MozillaZine


OLD NoScript 1.1.4, bookmarks and places friendly

Talk about add-ons and extension development.
Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted May 14th, 2005, 4:58 pm

There's a browser safer than Firefox...
...it is Firefox with <a href="http://www.noscript.net" title="Have a safer Firefox with NoScript"/><img alt="NoScript" src="http://www.noscript.net/noscript/logo.png" /></a>!




NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution

Features - Screenshots - FAQ - Download
CHANGELOG

Discussion continues HERE
Last edited by Giorgio Maone on May 20th, 2006, 2:47 pm, edited 28 times in total.

thaythong
 
Posts: 100
Joined: November 25th, 2004, 6:40 pm
Location: Nepean, Ontario, Canada

Post Posted May 14th, 2005, 6:08 pm

I had to remove No Script since it seemed to have caused FF 1.0.4 to go blank except for the site title on top, i.e. right above File-Edit-View-G0, etc. The page also got frozen.

I will wait until bugs in FF1.0.4 and No Script got fixed.

:?
thaythong

TychoQuad
 
Posts: 1263
Joined: December 11th, 2002, 12:30 am
Location: Australia

Post Posted May 14th, 2005, 6:49 pm

TychoQuad wrote:
Giorgio Maone wrote:<a href="http://www.noscript.net" /><img src="http://www.noscript.net/noscript/saferfirefox.png" alt="Have a safer Firefox with NoScript" /></a>If you use FlashGot, you probably visit a lot of web sites. If you visit a lot of web sites, you surely need my new free extension, NoScript! :D


Oh YES YES YES!!!

I don't know how many times I have requested something like this and my thread has just died. I currently use an extension that does this purely with cookies, and it's a godsend for cookie organisation. I've always wanted something like this that could handle any type of dangerous content, including plugins (like Java and Flash)

(the cookie extension I use still works, but only gets "make it work" patches these days. http://basic.mozdev.org/cookiebutton/ )

Urg, I was wondering what the hell was going on... Is there a way you can get it to always allow scripts added by Greasemonkey, but still have it strip out everything else already present in the page?

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted May 14th, 2005, 6:54 pm

TychoQuad wrote:Is there a way you can get it to always allow scripts added by Greasemonkey, but still have it strip out everything else already present in the page?

At this moment I don't see how, since GreaseMonkey basically impersonates a script in the context of the web page, and JavaScript blocking is a per-site policy.
Nevertheless I've installed latest GreaseMonkey and I'll make some test...

therube

User avatar
 
Posts: 20636
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted May 14th, 2005, 7:49 pm

Is NoScript Firefox only, or does it work with Seamonkey.

Is such an extension feasible given the nature of the Internet & how webpages are designed today?

In the old days, Netscape 3, Netscape 4, & before ... I would typically run with JavaScript disabled. But in those days there was also very little need for JS. Today, virtually every webpage you visit uses JS in some fashion or the other. If you were extremely security conscious, I could see where using this would be far easier then manually editing .js or .css files to create your own whitelist.

Today, with Mozilla, 99% of the time, I default to leaving JS on - though only for Navigator alone. I disable all other script options - move & resize windows, raise or lower windows, hide the status bar ... And even with that, I am aware that at certain times, there is functionality that I loose. Like some websites will use the ability to create a "cartoon" like affect with pictures. (I also have that ability, change images, disabled).

Perhaps a nice, & even more beneficial to me, addition would be a small toggle button JSon/JSoff, down on the Status Bar - just like the Online/Offline toggle.

PS, what is your native language? I noticed you gave credit to an Italian translator?
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Lanik

User avatar
 
Posts: 606
Joined: August 18th, 2003, 9:34 pm
Location: SF Bay Area, USA

Post Posted May 14th, 2005, 11:33 pm

I think its a great extension I love it. :)

The only thing I would like to do is the disable the status icon on the right. I have status bar clock and I want the NoScript icon to the left of the clock and it refuses to go there. :(

Old incognu
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post Posted May 15th, 2005, 12:57 am

Looks like it works with Mozilla 1.7.x to 1.8b1 (<a href="https://addons.mozilla.org/extensions/moreinfo.php?id=722">info</a>), though I haven't tried it yet. I agree, it's a great idea.

