[Giorgio Maone]

There's a browser safer than Firefox...
...it is Firefox with <a href="http://www.noscript.net" title="Have a safer Firefox with NoScript"/><img alt="NoScript" src="http://www.noscript.net/noscript/logo.png" /></a>!




NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution

Features - Screenshots - FAQ - Download
CHANGELOG

Discussion continues HERE

[thaythong]

I had to remove No Script since it seemed to have caused FF 1.0.4 to go blank except for the site title on top, i.e. right above File-Edit-View-G0, etc. The page also got frozen.

I will wait until bugs in FF1.0.4 and No Script got fixed.

[TychoQuad]

<a href="http://www.noscript.net" /><img src="http://www.noscript.net/noscript/saferfirefox.png" alt="Have a safer Firefox with NoScript" /></a>If you use FlashGot, you probably visit a lot of web sites. If you visit a lot of web sites, you surely need my new free extension, NoScript!

Oh YES YES YES!!!

I don't know how many times I have requested something like this and my thread has just died. I currently use an extension that does this purely with cookies, and it's a godsend for cookie organisation. I've always wanted something like this that could handle any type of dangerous content, including plugins (like Java and Flash)

(the cookie extension I use still works, but only gets "make it work" patches these days. http://basic.mozdev.org/cookiebutton/ )

Urg, I was wondering what the hell was going on... Is there a way you can get it to always allow scripts added by Greasemonkey, but still have it strip out everything else already present in the page?

[Giorgio Maone]

Is there a way you can get it to always allow scripts added by Greasemonkey, but still have it strip out everything else already present in the page?

At this moment I don't see how, since GreaseMonkey basically impersonates a script in the context of the web page, and JavaScript blocking is a per-site policy.
Nevertheless I've installed latest GreaseMonkey and I'll make some test...

[therube]

Is NoScript Firefox only, or does it work with Seamonkey.

Is such an extension feasible given the nature of the Internet & how webpages are designed today?

In the old days, Netscape 3, Netscape 4, & before ... I would typically run with JavaScript disabled. But in those days there was also very little need for JS. Today, virtually every webpage you visit uses JS in some fashion or the other. If you were extremely security conscious, I could see where using this would be far easier then manually editing .js or .css files to create your own whitelist.

Today, with Mozilla, 99% of the time, I default to leaving JS on - though only for Navigator alone. I disable all other script options - move & resize windows, raise or lower windows, hide the status bar ... And even with that, I am aware that at certain times, there is functionality that I loose. Like some websites will use the ability to create a "cartoon" like affect with pictures. (I also have that ability, change images, disabled).

Perhaps a nice, & even more beneficial to me, addition would be a small toggle button JSon/JSoff, down on the Status Bar - just like the Online/Offline toggle.

PS, what is your native language? I noticed you gave credit to an Italian translator?

[Lanik]

I think its a great extension I love it.

The only thing I would like to do is the disable the status icon on the right. I have status bar clock and I want the NoScript icon to the left of the clock and it refuses to go there.

[Old incognu]

Looks like it works with Mozilla 1.7.x to 1.8b1 (<a href="https://addons.mozilla.org/extensions/moreinfo.php?id=722">info</a>), though I haven't tried it yet. I agree, it's a great idea.

By the way, is <a href="http://www.noscript.net/faq">"Jesse the JavaScript Worm, an extra-dimensional menace trapped by NoScript"</a> any relation to the <a href="http://cryptoworld.co.uk/">Mongolian Deathworm</a>?

[viveff]

It does not work with certain french on-line banking sites. I'll be pleased to name the sites if you wish. These sites are Verisigned/high grade encryptation RC54-128 bits. One of these worked with FF1.0 but not with the later versions. Works only with IE (I'd like to avoid).
Anyway the sites are : banque-accord.fr & videoposte.com
Can you fix this ?

[Giorgio Maone]

Is NoScript Firefox only, or does it work with Seamonkey.

Works with both

Is such an extension feasible given the nature of the Internet & how webpages are designed today?

Absolutely yes!
When a cross-scripting vulnerability is discovered (and they are very dangerous in Firefox because they often lead to a privilege excalation too, dued to the central role JavaScript plays in the Mozilla architecture) you're urged to disable JavaScript waiting for a patch.
This extension lets enable persistently JavaScript on sites you trust and where you feel you would loose functionality without it, e.g. gmail.

If you were extremely security conscious, I could see where using this would be far easier then manually editing .js or .css files to create your own whitelist.

It is exactly the point. Using NoScript you can edit your policy contextually, visually and on the fly, driven by your immediate needs. It's just a matter of clicking on the statusbar and selecting the ready to be clicked "allow gmail.google.com" menu item 8)
Your casual browsing happens in the safest way possible, and you're protected even against not disclosed yet vulnerabilities - it's not a joke, did you read the childish way the guys who found latest Firefox hole close this report?

Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple of tricks up our sleeves...

Knowing that, you should really keep JavaScript disabled forever
Luckily, thanks to NoScript, enabling a trusted site is one-click away, and after that you don't have to be bothered for that site (during this session or in the future) unless you decide it is not safe anymore.

Perhaps a nice, & even more beneficial to me, addition would be a small toggle button JSon/JSoff, down on the Status Bar - just like the Online/Offline toggle.

Maybe I could change the current behaviour to "left click=global toggle, right-click=menu", but I feel this can be dangerous (accidental enabling) and unfair to Mac users.

