OLD NoScript 1.1.4, bookmarks and places friendly

[ARC-4919]

"Giorgio Maone" wrote

: Can you send me (Private Message) a copy of your "prefs.js" file
: (you will find it in you profile directory) as it is after you allow
: 192.168.1.1 and secureserver.net (I'm mostly interested in the
: noscript.* and capability.* entries).

Confused ... it appears to be *empty* ... (viewed in plain text, below)

It smells of bad permissions...
Are you running Firefox using an unprivileged user and a browser profile which was not created by/for this user?
Please check if user you run Firefox with has write permissions on prefs.js.
Apparently Firefox is not able to write preferences back when they are changed... definitely not a normal situation

I am running as the built-in XP Pro *Administrator Account*,
with full permissions and it is the only account on the computer.
(the Guest is disabled and the other Admin account was deleted)

[Giorgio Maone]

"Giorgio Maone" wrote

: Can you send me (Private Message) a copy of your "prefs.js" file
: (you will find it in you profile directory) as it is after you allow
: 192.168.1.1 and secureserver.net (I'm mostly interested in the
: noscript.* and capability.* entries).

Confused ... it appears to be *empty* ... (viewed in plain text, below)

It smells of bad permissions...
Are you running Firefox using an unprivileged user and a browser profile which was not created by/for this user?
Please check if user you run Firefox with has write permissions on prefs.js.
Apparently Firefox is not able to write preferences back when they are changed... definitely not a normal situation

I am running as the built-in XP Pro *Administrator Account*,
with full permissions and it is the only account on the computer.
(the Guest is disabled and the other Admin account was deleted)

prefs.js is where Firefox saves every user preference deviating from the default values.
Every time you change permissions in NoScript, one or more preferences are changed accordingly.
Even if you've never changed a preference by yourself (which is very unlikely), the simple fact you're running NoScript makes it impossible an empty prefs.js, at least under normal circumstances.
Can you try to edit some preference in about:config and see if values are preserved across sessions (and reflected in the prefs.js file)?
Can you also double-check the profile where you found the empty prefs.js file is the one you're actually using?

Thank you for your help...

[jaygo]

Basic question from NoScript Newbie (couldn't find the answer on the NoScript FAQ page).

I have FF 1.0.4 running NoScript Ver 1.0.9. Should the checkbox for Javascript (using FF menus: Tools/Options/Web Features) be checked? My intuition is that it should not be since then there would be a clash between the operation of FF's native javascript handling and the operation of the NoScript extension. Could someone confirm? TIA. Jay

[Giorgio Maone]

Basic question from NoScript Newbie (couldn't find the answer on the NoScript FAQ page).

I have FF 1.0.4 running NoScript Ver 1.0.9. Should the checkbox for Javascript (using FF menus: Tools/Options/Web Features) be checked? My intuition is that it should not be since then there would be a clash between the operation of FF's native javascript handling and the operation of the NoScript extension. Could someone confirm? TIA. Jay

It has to be checked (enable JavaScript).
If not, JavaScript wouldn't work even in pages where it is "allowed" by NoScript.
I'll put it in the FAQ ASAP, thank you

[jaygo]

Thanks for the speedy reply and clarification. Now I have a follow up question:

In order for NoScript to work optimally and for my prudent surfing protection, is the conventional wisdom to, in the "Advanced" section opposite the checkbox in question, leave the default settings?

Presently, I see that the Advanced JavaScript Options box has six checkboxes, and at this time four are checked (the top 3 boxes and the very last box). In other words, at this time the only checkboxes that are not checked are: "Hide the status bar" and "Change status bar text." I presume these are the default settings that FF 1.0.4 is programmed to have, "out of the box."

The $64,000 question is, should I maintain my existing settings as to these 6 checkboxes in the Advanced javaScript Options box, in conjunction with using NoScript? jay

[ARC-4919]

"Giorgio Maone" wrote

: Can you send me (Private Message) a copy of your "prefs.js" file
: (you will find it in you profile directory) as it is after you allow
: 192.168.1.1 and secureserver.net (I'm mostly interested in the
: noscript.* and capability.* entries).