By the way, is <a href="http://www.noscript.net/faq">"Jesse the JavaScript Worm, an extra-dimensional menace trapped by NoScript"</a> any relation to the <a href="http://cryptoworld.co.uk/">Mongolian Deathworm</a>? :lol:
Joined: 15 Feb 2005

viveff
 
Posts: 6
Joined: May 15th, 2005, 1:11 am

Post Posted May 15th, 2005, 1:20 am

It does not work with certain french on-line banking sites. I'll be pleased to name the sites if you wish. These sites are Verisigned/high grade encryptation RC54-128 bits. One of these worked with FF1.0 but not with the later versions. Works only with IE (I'd like to avoid).
Anyway the sites are : banque-accord.fr & videoposte.com
Can you fix this ?

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted May 15th, 2005, 1:26 am

therube wrote:Is NoScript Firefox only, or does it work with Seamonkey.

Works with both :)
therube wrote:Is such an extension feasible given the nature of the Internet & how webpages are designed today?

Absolutely yes!
When a cross-scripting vulnerability is discovered (and they are very dangerous in Firefox because they often lead to a privilege excalation too, dued to the central role JavaScript plays in the Mozilla architecture) you're urged to disable JavaScript waiting for a patch.
This extension lets enable persistently JavaScript on sites you trust and where you feel you would loose functionality without it, e.g. gmail.

therube wrote:If you were extremely security conscious, I could see where using this would be far easier then manually editing .js or .css files to create your own whitelist.

It is exactly the point. Using NoScript you can edit your policy contextually, visually and on the fly, driven by your immediate needs. It's just a matter of clicking on the statusbar and selecting the ready to be clicked "allow gmail.google.com" menu item 8)
Your casual browsing happens in the safest way possible, and you're protected even against not disclosed yet vulnerabilities - it's not a joke, did you read the childish way the guys who found latest Firefox hole close this report?
Greyhats Security wrote:Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple of tricks up our sleeves...

Knowing that, you should really keep JavaScript disabled forever ;)
Luckily, thanks to NoScript, enabling a trusted site is one-click away, and after that you don't have to be bothered for that site (during this session or in the future) unless you decide it is not safe anymore.
Perhaps a nice, & even more beneficial to me, addition would be a small toggle button JSon/JSoff, down on the Status Bar - just like the Online/Offline toggle.

Maybe I could change the current behaviour to "left click=global toggle, right-click=menu", but I feel this can be dangerous (accidental enabling) and unfair to Mac users.

PS, what is your native language? I noticed you gave credit to an Italian translator?

Dante Alighieri, tha author of the "Divina Commedia", helped me with Italian translation, as William
Shakespeare did for the English one :D

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted May 15th, 2005, 1:39 am

viveff wrote:It does not work with certain french on-line banking sites. I'll be pleased to name the sites if you wish. These sites are Verisigned/high grade encryptation RC54-128 bits. One of these worked with FF1.0 but not with the later versions. Works only with IE (I'd like to avoid).
Anyway the sites are : banque-accord.fr & videoposte.com
Can you fix this ?

I've browsed videoposte.com - white page.
Then I choose from "allow videoposte.com" from the NoScript menu - it reloaded OK, but cried about cookies not enabled (I've them disabled by default).
I enabled cookies from videobank.com for the session, reopened the main page videobank.com (don't reload the error page, you'd keep seeing the error) and the login form has been correctly displayed.
I'd say it works, as long as you enable cookies - can't say what happens when you login ;)

Talking about banque-accord.fr, I've not been able to see your problem, probably because I've not the credentials to login. Can you be more precise?

Thank you for your report...

TheOneKEA

User avatar
 
Posts: 4864
Joined: October 16th, 2003, 5:47 am
Location: Somewhere in London, riding the Underground

Post Posted May 15th, 2005, 2:06 am

What will you think of next sir? ;)

I personally don't have much use for this, but I may know someone who will!
Proud user of teh Fox of Fire
Registered Linux User #289618

vhable
 
Posts: 33
Joined: January 21st, 2003, 9:28 am
Location: Germany

Post Posted May 15th, 2005, 3:28 am

Hello!
Thank you for making this cool extension! Would it be possible, that the icon in the status bar shows in any way if there is any script blocked on the current page? Then you wouldn't have to try switch noscript on and off to see if it's the reason if any site doesn't work... That would be great!
Also an option "allow script temorarely for current site" I would consider as a good feature so that the white list doesn't become too long with (save) sites you don't think to visit again...
Best regards from Germany (thanks for the German translation of noscript ;-)),
Volker

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted May 15th, 2005, 4:16 am

vhable wrote:Hello!
Thank you for making this cool extension!

