XSS in NoScript

Discussion in 'other security issues & news' started by Firebytes, Jun 3, 2007.

Thread Status:
Not open for further replies.
  1. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    If NoScript is set to "Allow scripts globally" does this setting negate the protection NoScript offers from XSS "cross site scripting" or would that protection still be in place? I find that having to check allow for scripting on every site I might choose to visit is a hassle but I would like to know that the sites I choose to trust and visit are safe(r) from potential cross site scripting by using the XSS protection in NoScript.

    I looked through what info I could find concerning NoScript use but never found an answer to my question. Of course I am sure most users of NoScript don't want to turn off it's main functionality like that anyway.

    Also I guess I should ask...do you think the XSS protection in NoScript is even an effective addition to online security?

    Thanks.
     
  2. coolbluewater

    coolbluewater Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    268
    Location:
    next door to Redmond
  3. chachazz

    chachazz Updates Team

    Joined:
    Apr 23, 2004
    Posts:
    840
  4. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Ok, thanks for the information chachazz & coolbluewater. I was hoping I could use NoScript only for blocking XSS but still automatically allow all other scripting originating in any site I visited intentionally.

    Blocking scripts injected from other sites into legitimate sites was all I really wanted to stop. Oh, well :'(
     
  5. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    There's a middle ground, actually.
    You could activate the "Temporarily allow top-level sites by default" NoScript "General" option, which enables scripts for any site you intentionally navigate (the one displayed in your location bar) but not for 3rd party scripts loaded, for example, in hidden iframes, and for sites you explicitely marked as untrusted.
    If you also turn the "noscript.xss.trustTemp" to "false", you've got this setup where places you visit have most of their legit scripts enabled, but potential XSS requests are still filtered even if they start from a temporarily allowed site.

    Notice that such a configuration is still safer than a plain web browser, but not nearly as safe as default NoScript settings.

    My friendly advice, since default permit is really really the dumbest idea in computer security, try to use NoScript as it is meant to be used (default deny).

    Permanently whitelist the sites you really trust (so you don't need to repeat your choices on next session), and temporarily allow the others you intentionally navigate but you're not sure about, but only if JavaScript is really required there and you can't live without the site.

    Staying in control of your browser is not that bad and hard thing all those crazy and lazy web designers want you to believe: I've been doing so for more than one year now, and I'm happy & safe.
     
  6. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Thanks a million elio! I will try it the way you suggested. Like you said, it won't be as safe as the default settings in NoScript but maybe I can reach a good compromise between additional security and ease of use.
     
  7. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
  8. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Mike, I apologize :oops:
    I do not use Firekeeper, because NoScript the way I use it (Java/Flash/plugins blocked, anti-XSS protection from untrusted and temporarily allowed sites, very short permanent whitelist) is enough. Firekeeper would be unnecessary overhead slowing down page loads.

    But in this specific case, with a "watered-down" setup, recommending Firekeeper is a must :thumb:
     
  9. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Hmmm... OK

    When I install NoScript, here are the only things I change from the factory defaults...
    1. General Tab - NO CHG
    2. Whitelist Tab - remove all except about*, chrome, and resource
    3. Appearance Tab - Uncheck √ "Allow scripts Globally" (Since I will NEVER use that, remove it from the menu.)
    4. Notifications Tab - NO CHG
    5. Advanced Tab
      • Untrusted Tab - √ Forbid Flash, √ Forbid other plugins (now all five are √)
      • Advanced Tab/Trusted Tab - NO CHG
      • Advanced Tab/XSS Tab - NO CHG
    Right? OK? Correct?

    I have also experimented with noscript.contentBlocker
    But, it messed with Secunia Software Inspector, so it is not enabled at the moment (just have not had the time to figured out exactly why).

    Understand.

    Mike
     
  10. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Perfect setup. The only difference with mine (aside contentBlocker) is that I go in about:blank and turn the noscript.xss.trustTemp to false, as explained here.
    As for the Secunia Software Inspector VS contentBlocker issue, did you submit it to the NoScript author?
    This preference, however, is more an annoyance/noise reducing feature than a security plus (I use it as a low-overhead replacement for AdBlocks).
    From a security POV you're already OK, IMHO.
     
Loading...
Thread Status:
Not open for further replies.