Adblock Plus and NoScript = Security Issue?

Dark Atheist

It seems as if the two script authors have had a little bother with each other lately and harsh words have been said by either side. Here is a little from the Adblock site:

Recently I wrote about how not giving extension developers a good way to earn money might lead to very undesirable effects. The recent events give an impression of the kind of effects we should expect here. This is going to be about the popular NoScript extension which happens to make its money from ads. And to make sure that somebody sees these ads it goes pretty far. For example, it opens the changelog webpage (full of ads of course) on every single update of the extension, even though the NoScript FAQ claims that it happens only on major updates (yes, if you dig into it you will find the preference to disable this behavior – but how many people do that?). And updates coming roughly each week ensure that this page is opened fairly often. A problem is of course that NoScript will usually disable scripting and consequently also most advertising. That problem is being worked around by putting NoScript’s domains, Google AdSense and a few others on NoScript’s default whitelist (again, the overwhelming majority of users won’t go hunting for bogus entries in their whitelist). Given that NoScript proudly calls itself a security extension this means putting users at risk — for example, a while ago I demonstrated how an XSS vulnerability on a NoScript domain can be used to run JavaScript from any website, despite NoScript. This was countered by implementing anti-XSS measures rather than removing anything unnecessary from the whitelist.

And here is NoScript's response:

IMPORTANT UPDATE FOR ADBLOCK PLUS USERS: NoScript 1.9.2.6 automatically and permanently removes the controversial "NoScript Development Support Filterset", with no questions asked.
I sincerely apologize to those ABP users who missed the information about it given on the AMO install page, on this site's install page, on the release note landing page (shown on updates) and in the FAQ http://noscript.net/faq#qa3_21
Not including a prompt asking for permission beforehand from the start has been a very wrong thing to do, and I want all the ABP users who felt betrayed to know how much I'm sorry for that. As a sign of good will, current NoScript 1.9.2.6 completely removes the filterset itself, if found there, on startup with no questions asked. Thanks for your patience.
-- Giorgio

So I don't know about you, but I haven't used NoScript in a while, and after this maybe with good reason. It appears the damage may be already done for NoScript, as there are a lot of one-star reviews of the add-on on the Mozilla add-on site - https://addons.mozilla.org/en-US/firefox/reviews/display/722
 
That was complete BS by the NoScript devs. I will not trust them. Sounds fishy.


adblock+ FTW!
 
I don't mind the ads that the author of NoScript puts on his extension but I do mind if he modifies other extensions like Adblock to make it corrupt. That is very shady and wrong to do!
 
I love people that use NoScript and other solutions, they get to see my pages without the proper mark-up (making it useful and easy to read), without the usability and other things I have programmed into many of my websites since they don't want to run JavaScript.

In Google Chrome there is not even a setting you can use to turn off JavaScript, you have to manually add a command line argument.

JavaScript is going to become even bigger in HTML 5, with Canvas support, SVG support and CSS 3. The ability to store data client side in a database using SQL-like syntax will allow developers to build bigger applications that rely less on storing the data on their servers but instead store it locally, and all the transforming of data is done locally.

One cool service that does this: https://www.buxfer.com/, they allow you to manage your financial accounts and watch them and whatnot, but all of the data is stored client side as much as possible using Google Gears.

NoScript is supposed to make it harder for XSS to work, and while it accomplishes this, at the same time it is the wrong solution to a problem that lies elsewhere. Developers of websites need to make sure they do proper input handling. Users disabling JavaScript makes it that much harder for us other developers that want to use JavaScript to do good, or add certain services to our websites that are not possible without scripting.
 
It's not that I don't want to run JavaScript... it's that I don't trust EVERY web developer out there to not only not code their site maliciously, but to code it expertly and with the best security practices.

If I'm going to visit a site regularly, it goes on the whitelist. If I'm visiting a site for a one-time visit, and it doesn't work properly, then I make a decision about whether to temporarily allow scripts.

I very much prefer that -I- have the choice in the matter... it's the one thing that I really dislike about Chrome... no plugins and no way to turn scripts on and off. :(
 
