Comments on: X-Content-Type-Options, NoScript and Browserscope

By: Giorgio

Giorgio — Mon, 03 Jan 2011 10:12:24 +0000

@James:
Test #17 is bound to fail on Fx 3.6.x in default configuration (you could turn off visited link feedback from about:config, though), while Firefox 4 has a clever and permanent fix by default (AFAIK is the only browser implementing it).

By: James

James — Mon, 03 Jan 2011 08:18:40 +0000

I also failed test #17 - block visited link sniffing. I notice above this has already been reported, but I’m happy to mail you my Export Settings dump if you’d like.

By: Giorgio

Giorgio — Mon, 27 Dec 2010 14:25:24 +0000

@jason:
Could you please reinstall NoScript just once and use the “Report” button on the ClearClick dialog when the problem happens, then mail me one or more report IDs for me to analyze?
Thank you.

By: jason

jason — Mon, 27 Dec 2010 12:44:13 +0000

noscript USED to be a good program. but now it annoys the shit out of me when im on facebook. it will NOT allow 95% of the clicks on ANY of the games because of some "hijack attempts" notice.
ive uninstalled it.
IF i hear that it works PROPERLY again, i MAY consider reinstalling it. Until such time, i WILL be recommending people find a different program to use.

By: Giorgio

Giorgio — Fri, 12 Nov 2010 15:59:55 +0000

@p0deje:
The original IE8 implementation does not make sense, in fact, because Firefox doesn’t sniff top-level documents.

However the stricter IE9/NoScript implementation, which restricts also script execution to correctly typed script files only, is actually useful to prevent file hosting services and public CMS platforms from being to deliver script-based attacks.

By: p0deje

p0deje — Fri, 12 Nov 2010 15:47:54 +0000

I don’t understand what’s the deal of X-Content-Type-Options header for Firefox. AFAIK the only exploitation way, which it mitigates is IE MIME-sniffer bug, but there isn’t any like it in Firefox.

By: Giorgio

Giorgio — Sat, 30 Oct 2010 19:22:31 +0000

@Thomas Ludwig:
Origin could, but AFAIK is the one which is more likely to be implemented soon as a Firefox built-in.
Sandbox is much more problematic, because it’s technically prohibitive for an extension and, on the other hand, there may be resistance to introduce it in Firefox since it overlaps to some extent with CSP.

By: Thomas Ludwig

Thomas Ludwig — Sat, 30 Oct 2010 18:04:20 +0000

@Giorgio: Thanks - understood!
BTW: You mentioned "HTTP Origin Header and the HTML 5 Sandbox Attribute, which are not implemented yet by Firefox nor by NoScript." Could both be implemented in Noscript, and if so are you planning it?

By: Giorgio

Giorgio — Sat, 30 Oct 2010 17:55:41 +0000

@Thomas Ludwig:
Maybe there’s a misunderstanding, you do not need to disable XSS protection in order to take the test (quite the contrary).

Actually, you’re getting 13 and 14, but you should get 12 and 13 because XSS protection is turned off: there’s a bug in the test awarding you 1 point more than due on Firefox, as I told in the article.

By: Thomas Ludwig

Thomas Ludwig — Sat, 30 Oct 2010 17:48:07 +0000

Just re-ran the test with FF 4.0b8pre. Result: 14/16

Failed tests: Sandbox attribute, Origin header.