hackademix.net (http://hackademix.net)
Giorgio Maone's answers to the Web, the Universe, and Everything
Feed generated Wed, 16 May 2012 10:55:01 +0000

All Speech is Free Speech
http://hackademix.net/2012/03/08/all-speech-is-free-speech/
Giorgio, Wed, 07 Mar 2012 22:16:59 +0000

Looks like the following quote is acceptable content under current Mozilla Planet’s policy, and a rather pertinent answer to this now extremely popular post:

“The irony of religion is that because of its power to divert man to destructive courses, the world could actually come to an end. The plain fact is, religion must die for mankind to live. The hour is getting very late to be able to indulge in having in key decisions made by religious people. By irrationalists, by those who would steer the ship of state not by a compass, but by the equivalent of reading the entrails of a chicken. George Bush prayed a lot about Iraq, but he didn’t learn a lot about it. Faith means making a virtue out of not thinking. It’s nothing to brag about. And those who preach faith, and enable and elevate it are intellectual slaveholders, keeping mankind in a bondage to fantasy and nonsense that has spawned and justified so much lunacy and destruction. Religion is dangerous because it allows human beings who don’t have all the answers to think that they do. Most people would think it’s wonderful when someone says, “I’m willing, Lord! I’ll do whatever you want me to do!” Except that since there are no gods actually talking to us, that void is filled in by people with their own corruptions and limitations and agendas. And anyone who tells you they know, they just know what happens when you die, I promise you, you don’t. How can I be so sure? Because I don’t know, and you do not possess mental powers that I do not. The only appropriate attitude for man to have about the big questions is not the arrogant certitude that is the hallmark of religion, but doubt. Doubt is humble, and that’s what man needs to be, considering that human history is just a litany of getting shit dead wrong. This is why rational people, anti-religionists, must end their timidity and come out of the closet and assert themselves. And those who consider themselves only moderately religious really need to look in the mirror and realize that the solace and comfort that religion brings you actually comes at a terrible price. 
If you belonged to a political party or a social club that was tied to as much bigotry, misogyny, homophobia, violence, and sheer ignorance as religion is, you’d resign in protest. To do otherwise is to be an enabler, a mafia wife, for the true devils of extremism that draw their legitimacy from the billions of their fellow travelers. If the world does come to an end here, or wherever, or if it limps into the future, decimated by the effects of religion-inspired nuclear terrorism, let’s remember what the real problem was that we learned how to precipitate mass death before we got past the neurological disorder of wishing for it. That’s it. Grow up or die.”
― Bill Maher, Religulous

Sandboxes are Overrated (Told You 4 Years Ago)
http://hackademix.net/2012/02/16/sandboxes-are-overrated-told-you-4-years-ago/
Giorgio, Thu, 16 Feb 2012 20:42:27 +0000

Universal XSS 0day in Adobe Flash controlled users’ Web accounts:

As useful as sandboxes are in restricting potentially buggy code to a small part of the operating system, they do nothing to minimize the damage that can be done by attacks that exploit universal XSS flaws, researchers said.

I was already preaching this four years ago: the more our assets move “in the cloud”, the less traditional security measures, meant to protect just your local system, suffice.

The battlefield is the web now, and there’s no coming back…

HULK WANT PDF.JS
http://hackademix.net/2011/12/07/hulk-want-pdfjs/
Giorgio, Wed, 07 Dec 2011 09:27:53 +0000

A certain greenish guy is pissed off (as usual) because of this (business as usual).

HULK HAVE DREAM, THAT SOME DAY POPULAR PDF READERS WILL BE WRITTEN IN LANGUAGE THAT KNOW HOW BIG ARRAYS ARE. IT POSSIBLY INDIGESTION THO.

Bro, you may want to try pdf.js
Just please, if some comic book of yours comes out garbled and unreadable (can you read, BTW?), don’t get mad at me, OK?

NoScript for Mobile is complete!
http://hackademix.net/2011/10/15/noscript-for-mobile-is-complete/
Giorgio, Sat, 15 Oct 2011 13:32:23 +0000

I’m pleased to announce the availability of NoScript 3.0a8 for mobile devices. Tested on Firefox for Android, it should work on Maemo too.

This is the first feature-complete mobile version of NoScript. In other words, it provides all the major security features of its desktop counterpart which make sense on a mobile device:

[Screenshot: NoScript for Mobile Options]

Important usability-oriented features, such as Script Surrogates or the ability to emulate JavaScript-only navigation on sites where scripting is blocked, have been ported as well, and others have been developed from scratch. For instance, on first run NoScript offers new users the ability to choose its default configuration among 4 presets, which may be changed later:

  1. Easy Blacklist (you pick untrusted sites where JavaScript and plugins must be blocked)
  2. Click To Play (plugin and audiovisual content is blocked until you click a placeholder)
  3. Classic Whitelist (you pick trusted sites where JavaScript and plugins can run, similar to the default NoScript 2.x setup)
  4. Full Protection (like “Classic Whitelist”, but all the embedded content is blocked until you click, even on trusted sites)

Furthermore, while the in-page permission UI has been greatly simplified and optimized for touchscreen consumption, the underlying engine has been redesigned to allow deep per-site customization at the single permission level (e.g. making Flash permanently work by default on site X but not on site Y, even if JavaScript is allowed on both, or causing restrictions on a certain embedded object to depend on its parent page’s address). These fine-grained permissions will be configured through a new desktop UI (under development, slated for inclusion in the first cross-device NoScript 3 beta) and synchronized safely via Firefox Sync across all the PCs, tablets and smartphones where NoScript is installed.

[Screenshot: NoScript for Mobile In-Page Permissions UI]

Talking about synchronization, you can already share your NoScript settings among your mobile devices (just check the “Enable Remote Sync” option), but you’ll need to wait for the aforementioned cross-device beta to include your PC in the synchronization pool.

Last but not least, NoScript 3 doesn’t require a browser restart on installation and updates, which means that hot fixes for new security threats can be deployed in a more effective, timely and convenient way.

And here we are: NoScript users can now bring to their smartphones and tablets the same secure browsing experience they enjoy on the desktop.

It’s not been easy, and there’s still a lot of work ahead to merge into the desktop version the many under-the-hood enhancements that this full rewrite of NoScript’s internals brought us as a welcome side effect, but this is probably the most important milestone in NoScript development since the XSS filter invention. So let’s celebrate and thank from the bottom of our hearts the people who made it possible: the NLNet foundation, which believed in this project since the beginning, and all those individuals, institutions and companies relying on and contributing back to NoScript.

Script Surrogates Quick Reference
http://hackademix.net/2011/09/29/script-surrogates-quick-reference/
Giorgio, Thu, 29 Sep 2011 14:54:05 +0000

Since their introduction, NoScript’s Script Surrogates (or “Surrogate Scripts”) have grown both in reliability and flexibility. NoScript 2.1.3 introduced two new types of surrogates (“Before script” and “After script”), so it’s a good time to recap.

Script Surrogates replace a blocked script, or complement existing scripts which would not work as expected because of NoScript.

A Script Surrogate is defined by a pair of about:config string entries (where surrogate_name is the name you give the surrogate):

  1. “noscript.surrogate.surrogate_name.replacement” contains the JavaScript code to be executed.
  2. “noscript.surrogate.surrogate_name.sources” is a URL pattern matching the origin(s) of the scripts to be replaced or complemented.

Various built-in surrogates can be looked up for reference by opening about:config and typing noscript.surrogate. inside the filter box.

Source URL patterns may be prefixed with one or more special characters (<, >, @ and !), which determine the type and behavior of the matching surrogate.

Here’s a quick reference of the available surrogate types grouped by source prefix, courtesy of long-time contributor al_9x:

  • no prefix: blocked script surrogate
    - matches blocked scripts
    - runs only if the page is script-allowed
    - runs when the blocked matched script would have
  • ‘<’: before script surrogate
    - matches allowed scripts
    - runs only if page and script are allowed
    - runs just before the matched script executes
  • ‘>’: after script surrogate
    - matches allowed scripts
    - runs only if page and script are allowed
    - runs just after (load event) the matched script executes
  • ‘@’: script-allowed page (HTML document) surrogate
    - matches script-allowed pages
    - runs only if the page is script-allowed
    - runs before HTML parsing starts
  • ‘!’: script-blocked page surrogate
    - matches script-blocked pages
    - runs only if the page is script-blocked
    - runs on DOMContentLoaded
  • ‘!@’: page surrogate
    - matches pages
    - runs on both script-allowed and script-blocked pages
    - runs on DOMContentLoaded
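The pref pair and the prefix rules above, modeled as an added example (this is not NoScript’s own code): it pairs the about:config entries into surrogate definitions, classifies each by its sources prefix, and decides whether it would fire for a URL given the page’s and the script’s permission state. The surrogate names, pref values and URLs are constructed, and the URL pattern syntax is reduced to a plain “*” glob, which is an assumption rather than NoScript’s real matching rules.

```javascript
// Added example, not NoScript's own code: pairs the about:config entries that
// define a Script Surrogate, classifies it by its "sources" prefix and decides
// when it fires. Constructed prefs; "*" glob pattern syntax is an assumption.
const PREFS = {
  "noscript.surrogate.demo_blocked.sources": "*.example.test/tracker.js",
  "noscript.surrogate.demo_blocked.replacement": "window.track = function () {};",
  "noscript.surrogate.demo_after.sources": ">*.example.test/widget.js",
  "noscript.surrogate.demo_after.replacement": "Widget.init();",
  "noscript.surrogate.demo_page.sources": "!@*.example.test/*",
  "noscript.surrogate.demo_page.replacement": "document.title += ' [surrogate]';",
  "noscript.surrogate.orphan.sources": "*.example.test/orphan.js", // no replacement
};

// Surrogate type names by sources prefix, as in the quick reference above.
const TYPE_NAMES = { "": "blocked script", "<": "before script", ">": "after script",
  "@": "script-allowed page", "!": "script-blocked page", "!@": "page" };

// Split a "sources" value into prefix and URL pattern. Test "!@" first so it
// is not misread as a "!" surrogate whose pattern begins with "@".
function parseSources(sources) {
  const prefix = sources.startsWith("!@") ? "!@" : /^[<>@!]/.test(sources) ? sources[0] : "";
  return { prefix, type: TYPE_NAMES[prefix], pattern: sources.slice(prefix.length) };
}

// Pair "noscript.surrogate.<name>.sources" with the matching ".replacement";
// a surrogate with only one half of the pair is incomplete and dropped.
function loadSurrogates(prefs) {
  const byName = new Map();
  for (const [key, value] of Object.entries(prefs)) {
    const m = /^noscript\.surrogate\.(.+)\.(sources|replacement)$/.exec(key);
    if (!m) continue;
    byName.set(m[1], { name: m[1], ...byName.get(m[1]), [m[2]]: value });
  }
  return [...byName.values()]
    .filter((s) => s.sources !== undefined && s.replacement !== undefined)
    .map((s) => ({ ...s, ...parseSources(s.sources) }));
}

// Simplified "*" glob: escape the literal parts, turn each "*" into ".*".
function matchesPattern(pattern, url) {
  const parts = pattern.split("*").map((p) => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(url);
}

// Does this surrogate fire for url? pageScriptAllowed is the page's state;
// scriptAllowed is the matched script's own state (script surrogates only).
function shouldRun(s, url, { pageScriptAllowed, scriptAllowed = false }) {
  if (!matchesPattern(s.pattern, url)) return false;
  if (s.prefix === "") return pageScriptAllowed && !scriptAllowed; // blocked script on allowed page
  if (s.prefix === "<" || s.prefix === ">") return pageScriptAllowed && scriptAllowed;
  if (s.prefix === "@") return pageScriptAllowed;
  if (s.prefix === "!") return !pageScriptAllowed;
  return true; // "!@" runs on every matching page
}
```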
NoScript Awarded with the DRG Security Innovation Grant
http://hackademix.net/2011/07/15/noscript-awarded-with-the-drg-security-innovation-grant/
Giorgio, Fri, 15 Jul 2011 18:47:49 +0000

[Image: NoScript Awarded for Security Innovation]

Today I’ve been notified by Patrick Green, the Chair of the Dragon Research Group Advisory Council, about NoScript having been chosen as the recipient of their Security Innovation Grant.

This is a great honor and a spur to keep making the Web a safer place. I feel the urge to thank the committee for recognizing NoScript as a pioneering force in browser security, and the community of contributors, researchers, translators, beta testers, and loyal users who keep this project alive day after day.

The grant will fund the effort to merge the current two development lines, i.e. “traditional” NoScript for desktop environments and NSA (NoScript 3.0 alpha for Android, generously aided by the NLNet Foundation). More specifically, it will support the implementation of a desktop UI, more powerful than the streamlined smartphone-optimized one already developed for NSA, but leveraging the same almost entirely rewritten multi-process back-end: this will allow a unified “NoScript Anywhere” package to be installed indifferently on PCs and mobile devices, sharing the same configuration and permissions everywhere via secure remote synchronization.

Thanks to this unexpected help from the Dragon Research Group, we can look with more confidence at the goal of releasing a NoScript Anywhere beta build for Android and desktop Firefox by September.

Update

The official announcement is online.

Killing Binary XPCOM in Add-ons. Is JavaScript Fit?
http://hackademix.net/2011/07/14/killing-binary-xpcom-in-add-ons-is-javascript-fit/
Giorgio, Wed, 13 Jul 2011 22:03:31 +0000

According to Mark Finkle, commenting on Daniel Glazman’s reply to Wladimir Palant (and the discussion goes back many more hops yet):

[…] there are two classes of binary XPCOM components:

  1. XPCOM wrappers around 3rd-party binary libraries: We use this model for exposing external binary functionality into JavaScript so add-ons and applications can access the libraries. Using js-ctypes should provide a simple, non-breaking way to expose the libraries. You create a simple JavaScript wrapper in a JavaScript XPCOM component. We need more examples of using js-ctypes to do this, but it works.
  2. Pure binary XPCOM components built only using the Mozilla platform: Sometimes the functionality you want to expose is actually locked away in the Mozilla platform itself. Maybe there is no public nsIXxx interface or the existing interface has a [noscript] attribute on a property or method. This model shouldn’t be required anymore, in my opinion. Mozilla is pushing JavaScript based components and we should be exposing as much as possible to chrome JavaScript. I would encourage add-on developers to file bugs and lobby to expose binary-only parts of the Mozilla platform to chrome JavaScript.

I fully subscribe to Mark’s opinion about the second category, but unfortunately this is not as simple as removing the [noscript] flag from interesting APIs (and introducing some wrapper types to make it possible).

What about subclassing a platform component in JavaScript? Of course you cannot as long as its interface exposes any [noscript] member, but you cannot either if it happens to be marked as thread-safe. That’s the case of the DNS Service, which can be called from any thread. I’ve considered wrapping it in order to satisfy a strict requirement of ABE (intercepting HTTP requests after DNS resolution but before any data is sent to the web server) in a less hackish way than today, but this would currently require building an XPCOM binary for each supported native platform. That’s a trouble I’d gladly spare myself, and Mozilla’s making it unsustainable anyway. So, does Mark’s statement imply that the relatively recent ban on multi-threaded JavaScript might be reconsidered? Is this even possible in this brave JSCompartment new world?

Fancy Clickjacking, Tougher NoScript
http://hackademix.net/2011/07/11/fancy-clickjacking-tougher-noscript/
Giorgio, Mon, 11 Jul 2011 13:47:03 +0000

Last week a couple of interesting and novel Clickjacking techniques were published:

  1. Cross-domain content extraction via framed view-source
  2. Double-clickjacking (or, as I prefer to call it, Rapid fire cross-site interaction)

Both involve a tiny amount of social engineering (#2 requires JavaScript, too), but as you can see they are totally feasible.

Needless to say, recent NoScript versions neutralize them whether JavaScript is enabled or not, thanks to specific enhancements in NoScript’s unique anti-Clickjacking protection module, ClearClick.

XSS and Clickjacking Protection for Android
http://hackademix.net/2011/07/01/xss-and-clickjacking-protection-for-android/
Giorgio, Thu, 30 Jun 2011 22:49:42 +0000

[Screenshot: ClearClick anti-Clickjacking on Android]

NoScript 3.0a3 for Firefox Mobile is out, bringing three of the major “classic” NoScript features to your Android smartphones:

  1. Easy per-site active content permissions management.
  2. The first and most powerful anti-XSS (cross-site scripting) filter available in a web browser.
  3. ClearClick, the one and only effective client-side protection against Clickjacking.

Still some road ahead for convergence between the desktop and the mobile versions, but we’re already past the biggest challenges…

A huge thanks to the NLNet foundation, and to many individuals, institutions and companies using NoScript, for their generous support to this project.

A Fistful of Pixels
http://hackademix.net/2011/05/22/a-fistful-of-pixels/
Giorgio, Sun, 22 May 2011 17:14:21 +0000

Am I alone in fearing that the lust for shrinking down the browser will get us into more trouble like this (or just make plain old-school phishing more effective)?
