= Welcome to the noXSS project =

== Description ==

noXSS is a [http://www.mozilla.com/en-US/firefox/ Firefox] extension that protects against [http://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent reflective XSS]. It is based on a technique [http://www.informatik.uni-hamburg.de/SVS/papers/2008_ACSAC_johns_Engelmann_Posegga_XSSDS.pdf proposed] by [http://www.martinjohns.com/ Martin Johns], [http://www.fim.uni-passau.de/en/fim/faculty/chairs/it-sicherheit/staff/posegga.html Joachim Posegga] and [mailto:bjoern@noxss.org Björn Engelmann]. The actual implementation was done by [mailto:jr@noxss.org Jeremias Reith]. Details on it can be found [wiki:Internals here].

== Releases ==

The last public release is available on [https://addons.mozilla.org/en-US/firefox/addon/9136 addons.mozilla.org].

* [wiki:ChangeLog 0.1.1] [[http://www.noxss.org/releases/noxss-0.1.1-windows-x86.xpi Windows], [http://www.noxss.org/releases/noxss-0.1.1-macosx-universal.xpi MacOS X] (Universal Binary), [http://www.noxss.org/releases/noxss-0.1.1-linux-x86.xpi Linux]] 2008-11-23
* 0.1 [[http://www.noxss.org/releases/noxss-0.1-windows-x86.xpi Windows], [http://www.noxss.org/releases/noxss-0.1-macosx-x86.xpi MacOS X] ([http://www.noxss.org/releases/noxss-0.1-macosx-universal.xpi Universal Binary]), [http://www.noxss.org/releases/noxss-0.1-linux-x86.xpi Linux] ([http://www.noxss.org/releases/noxss-0.1-linux-x86_64.xpi x86_64])] 2008-10-05

== Design Goals ==

* Detection of reflective and most DOM-based XSS
* Ease of use
* Should be an "install and forget" extension
* False positive rate should be near zero
* Should be unobtrusive until an XSS attack is detected
* The main target audience is people who do not even know what XSS is
* Should work with the official Firefox release (i.e. no patching)
* Should not slow down the browser considerably
* Should not break existing web pages
* Developer mode where everything is scanned

== Current Limitations ==

There is still a lot of work to do before noXSS can match [http://noscript.net/ NoScript]'s XSS Filter in practice. But we are confident that noXSS will be able to offer comparable protection while maintaining a smaller false positive rate once the following things are done:

* Full frame support (#2)
* Scanning of POST data and relevant headers (#11)
* Subsequence matching (#3)
* Emulation of [http://www.mozilla.org/js/spidermonkey/ SpiderMonkey]'s newline handling and code transformations (#14, #24)
* Cross-Site Data Tainting (#8)
* Scanning HTML for markup injection (#33)

== License ==

noXSS is licensed under the [http://www.mozilla.org/MPL/MPL-1.1.html MPL]/[http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt GPL]/[http://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt LGPL] triple license, which is the same license that [http://www.mozilla.org/ Mozilla]'s [http://www.mozilla.com/en-US/firefox/ Firefox] is distributed under.

== Source code ==

The full source code will be available via Subversion as soon as Jeremias Reith's master thesis about this extension is finished.