Showing posts with label noscript. Show all posts

Monday, February 6, 2012

RequestPolicy For Firefox Gives You Control Over Cross-Site Connections

The majority of websites make connections to other domains when you connect to them. Examples are a site that uses Google Analytics for web statistics or Google Adsense for monetization, embeds videos from YouTube, or uses a content distribution network. Sometimes these requests are needed to use all of a site’s functionality. Amazon, for instance, loads content from images-amazon.com. While it is still possible to use the site, part of its functionality is not available until you permit that connection.

RequestPolicy for the Firefox web browser has been designed to put you back in control over the connections the browser makes. In this regard it works similarly to the popular NoScript add-on, with the difference that it does not prevent on-site scripts from running.

When you first install the add-on, you can add sites to the whitelist. The developer has prepared international and location-specific lists.

The majority of suggestions allow connections between sites run by the same company. Examples are to allow google.com connections when you are on Gmail, or fbcdn.net connections when you are on Facebook. These can significantly reduce the issues that users encounter after enabling the add-on in the browser. It is, however, not necessary to add any site combination to the whitelist.

This whitelist approach differs from NoScript’s whitelisting approach: NoScript allows connections from a whitelisted domain on all websites, whereas RequestPolicy only allows them on one specific site.

RequestPolicy adds an icon to the Firefox status bar that acts as a control panel and indicator at the same time. A red flag indicates that connections have been blocked on a website. A click on the flag displays information about those connections, and options to temporarily or permanently allow those connections to be made on the current site.

The page is automatically reloaded if you allow connections to be made.

The preferences let you manage the whitelist, export or import settings, and modify the strictness of the add-on. The add-on by default uses base domains, e.g. ghacks.net, to allow same-site requests. You can change that to full domain names, e.g. www.ghacks.net, or full addresses instead.

What I personally like most about RequestPolicy is the granular whitelisting which allows you to run the same scripts on some sites but not on others (for instance to show Adsense ads on Ghacks, but not on other sites). It is also less intrusive than NoScript if the whitelisting suggestions are added during setup.
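The difference between per-site and global whitelisting, and the effect of the three strictness levels, can be seen in a small model. This is an added example, not RequestPolicy's or NoScript's code; the function names, the rule format, the two-label base-domain shortcut and the reading of "full address" as scheme, host and port are assumptions.

```javascript
// Added illustration; not RequestPolicy's or NoScript's source code.
// Assumption: base domain = last two labels. Real code needs the Public
// Suffix List to handle suffixes such as co.uk.
const baseDomain = (host) => host.split(".").slice(-2).join(".");

// A rule "ghacks.net" covers ghacks.net and every subdomain of it.
const hostMatches = (host, rule) => host === rule || host.endsWith("." + rule);

// Reduce a URL to what is compared at each strictness level.
function siteIdentity(url, strictness) {
  const u = new URL(url);
  if (strictness === "base-domain") return baseDomain(u.hostname);
  if (strictness === "full-domain") return u.hostname;
  return u.origin; // "full-address": scheme + host + port (assumed meaning)
}

// Per-site model: a rule names an (origin site, destination) pair.
function pairAllows(rules, originUrl, destUrl, strictness = "base-domain") {
  if (siteIdentity(originUrl, strictness) === siteIdentity(destUrl, strictness)) {
    return true; // same-site request, never blocked
  }
  const o = new URL(originUrl).hostname;
  const d = new URL(destUrl).hostname;
  return rules.some((r) => hostMatches(o, r.origin) && hostMatches(d, r.dest));
}

// Global model: a whitelisted destination is allowed from every site.
function globalAllows(allowed, destUrl) {
  const d = new URL(destUrl).hostname;
  return allowed.some((a) => hostMatches(d, a));
}

// Constructed sample data.
const AD = "https://pagead2.googlesyndication.com/show_ads.js";
const pairRules = [{ origin: "ghacks.net", dest: "googlesyndication.com" }];
const globalList = ["googlesyndication.com"];

console.log(pairAllows(pairRules, "https://www.ghacks.net/", AD)); // true
console.log(pairAllows(pairRules, "https://news.example/", AD));   // false
console.log(globalAllows(globalList, AD));                          // true
console.log(pairAllows([], "https://www.ghacks.net/",
  "https://static.ghacks.net/a.png", "full-domain"));               // false
```

With the global list the ad host is reachable from every site once it is whitelisted; with pair rules it is reachable only from the one site named in the rule.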



Thursday, December 22, 2011

NoScript Links to Security and Privacy Information

The Firefox NoScript add-on is one of the best, if not the best, web browser security extensions. NoScript’s core functionality, the blocking of all scripts on all websites, protects the user from script-based web attacks. Additional functionality has been integrated into the add-on over the years, including anti-XSS protection, the Application Boundaries Enforcer and the inclusion of external filter lists. One thing that is currently missing is suggestions, or at least additional information, about scripts and domains that have been blocked by NoScript. The only option up until now was to use a search engine to locate information about a particular domain name manually.

Ghacks reader Jojo just mentioned that he discovered a new NoScript feature that opens a page of security and privacy related links for domains listed in the NoScript domain listing. The method, while still requiring a few clicks to receive results, improves this workflow significantly.

A middle-click on a domain name opens a new browser page with links to several sources of privacy and security information.

The page links to the following security and privacy related services and databases: Web of Trust, McAfee Site Advisor, Webmaster Tips Site, Safe Browsing Diagnostic and hpHosts Report.

  • Web of Trust – Displays trustworthiness, vendor reliability, privacy and child safety ratings as well as user comments.
  • McAfee Site Advisor – Informs about download safety, online affiliations and possible annoyances.
  • Webmaster Tips – Does not load currently.
  • Google Safe Browsing – Displays if Google considers the site to be suspicious, if it has distributed or hosted malware, and if pages on the site contained malware during Google bot visits.
  • hpHosts – Lists IP, host and server related information about the selected domain.

Direct optional integration of at least one service into the NoScript domain listing would be optimal. It would also be great if links to standard web searches would be displayed on the services page.


© Martin Brinkmann for gHacks Technology News | Latest Tech News, Software And Tutorials, 2011. | Permalink |



Tuesday, November 15, 2011

ScriptNo, Another NoScript Extension For Chrome

One of the two issues that I identified in yesterday’s review of Opera’s NotScripts extension was that it has not been updated for a long period of time. A script by the same name for Google Chrome, NotScript for Chrome, has also not been updated for almost a year now. Ghacks reader Vineeth just sent me a link to ScriptNo, a NoScript alternative for Chrome users.

The ScriptNo extension adds an icon to the Chrome address bar. The icon acts as a notifier that informs the user about the number of scripts that have been blocked on the current page. The icon color indicates blocked scripts (red), temporarily allowed scripts (blue), whitelisted parent pages but blocked scripts (white) or if the extension is disabled on that particular page (grey).

A left-click on the icon displays all blocked resources, the domain name and links to options and a quick start guide.

All script elements are blocked by default. Users now have options to change the preferred action for a particular script or domain.

  • Allow: Whitelists the specific domain which does not necessarily have to be the root domain. E.g. whitelist www.ghacks.net but not de.ghacks.net.
  • Trust: Whitelists the entire domain and all of its subdomains.
  • Distrust: Adds the current domain to the blacklist.
  • Temp: Depending on the default mode the domain will either be allowed for the current session (if default mode is set to block) or allowed (if default mode is set to allow).

When you change a script’s state, e.g. from blocked to allow, the page will be reloaded to take that into account. If you click on the icon again you will then see that the script is listed under Allowed Resources and no longer under blocked resources. A clear button is added to those scripts to undo the preference change.

The options of the ScriptNo extension offer customizations. Here you can set the default mode of operation (block or allow) and allow or block specific HTML elements. The latter could be interesting for users who always want to see noscript contents on the page or audio and video contents. There is even an option to block images from being loaded automatically.

The options list four additional settings to configure the extension. Privacy Settings allow the user to configure the following features:

  • Block Unwanted Content: (Default: enabled; remove unwanted content from known ad / malware domains; domains gathered from MVPS HOSTS, hpHOSTS (ad / tracking servers), Peter Lowe’s HOSTS Project, MalwareDomainList.com, and DNS-BH – Malware Domain Blocklist)
  • Unwanted Content Mode: (Default: Relaxed; Relaxed = whitelisted domains will not be blocked; Strict = domains in the unwanted domain list will be blocked even if whitelisted)
  • Antisocial Mode: (Default: disabled; always remove social widgets/buttons, even if whitelisted)
  • Remove Webbugs: (Default: enabled; remove “invisible” third-party elements)
  • Block Click-Through Referrer: (Default: enabled; blocks referrer information when clicking on external links)
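How the Allow, Trust and Distrust lists interact with the default mode and the Unwanted Content Mode can be modelled as a single decision function. This is an added example, not ScriptNo's code; the configuration field names, the sample domains and the rule that Distrust overrides a whitelist entry are assumptions.

```javascript
// Added illustration; not ScriptNo's source code. Field names are hypothetical.
const cfg = {
  defaultMode: "block",           // "block" or "allow"
  unwantedMode: "relaxed",        // "relaxed" or "strict"
  allow: ["www.ghacks.net"],      // Allow: this exact host only
  trust: ["example.org"],         // Trust: domain plus all subdomains
  distrust: ["tracker.example"],  // Distrust: blacklist
  unwanted: ["ads.example.org"],  // constructed stand-in for the hosts lists
};

// True if host is the domain itself or one of its subdomains.
const inDomain = (host, domain) => host === domain || host.endsWith("." + domain);

function decide(host, c) {
  const whitelisted =
    c.allow.includes(host) || c.trust.some((d) => inDomain(host, d));
  const unwanted = c.unwanted.some((d) => inDomain(host, d));

  // Strict: the unwanted list wins even over a whitelist entry.
  if (unwanted && c.unwantedMode === "strict") return "block";
  // Assumption: an explicit Distrust entry beats Allow/Trust.
  if (c.distrust.some((d) => inDomain(host, d))) return "block";
  // Relaxed: whitelisted domains are not blocked by the unwanted list.
  if (whitelisted) return "allow";
  if (unwanted) return "block";
  return c.defaultMode;
}

console.log(decide("www.ghacks.net", cfg));  // allow (exact Allow entry)
console.log(decide("de.ghacks.net", cfg));   // block (Allow does not cover siblings)
console.log(decide("cdn.example.org", cfg)); // allow (Trust covers subdomains)
console.log(decide("ads.example.org", cfg)); // allow (Relaxed, trusted parent)
console.log(decide("ads.example.org", { ...cfg, unwantedMode: "strict" })); // block
```

The last two lines show why Strict matters when a broad Trust entry is in place: a trusted parent domain otherwise re-enables a subdomain that the unwanted list names.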

Behavior Settings include the following options:

  • Page Link Opening Behaviour: (Default: -Unchanged-; modifies how all links are opened)
  • Respect Same-Domain: (Default: disabled; preserve same-domain elements)
  • Auto-Refresh Page: (Default: enabled; auto-refresh page after list change)
  • Show Rating Button: (Default: enabled; if ticked, adds rating button under domains in tab popup)
  • Classic Options Mode: (Default: disabled; if ticked, closes tab options everytime an option is clicked)
  • Sort by Domain: (Default: enabled; sorts URL lists by domains)

The remaining settings include a whitelist and blacklist where all previously added domains are listed (with options to remove), and import and export settings.

New users should take a look at the quick start guide. The guide needs a bit of revamping considering that it uses terms that are no longer found in the extension. But that’s not a big issue.

The extension is hosted both on the Chrome Web Store and on Google Code, where the source code can be downloaded and analyzed. Google Chrome users who want NoScript-like protection for their web browser should definitely take a look at ScriptNo; it is awesome.





Monday, November 14, 2011

NotScripts Brings Firefox NoScript Protection To Opera

When it comes to add-ons, the NoScript add-on for the Firefox web browser is my favorite one. It basically blocks scripts from running on domains until I allow them to run. NoScript offers more functionality than that, such as XSS protection, among a plethora of other features. I have covered the Google Chrome extension NotScript in the past, which offers a somewhat limited NoScript experience on that browser. And Swapnil (thanks) just informed me that Opera too has a NotScript extension available.

NotScripts is available for Opera 11.10 or newer. The installation process is a bit on the complicated side. Here are the instructions on how to install NotScripts correctly.

  • Install the extension. You can install the latest NotScripts version right from the Opera Extensions repository.
  • Close the Opera window and re-open Opera.
  • Click the NotScripts button in the Opera toolbar.
    It will show you a message telling you to set User JS Storage Quota to 5000. Click the message and it will take you to the ‘User JS Storage Quota’ setting.
  • Change the value of the setting from 0 to 5000.
  • Click the Save button. You might need to scroll down to find the Save button.
  • You may need to restart the Opera browser before the changes take effect.

Opera’s NotScript, unlike NoScript, comes with three different script blocking modes. The default mode is Whitelist, which blocks all scripts except those that are run from whitelisted domains. Blacklist, the second option, allows all scripts by default and blocks only scripts on a user-maintained blacklist (much like the Firefox add-on YesScript). The last mode, Whitelist + Same Origin, uses the whitelist approach to block all scripts but automatically allows scripts running on the same domain the user is on.

So there is more choice in this regard, which is really nice. When you visit a site you need to click on the NotScript icon to display the list of blocked scripts. There is no indicator that scripts were blocked, which is probably the biggest usability issue. A click on the icon displays the scripts with options to allow, block or temporarily allow them individually.

[Screenshot: blocked scripts]

If you run the blacklist mode (allow all scripts except selected ones) then you see a script listing similar to that on the screenshot above. The blue action is the current one for that script on that particular site. Just like with NoScript you can allow all scripts, globally allow all temporarily until revoked or temporarily allow the shown scripts.

NotScript seems to work considerably well. I have two big gripes with it: first, the missing notification, as it is a guessing game whether a script has been blocked or not, and second, that the developer has not updated the script in a while (the last update dates back to April 2011).

The extension itself works and that’s the most important aspect obviously. It is not a 100% port of NoScript but a port that brings the most important feature of the Firefox security extension to Opera. For that, it is highly recommended to be installed.

An alternative to that is the Opera NoScript Alternative BlockIt which I have reviewed in the linked article.





Wednesday, October 19, 2011

Feature-Complete NoScript Add-on Now Available For Firefox Mobile

If there is one Firefox add-on that I don’t want to live without, it is the NoScript extension. It is a security add-on that blocks all scripts by default, as scripts are one of the main attack vectors on today’s Internet. Users can whitelist scripts on specific domains temporarily, e.g. for a browsing session, or permanently.

A side effect of this is that most advertisements and other script driven objects and elements will be blocked as well by the extension.

NoScript offers more than just script blocking and whitelisting though. It comes with additional modules to enforce HTTPS usage, Cross-Site Scripting filters, Clickjacking protection and a firewall like component that the developer calls Application Boundaries Enforcer.

The developer of NoScript has been working for quite some time on a Firefox Mobile port of the extension. The recently released NoScript 3 Alpha 9 version is the first feature-complete version of the security add-on for Firefox Mobile on Android and Maemo devices.

NoScript Mobile in particular offers the following major security features that the desktop version of the add-on offers:

  • A domain based content permission management for scripts
  • Anti-XSS (cross-site scripting) filtering options
  • Clickjacking protection called ClearClick
  • The web application firewall App Boundaries Enforcer

NoScript Mobile furthermore introduces permission presets that can be configured after installation and later on in the extension’s options.

The developer has added four different permission presets to the add-on.

  • Easy Blacklist – The user picks the sites on which JavaScript and plugins are blocked.
  • Click to Play – Plugins are automatically blocked until activated with a click by the user.
  • Classic Whitelist – The standard setting on NoScript for desktop Firefox versions. Blocks all scripts automatically and will only run whitelisted scripts.
  • Fortress – Like the Classic Whitelist setting, but all contents are blocked even on whitelisted sites until clicked on.

Another interesting feature that will be implemented eventually is the ability to synchronize NoScript settings between desktop and mobile versions.

Users interested in running NoScript on mobile devices can download the latest version from the NoScript Anywhere project website.

