
NoScript Updates / 2.6.6.6 / 6-10-2013



#1 ShyWriter

    Forum Deity

  • Software Updaters
  • 6,391 posts
  • Gender:Male

Posted 02 February 2011 - 10:33 PM


The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser.

NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality...

  • You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon, or using the contextual menu, for easier operation in popup statusbar-less windows.
  • Watch the "Block scripts in Firefox" video by CNET.
  • Features
  • Screen Shots
  • FAQ
Product Info: NoScript


Special THANKS to hayc59 for anchor page concept..and format.



#2 ShyWriter


Posted 10 January 2012 - 11:59 PM



Script Surrogates Quick Reference

Posted by: Giorgio

Since their introduction, NoScript’s Script Surrogates (or “Surrogate Scripts”) have grown both in reliability and flexibility. NoScript 2.1.3 introduced two new types of surrogates (“Before script” and “After script”), so it’s a good time to recap.

Script Surrogates replace a blocked script or complement existing scripts which would not work as expected because of NoScript.

A Script Surrogate is defined by a pair of about:config string entries:

  • “noscript.surrogate.surrogate_name.replacement” contains the JavaScript code to be executed.
  • “noscript.surrogate.surrogate_name.sources” is a URL pattern matching the origin(s) of the scripts to be replaced or complemented.
Various built-in surrogates can be looked up for reference by opening about:config and typing noscript.surrogate. inside the filter box.

Source URL patterns may be prefixed with one or more special characters (<, >, @ and !), which determine the type and behavior of the matching surrogate.

Here’s a quick reference of the available surrogate types grouped by source prefix, courtesy of long time contributor al_9x:
  • no prefix
    - blocked script surrogate
    • matches blocked scripts
    • runs only if page is script allowed
    • runs when the blocked matched script would have
  • ‘<’
    - before script surrogate
    • matches allowed scripts
    • runs only if page and script are allowed
    • runs just before the matched script executes
  • ‘>’
    - after script surrogate.
    • matches allowed scripts
    • runs only if page and script are allowed
    • runs just after (load event) the matched script executes
  • ‘@’
    - script allowed page (html document) surrogate
    • matches script allowed pages
    • runs only if the page is script allowed
    • runs before HTML parsing starts
  • ‘!’
    - script blocked page surrogate
    • matches script blocked pages
    • runs only if the page is script blocked
    • runs on DOMContentLoaded
  • ‘!@’
    - page surrogate
    • matches pages
    • runs on both script allowed and script blocked pages
    • runs on DOMContentLoaded

Source: http://hackademix.ne...uick-reference/

Cheers,
Steve
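
An added example, not part of the original post or of NoScript's own code: a small JavaScript audit helper that pairs up the noscript.surrogate.* entries described in the quick reference above, classifies each by its source prefix, and reports which ones still execute on script-blocked pages. The preference names and patterns in the sample are constructed, and treating each sources value as a single prefixed pattern is an assumption.

```javascript
// Source prefix -> surrogate type, as listed in the quick reference above.
// page/script: the permission state each type needs in order to run.
const SURROGATE_TYPES = {
  "":   { type: "blocked script",      page: "allowed", script: "blocked" },
  "<":  { type: "before script",       page: "allowed", script: "allowed" },
  ">":  { type: "after script",        page: "allowed", script: "allowed" },
  "@":  { type: "script allowed page", page: "allowed" },
  "!":  { type: "script blocked page", page: "blocked" },
  "!@": { type: "page",                page: "any" },
};

// Pair up the noscript.surrogate.<name>.replacement / .sources entries.
function parseSurrogates(prefs) {
  const byName = new Map();
  for (const [key, value] of Object.entries(prefs)) {
    const m = /^noscript\.surrogate\.(.+)\.(replacement|sources)$/.exec(key);
    if (!m) continue;
    const entry = byName.get(m[1]) || { name: m[1] };
    entry[m[2]] = value;
    byName.set(m[1], entry);
  }
  return [...byName.values()].map((s) => {
    // Assumption: each sources value is treated as one prefixed pattern.
    const [, prefix, pattern] = /^([<>@!]*)([\s\S]*)$/.exec(s.sources || "");
    const rule = SURROGATE_TYPES[prefix]; // undefined for unlisted prefixes
    return { name: s.name, prefix, pattern, rule, type: rule ? rule.type : "unrecognized",
             complete: "replacement" in s && "sources" in s };
  });
}

// Would the surrogate run, given the page's and the matched script's permissions?
function runs(s, { pageAllowed, scriptAllowed }) {
  if (!s.complete || !s.rule) return false;
  const ok = (need, allowed) => !need || need === "any" || (need === "allowed") === allowed;
  return ok(s.rule.page, pageAllowed) && ok(s.rule.script, scriptAllowed);
}

// Constructed sample entries (hypothetical names and patterns, not built-ins).
const SAMPLE_PREFS = {
  "noscript.surrogate.demo_stub.replacement": "window.demoTracker = { track: function () {} };",
  "noscript.surrogate.demo_stub.sources": "*.tracker.example",
  "noscript.surrogate.demo_fix.replacement": "document.body.className += ' ns';",
  "noscript.surrogate.demo_fix.sources": "!@*.shop.example",
  "noscript.surrogate.demo_orphan.sources": "<cdn.example/lib.js",
};

// Names of surrogates whose code still executes on script-blocked pages.
const activeWhenBlocked = (prefs) => parseSurrogates(prefs)
  .filter((s) => runs(s, { pageAllowed: false, scriptAllowed: false }))
  .map((s) => s.name);
```

Entries with the '!' or '!@' prefix are the ones to review first in such an audit, since per the list above they run where the page itself is script blocked.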



#3 ShyWriter


Posted 09 June 2013 - 12:40 PM


NoScript 2.6.6.5 Final
Available June 9th, 2013


Note: Author of NoScript posted 2.6.6.3rc1 on May 28th and then went quiet on development page until he released 2.6.6.5 final today, June 9th. No explanation for non-posted releases shown in changelog... Programmer's prerogative?? :)





V. 2.6.6.5 - Friendly Security

If you find any bug or you'd like an enhancement, before reporting here or here, please check if it's fixed in latest development build. Many thanks!

Main good news
  • Restored Nightly compatibility recently broken.
  • Improved "fixable" JavaScript links detection (thanks "asdf" for RFE).
  • More usable embedding placeholders, e.g. for Youtube movies on Facebook.
  • Fixed incompatibility with Tab Mix Plus on Firefox 21 and above.
  • Enhanced site compatibility of the anti-XSS filter.
  • Improved per-window private browsing support.
  • Improved out-of-the-box compatibility with Microsoft's email services (thanks Raùl Duràn of Microsoft for help).
  • Google Analytics web bugs are blocked automatically, unless google-analytics.com has been explicitly whitelisted (better than No Google Analytics, because NoScript blocks every cross-site request to GA, no matter the type or the file name).
  • Mark as untrusted button on the site info page (thanks SwissBIT for RFE)
  • Allow/Forbid/Mark as untrusted icons on the site info buttons.
  • Several XSS filter enhancements, thanks to Masato Kinugawa's research.
  • New "Security Downgrade Warning" suggests blacklist mode as a better option than uninstalling, in order to retain scripting-unrelated protections.
  • Improved Google Analytics Surrogate, makes more sites work correctly with google-analytics.com blocked.
  • ClearClick accuracy improvements.
  • Added navigator.doNotTrack property support.
  • Added new fake mimetype placeholder "FRAME" to match FRAMEs and IFRAMES with the noscript.allowedMimeRegExp preference for selecting blocking exceptions.
  • Holding the left mouse button down on an absolutely positioned page element and hitting the DEL key will remove it if scripts are disabled (useful to forcibly kill in-page popups). This feature can be disabled by setting the noscript.eraseFloatingElements about:config preference to false.
  • Right-clicking on NoScript menu items copies site domains to the clipboard (useful for reporting and investigating sites, thanks Tom T. for RFE)
  • Browserid.org has been added to the default whitelist.
  • "Click to play" protection against WebGL exploitation, now also on whitelisted sites (can be enabled in NoScript Options|Embeddings)
  • Security and Privacy Info page is shown whenever you middle-click on sites exposed by NoScript's UI, either in the menus or in the Whitelist options tab.
  • Middle clicking NoScript's toolbar button temporarily allows all on current page.
More in the changelog...

Feedback

If you find something wrong about NoScript, read the FAQ page and/or let me know: I'll try to fix it as soon as I can.

You can also discuss NoScript on this Forum. Have your safest browsing experience! ~~ Giorgio Maone



Steve



#4 ShyWriter


Posted 10 June 2013 - 07:43 PM


NoScript 2.6.6.6 Final
Available June 10th, 2013





V. 2.6.6.6 - Friendly Security

If you find any bug or you'd like an enhancement, before reporting here or here, please check if it's fixed in latest development build. Many thanks!

Main good news
  • Mimetype whitelisting through the noscript.allowedMimeRegExp preference now works with the WebGL pseudo type (thanks Thrawn for RFE)
  • Restored Nightly compatibility recently broken.
  • Improved "fixable" JavaScript links detection (thanks "asdf" for RFE).
  • More usable embedding placeholders, e.g. for Youtube movies on Facebook.
  • Fixed incompatibility with Tab Mix Plus on Firefox 21 and above.
  • Enhanced site compatibility of the anti-XSS filter.
  • Improved per-window private browsing support.
  • Improved out-of-the-box compatibility with Microsoft's email services (thanks Raùl Duràn of Microsoft for help).
  • Google Analytics web bugs are blocked automatically, unless google-analytics.com has been explicitly whitelisted (better than No Google Analytics, because NoScript blocks every cross-site request to GA, no matter the type or the file name).
  • Mark as untrusted button on the site info page (thanks SwissBIT for RFE)
  • Allow/Forbid/Mark as untrusted icons on the site info buttons.
  • Several XSS filter enhancements, thanks to Masato Kinugawa's research.
  • New "Security Downgrade Warning" suggests blacklist mode as a better option than uninstalling, in order to retain scripting-unrelated protections.
  • Improved Google Analytics Surrogate, makes more sites work correctly with google-analytics.com blocked.
  • ClearClick accuracy improvements.
  • Added navigator.doNotTrack property support.
  • Added new fake mimetype placeholder "FRAME" to match FRAMEs and IFRAMES with the noscript.allowedMimeRegExp preference for selecting blocking exceptions.
  • Holding the left mouse button down on an absolutely positioned page element and hitting the DEL key will remove it if scripts are disabled (useful to forcibly kill in-page popups). This feature can be disabled by setting the noscript.eraseFloatingElements about:config preference to false.
  • Right-clicking on NoScript menu items copies site domains to the clipboard (useful for reporting and investigating sites, thanks Tom T. for RFE)
  • Browserid.org has been added to the default whitelist.
  • "Click to play" protection against WebGL exploitation, now also on whitelisted sites (can be enabled in NoScript Options|Embeddings)
  • Security and Privacy Info page is shown whenever you middle-click on sites exposed by NoScript's UI, either in the menus or in the Whitelist options tab.
  • Middle clicking NoScript's toolbar button temporarily allows all on current page.
More in the changelog...


Feedback

If you find something wrong about NoScript, read the FAQ page and/or let me know: I'll try to fix it as soon as I can.
You can also discuss NoScript on this Forum. Have your safest browsing experience! ~~ Giorgio Maone




Steve