PS, what is your native language? I noticed you gave credit to an Italian translator?

Dante Alighieri, tha author of the "Divina Commedia", helped me with Italian translation, as William
Shakespeare did for the English one

[Giorgio Maone]

It does not work with certain french on-line banking sites. I'll be pleased to name the sites if you wish. These sites are Verisigned/high grade encryptation RC54-128 bits. One of these worked with FF1.0 but not with the later versions. Works only with IE (I'd like to avoid).
Anyway the sites are : banque-accord.fr & videoposte.com
Can you fix this ?

I've browsed videoposte.com - white page.
Then I choose from "allow videoposte.com" from the NoScript menu - it reloaded OK, but cried about cookies not enabled (I've them disabled by default).
I enabled cookies from videobank.com for the session, reopened the main page videobank.com (don't reload the error page, you'd keep seeing the error) and the login form has been correctly displayed.
I'd say it works, as long as you enable cookies - can't say what happens when you login

Talking about banque-accord.fr, I've not been able to see your problem, probably because I've not the credentials to login. Can you be more precise?

Thank you for your report...

[TheOneKEA]

What will you think of next sir?

I personally don't have much use for this, but I may know someone who will!

[vhable]

Hello!
Thank you for making this cool extension! Would it be possible, that the icon in the status bar shows in any way if there is any script blocked on the current page? Then you wouldn't have to try switch noscript on and off to see if it's the reason if any site doesn't work... That would be great!
Also an option "allow script temorarely for current site" I would consider as a good feature so that the white list doesn't become too long with (save) sites you don't think to visit again...
Best regards from Germany (thanks for the German translation of noscript ),
Volker

[Giorgio Maone]

Hello!
Thank you for making this cool extension!

I'm flattered

Would it be possible, that the icon in the status bar shows in any way if there is any script blocked on the current page? Then you wouldn't have to try switch noscript on and off to see if it's the reason if any site doesn't work... That would be great!

It depends on how much precise do you need this info to be...
Scanning loaded page for <script> tags is not a big issue, but you should also examine every link for "javascript:" URLs and - worse - almost every tag for onXyz event handlers; it's a bit nightmarish, and I'm not sure this would even complete the job...

Also an option "allow script temorarely for current site" I would consider as a good feature so that the white list doesn't become too long with (save) sites you don't think to visit again...

This is a very reasonable feature. Not very easy to be implemented, but I'll make my best efforts

Best regards from Germany (thanks for the German translation of noscript )

You have to thank my friend Thomas Weber, a fine Swissman which translates FlashGot as well.
BTW, have you got the slighlest idea of why I'm receiving in my mailbox a ton of (apparently) racist oriented German spam since yesterday?
Things like...
ese selbst:
http://www.npd.de/npd_info/deutschland/ ... 05-13.html
Neue Dokumente:
http://www.rp-online.de/public/article/ ... land/87647
Botschafter in Kiew beschwerte sich noch 2004:
http://www.rp-online.de/public/article/ ... land/85735
Traumziel Deutschland:
http://www.berlinonline.de/berliner-zei ... index.html
Kanzler erleichtert Visaverfahren für Golfstaaten:
http://www.spiegel.de/spiegel/vorab/0,1 ... 62,00.html
Ohne Deutsch nach Deutschland:
http://www.aufenthaltstitel.de/zuwg/0618.html
Vorbildliche Aktion:
http://www.npd.de/npd_info/deutschland/ ... 04-24.html

I can't speak German, but I've nonetheless a bad feeling about how this stuff has been put together

[vhable]

Hello Giorgio!
Thanks for your quick reply!

It depends on how much precise do you need this info to be...
Scanning loaded page for <script> tags is not a big issue, but you should also examine every link for "javascript:" URLs and - worse - almost every tag for onXyz event handlers; it's a bit nightmarish, and I'm not sure this would even complete the job...

I think at least the scan for <script> would be an good thing!

This is a very reasonable feature. Not very easy to be implemented, but I'll make my best efforts

Cool, thank you!

BTW, have you got the slighlest idea of why I'm receiving in my mailbox a ton of (apparently) racist oriented German spam since yesterday?
Things like...
ese selbst:
http://www.npd.de/npd_info/deutschland/ ... 05-13.html
Neue Dokumente:
http://www.rp-online.de/public/article/ ... land/87647
Botschafter in Kiew beschwerte sich noch 2004:
http://www.rp-online.de/public/article/ ... land/85735
Traumziel Deutschland:
http://www.berlinonline.de/berliner-zei ... index.html
Kanzler erleichtert Visaverfahren für Golfstaaten:
http://www.spiegel.de/spiegel/vorab/0,1 ... 62,00.html
Ohne Deutsch nach Deutschland:
http://www.aufenthaltstitel.de/zuwg/0618.html
Vorbildliche Aktion:
http://www.npd.de/npd_info/deutschland/ ... 04-24.html

Sorry, no idea, I haven't received any spam like that. But you are right, NPD (1st link) is a far-right party, most of the other links are news (most of them about a visa affair in Germany) collected by someone who also seems to be far-right... No good!
Many greetings,
Volker

[Old incognu]

...
BTW, have you got the slighlest idea of why I'm receiving in my mailbox a ton of (apparently) racist oriented German spam since yesterday?
...

Could be Sober spam ... apparently, a wave of it is just starting. Discussed here: http://www2.broadbandreports.com/forum/remark,13410941