Monday, January 26, 2009

Noscript’s uneasy relationship with bookmarklets

Whenever I install Firefox for the first time, my first add-on is always the venerable Noscript extension. If you’re unfamiliar with it, Noscript basically enforces a no-javascript zone for all web sites you encounter, except for those you trust (i.e., sites you add to your whitelist). In today’s Web world, nearly every Web site worth visiting uses javascript to implement the whiz-bang functionality and awesomeness we users demand. Unfortunately, not everyone can be trusted to use that power for good. Noscript is your weapon against such unscrupulous programmers.

When I first started using Noscript, I found it was a more efficient and more nuanced pop-up / ad blocker, because I could reliably stuff rogue ad-servers while whitelisting the core site. It also protected me from surreptitious malware agents, which silently utilize javascript to take advantage of browser-based vulnerabilities. Noscript allowed me to surf within a trusted Web, while forcing new sites to earn that trust with good behavior.

One of the minor inconveniences of Noscript has always been the use of bookmarklets. Typically, if you’re trying to bookmark or clip a page using a bookmarklet, you must first whitelist the underlying site. This usually means adding at least one extra click and one page reload before you can save the page. This is annoying, but it’s a reasonable tradeoff, given the enormous security advantages Noscript delivers.

A more recent Noscript / Bookmarklet conflict involves a different Noscript feature: protection against cross-site scripting (XSS) attacks. This feature is a more sophisticated defense, designed to meet a more complicated foe: attackers who exploit a loophole in a trusted site to inject malicious code, which can then fleece you of your cookies, including your stored web mail or bank passwords. These attacks are more insidious than traditional phishing attacks because anti-phishing smarts alone can’t prevent them: the code is loaded without you knowing. Here’s how Wikipedia introduces the subject:

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites was roughly 80% of all documented security vulnerabilities. Often during an attack "everything looks fine" to the end-user who may be subject to unauthorized access, theft of sensitive data, and financial loss.

Obviously, it’s good to have some protection against these attacks. And while Firefox 3 and IE8 offer some protection, Noscript claims to offer a more complete defense. Unfortunately, Noscript’s XSS features can interfere mightily with the function of many otherwise useful bookmarklets. Tim, a Web designer at FastSpot, explains how bookmarklets can be adversely affected by well-meaning XSS defenses:

The great thing about the web is that it’s inter-connected, and even with all the security measures that have been put in place, a great deal of things can still be accomplished with web mash-ups. We’ve done quite a few cool things with Google Maps, eBay, Yahoo, and other web APIs. But we had server access to all the sites we’ve incorporated those cool features on. What if you want to share a cool feature with someone else just by passing them some code to paste into their website, or better yet, simply a bookmark to click?

Bookmarklets are fairly new to the web, but already there are tons of useful ones! Take a gander at X-Ray (a bookmarklet for inspecting elements of a website), Firebug Lite (an awesome debugging tool for Internet Explorer), and even a bookmarklet for downloading videos off of YouTube and other video sites. You simply drag the link to your bookmarks bar or right click to add the bookmark, visit any website, click the bookmark, and cool things happen on the current site you’re at.

So what do bookmarklets have to do with cross-site scripting and web security? Well, they’re the most affected feature-wise when it comes to the web paranoia. There is a cross-domain limit on what Javascript can do in browsers while transmitting data. For example, “AJAX” requests can’t be transmitted from Javascript hosted on www.google.com to www.yahoo.com.
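The cross-domain limit Tim describes is the browser’s same-origin policy, and the reason a clipper bookmarklet trips an XSS filter is that it typically loads a script from the clipping service into whatever page you are on. The snippet below is an added example, not code from this post, from Noscript or from any clipping service: it reduces URLs to their origin, checks two URLs for the same origin, and audits a constructed sample bookmarklet (the host clipper.example.test is a placeholder) for script loads that cross an origin boundary.

```javascript
// Added example (not from the post, Noscript or Thumbtack): the same-origin
// triple behind the "cross-domain limit" Tim describes, and how a typical
// clipper bookmarklet relates to it. Node built-ins only; nothing is fetched.

// Reduce a URL to its origin: scheme, host and effective port.
// `base` lets a relative script src be resolved against the page URL.
function originOf(url, base) {
  const u = new URL(url, base);
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort}`;
}

// Same-origin policy: script may only read responses (e.g. AJAX) from its own
// origin, so script hosted on google.com cannot read a yahoo.com response.
function sameOrigin(pageUrl, otherUrl) {
  return originOf(pageUrl) === originOf(otherUrl, pageUrl);
}

// A bookmarklet is a javascript: URL that runs inside whatever page is open.
// Clipper bookmarklets are usually loaders: they append a <script> whose src
// is on the clipping service, and that remote code then runs with the page's
// own origin. That is the same shape as an injected-script XSS attack, which
// is why a filter watching for XSS has to judge by where the code comes from.
function scriptSourcesIn(bookmarklet) {
  let body = bookmarklet.replace(/^javascript:/i, '');
  try { body = decodeURIComponent(body); } catch (e) { /* keep raw text */ }
  const srcs = [];
  const re = /\.src\s*=\s*(['"])(.*?)\1/g;
  let m;
  while ((m = re.exec(body)) !== null) srcs.push(m[2]);
  return srcs;
}

// For the page the bookmarklet is clicked on, report which of its script
// loads cross an origin boundary.
function auditBookmarklet(pageUrl, bookmarklet) {
  return scriptSourcesIn(bookmarklet).map((src) => ({
    src,
    crossOrigin: !sameOrigin(pageUrl, src),
  }));
}

// Constructed sample: a loader of the kind used by web-clipping services.
// clipper.example.test is a placeholder host, not a real service.
const SAMPLE_BOOKMARKLET =
  "javascript:(function(){var s=document.createElement('script');" +
  "s.src='https://clipper.example.test/clip.js';document.body.appendChild(s);})()";

console.log(auditBookmarklet('http://www.example.org/article', SAMPLE_BOOKMARKLET));
```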

Here’s an example of what Tim’s talking about, using a bookmarklet for Microsoft’s Thumbtack web-clipping app.

Clicking Thumbtack’s bookmarklet gets you a blank slate and an error message:


But you can choose to perform an unsafe reload, and it will work just fine.


Sadly, if you choose to continue using Thumbtack, you’ll have to perform an unsafe reload each time you use the bookmarklet, even if both Thumbtack and the underlying site are whitelisted. If you like doing patently unsafe things over and over again, this option is for you.

There are two other things you can do:


  1. Create an XSS exception. Go to Options >> XSS. You will see three built-in exceptions for Wikipedia, Google, and Yahoo. The syntax is complicated, and for other sites you’ve got to figure it out yourself. I tried making one for Evernote by copying the examples, but I could never get it to work. Evernote’s Bookmarklet would always require an unsafe reload. It’s worth noting that Google Notebook probably never had to worry about Noscript’s XSS filter, due to the already included exception.
  2. Wait until your favorite site can work out its differences with Noscript. In Evernote’s case, this appears to have finally worked. Noscript announced today that the add-on now works with Evernote’s Web Clipper. I have no doubt that Evernote was aware of the conflict and worked closely with Noscript on a behind-the-scenes fix, although I’ve not seen either company mention it.
