[ext] NoScript 1.1.4.6 - black & white edition

[angelora252]

Okay, so I'm really not good with computers so if any one can help me with downloading NoScript I'd appreciate it......so I went to the web page where you can Install NoScript, I clicked on the link and the box that allows you to 'Open', 'Save', or 'Cancel' came up but instead of it saying Open it said 'Find', and the first line of the box said 'Do you want to save this file or find a program online to open it?', so entered find....to make a long story short, I kind of figured out that I need to install some kind of XPI thing, but other than that i'm lost......help please!!

[Giorgio Maone]

Okay, so I'm really not good with computers so if any one can help me with downloading NoScript I'd appreciate it......so I went to the web page where you can Install NoScript, I clicked on the link and the box that allows you to 'Open', 'Save', or 'Cancel' came up but instead of it saying Open it said 'Find', and the first line of the box said 'Do you want to save this file or find a program online to open it?', so entered find....to make a long story short, I kind of figured out that I need to install some kind of XPI thing, but other than that i'm lost......help please!!

Are you using Firefox (or another Gecko based browser)?
If so, just left-clicking on the link should install NoScript. Get it here, just to be sure your security settings aren't forbidding it.

If you're not running Firefox (e.g. you're an Internet Explorer user), you must install Firefox first.

[phornikator]

Great add-on. I wouldn't surf the web without it.

I have a feature request with the new cross-site sanitation. Please make a per-site whitelist control to allow exceptions to the sanitation. I use LogMeIn (logmein.com) to admin various remote systems and it apparently uses some cross-site-esque methods in the course of its operation. It didn't render it unusable, but the frame/screen was the size of a postage stamp after being sanitized and it took enabling the full-screen option to be able to use it properly. If you're not familiar with LogMeIn, it appears to operate similar to a web-based Terminal Services client using a remote client tunnel for each system administered.

Thanks,

P

[Giorgio Maone]

Please make a per-site whitelist control to allow exceptions to the sanitation.

If you're familiar with regular expressions, you can already tweak the about:config noscript.filterXException preference, which already contains exceptions for Google and Yahoo search requests.
A sample value may be:
^http://(?:www\.google\.com/(?:search|custom)|search\.yahoo\.com/search|[a-z\.]*?\blogmein\.com\/.*?)\?

At any rate, the main reason why I still didn't release this feature in the "official" line are false positives, hence I'm going to investigate this logmein issue and see if it can be worked around with no need for exception.

Thanks for your report

[cavanaug]

I hate to admit this but, the current defaults of noscripts anywhere is a tad too conservative for me. But at the same time I really dont like the option of globally disabling scripts.

Would it be possible to add an option that would in essence allow all first party scripts (ie. those originating from the website itself), but disallow all 3rd party scripts (coming from urls other than current website).

This would be a big help for me.

--
JohnC

[Giorgio Maone]

I hate to admit this but, the current defaults of noscripts anywhere is a tad too conservative for me. But at the same time I really dont like the option of globally disabling scripts.

Would it be possible to add an option that would in essence allow all first party scripts (ie. those originating from the website itself), but disallow all 3rd party scripts (coming from urls other than current website).

This would be a big help for me.

--
JohnC

I hate do admit this , but I believe this option is already there:
NoScript Options|General|Temporarily allow top-level sites by default

[brucemc777]

I finally installed NoScript after a long time of visiting sites that likely run scripts it probably would have protected me from. Going forward I am better set to keep clean, but how would I detect and repair any damage from before? Norton AV is running, but I suspect a script can do damage outside NAV's scope, right?

[Giorgio Maone]

I finally installed NoScript after a long time of visiting sites that likely run scripts it probably would have protected me from. Going forward I am better set to keep clean, but how would I detect and repair any damage from before? Norton AV is running, but I suspect a script can do damage outside NAV's scope, right?

Malicious scripting nowadays is used mostly for credentials theft, rather than installing viruses/trojans, so just update NAV and perform a system scan, then check your account balance and change your webmail password, if you want to stay on the safe side.

[brucemc777]

TY!

[therube]

NoScript 070325

On this page:
http://www.troweprice.com/common/indexH ... 13,00.html

To the left of where it says, "Retirement Account Servicing Forms", there is a "left navigation" frame:
http://www.troweprice.com/common/gcLeft ... 11,00.html

If troweprice.com is Forbidden, not much of anything will work at that domain.

If troweprice.com is Allowed, the "left navigation" form does not appear.

If troweprice.com is Allowed and scripts are Globally Allowed, the "left navigation" form does not appear.

If troweprice.com is Forbidden and scripts are Globally Allowed, the "left navigation" does finally appear.

So in addition to Allow Globally, you also need to make sure that troweprice.com is Forbidden.

[the_simurgh]

how about tying no script into filterset g. those ad sites being added in would allow people to to run around with a new option globally allowed except for untrusted sites.

[Giorgio Maone]

NoScript 070325 On this page:
http://www.troweprice.com/common/indexH ... 13,00.html

Fixed, thanks.
Notice that you follow the link from an untrusted site and troweprice.com is whitelisted, XSS filters will modify the request because it contains a "dangerous" equal (=) character.

@the_sirmugh: even if I still strongly believe that relying on a blacklist and permit everything by default is not a great idea, I've already started working on something like that.
In the meanwhile, you've got both the "untrusted" blacklist and the (not advised) NoScript Options|General|Temporarily allow top-level sites by default.

[Giorgio Maone]

I believe we've got a "golden" release candidate, 1.1.4.6.070410 AKA 1.1.4.7rc3.

It further improves XSS filters "kindness" and also fixes various glitches reported in this thread (e.g. non-blocked or semi-blocked Flash movies, Opera Mini site display problems, dynamic loading of JS libraries randomly failing).
It's a recommended upgrade, and if nobody reports show-stopper bugs in the next 12 hours, it's going to become the official 1.1.4.7 release (after including Babelzilla localizations).

As always, thank you everybody for your help

[wrad]

The person that wrote this commentary does not understand how dangerous scripting can be:

http://www.computerworld.com/action/art ... geNumber=1

NoScript is the reason I tolerate the disappearing tabs, vanishing bookmarks, etc. that haunt my Firefox installation.

[Alfred Neuman]

This is my experience, exactly. That plus the fact that even after I allow all the scripts to run, the page still won't
work correctly until I allow scripts globally.
<i>
This extension is hugely popular and works as advertised, giving you control over which JavaScript, Java and other executable content on a page can run, depending on that content's source domain. You whitelist the sites you consider safe and blacklist the sites you don't.

NoScript has you allow or forbid executable content by originating domain; a single Web page can include such content from multiple domains.

If you really have a need for this kind of control, then you're already using the extension and will continue to do so. But for the average Web surfer, constantly having to whitelist sites so that scripts can execute in order to give you a fully formed Web experience gets tedious very quickly.

Does NoScript make Firefox safer? Sure. Is it worth the hassle? No. For some reason, paranoia seems to be cool among Web geeks, but for the most part, it is totally unwarranted unless you're sending and receiving sensitive data. Most typical Web surfers who install this extension remove it after the novelty wears off. </i>

How about losing the word "dangerous" that is used in several places?
It may be a little safer to have NS turned on, but I have yet to be blown out
of the water after years of letting scripts run. Saying it is "dangerous" feeds paranoia.

Also, the warning that I have to click through each time that I allow scripts globally becomes tedious. Give me a break and give me an option to remove it. I am not a total idiot.