Does Icedragon sandboxing replace need for Noscript

I have been using NoScript for a year or two and whilst I appreciate what it is trying to do, it’s a pain to manage. The modern web does not work properly without a lot of scripts enabled. I also use ABP which is a joy to use as it sits there quietly doing what it is “paid” to do, but NoScript is a different animal altogether and I have run out of patience with it.

So recently I replaced Firefox with Icedragon. I have also used Dragon but I prefer the Firefox addons and way of doing things in Icedragon. I have ABP and NoScript installed but I would like to stop using NoScript. How much overlap or gap is there between the enhanced security of Icedragon in containing nasties versus NoScript? I realise that we are not comparing like for like exactly, but in general terms?

Yes, in theory, running a browser in the sandbox will not be able to cause you grief should you encounter malware. After clearing the sandbox, nothing malicious should remain.

The big problem with NoScript is that it blocks all scripts by default. This is flawed methodology, because the big threat is externally hosted scripts. Unless you’re visiting some very shady websites, the locally hosted scripts (Navigation type Javascript for example) are going to be safe, or the site is likely to be blacklisted. However, externally hosted scripts the site owner has no control over. And if the site owner does indeed mean harm to your system, they can deny responsibility from externally hosted scripts.

If you’re already using ABP, why not block externally hosted scripts? This way, the locally hosted and likely safe scripts are allowed to run, which doesn’t break the majority of the internet the way NoScript does, yet you’re protected from the externally hosted scripts. I’ve run this way for years and have never had a problem.

If you want to try this, add the filter:

*$script,third-party

For sites that have externally hosted content, like YouTube, you can exclude those domains.

*$script,third-party,domain=~youtube.com

You can also exclude multiple domains.

*$script,third-party,domain=~youtube.com|~whatever.com|~whateverelse.com

I find this approach much more logical than the NoScript method. Don’t block all of the scripts, only block those that have the higher chance of being malicious. :slight_smile:
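How the three filters in the post above are evaluated, as an added example that is not part of the original post and is not Adblock Plus's own code. The function names are hypothetical, the "last two labels" base-domain rule is a simplifying assumption (ABP uses the Public Suffix List), and only the catch-all `*` pattern is modelled.

```javascript
// Simplified model of how an Adblock Plus-style blocking filter with the
// options used above is evaluated. Added illustration, not ABP's code.

// Assumption: "base domain" = last two labels. ABP uses the Public Suffix
// List, so this shortcut is wrong for suffixes such as co.uk.
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// True when `host` equals `domain` or is a subdomain of it.
function onDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Parse filters of the form  *$opt1,opt2,domain=a.com|~b.com
function parseFilter(text) {
  const [pattern, optText = ''] = text.split('$');
  const f = { pattern, types: [], thirdParty: null, include: [], exclude: [] };
  for (const opt of optText.split(',').filter(Boolean)) {
    if (opt === 'third-party') f.thirdParty = true;
    else if (opt === '~third-party') f.thirdParty = false;
    else if (opt.startsWith('domain=')) {
      for (const d of opt.slice(7).split('|')) {
        if (d.startsWith('~')) f.exclude.push(d.slice(1));
        else f.include.push(d);
      }
    } else f.types.push(opt);
  }
  return f;
}

// Decide whether a request of `type` for `requestUrl`, made by the page at
// `pageUrl`, is blocked. Only the catch-all pattern "*" is modelled.
function isBlocked(filterText, pageUrl, requestUrl, type) {
  const f = parseFilter(filterText);
  if (f.pattern !== '*') throw new Error('only "*" patterns are modelled');
  const pageHost = new URL(pageUrl).hostname;
  const reqHost = new URL(requestUrl).hostname;
  if (f.types.length && !f.types.includes(type)) return false;
  const thirdParty = baseDomain(pageHost) !== baseDomain(reqHost);
  if (f.thirdParty !== null && f.thirdParty !== thirdParty) return false;
  // domain= is matched against the page being visited, not the script host.
  if (f.exclude.some(d => onDomain(pageHost, d))) return false;
  if (f.include.length && !f.include.some(d => onDomain(pageHost, d))) return false;
  return true;
}
```

Because `domain=` is matched against the page you are on, `domain=~youtube.com` lets every third-party script run on youtube.com pages, while a script served from youtube.com and embedded on another site is still blocked.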

Here’s what I’m doing. I actually don’t use anything like NoScript. All browsers I use are just aimed towards protecting my privacy. Here’s why…

As I have CIS installed on my computer, and configured as I describe here, I know that for the vast vast majority of cases I am protected against malware. Also, the only thing NoScript really does, besides help with privacy (but as you point out at what usability cost) is protect against drive-by malware attacks and exploits. However, even if something gets on my computer I believe that CIS will stop it. Therefore, I don’t use NoScript type addons and instead use addons geared towards protecting me from phishing websites and privacy risks.

Thanks Guys.

Chiron, thanks for the suggestions. I had a proactive setting on my main business laptop and it was too problematic and I vented off on another thread, but it was really my own fault for not checking.

Heffe, when you mention sandbox, are you referring to the sandboxing within Icedragon or are you referring to using Icedragon within a CAV sandbox session?

The filters that you mention, just to be 100% sure, are to be inserted in ABP? Where exactly and how please? That would be a great solution, thanks.

NoScript and sandboxing do very different things.

Sandboxing is generally utilized to protect your operating system from hijackers. Google Chrome and its open-source counterpart are two of the most secure browsers in the world in that regard because they enforce default-deny with permissions. Each process is given an individual sandbox to render in-the-wild attacks hopeless unless exploited through bugs.

To quote a few lines on NoScript’s benefits:

"The XSS Filter – NoScript’s XSS is kinda the XSS Filter to compare all other XSS Filters to.

ClearClick – Clickjacking is a method used by attackers to trick a user into clicking a hidden or invisible ‘button’ that can lead to an exploit page or even a bank transaction. ClearClick is the only protection for this currently implemented.

CSRF Protection – CSRF is harder to explain. It attacks from the user’s end of the system so it can do things like get into your email account and bypass protections because it all originates from ‘you.’

MITM Protection – Man In The Middle attacks happen when, simply, the attacker is between you and the server. SSL is the typical solution but you can spoof certificates and even hijack SSL communications - or just attack mixed content transmissions. NoScript implements multiple protections here."

For further reading about this topic by one of my favorite techie bloggers:

http://www.insanitybit.com/2012/06/02/the-definitive-guide-for-securing-firefox/
http://www.insanitybit.com/2012/11/19/banking-online-firefox-with-noscript-is-your-best-bet/


I’d argue that sandboxing is more important and less annoying while surfing the web than NS. Alas, NoScript is the only proper way to secure your online sessions in conjunction with an active firewall, and should also be used with Virtual Mode and EMET (on Windows) for best effect.

I actually use Sandboxie as my sandbox.

Yes, it is an ABP filter.

To add a new filter to ABP, press Ctrl-Shift-F, which will open the filter preferences. You can also right-click on the ABP icon and select Filter Preferences.

Click on the Custom Filters tab, and select Ad Blocking Rules. If the rules are hidden, you can press Ctrl-R, or click on the Action button and select Show/hide Filters.

Now click Add filter, and add the filter. If you need to add domains like I suggested in the future, you can just follow this process and click on the filter you’ve added and either press F2, or right-click on the filter and select Edit.

Good points Landpaddle, noted, thanks.

Could someone please answer this? I’m interested in knowing the answer to this one.

Thanks.

Hi Planejumper73, welcome to the forum!

I answered that question in my previous post. I use Sandboxie to sandbox my browsers.