Q: What does NS have (or will have) that uBo+uM don't

[Thorin-Oakenpants]

Question: I still do not fully understand what NS offers that uBo+uM don't.

• Something about XSS (isn't that covered or is this some special NS thing)
• Something about ABE
• Something about ClearClick
• inclusion type checking?

People have suggested (eg reddit, and here) that you can use NS in global allow mode but leave those four items above as active. Personally I never got an XSS warning from NS (maybe one a year), and the new WebExt version (not sure where they are at) I do not really want to touch with a barge pole (yet, if ever)

Aren't these things in uBo/uM - if not, why not?

@gorhill @Atavic excuse my ignorance, ELI5

[Atavic]

uMatrix - NoScript
Related: gorhill/uMatrix#297
NoScript info in italian.

[Thorin-Oakenpants]

XSS

To answer earthlng's q in the other thread - https://noscript.net/features#xss & also https://noscript.net/faq#qa4_1 . This is obviously the legacy version. I tend to just use XSS as a term to cover all third party scripts and I control it by default denying 3rd parties in uBo etc, and with uM.

In all my years of NS (which always got the requests first before uBo etc), I have only ever had a couple of warnings for this XSS

ClearClicking

https://noscript.net/faq#qa7_1

ABE

https://noscript.net/faq#qa8_1

[Thorin-Oakenpants]

A lot of this info is old. AFAIK clickjacking is nigh impossible now?

[claustromaniac]

I think you don't have to worry much about clickjacking if you deny third-party frames (and/or javascript, of course).

EDIT: IIRC it was also tackled at browser-level at some point. Now I just have to remember where I read that...

EDIT 2: Well, yes and no. What I read was about the X-Frame-Options HTTP header which has been around for about 8 years (according to Wikipedia). Firefox did adopt this header, but it's only a server-side solution.

[Thorin-Oakenpants]

EDIT: IIRC it was also tackled at browser-level at some point

Yeah, I remember reading a couple of bugzillas that covered this. As for denying 3rd party iframes - that's just the first level of defence .. some sites you may need to allow those which means you are at risk (you cannot trust any site is my motto - its not IF but WHEN they get hacked)

[theWalkingDuck]

Sorry, I haven't used Noscript for a long time but are there any Noscripts ABE rules which can not be handled using uMatrix ?

for example the following is the default, may be the only and mostly used, ABE rule in Noscript.

# Noscript
# Prevent Internet sites from requesting LAN resources.

Site LOCAL
Accept from LOCAL
Deny

We can rewrite it easily in the uMatrix way:

[Source]              * -> any external resource 
[Destination] 127.0.0.1 -> which tries to access the localhost or local resources
[Content]             * -> whatever the request or the requested content is ..
[action]          block -> should be BLOCKED

# uMatrix
# Prevent Internet sites from requesting LAN resources.

* 127.0.0.1 * block
* localhost * block    
* [::1]     * block       // block access to ipv6 localhost
* 192.168   * block       // block access to LAN 192.168.x.x

The best practice is to use a separate browser for accessing local resources or using a temporary allow if needed ... but for those who need it permanently

# uMatrix
# Accept from LOCAL

127.0.0.1 127.0.0.1 * allow
localhost localhost * allow
[::1]     [::1]     * allow
192.168   192.168   * allow

btw, don't forget to remove the matrix-off: localhost true rule.

[gorhill]

don't forget to remove the matrix-off: localhost true rule

I have no idea why I added this built-in rule. I will remove it.

[Atavic]

Look for types of XSS here. OWASP has many info about it, mainly server-side.
Look at this PDF on page 24 for info about ABE Rules.

[Atavic]

Also here for OWASP info.

[Thorin-Oakenpants]

56743 .. warning! 17 years old 😁 - bit of a moot ticket for uM users => * * frame block

[Thorin-Oakenpants]

OK, this is good: http://vojtechruzicka.com/preventing-clickjacking/

[claustromaniac]

@Thorin-Oakenpants very nice, thanks!

[Thorin-Oakenpants]

FYI: what does uM have that NS doesn't? rhetorical question

add ability to block web workers on a per-site basis

• gorhill/uMatrix@deeb211

[Thorin-Oakenpants]

FYI: note, I can't link to the individual review/reply (its on AMO's NS reviews page), so here's a cropped screenie

HOWEVER, if you're after security, you cannot rely on uMatrix over NoScript. For instance, even if you're blocking scripts with uMatrix on a site you don't trust, it can execute JavaScript by exploiting cross-site request vulnerabilities on a site you trust. This is prevented by NoScript's anti-XSS filter.

I still fail to see what NS's so called anti-XSS offers that uMatrix (with all 3p blocked by default) doesn't. It is some special XSS type attack detection to block sh*t even when you allow it by default (I have no idea what NS's defaults are, but I would assume little breakage and not in a hard mode)