Yesterday I stumbled upon an article about a bypass for NoScript: the author had discovered that one of the domains whitelisted/trusted by default in NoScript wasn’t registered. He simply paid the $10 it cost to register the domain, pointed it at his own server and was able to bypass NoScript.
While this in itself is cool, what really got my attention was that he said subdomains of whitelisted domains are also whitelisted: if x.com is whitelisted, so is y.x.com. This was new information to me and something I wanted to act on.
I downloaded the plugin in Firefox and exported the list of default domains. My first thought was to try to find some interesting subdomain of one of these domains, such as an old, forgotten one still pointing to a service that is online.
But when reading through the list I saw googleapis.com as one of the whitelisted domains. Since all subdomains are whitelisted too, I realised storage.googleapis.com would work just fine. See where this is heading?
storage.googleapis.com is the domain your files are hosted at when you use Google Cloud Storage. I shared my idea with Mathias Karlsson, who immediately registered an account, uploaded an HTML file and confirmed my thoughts.
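To make the trust model concrete, here is an added example (my own illustration, not NoScript's code) that models the suffix matching described above, contrasts it with exact matching, and flags allowlist entries that also cover a host where arbitrary users can publish content; the allowlist subset and the user-content host list are constructed for the example.

```python
from typing import Iterable, List, Set

# Constructed subset of a default allowlist, for illustration only.
DEFAULT_ALLOWLIST: Set[str] = {"googleapis.com", "x.com"}

# Constructed list of hosts on allowlisted domains that serve user-uploaded content.
USER_CONTENT_HOSTS: Set[str] = {"storage.googleapis.com"}


def _normalise(host: str) -> str:
    """Lower-case the host and drop whitespace and a trailing dot."""
    return host.strip().lower().rstrip(".")


def suffix_allowed(host: str, allowlist: Iterable[str]) -> bool:
    """Suffix matching as the post describes it: a host is trusted if it is an
    allowlisted domain or any subdomain of one (y.x.com matches x.com).
    Matching is done label by label, so 'notx.com' does not match 'x.com'."""
    allowed = {_normalise(d) for d in allowlist}
    labels = _normalise(host).split(".")
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))


def exact_allowed(host: str, allowlist: Iterable[str]) -> bool:
    """Stricter alternative: only the exact host name is trusted."""
    return _normalise(host) in {_normalise(d) for d in allowlist}


def overbroad_entries(allowlist: Iterable[str],
                      user_content_hosts: Iterable[str]) -> List[str]:
    """Allowlist entries that, under suffix matching, also trust a host where
    arbitrary users can publish content. These are the entries to review first."""
    return sorted(
        entry for entry in allowlist
        if any(suffix_allowed(h, [entry]) for h in user_content_hosts)
    )


if __name__ == "__main__":
    for host in ("storage.googleapis.com", "y.x.com", "notx.com"):
        print(host,
              "suffix:", suffix_allowed(host, DEFAULT_ALLOWLIST),
              "exact:", exact_allowed(host, DEFAULT_ALLOWLIST))
    print("over-broad entries:", overbroad_entries(DEFAULT_ALLOWLIST, USER_CONTENT_HOSTS))
```

Running it shows that suffix matching trusts storage.googleapis.com via the googleapis.com entry while exact matching does not, which is the gap the post relies on.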
The file, just containing the code below, is hosted here:
Reported to NoScript