ScriptSafe former ScriptNo: Discussion

Hi,

I'm the author of ScriptNo, the Chrome extension that seeks to bring some "NoScript-like" features to Chrome (but not all due to current limitations in the Chrome API).

Feel free to ask questions, post comments, and discuss ScriptNo here.

I'll start off with the first question:

This is related to me, but I didn't submit the story (I'm not Vineeth) and no shady financial deals went down to get the story published I didn't know about that article up until now!

Andrew

 

Re: ScriptNo: Discussion

Keep in mind that most of the issues with it will be solved with the WebRequest API, and an experimental version is already out:

http://code.google.com/p/scriptno/wiki/ScriptNoExperimentalVersion

To use that version you must go to about:flags and enable Experimental Extensions API. Restart the browser and then add the experimental version.

There are still open issues and the developer has been away - he's back now (or soon) and apparently back to work (or soon to be.)

EDIT: Oh you're the dev? .... lol whoopsies

No questions really. I'm sure others will have some. Thanks for the project.

 

Re: ScriptNo: Discussion

Now that was funny. Lol.

 

Re: ScriptNo: Discussion

That's what happens when a person is starving... They lose focus.

 

Re: ScriptNo: Discussion

Any hints as to where development is going/ features to expect? Or is it a matter of focusing on currently open issues?

 

Re: ScriptNo: Discussion

Currently focusing on the WebRequest and ContentSettings APIs to bring reliable blocking methods into ScriptNo, and cleaning up code as I go along as well (I'm always for optimization) I was contacted by Mike West of Google recently, who told me that the WebRequest and ContentSettings APIs have been drastically improved in the last month or two (while I was away), so right now I'm taking a look at them again.

I'm also focusing on currently open issues, but the major and reproducible ones.

Feature-wise, there may be a few more additional features to leverage the cookie/plugin/popups/notifications-blocking features provided by the ContentSettings API, but I will have to see how the API actually works in real scenarios.

 

Re: ScriptNo: Discussion

Sounds great.

Hopefully WebRequest doesn't get pushed back to 18 and we see it stable by December for Chrome 17.

 

Re: ScriptNo: Discussion

Some good news: ContentSettings is out of Experimental (which is why some features such as referrer and user-agent spoofing were broken (which will be fixed today in a new experimental version)).

EDIT: v1.0.5.48 Experimental released, which fixes the spoofing/cookie-blocking features, and I've also developed and included the ability to block cross-domain XML HTTP Requests: https://code.google.com/p/scriptno/downloads/list

 

Re: ScriptNo: Discussion

Awesome - thanks.

 

Re: ScriptNo: Discussion

noscript forum challenged ScriptNo. here's part:

and more, there were links about the various features listed:

the whole thing is here:
http://forums.informaction.com/viewtopic.php?f=8&t=7475

care to comment, Sir or Madam? all ears here.... tnx

 

Re: ScriptNo: Discussion

While I don't use ScriptNo, the posts by Shirley whatever is one more reason I prefer not to use NoScript in Firefox.

 

Re: ScriptNo: Discussion

I commented in that forum about this.

Shirley, I think it's been obvious from the beginning that ScriptNo is a work in progress and is in no way a definitive replacement for NoScript - there are limitations.

There are definitely areas of NoScript not recreated in ScriptNo and it's possible that they simply can't be at this time.

That said, Chrome has XSS auditing built in and in terms of protecting from exploits there's nothing that will protect you on the level of Chrome.

 

Re: ScriptNo: Discussion

Aww, are fans getting their feelings hurt? Why do people feel the need to not only defend a freakin piece of software like it's a member of their family, but also attack others who are trying to make their own mark and help out as well? ScriptNo is a Chrome project, NoScript is Firefox. Nobody is hurting either ones' precious little extension. News flash, the people that use either extension and the guys developing them should be on the same team. ~Comment removed~

 

Re: ScriptNo: Discussion

I agree that they should be working on the same team.

I think Tom was actually having a discussion though and I'm glad that he responded.

I'm happy when Firefox gets an idea from Chrome and I'm happy when Chrome gets an idea from Firefox - in the end the community benefits.

 

Re: ScriptNo: Discussion

Yes, you are quite right, it is ridiculous. Well, just as long as no one has insulted SeaMonkey, otherwise it will be definite aggro & fisticuffs outside, or possibly pistols at dawn.

 

Re: ScriptNo: Discussion

Which kind of brings us back to whether Firefox with NoScript is as safe as Chrome.

AAAAAAAaaaaaaaaaaaaaaaaaaaagggggggggggggggggghhhhhhhhhhhhhhh!

Sorry, I'll get my coat.

 

Re: ScriptNo: Discussion

Right, which is why in the topic on that forum I said it's a silly discussion for that forum - the question isn't about security it's about capability in the extension.

I'm all for having that conversation (as you know! =p) but I'm not going to derail another topic about it.

 

Re: ScriptNo: Discussion

Yes, so ... back to ScriptNo. I have no idea why it caused me so many problems. The question you could ask is that if Chrome is pretty safe 'out of the box' what security advantages does ScriptNo actually give?

 

Re: ScriptNo: Discussion

Blocking unwanted content is nice though I'm not sure it's working.

Blocking cookies from known ad/ malware domains.

Removing social widgets/ buttons will help stop tracking.

I personally use it mostly because I like these next two features:
1) User-Agent spoof - I have it say I'm on Firefox 5 Linux 64bit.

2) Referrer spoof.

I also have it block <object> <iframe> and <noscript> tags. That way most sites aren't broken and don't need to be whitelisted but those tags, which I rarely see, aren't shown.

I don't really think it adds any serious protection by blocking tags.

If I were to snap my fingers and add to Chrome security it would be to add a vetting system to extensions.

 

Re: ScriptNo: Discussion

Most extensions will basically add superfluous security.

 

Re: ScriptNo: Discussion

I think that Google are going to have to develop some form of vetting system pretty soon. I'm not holding my breath though.

I'm not sure how useful a UA spoofer is with Chrome. Chrome/Iron breaks very few pages for me. You're going to have to explain to me what a referrer spoof is & why it's useful .

 

Re: ScriptNo: Discussion

I like the idea of an exploit page thinking I'm on Linux =p

and referrer spoofing, i believe, means that if im on wilders and i get linked to abc.com abc.com will not see that i was just on wilders but that i was on abc.com all along.

 

Re: ScriptNo: Discussion

rofl.

As long as you don't attack SmartScreen, I agree.

 

Re: ScriptNo: Discussion

LOL!

OK, yeah I can see why that could be a privacy issue.

 

Re: ScriptNo: Discussion

Yep.

Not exactly huge issues.

I would really like to see an XSS auditor built in if possible since I don't love Chrome's.