I'm flattered :)
vhable wrote:Would it be possible, that the icon in the status bar shows in any way if there is any script blocked on the current page? Then you wouldn't have to try switch noscript on and off to see if it's the reason if any site doesn't work... That would be great!

It depends on how much precise do you need this info to be...
Scanning loaded page for <script> tags is not a big issue, but you should also examine every link for "javascript:" URLs and - worse - almost every tag for onXyz event handlers; it's a bit nightmarish, and I'm not sure this would even complete the job...
vhable wrote:Also an option "allow script temorarely for current site" I would consider as a good feature so that the white list doesn't become too long with (save) sites you don't think to visit again...

This is a very reasonable feature. Not very easy to be implemented, but I'll make my best efforts :)
vhable wrote:Best regards from Germany (thanks for the German translation of noscript ;-))

You have to thank my friend Thomas Weber, a fine Swissman which translates FlashGot as well.
BTW, have you got the slighlest idea of why I'm receiving in my mailbox a ton of (apparently) racist oriented German spam since yesterday?
Things like...
ese selbst:
http://www.npd.de/npd_info/deutschland/ ... 05-13.html
Neue Dokumente:
http://www.rp-online.de/public/article/ ... land/87647
Botschafter in Kiew beschwerte sich noch 2004:
http://www.rp-online.de/public/article/ ... land/85735
Traumziel Deutschland:
http://www.berlinonline.de/berliner-zei ... index.html
Kanzler erleichtert Visaverfahren für Golfstaaten:
http://www.spiegel.de/spiegel/vorab/0,1 ... 62,00.html
Ohne Deutsch nach Deutschland:
http://www.aufenthaltstitel.de/zuwg/0618.html
Vorbildliche Aktion:
http://www.npd.de/npd_info/deutschland/ ... 04-24.html

I can't speak German, but I've nonetheless a bad feeling about how this stuff has been put together :evil:

vhable
 
Posts: 33
Joined: January 21st, 2003, 9:28 am
Location: Germany

Post Posted May 15th, 2005, 5:25 am

Hello Giorgio!
Thanks for your quick reply!
Giorgio Maone wrote:It depends on how much precise do you need this info to be...
Scanning loaded page for <script> tags is not a big issue, but you should also examine every link for "javascript:" URLs and - worse - almost every tag for onXyz event handlers; it's a bit nightmarish, and I'm not sure this would even complete the job...

I think at least the scan for <script> would be an good thing!
Giorgio Maone wrote:This is a very reasonable feature. Not very easy to be implemented, but I'll make my best efforts :)

Cool, thank you!
Giorgio Maone wrote:BTW, have you got the slighlest idea of why I'm receiving in my mailbox a ton of (apparently) racist oriented German spam since yesterday?
Things like...
ese selbst:
http://www.npd.de/npd_info/deutschland/ ... 05-13.html
Neue Dokumente:
http://www.rp-online.de/public/article/ ... land/87647
Botschafter in Kiew beschwerte sich noch 2004:
http://www.rp-online.de/public/article/ ... land/85735
Traumziel Deutschland:
http://www.berlinonline.de/berliner-zei ... index.html
Kanzler erleichtert Visaverfahren für Golfstaaten:
http://www.spiegel.de/spiegel/vorab/0,1 ... 62,00.html
Ohne Deutsch nach Deutschland:
http://www.aufenthaltstitel.de/zuwg/0618.html
Vorbildliche Aktion:
http://www.npd.de/npd_info/deutschland/ ... 04-24.html

Sorry, no idea, I haven't received any spam like that. But you are right, NPD (1st link) is a far-right party, most of the other links are news (most of them about a visa affair in Germany) collected by someone who also seems to be far-right... No good!
Many greetings,
Volker

Old incognu
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post Posted May 15th, 2005, 5:43 am

Giorgio Maone wrote:...
BTW, have you got the slighlest idea of why I'm receiving in my mailbox a ton of (apparently) racist oriented German spam since yesterday?
...

Could be Sober spam ... apparently, a wave of it is just starting. Discussed here: http://www2.broadbandreports.com/forum/remark,13410941
Joined: 15 Feb 2005

Return to Extension Development


Who is online

Users browsing this forum: No registered users and 1 guest