I2P_Developers/i2p.firefox
3
0
Fork 1
Code Issues 14 Pull Requests Actions 5 Packages Projects Releases Wiki Activity

Is there something better/more intuitive than NoScript? #31

New Issue
Closed
opened 2025-04-21 14:31:18 -04:00 by idk · 4 comments
idk commented 2025-04-21 14:31:18 -04:00
Owner
Copy Link

NoScript is trying, but it's still pretty obscure for most internet users. More importantly, in normal operation the more you actually use NoScript the more information sites can figure out about how you use NoScript. If I'm the attacker, what I do is gather a list of Javascript's from various sites. These sites fall into 2 categories, sites which I'm interested in learning about visitors to, and "control" sites which are sites I own, possibly inside of I2P, which exist solely to load scripts which NoScript then blocks. When you visit my site, I load all the Javascripts from my probe list, and set up some event to go off when each Javascript is loaded which communicates back with my server. I use the control sites to determine your likely baseline NoScript configuration, and anything that looks different(i.e. any scripts that you have un-blocked in NoScript) corresponds to a script from a site which you have visited. This is why Tor Browser hides NoScript and instead exposes "Coarse" settings which affect all pages and not just one page or set of scripts on an origin at a time, to avoid NoScript becoming a source of fingerprint granularity. For clearnet accesses, sites that make especially heavy use of CDN's are kind of just doing this by accident.

Perhaps a better approach is available via another Firefox plugin, which more closely emulates the three-tier coarse settings intended to reduce granularity?

NoScript is trying, but it's still pretty obscure for most internet users. More importantly, in normal operation the more you actually use NoScript the more information sites can figure out about *how* you use NoScript. If I'm the attacker, what I do is gather a list of Javascript's from various sites. These sites fall into 2 categories, sites which I'm interested in learning about visitors to, and "control" sites which are sites I own, possibly inside of I2P, which exist solely to load scripts which NoScript then blocks. When you visit my site, I load all the Javascripts from my probe list, and set up some event to go off when each Javascript is loaded which communicates back with my server. I use the control sites to determine your likely baseline NoScript configuration, and anything that looks different(i.e. any scripts that you have un-blocked in NoScript) corresponds to a script from a site which you have visited. This is why Tor Browser hides NoScript and instead exposes "Coarse" settings which affect *all* pages and not just one page or set of scripts on an origin at a time, to avoid NoScript becoming a source of fingerprint granularity. For clearnet accesses, sites that make especially heavy use of CDN's are kind of just doing this by accident. Perhaps a better approach is available via another Firefox plugin, which more closely emulates the three-tier coarse settings intended to reduce granularity?
idk self-assigned this 2025-04-21 14:31:18 -04:00
idk closed this issue 2025-04-21 14:31:18 -04:00
idk commented 2025-04-21 14:31:19 -04:00
Author
Owner
Copy Link

Resolved on master.

Resolved on master.
idk commented 2025-04-21 14:31:19 -04:00
Author
Owner
Copy Link

Tentative plan is to enable this via a "Usability Mode" option which alters the Firefox extension loadout. #8

Tentative plan is to enable this via a "Usability Mode" option which alters the Firefox extension loadout. #8
idk commented 2025-04-21 14:31:20 -04:00
Author
Owner
Copy Link

Jshelter's Network Boundary enforcement is somewhat appealing. We enforce network boundaries by other means, namely, we restrict the browser profile to interacting with only http://localhost:7657 and forcibly isolate requests that leave the network boundary. Jshelter would complement this by providing a notification whenever a service attempted to breach a network boundary.

Jshelter's Network Boundary enforcement is somewhat appealing. We enforce network boundaries by other means, namely, we restrict the browser profile to interacting with only `http://localhost:7657` and forcibly isolate requests that leave the network boundary. Jshelter would complement this by providing a notification whenever a service attempted to breach a network boundary.
idk commented 2025-04-21 14:31:20 -04:00
Author
Owner
Copy Link

Yes, looks like it: https://jshelter.org/ first glance pros it doesn't break most sites, cons it's very new, like nobody's written the configuration docs yet.

Yes, looks like it: https://jshelter.org/ first glance pros it doesn't break most sites, cons it's very new, like nobody's written the configuration docs yet.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
echelon idk zzz
No Assignees idk
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: I2P_Developers/i2p.firefox#31
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?