NoScript 10 Goes WebExtensions for Firefox 57+

Subject: General Tech | November 24, 2017 - 08:39 PM |
Tagged: noscript, mozilla

While I like the flexibility that JavaScript brings to the web, I also like that tools exist to control it. NoScript is a relatively popular Firefox extension that does just that. When Mozilla shifted away from their own extension framework and opted for the WebExtensions API, which is supported by both Microsoft and Google, a lot of browser features became immediately unavailable.


It turns out that Mozilla has enough hooks for a new version of NoScript, however. As such, NoScript 10.x was released earlier this week. It allows you to disable scripts on a domain-by-domain basis until they are added to a white list, or given access via the add-on button.

I also don’t really think it’s all that useful as a security tool outside of special use cases – JavaScript doesn’t really have a whole lot of room for malicious use – but its presence does allow things like heuristically tracking individuals and loading content into the handful of plug-ins that still exist. So, like, if you’re the Tor browser, then it makes sense. For the public? I doubt it. I would be more interested in an add-on that lets you just shut down JavaScript on a tab-by-tab basis, so you can make particularly heavy sites act read-only once they are loaded.

Still, it’s available now.

Source: NoScript

Almost NoScript Exploits Whitelist Vulnerabilities

Subject: General Tech | July 6, 2015 - 07:01 AM |
Tagged: noscript, javascript, firefox

I do not really believe in disabling JavaScript, although the ability to control or halt execution would be nice, but you can use an extension to remove it entirely if you want. I say this because the upcoming story talks about vulnerabilities in the NoScript extension, which locks down JavaScript and other, non-static content. By “vulnerabilities”, we mean the ability to execute JavaScript, which every major browser vendor enables by default because they consider it safe for their users on its own.


This is like a five-year-old figuring out how to unlock a fireworks case full of paper crackers.

Regardless, there are two vulnerabilities, both of which have already been fixed in an update. Both of them take advantage of the whitelist functionality, which makes NoScript let scripts from listed domains run, malicious or not. By default, NoScript trusts a handful of domains, because blocking every script ever would break too much of the internet.

The first problem is that the whitelist has a little cruft: some entries are domain names that are useless, and some have even expired and gone up for sale. To prove a point, Matthew Bryant purchased zendcdn.net and used it to serve his own JavaScript. The second problem is similar, but slightly different. Rather than relying on a domain that expired, it relies on whitelist entries, such as googleapis.com, that have sub-domains, such as storage.googleapis.com, which is a service that accepts untrusted user scripts (it is part of Google's Cloud Platform).
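Both whitelist problems can be checked for mechanically. The audit below is an added example, not NoScript's code: it assumes an entry trusts its own host plus every sub-domain, and the list of user-content hosts, the lapsed-registration list and `example.org` / `uploads.example.net` are constructed inputs an auditor would supply.

```javascript
// Constructed sample data. Only zendcdn.net, googleapis.com and
// storage.googleapis.com come from the article; the rest is illustrative.
const allowlist = ["googleapis.com", "zendcdn.net", "example.org"];
// Hosts known to serve arbitrary user uploads (assumed, auditor-maintained).
const userContentHosts = ["storage.googleapis.com", "uploads.example.net"];
// Domains whose registration has lapsed (assumed result of a registry check).
const lapsedDomains = ["zendcdn.net"];

// Lower-case and strip a trailing dot so "GoogleAPIs.com." compares equal.
function normalize(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// Assumed matching rule: an entry covers itself and every sub-domain,
// matched on a label boundary so "notgoogleapis.com" is not covered.
function covers(entry, host) {
  const e = normalize(entry);
  const h = normalize(host);
  return h === e || h.endsWith("." + e);
}

// Returns one finding per problem: trusted names that anyone could
// register, and trusted names that also trust a user-content host.
function auditAllowlist(entries, userHosts, lapsed) {
  const findings = [];
  for (const entry of entries) {
    const e = normalize(entry);
    // An entry at or below a lapsed domain is controlled by whoever buys it.
    if (lapsed.some((d) => covers(d, e))) {
      findings.push({ entry: e, issue: "lapsed-registration" });
    }
    for (const host of userHosts) {
      if (covers(e, host)) {
        findings.push({ entry: e, issue: "covers-user-content", host: normalize(host) });
      }
    }
  }
  return findings;
}

console.log(auditAllowlist(allowlist, userContentHosts, lapsedDomains));
```

Narrowing a flagged entry to the exact hosts that are needed, instead of the whole parent domain, removes the second class of finding.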

Again, even though JavaScript is about as secure as you can get in an executable language, you should be allowed to control what executes on your machine. As stated, NoScript has already addressed these issues in a recent update.