Script-blocker NoScript lets in ANYTHING from googleapis.com

Found on The Register on Wednesday, 01 July 2015

The researcher says blanket whitelisting of googleapis.com means he was able to create a script that could pass default NoScript configurations and be executed within user browsers.

"Just by visiting the file JavaScript will execute, even if NoScript with default configuration is installed."

That venture was cut short when he found the whitelisted zendcdn.net was available for purchase at just US$10, so he snapped it up and used it to point at his JavaScript payload.

Since it is called NoScript, that's what it should do by default. To be really sure that no scripts are executed, a better solution is to disable JavaScript completely:
about:config -> javascript.enabled = false
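
The effect of a blanket googleapis.com whitelist entry, as described above, can be compared with a host-pinned entry. The following is an added example, not code from NoScript or from the article; the subdomain user-uploads.googleapis.com, the file paths and the host-pinned list are constructed assumptions.

```javascript
// Added illustration, not NoScript's code. Hosts, paths and lists are constructed samples.
const hostOf = (url) => new URL(url).hostname.toLowerCase();

// Blanket rule: an entry covers the host itself and every subdomain beneath it.
const blanketMatch = (entry, host) => host === entry || host.endsWith("." + entry);

// Pinned rule: an entry covers exactly one host name.
const pinnedMatch = (entry, host) => host === entry;

function allowed(url, list, matcher) {
  const host = hostOf(url);
  return list.some((entry) => matcher(entry.toLowerCase(), host));
}

// URLs a blanket list admits that a host-pinned list would have blocked.
function extraExposure(blanketList, pinnedList, urls) {
  return urls.filter(
    (u) => allowed(u, blanketList, blanketMatch) && !allowed(u, pinnedList, pinnedMatch)
  );
}

const BLANKET = ["googleapis.com"];
const PINNED = ["ajax.googleapis.com"]; // assumption: only the library host is needed
const SAMPLE_URLS = [
  "https://ajax.googleapis.com/libs/example.js",      // allowed by both lists
  "https://user-uploads.googleapis.com/anyone.js",    // hypothetical upload host
  "https://googleapis.com.example.net/lookalike.js",  // suffix lookalike, different domain
  "https://notgoogleapis.com/lookalike.js",           // prefix lookalike, different domain
];

for (const u of SAMPLE_URLS) {
  console.log(allowed(u, BLANKET, blanketMatch) ? "ALLOW" : "BLOCK", u);
}
console.log("Admitted only by the blanket entry:", extraExposure(BLANKET, PINNED, SAMPLE_URLS));
```

Running the same comparison over a real whitelist shows which entries trust every host under a domain rather than one known script source.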