Windows_Security

Hi,

In Chrome it is possible to block scripts by default, adding exceptions for specific websites (e.g. https://[*].com allowing scripts from all .com domains). Firefox does not have such an option, but by using the Firefox add-on Policy Control it is possible to implement similar protection in three simple steps.

1. Install the add-on Policy Control.

2. Change the default settings to those shown in the image below and click on the save button.
[image: Policy Control default settings]

This blocks third-party requests for fonts, plug-ins, JavaScript, (i)frames, XMLHttpRequests and WebSockets, and all requests for Ping and CSP reports. CSP reports give site owners a warning when their site contains illegal scripts. This is a benefit for site owners, not surfers, so you don't reduce your security. Also, the CSP feature is used on less than 10% of websites.

3. Add allow rules for the domains you normally surf.

I live in the Netherlands (.nl country-level domain) and normally only visit websites with .com, .net, .org and .info domains. With this restriction I reduce the attack surface while surfing by 60% (when you look at the origin of malware). By allowing all stuff from those websites, the functional impact of malfunctioning websites is near zero.
[image: allow rules for the chosen domains]

When you live in Germany you could change https://*.nl to https://*.de, or add other German-speaking countries like Switzerland and Austria (replace https://*.nl with https://*.de, https://*.ch, https://*.at). When you live in the UK, replace https://*.nl with https://*.co.uk, or, when you want to add Australia and New Zealand, with https://*.co.uk, https://*.co.au, https://*.co.nz.

Windows_Security

@DeepWeb: Policy Control is also available as a Chrome extension.

A more privacy-aware setting. Besides the security hassle, requests to fonts could track visitors (but there are easier ways to track visitors, so personally I find it a bit far-fetched). Beacons are listed as "other", so instead of allowing "other" for all high-level domains, one could also simply block them (no idea about the functional impact).

More privacy-aware Policy Control settings (blocking third-party 'other' = beacons also):
[image: privacy-aware Policy Control settings]


And more privacy-aware global allow options:
==> https://fonts.*.com (domain with wildcard) applies to fonts.gstatic.com and fonts.google.com
==> r:.*awesome.* (regular expression containing "awesome") to allow any request to font-awesome

[image: global allow rules]
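To make the two rule styles described in this thread concrete (wildcard origins such as https://*.nl and https://fonts.*.com, and "r:"-prefixed regular expressions such as r:.*awesome.*), here is an added, simplified model of the decision the add-on makes per request. It is example code, not Policy Control's own implementation: the third-party test uses a crude stand-in for the public suffix list, and the request-type names are assumed labels for the categories the posts mention.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Request types the posts block only when they come from a third party.
THIRD_PARTY_BLOCKED = {"font", "plugin", "script", "frame", "xhr", "websocket"}
# Request types the posts block regardless of origin.
ALWAYS_BLOCKED = {"ping", "csp_report"}

def site(host: str) -> str:
    """Crude registrable-domain guess (assumption: stand-in for the public suffix list)."""
    labels = host.lower().split(".")
    if len(labels) < 3:
        return host.lower()
    second_level = labels[-2] in {"co", "com", "org", "net", "ac", "gov"} and len(labels[-1]) == 2
    return ".".join(labels[-3:] if second_level else labels[-2:])

def is_third_party(page_url: str, request_url: str) -> bool:
    page_host = urlparse(page_url).hostname or ""
    req_host = urlparse(request_url).hostname or ""
    return site(page_host) != site(req_host)

def rule_matches(rule: str, request_url: str) -> bool:
    """'r:' rules are regexes over the full URL; other rules are wildcard origins."""
    if rule.startswith("r:"):
        return re.fullmatch(rule[2:], request_url) is not None
    parsed = urlparse(request_url)
    origin = f"{parsed.scheme}://{parsed.hostname}"
    # Accept Chrome's "[*]" spelling alongside the plain "*" used in the posts.
    return fnmatchcase(origin, rule.replace("[*]", "*"))

def decide(page_url: str, request_url: str, req_type: str, allow_rules) -> str:
    """Return 'allow' or 'block' for one request under the described policy."""
    if req_type in ALWAYS_BLOCKED:
        return "block"
    if req_type not in THIRD_PARTY_BLOCKED or not is_third_party(page_url, request_url):
        return "allow"
    if any(rule_matches(rule, request_url) for rule in allow_rules):
        return "allow"
    return "block"

# Constructed sample: the privacy-aware rule set from the second post, seen from a .nl page.
PRIVACY_RULES = ["https://*.nl", "https://fonts.*.com", "r:.*awesome.*"]

if __name__ == "__main__":
    page = "https://www.example.nl/"
    for url, kind in [("https://fonts.gstatic.com/s/a.woff2", "font"), ("https://tracker.example.com/t.js", "script")]:
        print(kind, url, "->", decide(page, url, kind, PRIVACY_RULES))
```

Note that a wildcard rule only matches the request origin, so https://*.nl never matches a host like evil.nl.example.com, while an "r:" rule is matched against the whole URL and is therefore much broader.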
 
Last edited: