PMOG
The Passively Multiplayer Online Game

PMOG Forum

civilized discourse for an uncivilized gameworld



A Little Thing About NoScript's Anti-XSS



shiroisenryou



Level 10
Destroyer
Posts: 7

By default, Anti-XSS protection filters all requests from untrusted origins to trusted destinations, considering trusted either "Allow"ed or "Temporary allow"ed sites. If you prefer "Temporarily allow"ed sites to be still considered as untrusted origins from the XSS point of view, you just need to set about:config noscript.xss.trustTemp preference to false.

Furthermore, since version 1.1.4.9 NoScript also checks requests started from whitelisted origins for specific suspicious URL patterns landing on other trusted sites: if a potential XSS attack is detected, even if coming from a trusted source, filters are promptly triggered.

This feature can be tweaked by changing the value of the noscript.injectionCheck about:config preference as follows:

0 - never check
1 - check cross-site requests from temporary allowed sites
2 - check every cross-site request (default)
3 - check every request

NoScript's Anti-XSS filters have been deeply tested and proved their ability to defeat every known reflective XSS technique, but their power is a double-edged sword: sometimes they may detect a weird-looking but legitimate request as a "potential XSS attempt". This should almost never be a show stopper, since the filter most of the time doesn't prevent you from navigating the filtered page, but the aforementioned Unsafe reload command and the XSS Advanced Options have been made easily accessible so you can work around it if you hit a false positive with side effects. Just please notify me when it happens, possibly reporting the messages NoScript logged, so I can keep tweaking NoScript's "XSS sensibility" as needed.

While Cross-Site Scripting (XSS) vulnerabilities need to be fixed by the web developers, users can finally do something to protect themselves: NoScript is the only effective defense available to "web-consumers", waiting for "web-providers" to clean up their mess.

by shiroisenryou 9 months ago
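As an added example (not code from NoScript or from the post above), a small Python script that reads the user_pref lines of a Firefox prefs.js/user.js, applies the defaults the post describes (trustTemp on, injectionCheck 2), and reports which of the two Anti-XSS preferences have been set weaker than the default. The user_pref line format and the sample profile content are assumptions constructed for the example.

```python
import re

# Meaning of each noscript.injectionCheck level, as listed in the post.
INJECTION_CHECK_LEVELS = {
    0: "never check",
    1: "check cross-site requests from temporary allowed sites",
    2: "check every cross-site request (default)",
    3: "check every request",
}

# Defaults as described in the post: temporarily allowed sites count as
# trusted origins, and every cross-site request is checked.
DEFAULTS = {"noscript.xss.trustTemp": True, "noscript.injectionCheck": 2}

# One user_pref("name", value); line of a prefs.js or user.js file.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref lines into a dict (bools, ints and quoted strings)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[key] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]
    return prefs


def audit_noscript_xss(text):
    """Return the effective Anti-XSS settings and any weaker-than-default ones."""
    prefs = parse_prefs(text)
    effective = dict(DEFAULTS)
    effective.update({k: v for k, v in prefs.items() if k in DEFAULTS})
    weaker = []
    level = effective["noscript.injectionCheck"]
    if level not in INJECTION_CHECK_LEVELS:
        weaker.append(f"injectionCheck={level!r}: unknown value")
    elif level < DEFAULTS["noscript.injectionCheck"]:
        weaker.append(f"injectionCheck={level}: {INJECTION_CHECK_LEVELS[level]}")
    return {"effective": effective, "weaker_than_default": weaker}


# Constructed sample profile content (hypothetical, not a real prefs.js).
SAMPLE_PREFS = 'user_pref("noscript.injectionCheck", 0);\n' \
               'user_pref("noscript.xss.trustTemp", false);\n' \
               'user_pref("noscript.global", false);\n'

if __name__ == "__main__":
    print(audit_noscript_xss(SAMPLE_PREFS))
```

Point it at the prefs.js of the profile in question to see whether injectionCheck has been lowered below the documented default.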

pixielo



Level 20
Pathmaker
Posts: 3706

Awesome! Thank you!

by pixielo 9 months ago

soitbegins



Level 4
Vigilante
Posts: 9

It happens when completing a mission that doesn't have the last stop be a page on PMOG.

by soitbegins 9 months ago


