Using Chrome's build NOSCRIPT functionality

Discussion in 'other anti-malware software' started by Kees1958, Jan 12, 2013.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Title says it all, exceptions to enter

    [*.]xxx where xxx = COM or NL (high level domains

    HTTP://* all HTTP sites

    HTTPS://* all HTTPS sites

    File:///* allow data

    FTP:///* allow FTP

    These options can be set to ALLOW, BLOCK, or for SESSION ONLY,

    When running INCOGNITO, Chrome add's a temporarely allow (or allow once), beause it offers the extra CURRENT INCOGNITO SESSION setting.

    Pictures should explain all
     

    Attached Files:

  2. tlu

    tlu Guest

    No offense meant, Kees, but: If you allow JS in Chrome for a specific site, you also allow all 3rd party scripts. That's why I think that comparing this functionality with Noscript is grossly misleading. You better use ScriptSafe even if it's not 100% reliable due to crappy Chrome APIs. Hopefully this will change with the upcoming chrome.declarativeWebRequest API.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  4. tlu

    tlu Guest

  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Nope, request to explain with PICTURES :p
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    TLU, for NOSCRIPT one has to use FireFox. NOSCRIPT is a security improvement, no argueing about that. Please have a look at this: https://www.wilderssecurity.com/showpost.php?p=2165075&postcount=28025 The problem of Noscript is not Noscript, but the application it is running on is the problem.
     
  7. tlu

    tlu Guest

    Kees, we are not talking about comparing FF and Chrome in general. We are talking about blocking scripts. My point was that a method that automatically allows all 3rd party scripts once you "whitelist" a specific domain is flawed. Noscript doesn't do that, and that's why suggesting that this functionality is equivalent with Noscript is questionable (to say the least) even if we ignore that Noscript offers a lot more than script blocking.
     
  8. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    221
    Comparing my history with malwaredomains lists, it seems that if you blocked "foreign" domains/TL along with subs with numbers and hyphens, you would stop tons of attacks and have few breakages.

    I have been using Kees1958's rules but without incog because I need my history/reopen tabs. Hasn't been a problem. I very seldom need to allow and it's on sites clearly not running malware eg last.fm or what.cd.

    I actually alllow global scripts in NoScript. Just use the XSS engine, safe click, ABE, protect plugins and blacklist scripting poo on sites I frequent to improve page loads and privacy. Otherwise, it's too granular and you are back where you started: just allowing scripts to run because you don't wan't to sort through a huge list.

    Admittedly, I like the controls more in NS...especially the ability to not require incog for one-offs, but this is what it is--the closest thing in Chrome to NS that actually works and doesn't slow the browser. The combo of Kees' idea with Chrome's sandbox is very strong daily security, iMO.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, to be fair to Kees, he never presented the idea before, so... it's the first time he has done it. :D
     
  10. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Sordid, sSame here,

    I know Kees has ranted against Sandboxie (which I use) and FF (which I don't use). But let's be honest: in the end Tzuk implemented his critigue and he (kees1958 ) congratulated Tzuk with the low rights improvement, on the other hand Tzuk himself admitted that the appcontainer of windows 8 tiles did not need SBIE.)

    Same thing with his (Kees195:cool: rants against FF, he showed me policy templates of NSA advising Chrome (no FF was mentioned), his arguments seems to be underwritten by studies (although one of the institutes doing the research was sponsored by Gooogle :thumbd: ), stilll it makes sense.

    I can see some logic in his rants against FF, Noscirpt is a great add-on, pitty it is only available on the (security wise) worst browser of them all.

    Not so newby anymore

    Newby
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    TLU, you are totally right on the aspect of control granularity. In all fairness, scripts running in Chrome are much more restricted than scripts running in Firefox, so on the aspect of security, the underlying security context should be taken into the equation.

    Let's make it simple for others to understand: with Noscript it is possible to control the doors in a building, making difference to french doors (opening left or right door), barn doors (opening top half or whole door), back door, front door etcetera. Trouble with FF it allows you to access all doors (and thus all rooms in the building).

    This scripting control in Chrome does not make a difference between diferent type of doors, you either lock it or open it. With Chrome the number or ROOMS a script is allowed to OPEN a door is limited. A page script may (re)direct to it's own room or (in case of third party scripts) to the room of its parent (in case of cross site url's requests). For third part scripts this implies that the stumble-upon script may redirect to the stumble-upon website (when triggered by the user), the face book third party script may redirect to face book website (when triggered by the user), What a scarry script story that is. :D
     
    Last edited: Jan 13, 2013
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    It's Chrome for me using Scriptsafe and Group Policy control, the latter of which thanks to Kees :) , but I sure would like to see Scriptsafe get on par with NoScript. I suppose if that API issue, whatever it is, gets fixed then maybe it will be.
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,206
    I wonder than if Chrome can protect from drive by downloads restrict start/run of applications and is it possible to disable downloads in the first place?
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    As tlu above mentions, use Safescript and it's pretty tough to beat, even though it's not perfect. Also minimize the number of extensions and plugins to only those you need.
     
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,206
    Ok, I'll do that, thanks for the help.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    To block downloads create a reg file (copy text in notepad and save as All Files with .reg extension, eg. Block_Download.reg)

    *********************
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1806"=dword:00000003

    ;the 1806 trick
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    To enable downloads create a reg file (copy text in notepad and save as All Files with .reg extension, eg. Allow_Download.reg)

    *********************
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1806"=dword:00000001

    ;the 1806 trick
     
Loading...
Thread Status:
Not open for further replies.