Confused ... it appears to be *empty* ... (viewed in plain text, below)

It smells of bad permissions...
Are you running Firefox using an unprivileged user and a browser profile which was not created by/for this user?
Please check if user you run Firefox with has write permissions on prefs.js.
Apparently Firefox is not able to write preferences back when they are changed... definitely not a normal situation

I am running as the built-in XP Pro *Administrator Account*,
with full permissions and it is the only account on the computer.
(the Guest is disabled and the other Admin account was deleted)

prefs.js is where Firefox saves every user preference deviating from the default values.
Every time you change permissions in NoScript, one or more preferences are changed accordingly.
Even if you've never changed a preference by yourself (which is very unlikely), the simple fact you're running NoScript makes it impossible an empty prefs.js, at least under normal circumstances.
Can you try to edit some preference in about:config and see if values are preserved across sessions (and reflected in the prefs.js file)?
Can you also double-check the profile where you found the empty prefs.js file is the one you're actually using?

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ypq9xrx6.default

{firefox.exe}
Full Control X
Modify X
Read & Execute X
Read X


{prefs.js Properties}

Full Control X
Modify X
Read & Execute X
Read X


I have found 2 different prefs.js files ... here is the one
with path from the Administrator and it has ENTRIES, but
it still does *not* work:

# Mozilla User Preferences

/* Do not edit this file.
*

* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("app.update.autoUpdateEnabled", false);
user_pref("browser.formfill.enable", false);
user_pref("browser.preferences.lastpanel", 2);
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.startup.homepage_override.mstone", "rv:1.7.8");
user_pref("capability.policy.maonoscript.javascript.enabled", "allAccess");
user_pref("capability.policy.maonoscript.sites", "192.168.1.1 dell.com flashgot.net gmail.google.com googlesyndication.com hotmail.com informaction.com maone.net mozilla.org mozillazine.org msn.com noscript.net passport.com passport.net passportimages.com secureserver.net chrome: http://dell.com http://flashgot.net http://googlesyndication.com http://informaction.com http://maone.net http://noscript.net http://secureserver.net https://dell.com https://flashgot.net https://googlesyndication.com https://informaction.com https://maone.net https://noscript.net https://secureserver.net jar:");
user_pref("capability.policy.policynames", "maonoscript");
user_pref("extensions.disabledObsolete", true);
user_pref("extensions.lastAppVersion", "1.0");
user_pref("extensions.update.autoUpdateEnabled", false);
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1, UTF-8");
user_pref("javascript.enabled", false);
user_pref("network.cookie.cookieBehavior", 2);
user_pref("network.cookie.prefsMigrated", true);
user_pref("noscript.temp", "");
user_pref("security.OCSP.URL", "");
user_pref("security.OCSP.signingCA", "Builtin Object Token:IPS CLASE1 root");
user_pref("security.enable_java", false);
user_pref("security.warn_entering_secure", false);
user_pref("security.warn_submit_insecure", false);
user_pref("signon.rememberSignons", false);
user_pref("xpinstall.enabled", false);
user_pref("xpinstall.whitelist.add", "");
user_pref("xpinstall.whitelist.C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ypq9xrx6.defaultadd.103", "");

[ARC-4919]

It looks like the default entries that you have in the
prefs.js file run scripts ok, but any *new* entries that
are added do not work -- even though they are saved.

Even Dell.com does not run scripts and it's in prefs.js

[jaygo]

I have another newbie question about NoScript; perhaps the subject matter can be considered for FAQ inclusion. It concerns, in the Appearance tab of the NoScript Options window, the checkboxes under the Contextual menu heading. Presently, I have all 4 boxes checked for maximum options.

Assume hypothetically I'm on a webpage, http://www.dogs.cats.com, and NoScripts gives me choices for allowing permanently or temporarily, scripts for the following:

1. cats.com

2. admg.cats.com

3. dogs.cats.com

4. http://www.dogs.cats.com

5. http://www.admg.cats.com

6. http://www.cats.com

7. www.dogs.cats.com

8. www.admg.cats.com

9. www.cats.com


Which one of the numbered items above do I select if I want "maximum" scripts permission for any page in this website? In other words, is there any one choice in the above list of nine entries that would "include" the other eight?

Would choosing #6 include #4 and #5?

What is the difference between allowing scripts for cats.com versus www.cats.com versus http://www.cats.com?

Does permitting scripts for cats.com permit scripts for subdomains such as dogs.cats.com or cats.com/kittens/felixthecat.asp?

I admit I don't have a good understanding of this area and need the rules concerning this subject matter. If the treatment of the rules isn't appropriate for an FAQ or forum explanation, please don't hesitate to direct me to a webpage or other source that might help to get me up to speed. Jay

[Giorgio Maone]

user_pref("javascript.enabled", false);

OK, we've found it!!!
As I already anwered per jaygo question, Tools|Options|Web Features|Enable JavaScript option must be checked (true), otherwise JavaScript is disabled everywhere even if allowed by NoScript

Definitely a valuable FAQ item...

[Giorgio Maone]

If the treatment of the rules isn't appropriate for an FAQ or forum explanation, please don't hesitate to direct me to a webpage or other source that might help to get me up to speed.

You're welcome here for any question.

The specific matter is treated here: http://www.noscript.net/features#site_matching

Please tell me if it's clear enough, of it's too synthetic and some other explaination/sample is needed.

Thanks

[ARC-4919]

user_pref("javascript.enabled", false);

OK, we've found it!!!
As I already anwered per jaygo question, Tools|Options|Web Features|Enable JavaScript option must be checked (true), otherwise JavaScript is disabled everywhere even if allowed by NoScript

Definitely a valuable FAQ item...

I'm happy this has been solved, since I always thought it would allow
Jscripts to run globally if I enabled it in Firefox (even with NoScript)!

Excellent learning XPerience

[jayvdb]

The UI for allowing/disallowing javascript in jar files displays "Allow jar:", with no description of what will be allowed if clicked on. a screenshot here ... http://zeroj.hda0.net/noscript-jar.jpg

Lotus Domino Web Access uses scripts contained in a jar file; here is the html for it:

<script>document.writeln('<iframe style="display:none;" src="jar:' + BKg(CWI() + '/iNotes/Forms6.nsf/GeckoSignedScripts.jar?OpenFileResource') + '!/GeckoSignedScripts.html"><' + '/iframe>');</script>

[jaygo]

The features page answers my question; thanks Giorgio for pointing me to it; somehow I overlooked it; learned more new stuff about NoScript too!. Jaygo

[TychoQuad]

I would recomend that NoScipt enable javascript when installed, and grey out the checkbox in the prefs to prevent tampering.

[Giorgio Maone]

The UI for allowing/disallowing javascript in jar files displays "Allow jar:", with no description of what will be allowed if clicked on. a screenshot here ... http://zeroj.hda0.net/noscript-jar.jpg

Lotus Domino Web Access uses scripts contained in a jar file; here is the html for it:

<script>document.writeln('<iframe style="display:none;" src="jar:' + BKg(CWI() + '/iNotes/Forms6.nsf/GeckoSignedScripts.jar?OpenFileResource') + '!/GeckoSignedScripts.html"><' + '/iframe>');</script>

Thank you for your report.

A bug in the nsScriptSecurityManager.LookupPolicy() Firefox method currently prevents jar: URLs from being allowed/forbidden individually. As you correctly figured out, you can only allow all them (jar:) or none, while it would be nice if user could say "Allow jar://http://somedomain.com/somedirectory/some.jar!/"...

I'm looking for a work-around, but my fear is that I will have to find some time to patch the Firefox code by myself in the end (NoScript is casting light over too many Firefox bugs)...

EDIT:
I've reported this jar: bug to Mozilla and trying to fix it - https://bugzilla.mozilla.org/show_bug.cgi?id=298823