on. There is some overlap between the two, though they effectively nuke anything that has not been predefined by me script-wise etc. They are specifically configured to play nice with the websites I trust to visit only on my host OS. All my main surfing is done on my guest OSes so I tend not to worry about JavaScript being bad.
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I use Globally Allowed with a large personal blacklist (mostly for privacy). Its other features are all enabled, including embedding restrictions for whitelisted sites.
    Also got it in normal whitelisting mode on netbook to save more resources.
     