One of the minor inconveniences of NoScript has always been the use of bookmarklets. Typically, if you’re trying to bookmark or clip a page using a bookmarklet, you must first whitelist the underlying site. This usually means adding at least one extra click and one page reload before you can save the page. This is annoying, but it’s a reasonable tradeoff, given the enormous security advantages NoScript delivers.
A more recent NoScript / bookmarklet conflict involves a different NoScript feature: protection against cross-site scripting (XSS) attacks. This feature is a more sophisticated defense, designed to meet a more complicated foe: attackers who exploit a loophole in a trusted site and inject malicious code that can fleece you of your cookies, including your stored web mail or bank passwords. These attacks are more insidious than traditional phishing attacks because anti-phishing smarts alone can’t prevent them: the code is loaded without your knowledge. Here’s how Wikipedia introduces the subject:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites was roughly 80% of all documented security vulnerabilities. Often during an attack "everything looks fine" to the end-user who may be subject to unauthorized access, theft of sensitive data, and financial loss.
Obviously, it’s good to have some protection against these attacks. And while Firefox 3 and IE8 offer some protection, NoScript claims to offer a more complete defense. Unfortunately, NoScript’s XSS features can interfere mightily with the function of many otherwise useful bookmarklets. Tim, a web designer at FastSpot, explains how bookmarklets can be adversely affected by well-meaning XSS defenses:
The great thing about the web is that it’s interconnected, and even with all the security measures that have been put in place, a great many things can still be accomplished with web mash-ups. We’ve done quite a few cool things with Google Maps, eBay, Yahoo, and other web APIs. But we had server access to all the sites we’ve incorporated those cool features on. What if you want to share a cool feature with someone else just by passing them some code to paste into their website, or better yet, simply a bookmark to click?
Bookmarklets are fairly new to the web, but already there are tons of useful ones! Take a gander at X-Ray (a bookmarklet for inspecting elements of a website), Firebug Lite (an awesome debugging tool for Internet Explorer), and even a bookmarklet for downloading videos off of YouTube and other video sites. You simply drag the link to your bookmarks bar or right click to add the bookmark, visit any website, click the bookmark, and cool things happen on the current site you’re at.
Here’s an example of what Tim’s talking about, using a bookmarklet for Microsoft’s Thumbtack web-clipping app.
But you can choose to perform an unsafe reload, and it will work just fine.
Sadly, if you choose to continue using Thumbtack, you’ll have to perform an unsafe reload each time you use the bookmarklet, even if both Thumbtack and the underlying site are whitelisted. If you like doing patently unsafe things over and over again, this option is for you.
There are two other things you can do:
- Create an XSS exception. Go to Options >> XSS. You will see three built-in exceptions for Wikipedia, Google, and Yahoo. The syntax is complicated, and for other sites you’ve got to figure it out yourself. I tried making one for Evernote by copying the examples, but I could never get it to work. Evernote’s bookmarklet would always require an unsafe reload. It’s worth noting that Google Notebook probably never had to worry about NoScript’s XSS filter, due to the already included exception.
- Wait until your favorite site can work out its differences with NoScript. In Evernote’s case, this appears to have finally worked. NoScript announced today that the add-on now works with Evernote’s Web Clipper. I have no doubt that Evernote was aware of the conflict and worked closely with NoScript on a behind-the-scenes fix, although I’ve not seen either company mention it.
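To illustrate why a web clipper’s bookmarklet collides with an XSS filter in the first place, here is an added JavaScript example (not from the original post, and not NoScript’s own code): a clipper-style bookmarklet builds a cross-site request carrying the current page’s URL, title and selected text, and a deliberately simplified stand-in filter flags any parameter that contains markup. The hosts clipper.example and blog.example, the sample page and the filter’s regex are all constructed for the example.

```javascript
// Added example, not from the original post or from NoScript. A bookmarklet
// runs as a javascript: URL on the page you are viewing and sends that page's
// URL, title and selected text to the clipping service. The resulting request
// is cross-site and carries page-controlled text, which is exactly the shape
// a reflected-XSS filter is built to distrust.

// What a clipper bookmarklet typically does: build a request to the clipping
// service carrying the page details. `service` is a placeholder host.
function buildClipRequest(service, page) {
  const url = new URL("/clip", service);
  url.searchParams.set("u", page.url);
  url.searchParams.set("t", page.title);
  url.searchParams.set("s", page.selection);
  return url.toString();
}

// A simplified stand-in for a reflected-XSS filter (NOT NoScript's real logic):
// only cross-site requests are inspected, and each decoded query parameter is
// checked for HTML tags, javascript: URLs or inline event-handler attributes.
const SUSPICIOUS = /<\s*\/?\s*[a-z][^>]*>|javascript\s*:|on[a-z]+\s*=/i;

function xssFilter(requestUrl, originHost) {
  const url = new URL(requestUrl);
  if (url.host === originHost) return { blocked: false, reason: "same-site" };
  for (const [name, value] of url.searchParams) {
    if (SUSPICIOUS.test(value)) {
      return { blocked: true, reason: `param "${name}" looks like markup` };
    }
  }
  return { blocked: false, reason: "clean" };
}

// Constructed sample: the user clips a page whose selected text quotes HTML.
const page = {
  url: "https://blog.example/posts/noscript-bookmarklets",
  title: "NoScript vs bookmarklets",
  selection: 'Use <script src="..."> to load a bookmarklet helper',
};
const request = buildClipRequest("https://clipper.example", page);
const verdict = xssFilter(request, new URL(page.url).host);

// A legitimate clip gets blocked: this false positive is the conflict the post
// describes, and the reason the filter needs per-site exceptions.
console.log(verdict);
```

The same clip with plain text in the selection passes the filter, which is why the problem shows up only on some pages and is so hard to pin down.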