sync - load external whitelist for firefox noscript plugin

25
2014-03
  • zako42

    I'd like to have the NoScript whitelist stored in Dropbox (or sync'ed somehow) so I can have multiple computers sync'ed off the same whitelist. Does anyone know how I could configure this? I don't know where the whitelist file is stored, but if it's not possible to configure NoScript to use an external file, then maybe it could be symlinked or possibly put into a git repo, etc. I would just like to avoid manually exporting and then importing the file on multiple computers.

  • Answers
  • zako42

    (For my own reference, since no one answered)

    The NoScript whitelist information is stored in the Firefox profile. I found some (somewhat old) information about sync'ing a Firefox profile using Dropbox here:

    sync Firefox using Dropbox

    This solution uses symlinks to redirect the Firefox profile to Dropbox. You would need to create symlinks on all computers which need to be synchronized. On Windows, it looks like you use the MKLINK command, which may require administrator privileges. I will try this solution out when I get the chance.

    It also looks like you could use the built-in Firefox sync. There is a NoScript setting in Firefox -> about:config called "Noscript.sync.enabled". It is set to false by default. Enabling this will presumably allow the NoScript settings to be synchronized by Firefox sync. Interestingly, it is possible to create your own Firefox sync server. This would probably be overkill but seems like it would be fun to try.
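
Added example (not part of the answer above, and not code from NoScript or Firefox): a Python sketch of the symlink approach the answer describes, which finds the default profile from `profiles.ini` and redirects it to a folder inside the synced directory. The function names, the `firefox-profile` folder name and the throwaway layout in `demo()` are assumptions made for illustration; Firefox must be closed while it runs, and on Windows `os.symlink` may need the same privileges as MKLINK.

```python
import configparser
import os
import shutil
import tempfile
from pathlib import Path


def default_profile_dir(profiles_ini: Path) -> Path:
    """Return the directory of the profile marked Default=1 in profiles.ini."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(profiles_ini)
    for name in cfg.sections():
        sec = cfg[name]
        if name.startswith("Profile") and sec.get("Default") == "1":
            path = Path(sec["Path"])
            # IsRelative=1: Path is relative to the folder holding profiles.ini
            return profiles_ini.parent / path if sec.get("IsRelative") == "1" else path
    raise LookupError("no default profile in " + str(profiles_ini))


def link_profile_to_sync(profile: Path, synced_copy: Path) -> Path:
    """Replace `profile` with a symlink to `synced_copy` (hypothetical helper)."""
    if profile.is_symlink():
        return Path(os.readlink(profile))  # already redirected, nothing to do
    if synced_copy.exists():
        # Second computer: the synced copy wins, the local one is kept as a backup.
        profile.rename(profile.with_name(profile.name + ".local-backup"))
    else:
        # First computer: move the real profile into the synced folder.
        shutil.move(str(profile), str(synced_copy))
    os.symlink(synced_copy, profile, target_is_directory=True)
    return synced_copy


def demo() -> tuple:
    """Run both steps on a constructed throwaway layout, not a real profile."""
    root = Path(tempfile.mkdtemp())
    ff, sync = root / "Firefox", root / "Dropbox"
    (ff / "Profiles" / "abcd1234.default").mkdir(parents=True)
    sync.mkdir()
    (ff / "Profiles" / "abcd1234.default" / "prefs.js").write_text("// constructed\n")
    (ff / "profiles.ini").write_text(
        "[General]\nStartWithLastProfile=1\n\n"
        "[Profile0]\nName=default\nIsRelative=1\n"
        "Path=Profiles/abcd1234.default\nDefault=1\n")
    profile = default_profile_dir(ff / "profiles.ini")
    return profile, link_profile_to_sync(profile, sync / "firefox-profile")
```

Redirecting the whole profile also places cookies, saved logins and browsing history in the synced folder, so that folder needs the same protection as the profile itself.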


  • Related Question

    browser addons - Is Firefox less vulnerable to exploit when running NoScript?
  • Questioner

    The article titled "iPhone, IE, Firefox, Safari get stomped at hacker contest" at The Register website discusses that Firefox can be exploited.

    I wonder if NoScript protects against the kind of exploits written about; or whether the browser can be exploited regardless of having the extension loaded.

    Any opinions? Might make this a community wiki given that it's not a simple problem/solution post.


  • Related Answers
  • Area 51

    The site doesn't go into details on exactly what exploits were used, so it's impossible to tell if they would have been thwarted by NoScript.

    NoScript blocks execution of all JavaScript and 3rd party scripting (like Flash/Silverlight), so pretty much leaves you with just basic HTML. While it's certainly possible that a rendering bug in a browser could expose a vulnerability in pure HTML, it's much less likely as no code is being specifically executed in the same way as with a JavaScript engine. The attackable surface area is drastically reduced so the likelihood of finding a successful attack is lower.

    The other area to consider of course is that the attack could target NoScript itself. There is certainly a chance that NoScript has bugs that allow remote code execution.

    Finally, you need to consider user actions. How rigorously do users check that a site is trustworthy before whitelisting it? Do you perform an in-depth code review of a site and all its scripts before you whitelist it, or do you just hit allow when you see "This site requires javascript"? I suspect it's probably not hard to get most users to whitelist your site, and as soon as this is done you might as well not be running NoScript.