Cross Site Scripting is the main vulnerability caused by JavaScript hosted on trusted sites. The problem there is that a hacker has managed to inject JavaScript onto the page (perhaps by submitting a comment that the server fails to encode for HTML) allowing the script to gather information provided in the version of the page associated with my login, and send that information to the hacker’s server. NoScript does provide some protection against this, but this is by suppressing the methods the injected script uses to report back to the hostile server. It only helps by disabling JavaScript when the injected attack loads a script from a (non-whitelisted) hostile domain.
Cross Site Forgery, on the other hand, is an attack by JavaScript hosted on a random untrusted site I visit, perhaps by Stumbling. NoScript provides excellent protection against this simply by turning off JavaScript.
You can still have XSRF attacks without JavaScript though… so they are not caused by JavaScript but facilitated. Harder but doable, and you might protect yourself from some in the wild by turning off JavaScript.
Reading up about this a bit more, it does appear that NoScript does help against XSRF, even those that don’t use JavaScript, by changing POST requests from untrusted sites to empty GETs.
Reading up about this a bit more, it does appear that NoScript does help against XSRF, even those that don’t use JavaScript, by changing POST requests to untrusted sites to empty GETs.
Neat. Though I think you meant “changing post requests from untrusted sites to trusted sites to empty gets”, as would be expected to protect against Cross Site Forgery.
More details can be found on the NoScript developers blog,
Edited: Made correction suggested by child post of JGWeismann.
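The rewriting rule discussed in this thread (a cross-site POST from an untrusted site to a trusted site becomes an empty GET), modeled as an added example that is not part of the thread and not NoScript's own code. The function names, the request object shape and the `.example` hosts are assumptions, as is the reading of "empty GET" as a GET with no body and no query string.

```javascript
// Added example: a model of the rule described in the thread, not NoScript's code.
// Assumption: "empty GET" means method GET with no body and no query string.

function isTrusted(hostname, trustedSites) {
  // A host is trusted if it is a whitelisted site or a subdomain of one.
  return trustedSites.some(
    (site) => hostname === site || hostname.endsWith("." + site)
  );
}

function filterRequest(req, trustedSites) {
  const target = new URL(req.url);
  // No referring page (typed URL, bookmark): nothing cross-site to filter.
  if (!req.sourceUrl) return { ...req, rewritten: false };
  const source = new URL(req.sourceUrl);

  const crossSite = source.hostname !== target.hostname;
  const untrustedToTrusted =
    !isTrusted(source.hostname, trustedSites) &&
    isTrusted(target.hostname, trustedSites);

  if (req.method === "POST" && crossSite && untrustedToTrusted) {
    // Drop everything the untrusted page chose: the body and the query string.
    return {
      method: "GET",
      url: target.origin + target.pathname,
      sourceUrl: req.sourceUrl,
      body: null,
      rewritten: true,
    };
  }
  return { ...req, rewritten: false };
}

// Constructed sample: a plain HTML form on an untrusted page, submitted
// to a whitelisted site. No JavaScript is involved in sending it.
const TRUSTED = ["bank.example"];
const forgedPost = {
  method: "POST",
  url: "https://bank.example/transfer?confirm=1",
  sourceUrl: "https://random.example/page.html",
  body: "to=someone&amount=100",
};
console.log(filterRequest(forgedPost, TRUSTED));
```

The trusted site still receives a request with the user's cookies, but without the parameters the untrusted page supplied, so a state-changing handler that expects POST data has nothing to act on.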