[ext] NoScript 1.1.4.1, cleanup release

[canuckerfan]

any chance of the close button of the information bar being switched to the left in order to be consistant with the close button of the find search bar?

[Giorgio Maone]

any chance of the close button of the information bar being switched to the left in order to be consistant with the close button of the find search bar?

Guess not, as it is currently consistent with its closest relative, the popup blocker whose close button is on the right (yes I know, you've got no many chances to see it when you're using NoScript ).
As a matter of facts, it is the standard popup blocking message infobar itself reused here: not a NoScript invention, even if not many know there are actually 2, one on the top and the other on the bottom of the page (I choose the latter position as default to avoid screen jumping on display, but you can swap them or even kill the bar once for ever)...

[Old Greg S]

Is there any particular reason that the toolbarbutton inside the customize window has it's text lined up on the right?

I notice that some of Mr. Techs toolbarbuttons will do the same thing, sometimes anyway. Somtimes his can be placed back in the window and the text will be under the bottom of the button but yours always remains to the side. It seems to be associated with buttons that have a dropmarker.

And unrelated, what's up with this dropmarker coding? Some extension authors have toolbarbutton-menu-dropmarker class with a dropmarker type of menu while others use toolbarbutton-menubutton-dropmarker class with a dropmarker type of menu-button. Why can't there just be a standard for this instead of having various classes using different types? Looks to me like it accomplishes the same thing.

[deadelous]

For some reason, noscript seems to allow some sites to run *.swf even though I have it set to block everything by default. I have removed everything I can from the whitelist, to no avail. The offending site is http://www.yeeguy.com/freefall/georgerag.swf

I use the stumbleupon extension and this seems like a fairly common problem here.

Thanks for your help, and for making such a wonderful product available for free!

[mzfuser]

For some reason, noscript seems to allow some sites to run *.swf even though I have it set to block everything by default. I have removed everything I can from the whitelist, to no avail. The offending site is http://www.yeeguy.com/freefall/georgerag.swf

I use the stumbleupon extension and this seems like a fairly common problem here.

Thanks for your help, and for making such a wonderful product available for free!

i can confirm this as well; maybe noscript wont block flash movies when their url is loaded directly?

[Giorgio Maone]

maybe noscript wont block flash movies when their url is loaded directly?

Yes, this is exactly what happens since Firefox 1.5 and above which, differently from previous versions (like Fx 1.0.8) considers (flash) movies, audio-clips and PDFs all as "documents" rather than "objects" when they're opened directly in a top level window, and so skips the NoScript filtering stage.
Java Applets, however, can be run only as embedded objects, thus they're are always blocked by NoScript.

I'll investigate to see if the old behaviour can be emulated some way.
In the meanwhile, if you're worried about this, you can change the default action for Flash Movies (SWF and SPL) from "Using this plugin" to "Save them on my computer": doing so they won't be opened automatically, but you will be prompted for saving them instead.

[sberka]

I have TiddlyWiki I use frequently. Since it uses JavaScript (it's all it uses!), I had to allow "file://" in NoScript. But I hoped to be able to allow JavaScript just for this one file or may be the folder it is in and not for all files. Is it possible? Is there a workaround?

[Giorgio Maone]

I hoped to be able to allow JavaScript just for this one file or may be the folder it is in and not for all files. Is it possible? Is there a workaround?

This issue can't be fixed at NoScript level, because it is CAPS (the underlying Mozilla security subsystem) which can't currently discriminate paths but only domains (either in file:// or other URL schemes).

CAPS currently assumes you trust/untrust the whole domain, rather than a specific path - an assumption which can be easily proven controversial for file:// URLs, especially on multi-user systems...

There's some discussion about it (for slightly different reasons) in this bug.

The only workaround I can suggest, for now at least, is allowing file:// temporarily, rather than permanently.

[emiel]

Is it possible to make NoScript work the other way around, i.e. to be able to allow all sites to execute scripts, except scripts which are loaded from some specified sites?

It would be nice to be able to block all scripts from http://www.google-analitycs.com or from http://pageadd2.googlesyndication.com and still have a working website...

I know I can addblock http://pagead2.googlesyndication.com/* but I don't want my browser to make a request to this site using JavaScript.

[Mugros]

Feature request:
If scripts are allowed temporarily add an option to permanently allow a site. Right now if a site looks weird i allow scripts temporarily. And if this helps, i have to forbid again and then have to choose allow scripts. This also causes the site to reload twice.

And i don't know if this is possible: With WMP 10 there is a critical error on sites with embedded videos, unless scripts are allowed. An option that allowed scripts in these cases would be nice.

[therube]

This also causes the site to reload twice.

That doesn't have to be, if you have "Automatically reload affected pages when permissions change" unchecked in NoScript Options | General.

critical error on sites with embedded videos

That is known issue. Though it is not a NoScript issue.

Giorgio simply hasn't figured out how to fix Microsoft - yet .

[Mugros]

But i don't want to uncheck this option.
Of course, it is not a NoScript issue. But maybe this can be prevented by checking for embedded videos and allowing scripts automatically.

[AcidReflux]

I seem to have a problem with Firefox 1.5.0.3 + NoScript 1.1.4.1 and the new yahoo homepage. None of the mouse overs seem to work (E.G. mail preview). However, if I enable JavaScript globally in NoScript (I then have to manually reload the page) they work. NoScript is not reporting that it is blocking any scripts, but it appears to be.

[StriderSkorpion]

Are there any plans of making use of a black list for NoScript rather than just a white list? Is it possible to read this black or white list from a text file (i.e. IE-SPYAD for ZonedOut) or maybe get the list from IE's Trusted and/or Restricted Zones? On the subject of direct linking, could NoScript check the file extension and disable the link? Like if the link was to a Shockwave file and it was disabled in the options menu.

[Giorgio Maone]

Are there any plans of making use of a black list for NoScript rather than just a white list?

There's a vague plan to revamp the whole blocking/unblocking interface in the direction of a full blown security manager (included separate whitelists/blacklists for JS, Java, Flash and other media types), but it's a very long-term plan (1st quarter of next year, most likely).
This is actually not an itch of mine, because for my everyday needs I'm very happy with the current NoScript whitelist-only approach for security combined with the blacklist annoyance blocking provided by AdBlock Plus, and since time is a good I desperately lack I give priority to actual improvements to the current philosophy rather than adventuring on new minefields, but I recognize the blacklist thing is one of the most requested features and I'm giving it some attention (even if I still thing it's a bad idea).

Is it possible to read this black or white list from a text file (i.e. IE-SPYAD for ZonedOut) or maybe get the list from IE's Trusted and/or Restricted Zones?

You can use the [Import] button in the 1st NoScript Options tab to grab a swhitelist from a plain text file (one entry per line).

On the subject of direct linking, could NoScript check the file extension and disable the link? Like if the link was to a Shockwave file and it was disabled in the options menu.

Not a great idea, since the link could point to an apparently non-shockwave document which could use an HTTP redirection to point you to the actual one.
I'm implementing an IMHO better approach for next NS version: if a top level document is detected in the pre-loading phase as non-textual (mimetype not matching "text/*") and current NS setup says that kind of file should be blocked, user is prompted with the same confirmation question as he was clicking on a NoScript media placeholder ("Allow http://somesite.com/movie.swf - application/x-shockwave-flash?").