ScriptSafe former ScriptNo: Discussion

Discussion in 'other software & services' started by andryou, Nov 15, 2011.

  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    He had another response. Got to it.

    Feel free to read/ discuss haha
     
  2. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Re: ScriptNo: Discussion

    Thanks for the clarifications, Hungry Man.
    Do you know how the webRequest API will take care of forced https?
    And will clickjacking be protected against by ScriptNo (via the webRequest API) or by Chrome itself?
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    I'm fairly certain I've said it's explicitly stated by Chromium devs that it would allow for force-https by extensions. By seeing the "http" request before it's made you can make it an https request as it's sent rather than a redirect.

    Neither.

    Or well... not so elegantly as with NoScript.

    NoScript uses what's called clearclick to stop clickjacking. It's a very nice way to do it.

    ScriptNo and Chrome don't offer this.

    Still, if you block iframe tags and javascript you won't have clickjacking. The issue is that if you allow/ trust a site it will be able to clickjack.

    NoScript will protect you whether it's whitelisted or not.
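
The force-https idea from the post above, as an added example that is not part of the original thread and is not ScriptNo's code: a blocking `chrome.webRequest.onBeforeRequest` listener (Manifest V2-era API, needs the `webRequest` and `webRequestBlocking` permissions) intercepts the `http://` request before it goes out and hands back the `https://` form. The host list and the helper names `hostIsListed` and `upgradeToHttps` are assumptions made for the illustration.

```javascript
// Constructed sample list of hosts the user wants forced onto https.
const FORCE_HTTPS_HOSTS = ['example.com', 'mail.example.org'];

// True if host equals a listed entry or is a real subdomain of one.
// The leading dot in the suffix test keeps "notexample.com" from matching.
function hostIsListed(host, list) {
  const h = host.toLowerCase().replace(/\.$/, ''); // drop trailing root dot
  return list.some((entry) => h === entry || h.endsWith('.' + entry));
}

// Returns the https:// form of rawUrl if it should be upgraded, else null.
function upgradeToHttps(rawUrl, list) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return null; // unparseable: leave the request alone
  }
  if (url.protocol !== 'http:') return null; // already https, or another scheme
  // An explicit non-default port rarely speaks TLS on the same number,
  // so those requests are left untouched instead of being broken.
  if (url.port !== '') return null;
  if (!hostIsListed(url.hostname, list)) return null;
  url.protocol = 'https:';
  return url.href;
}

// Only registers inside an extension background page; a no-op elsewhere.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => {
      const target = upgradeToHttps(details.url, FORCE_HTTPS_HOSTS);
      return target ? { redirectUrl: target } : {};
    },
    { urls: ['http://*/*'] }, // only plain-http requests reach the listener
    ['blocking']              // lets the return value change the request
  );
}
```

Because the rewrite happens inside the browser, the plain-http request for a listed host never reaches the network, unlike a server-side 301 to https.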
     
  4. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Re: ScriptNo: Discussion

    I've found something about Chromium and https: chrome://net-internals/#hsts
    We can add a list of sites we want to connect to over https.

    About clearclick and blocking iframes: Ghostery scans the current page for iframes (in Firefox); if it can help for security, perhaps it will be present in the Chrome version when the webRequest API is stable.
    Perhaps chrome will implement a function for clickjacking in the future...
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    Have you tested that page?

    It's possible that Chrome will implement that function in the future but I'm not sure.

    Webrequest API won't help with clickjacking in terms of a solution similar to clearclick.
     
  6. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Re: ScriptNo: Discussion

    If you add a domain it works, I've tried it quickly.
    You can find more information here: http://dev.chromium.org/sts
    I'm disappointed for clearclick :s
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    I don't know whether it's a bug or not, but these last days I upgraded Chromium, and HSTS will no longer remember the domains I entered. Once the session ends they will be discarded.

    I searched Chromium forums for issues, and I've seen one from August, where a user reported it and he/she was told that it is by design now... Kinda pointless, isn't it? o_O I mean, we got to hope that webmasters will do it for us...

    -https://code.google.com/p/chromium/issues/detail?id=94894
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    The HSTS may not be meant to hold info past a session.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    Well, it used to. For a long time... I wonder why they've decided to kill the way it worked.

    There's no point in having to manually force domains to use https, every single session. Is there? o_O o_O :doubt:
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    Not that I know of. It may simply be a glitch with your particular Chromium build.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    I thought about that. But, according to the issue thread over Chromium's forums, the functionality was taken away in August. I truly don't remember how long I kept my previous build; so I can't tell for sure when this started.

    But, a Chromium developer did answer to that person, back then, that it was meant to work this way now.

    I'm going to report it as well and see what they say about it. It's really a freakish situation.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    I suppose it's more for testing purposes and it can cause conflicts with extensions/ websites... idk.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    Opera's got all of 5 users though so it's not really time well spent haha

    I like the antisocial bit as well. All of my privacy settings are on and Unwanted Content is "Strict" with referrer spoof to "Same Document."
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    What's all that with Opera? Did you just wake up from a bad dream? :D
     
  15. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Re: ScriptNo: Discussion

    Yeah, although that may boost to six or seven with some decent security extensions LOL.

    It's early days yet & I shall have to spend some time fiddling about & playing with it. Oh no, I think I've become a security extension geek. Well, I'll have fun anyway. If I can get on well with it I'll try it on my desktop computer as well. That's running Win 7 64 bit as opposed to Vista 32. I doubt that the OS will really matter. I think I'm using the same extensions on both machines. It's a shame about the slight incompatibility with Iron. Although I have a couple of different extensions on Iron compared to Chrome. That may be a factor. I'll have to get more familiar with it on Chrome first & see what's happening there. Chrome isn't my default so I can afford to use it for more experimental surfing, so to speak.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: ScriptNo: Discussion

    lol I was responding to another topic but it was more relevant to post it here :p

    Haha perhaps that's the deciding factor...

    It needs some tweaking on the devs side. Getting extensions compatible with it is probably what I'd focus on as a next step. We'll see.
     
  17. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Re: ScriptNo: Discussion

    Well, it's a fairly new extension I suppose. So far, I much prefer it to any other of the similar extensions (that aren't NoScript). I think in some ways it is more user friendly than NS. The overall interface design is well thought out & not as intimidating as NS can be (especially to those new to it).

    From the many discussions & threads here I think it is a given thing that Chrome is the most secure 'out of the box'. Iron is probably equal or close behind. Probably because of the flash sandboxing, Chrome has the edge on Iron. I am not sure if there are any swings & roundabouts. Firefox has a load of good security extensions of course.

    However, most Opera users seem to be convinced that it is secure enough alone without anything else. I very much doubt this. I wouldn't use it as my default browser, that's for sure. It's difficult enough to adblock properly on it as it is.
     
  18. wat0114

    wat0114 Guest

    Re: ScriptNo: Discussion

    A little ot question, but it seems like a logical place to ask: I notice Googlepack is discontinued, so does this mean installing Chrome is limited to user space, or is there an alternative method for installing into program files directory? I'm thinking of dropping IE9 and going with chrome and this ScriptNo extension.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    WTH? :eek: :rolleyes: This coming from you? :D

    There you go... -https://support.google.com/installer/bin/answer.py?hl=en&answer=126299

    :thumb:
     
  20. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Re: ScriptNo: Discussion

    You should be able to install Chrome from portableapps.com virtually anywhere. When I was on Windows, I used that version of Chrome quite happily.

    I'm typing this from memory and so it may not be correct but the only caution seems to be to have a short path like drive:/PortableApps/Your_particular_apps. This last folder will be created by the installation procedure once you point to drive:/PortableApps.

    The last I know was that the portableapps.com version didn't have the (much hated by some) updater. And so I would have to update depending on news here.
     
  21. wat0114

    wat0114 Guest

    Re: ScriptNo: Discussion

    LOL! yeah, so much for my allegiance to IE :rolleyes: :D Thank you for that link!

    Excellent, another option. Thanks!
     
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Re: ScriptNo: Discussion

    And no registry entries to worry about, AFAIK. Everything will be in the PortableApps folder.
     
  23. wat0114

    wat0114 Guest

    Re: ScriptNo: Discussion

    :thumb:
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: ScriptNo: Discussion

    Maybe you'll be interested in the following:

    -https://support.google.com/a/bin/answer.py?hl=en&answer=187206
    -http://www.chromium.org/administrators/policy-list-3
     
  25. wat0114

    wat0114 Guest

    Re: ScriptNo: Discussion

    Incredible how much granularity is afforded in the policy. Thanks m00nbl00d!

    BTW, I'm using Chrome now with ScriptNo. Now that I've got a handle on how it (ScriptNo) works, I'm really liking it :thumb:
     