NoScript is darned good...

Hi malware fighters,

I made up this suspect browser request, and NoScript sanitized it like this:


[NoScript XSS] Sanitized suspicious request. Original URL [http://www.google.nl/firefox?client=firefox-a&rls=org.mozilla:en-US:officialHTTP/1.0%20302%20FoundLocation:%20http://www.google.nl/Cache-Control:%20privateSet-Cookie:%20PREF=ID=d93abbee521b109e:TM=1211661480:LM=1211661480:S=WMFEwe2-sVNtEYcq;%20expires=Mon,%2024-May-2010%2020:38:00%20GMT;%20path=/;%20domain=.google.comDate:%20Sat,%2024%20May%202008%2020:38:00%20GMTContent-Type:%20text/html;%20charset=UTF-8Server:%20gwsContent-Length:%20218Connection:%20Close%3CHTML%3E%3CHEAD%3E%3Cmeta%20http-equiv=%22content-type%22%20content=%22text/html;charset=utf-8%22%3E%3CTITLE%3E302%20Moved%3C/TITLE%3E%3C/HEAD%3E%3CBODY%3E%3CH1%3E302%20Moved%3C/H1%3EThe%20document%20has%20moved%3CA%20HREF=%22http://www.google.nl/%22%3Ehere%3C/A%3E.%3C/BODY%3E%3C/HTML%3E] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://www.google.nl/firefox?client=firefox-a&rls=org.mozilla%3Aen-US%3AofficialHTTP%2F1.0%20302%20FoundLocation%3A%20http%3A%2F%2Fwww.google.nl%2FCache-Control%3A%20privateSet-Cookie%3A%20PREF=ID=d93abbee521b109e%3ATM=1211661480%3ALM=1211661480%3AS=WMFEwe2-sVNtEYcq%3B%20expires=Mon%2C%2024-May-2010%2020%3A38%3A00%20GMT%3B%20path=%2F%3B%20domain=.google.comDate%3A%20Sat%2C%2024%20May%202008%2020%3A38%3A00%20GMTContent-Type%3A%20text%2Fhtml%3B%20charset=UTF-8Server%3A%20gwsContent-Length%3A%20218Connection%3A%20Close%20HTML%3E%20HEAD%3E%20meta%20http-equiv=%20content-type%20%20content=%20text%2Fhtml%3Bcharset=utf-8%20%3E%20TITLE%3E302%20Moved%20%2FTITLE%3E%20%2FHEAD%3E%20BODY%3E%20H1%3E302%20Moved%20%2FH1%3EThe%20DOCUMENT%20has%20moved%20A%20HREF=%20http%3A%2F%2Fwww.google.nl%2F%20%3Ehere%20%2FA%3E.%20%2FBODY%3E%20%2FHTML%3E#2179525120284196272].

Yes, NoScript is really protecting your browser against whatever online threat; the proof is in the pudding,

polonus

In this respect it is great, but there are times when it is a pain in the rear. I have had issues with the XSS sanitization on a number of occasions, to the point that I have unchecked the sanitize suspicious requests option.

On the occasions they have been on-line stores passing data to payment processing and that kills the legitimate use.

Some time ago I reported this issue to the author; I was requesting a means of accepting the suspect XSS (in the right-click menu), but I fear it went right over his head. I wanted to only do this for a specific site and not disable the Sanitise cross-site suspicious requests for all XSS.

Hi DavidR,

Yes, in these particular cases NoScript will not discriminate between a real danger and a crafted thing that resembles it. It even thinks of things that have not come around the corner. As you experience this, it is a weakness, but searching for the exception with Google you see a reason for it. And yes, NoScript is tweakable; I can imagine that people do not want to have Flash on board and only allow it when needed. You can set NoScript even to your mood.
Still think it is the best thing that happened to Firefox to make it Firefox + NoScript. Especially as I am trying it out with the HackBar extension and SQL-Me add-on. And then to those that still hesitate: try to let it work to your advantage, and that it is slowing down the browser is a myth; it rather speeds up the loading because the page loads without a lot of whatever scripts you have.

polonus

I’d like to know for sure: is NoScript worth installing if I use Avast + Spywareterminator, and Vista itself asks me for permissions to launch almost any program?

I'd like to know for sure: is NoScript worth installing if I use Avast + Spywareterminator, and Vista itself asks me for permissions to launch almost any program?
It's an add-on extension to the Firefox browser and well worth it - not a real-time protection installed program like avast! etc. http://noscript.net/

http://i28.tinypic.com/15nk3ds.jpg

I would say it is an absolute requirement when using Firefox. It makes Firefox even more secure; stopping something from running is preferable to trying to detect/stop it if it is malicious. You soon get used to it and your more frequent site visits will soon be allowed by you so it doesn’t get in the way much (for me).

You soon get used to it and your more frequent site visits will soon be allowed by you so it doesn't get in the way much (for me).
Pretty much like the annoyance of a new firewall. ;D We all got used to all those questions too and have gotten past most of the annoyances. :)

I'm a long-time user of NoScript and wouldn't be without it or Adblock. I'm also looking at Flashblock and wondering whether anyone has any opinion on its merits: https://addons.mozilla.org/en-US/firefox/addon/433

Both of them are good when we’d like to have, at least, a general idea of what we are doing even if we don’t have special knowledge of programming.

If you are using NoScript, you shouldn’t/need not use FlashBlock. Check the add-on-related issue at the MozillaZine knowledge base.

NoScript blocks JavaScript, which is required by FlashBlock
Do not use both FlashBlock and NoScript together (NoScript includes Flash-blocking functionality)

Off Topic
Just in case some people are wondering why I copy/quote information on the net so often. I have a few reasons for doing this:

  1. I don’t have knowledge of programming and have to rely on as good sources as possible.
  2. Due to the lack of knowledge, there is a chance that I may have misinterpreted these sources and, if so, I’d like it to be pointed out by more knowledgeable readers.
  3. I’d like to encourage people to use search engines and help themselves to find answers for their questions on the net since it spares a lot of time for them.

Some scientific-minded people may find my approach is way heavier on text than on strict and direct experiments, but as a non-specialist, I find I cannot have this compromise. After all, we cannot expect others to be professional in our own fields, since we don’t come across many masters of knowledge such as Aristotle or da Vinci so often even in our history. Ars longa vita brevis… especially in this age of information… :stuck_out_tongue: