Collin Jackson just sent me this email about Browserscope, which I talked about in my previous post:

Hi Giorgio,

Just a quick note to let you know that we've released a new Browserscope security test for Content Security Policy and fixed some bugs in the other tests.

You might want to update the NoScript web site to reflect the new score for NoScript-enabled Firefox.

http://www.browserscope.org/?category=security

Keep up the great work on NoScript...

Collin Jackson

So, Firefox 4 + NoScript (with "Allow Scripts Globally"!) now leads with 15/17, the highest score, on a par with Chrome.
Taking the lead outright will have to wait for, say, a cross-zone CSRF / DNS Rebinding (AKA "Router Hacking Protection") test :)

4 Responses to “Browserscope Update”

  1. #1 Nicolai says:

    Okay, this is really weird but today I "lost" NoScript from FF!? When I try to install NoScript, then I get this error: http://img691.imageshack.us/img691/575/err0rt.jpg
    It looks like NoScript tries to access (or create?) a file in a location it doesn't have access to.

    I'm running: Win7 x64
    Mozilla/5.0 (Windows; U; Windows NT 6.1; da; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

  2. #2 Giorgio says:

    @Nicolai:
    that looks like an Add-Ons Manager corruption.

    Could you try to follow the steps outlined in this article?

    http://kb.mozillazine.org/Firefox_:_Issues_:_Can%27t_Install_Themes_or_Extensions#Corrupt_extension_files

  3. #3 Nicolai says:

    Well, I checked the "extension" folder, and the permissions of one of the folders were weird, so I rebooted my computer into Linux (dualboot; Win7 & Fedora) and deleted the folder, and then NoScript worked again.
    I have no idea why the permissions changed, but the "problem" is fixed now :-)

    and btw thanks for making the best FF addon!

  4. #4 Tom T. says:

    Why is there no test of Fx with NS *not* Allow Globally, i.e., in its default-deny setting?

    Even old, outdated Fx 2.0.0.20 refused to run the test.
    First, because I deny cookies to all sites unless both the site *and I* decide they need them. ;)

    After allowing the cookie, the test still wouldn't run, because NS default-deny refuses Browserscope's script - as it refuses any other. So that's 17/17 in my book, not the 3/17 that they report for Fx 2.20. :-D

    Apparently, no one can use any of these methods of attack unless they can convince the user to allow scripting from that site. Perhaps only a small minority of the user population uses NoScript, but if the Browserscope people displayed this fact on their site, it might convince more users to use NS who may not even have heard of it before. Can you get them to do that? It would be dramatic. :)

    Cheers!

    P. S. Captcha not showing until google.com is allowed??? Haven't posted here in a while, but why the change?
