js-shield

Status update (CSS PP0 + NSCL merge + naming contribution)


From: Giorgio Maone
Subject: Status update (CSS PP0 + NSCL merge + naming contribution)
Date: Fri, 19 Mar 2021 16:33:49 +0100
User-agent: None of Your Business 1.0

Hello folks,

since IIRC Ruben told us we would skip today's scheduled dev team meeting (and in fact I've just double checked on BBB and nobody's here), a quick status update:

  1. As I anticipated last week, I've been working on an experimental mitigation for the CSS Prime + Probe (PP0) attack. Even though I've already released two preview iterations in NoScript 11.4.2rc1 and rc2, the countermeasure is not ready for prime time yet: in fact, as it stands it can be used safely only in conjunction with script blocking (which is kinda OK for NoScript, much less for JS Shield), otherwise the current CORS work-around to examine cross-site stylesheets is itself at risk of being exploited for cross-site information leaks by malicious pages on Chromium (the trick I've found for Firefox is much less problematic, instead). At this very moment I'm starting to see the light at making the 3rd iteration Chromium-proof via ad-hoc CSSStyleSheet wrapping.
  2. As soon as I'm done with the above and can release it in the stable NoScript 11.4.2, I'll be right back on refactoring the injection/wrapping code of JS-Shield (or Armadillo? or something else? see below ;) to take advantage of the NoScript Commons Library. I had hopes to be ready to merge this week, but I had to postpone because #1 took much more effort than expected and it's not done yet. On the bright side, #1 itself is going to become a JS Shield feature almost automatically, since it's implemented in a NoScript-agnostic way in the NSCL itself.
  3. Talking about names, what about "Con-DOM" (meaning we're cheating JS with a fake DOM and execution environment, and also conveying an obvious sense of protection)?

I'll keep you posted on this list, especially when #2 becomes an actual PR.

Cheers

-- 
Giorgio Maone
https://maone.net
