NoScript 2.0.4 was released yesterday, with some bug fixes and one main addition: strict X-Content-Type-Options: nosniff enforcement.

NoScript had long been enforcing content type checks on cross-site JavaScript and CSS includes, and recent Firefox versions introduced similar built-in mitigations, albeit limited to stylesheets, in order to mitigate CSS-based data theft.

Nevertheless, X-Content-Type-Options offers a nice opportunity for further hardening, by allowing web sites to opt in to the strictest checks, covering more file types and applying to same-domain includes as well, in a theoretically compatible way.

A side effect of this addition is that Firefox 4 + NoScript now scores 14/16 on Browserscope's Security Test, in "Allow Scripts Globally" mode (i.e., without blocking any JavaScript or active content)!
Browserscope Security Test
For those who don't know it, Browserscope is a project which aims at profiling and comparing browser capabilities, with a special eye for security features.

By comparison, only Google Chrome boasts a higher score, 15/16, because it supports both the HTTP Origin header and the HTML5 sandbox attribute, which are not yet implemented by either Firefox or NoScript. For the curious, "vanilla" Firefox 4 nightlies stop at 11/16 (although you'll read 12/16, because of a bug in the XSS test), Firefox 3.6.12 + NoScript is at 13/16, while disabling NoScript makes it fall down to 9/16 (reported as 10/16 because of the aforementioned bug).

However, a fair comparison would also need to cover Content Security Policy (CSP), a very powerful and flexible security technology developed by Mozilla (a test should be added soon, it seems), and countermeasures against cross-zone CSRF attacks (e.g. against routers), which are currently provided by NoScript and, partially, by Opera (Mozilla is working on something, too)*. If and when these features get tested, Firefox 4 + NoScript will lead at 16/18, followed by Chrome at 15/18.

That said, I'd really love to see Origin and Sandbox implemented natively by Firefox, for a perfect 18/18. Which is, I guess, the real raison d'être of Browserscope: getting good stuff implemented everywhere by the power of childish envy ;)

* I won't advocate including tests for other non-blocking security features provided by NoScript, such as ClearClick anti-Clickjacking, because they're not suitable for web-based automation.

Update 2010-11-13

Firefox 4 + NoScript scores 15/17 now!

14 Responses to “X-Content-Type-Options, NoScript and Browserscope”

  1. #1 Captain Canuck says:

    Mozilla/5.0 (X11; U; Linux i686; en-GB; rv: Gecko/20101026 Firefox/3.6.12

    NoScript version 2.0.4

    I'm getting 11/16.

  2. #2 Captain Canuck says:

    Woops, following-up my comment

    1. PASS postMessage API
    2. PASS JSON.parse API
    3. PASS toStaticHTML API
    4. FAIL httpOnly cookie API
    5. PASS X-Frame-Options
    6. PASS X-Content-Type-Options
    7. FAIL Block reflected XSS
    8. PASS Block location spoofing
    9. PASS Block JSON hijacking
    10. PASS Block XSS in CSS
    11. FAIL Sandbox attribute
    12. FAIL Origin header
    13. PASS Strict Transport Security
    14. PASS Block cross-origin CSS attacks
    15. PASS Cross Origin Resource Sharing
    16. FAIL Block visited link sniffing

  3. #3 Giorgio says:

    @Captain Canuck:
    You're failing "httpOnly cookie", very likely because you're blocking cookies from Cookie Safe or anything like that?

    Also, did you perhaps disable XSS checks (NoScript Options|Advanced|XSS)?
    Could you mail me your NoScript Options|Export output?

  4. #4 Thomas Ludwig says:

    Just tested it with FF 3.6.13pre under Ubuntu with "Allow Scripts Globally", XSS protection disabled and cookies allowed. Result: 13/16

    Failed tests were: Sandbox attribute, Origin header and Block visited link sniffing.

  5. #5 Thomas Ludwig says:

    Just re-ran the test with FF 4.0b8pre. Result: 14/16

    Failed tests: Sandbox attribute, Origin header.

  6. #6 Giorgio says:

    @Thomas Ludwig:
    Maybe there's a misunderstanding, you do not need to disable XSS protection in order to take the test (quite the contrary).

    Actually, you're getting 13 and 14, but you should get 12 and 13 because XSS protection is turned off: there's a bug in the test awarding you 1 point more than due on Firefox, as I told in the article.

  7. #7 Thomas Ludwig says:

    @Giorgio: Thanks - understood!
    BTW: You mentioned "HTTP Origin Header and the HTML 5 Sandbox Attribute, which are not implemented yet by Firefox nor by NoScript." Could both be implemented in Noscript, and if so are you planning it?

  8. #8 Giorgio says:

    @Thomas Ludwig:
    Origin could, but AFAIK is the one which is more likely to be implemented soon as a Firefox built-in.
    Sandbox is much more problematic, because it's technically prohibitive for an extension and, on the other hand, there may be resistance to introducing it in Firefox since it overlaps to some extent with CSP.

  9. #9 p0deje says:

    I don't understand what the deal is with the X-Content-Type-Options header for Firefox. AFAIK the only exploitation vector it mitigates is the IE MIME-sniffer bug, but there isn't anything like it in Firefox.

  10. #10 Giorgio says:

    The original IE8 implementation does not make sense, in fact, because Firefox doesn't sniff top-level documents.

    However, the stricter IE9/NoScript implementation, which also restricts script execution to correctly typed script files only, is actually useful to prevent file hosting services and public CMS platforms from being abused to deliver script-based attacks.
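To make the behaviour discussed in the post (strict, opt-in checks that also apply same-domain) and in this reply (script execution limited to correctly typed files) concrete, here is an added example, not NoScript's or Firefox's own code, modelling nosniff enforcement for script and stylesheet loads in Node.js. The header semantics and the JavaScript MIME type list follow what the WHATWG Fetch and MIME Sniffing standards later codified; the file-host responses are constructed for the demonstration.

```javascript
// Added example (not NoScript's or Firefox's code): a model of strict
// X-Content-Type-Options: nosniff enforcement for subresource loads.
// Under nosniff, a script load only runs if the response declares a
// JavaScript MIME type and a stylesheet only applies if it is text/css,
// regardless of whether the include is cross-site or same-domain.

// JavaScript MIME types as listed in the WHATWG MIME Sniffing standard.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Case-insensitive header lookup over a plain {name: value} object.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return null;
}

// "type/subtype" essence of a Content-Type value, lowercased, with
// parameters such as ";charset=utf-8" stripped; null if absent or malformed.
function mimeEssence(contentType) {
  if (contentType === null) return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s/]+\/[^\s/]+$/.test(essence) ? essence : null;
}

// nosniff is in force when the first comma-separated value of
// X-Content-Type-Options is "nosniff" (ASCII case-insensitive).
function hasNosniff(headers) {
  const value = getHeader(headers, "X-Content-Type-Options");
  if (value === null) return false;
  return value.split(",")[0].trim().toLowerCase() === "nosniff";
}

// Decide whether a response may be consumed as the requested destination
// ("script" or "style"). Without nosniff the browser may fall back to
// sniffing, modelled here as "allow"; with nosniff only a correctly
// declared type passes.
function nosniffVerdict(destination, headers) {
  const type = mimeEssence(getHeader(headers, "Content-Type"));
  const shown = type === null ? "missing Content-Type" : type;
  if (!hasNosniff(headers)) {
    return { allowed: true, reason: "no nosniff: legacy sniffing applies" };
  }
  if (destination === "script") {
    const ok = type !== null && JS_MIME_TYPES.has(type);
    return { allowed: ok, reason: ok ? `script type ${type}` : `blocked: ${shown} is not a JavaScript MIME type` };
  }
  if (destination === "style") {
    const ok = type === "text/css";
    return { allowed: ok, reason: ok ? "text/css" : `blocked: ${shown} is not text/css` };
  }
  return { allowed: true, reason: "destination not subject to nosniff" };
}

// Constructed scenario: a file host serves user uploads as text/plain. An
// attacker uploads JavaScript there and includes it via <script src> from a
// page where the file host's domain is trusted. With nosniff the upload is
// refused as script; without the header nothing stops sniffing.
const SAMPLE_LOADS = [
  { id: "lib", destination: "script",
    headers: { "Content-Type": "application/javascript; charset=UTF-8",
               "X-Content-Type-Options": "nosniff" } },
  { id: "upload-nosniff", destination: "script",
    headers: { "Content-Type": "text/plain", "x-content-type-options": "NOSNIFF" } },
  { id: "upload-legacy", destination: "script",
    headers: { "Content-Type": "text/plain" } },
  { id: "css-as-html", destination: "style",
    headers: { "Content-Type": "text/html", "X-Content-Type-Options": "nosniff" } },
  { id: "no-type", destination: "script",
    headers: { "X-Content-Type-Options": "nosniff, other" } },
];

// Map each load's id to whether it would be allowed.
function evaluateLoads(loads = SAMPLE_LOADS) {
  const out = {};
  for (const load of loads) {
    out[load.id] = nosniffVerdict(load.destination, load.headers).allowed;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const load of SAMPLE_LOADS) {
    const v = nosniffVerdict(load.destination, load.headers);
    console.log(`${load.id.padEnd(15)} ${v.allowed ? "ALLOW" : "BLOCK"}  ${v.reason}`);
  }
}
```

The opt-in is entirely on the server side: a host that sends X-Content-Type-Options: nosniff on every response, and types its responses honestly, gets the strict behaviour; a host that omits the header keeps whatever lenient handling the browser applies today, which is why the header is compatible by construction.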

  11. #11 jason says:

    NoScript USED to be a good program, but now it annoys the shit out of me when I'm on Facebook. It will NOT allow 95% of the clicks on ANY of the games because of some "hijack attempts" notice.
    I've uninstalled it.
    IF I hear that it works PROPERLY again, I MAY consider reinstalling it. Until such time, I WILL be recommending people find a different program to use.

  12. #12 Giorgio says:

    Could you please reinstall NoScript just once and use the "Report" button on the ClearClick dialog when the problem happens, then mail me one or more report IDs for me to analyze?
    Thank you.

  13. #13 James says:

    I also failed test #17 - block visited link sniffing. I notice above this has already been reported, but I'm happy to mail you my Export Settings dump if you'd like.

  14. #14 Giorgio says:

    Test #17 is bound to fail on Fx 3.6.x in the default configuration (you could turn off visited link feedback from about:config, though), while Firefox 4 has a clever and permanent fix by default (AFAIK it is the only browser implementing it).
