No changelog

Posted Sep 17, 2008 19:10 UTC (Wed) by matp75 (subscriber, #45699)
In reply to: No changelog by endecotp
Parent article: NoScript 1.8.1 and LWN logins

Hello,

It seems normal to me that NoScript is trying to improve to be able to respond to new attacks.
There are some kinds of situations where attacks work by exploiting the way sites use both https and http.
To avoid a cookie leak from https to http, you have to use a browser feature called secure cookies.
Ideally, this should be done by web site owners, but most web site owners don't know the risk and don't set this option.
In my understanding, NoScript tries to add a secure-by-default option to these kinds of cookies.
I've no idea why it affected lwn.net, which seems to be only an http site (except maybe the auth is done via https and switched afterwards to http, which would explain the problem?)
Some of this is explained in the NoScript FAQ: http://noscript.net/faq#cookiemonster
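
An added illustration, not part of the comment above and not NoScript's code: a minimal model of the browser's Secure-cookie rule. It shows a session cookie set over https without the flag being sent later over plain http, and how forcing the flag stops that leak but also withholds the cookie from the site's http pages. Cookie names, values and the `enforce` switch are constructed for the example.

```python
# Added illustration: cookie names and values are constructed sample data.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def force_secure(header):
    """Append the Secure attribute when the site did not set it."""
    if "secure" in parse_set_cookie(header)[2]:
        return header
    return header.rstrip("; ") + "; Secure"


def store(jar, response_scheme, headers, enforce=False):
    """Record cookies from a response; enforce=True models a
    secure-by-default policy for cookies that arrive over https."""
    for header in headers:
        if enforce and response_scheme == "https":
            header = force_secure(header)
        name, value, attrs = parse_set_cookie(header)
        jar[name] = {"value": value, "secure": "secure" in attrs}
    return jar


def cookies_for(jar, request_scheme):
    """Browser rule: Secure cookies are attached to https requests only."""
    return {name: c["value"] for name, c in jar.items()
            if request_scheme == "https" or not c["secure"]}


# Constructed login response, received over https; 'session' lacks Secure.
LOGIN_HEADERS = ["session=abc123; Path=/; HttpOnly", "theme=dark; Path=/; Secure"]

if __name__ == "__main__":
    for enforce in (False, True):
        jar = store({}, "https", LOGIN_HEADERS, enforce=enforce)
        print("enforce =", enforce)
        print("  sent over http: ", cookies_for(jar, "http"))
        print("  sent over https:", cookies_for(jar, "https"))
```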


No changelog

Posted Sep 17, 2008 21:33 UTC (Wed) by khc (subscriber, #45209)

It's called noscript, not securemozilla. I could use an extension that blocks scripts, but things like http://noscript.net/faq#qa4_2 make it annoying to use for the rest of the non-ASCII world. Yes, I can disable it, but it has a big scary warning. Why must I be a geek to use non-English websites?

No changelog

Posted Sep 17, 2008 22:58 UTC (Wed) by ma1 (guest, #53955)

It's called NoScript, but it's spelled SecureMozilla ;)

Regarding FAQ 4.2, that entry was very outdated. Currently NoScript's anti-XSS filters sanitize just a handful of characters (the less-than sign, quotes, backslashes), and for untrusted-to-trusted cross-site requests only.

Other cross-site requests (trusted-to-trusted) are sanitized exclusively if a relevant fragment of HTML and/or syntactically valid JavaScript is detected, and the false positive rate is very low.

No changelog

Posted Sep 18, 2008 2:53 UTC (Thu) by khc (subscriber, #45209)

Thanks, I see that the FAQ entry is updated now.

No changelog

Posted Sep 18, 2008 12:01 UTC (Thu) by sitaram (subscriber, #5959)

Yes, and this is LWN, but we do see articles about BSDs and such also.

:-)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds