[ext] NoScript 1.8 - Your Browser is YOURS

[pirlouy]

RequestPolicy: doesn't the contextual menu sound familiar ?

Your opinion, Giorgio, on this extension ?

[Giorgio Maone]

@pirlouy:
that sounds like a good idea against CSRF.
Actually there's a new NoScript component called ABE (Application Boundaries Enforcer) currently under development, which will be very similar in intent, but likely more flexible than that (e.g. by allowing/denying POST vs GET requests, or framed requests following firewall-like rules).

[Giorgio Maone]

@med2ver:
I filed bug 466525.
A corollary of my findings about this bug:
if you remove your "introlayer" element, or you remove its "overflow: auto" style, or you switch its visibility using "display" instead of "visibility", everything should be fine.

[r2006m]

Is this a "safe" add-on?
Will it allow me to open .pps files as I cannot open .pps files with No-Script:

http://hackademix.net/2008/10/08/hello- ... ckjacking/

Or can you please explain to this Newbie "How to Open .pps Files in NoScript"

Thank you
rm
Extensions installed:

NoScript; Adblock Plus;

[dst7]

I think I have discovered a problem (or bug?) in NoScript 1.8.6.

My Situation:

In NoScript Options |General, I have selected Temp. Allow Top-Level Sites... = Base 2nd Level Domains and Left Clicking on NoScript Toolbar Button Toggles... = Base 2nd Level Domains. In NoScript Options |Appearance, Statusbar Icon is selected/visible, Contextual Menu is selected, and Temp. Allow All This Page is selected/visible. The rest of all options in NoScript Options is (un)selected by default.

When I (for the first time) visit a website - for example www.youtube.com -, I cannot play a video because of NoScript's default (secured) settings. To play a YouTube video of my choice and with my earlier mentioned settings, I have to click the NoScript statusbar icon first (or right click for the context menu) and pick the option Temp. Allow All This Page to start the video. But then the YouTube video does not start yet because NoScript didn't allow all this (YouTube) page right after the first click on the icon. Then I (right) click the NoScript icon a second time to pick the option Temp. Allow All This Page again but now Temp. Allow All This Page is disappeared completely from the NoScript icon menu. The result is that no YouTube video can't play because www.youtube.com is still secured by NoScript, unless I manually change (or reset) the default secured settings.


Another example.

Take your own website, www.noscript.net, and use again my earlier mentioned settings. When you enter www.noscript.net for the first time, the website is partially allowed/showed (because of my NoScript settings).

Then click on the NoScript statusbar icon (or right click for the NoScript context menu) and you'll see four options: About NoScript..., Options..., Temp. Allow All This Page, and Forbid noscript.net (these options are available because of my NoScript settings). Then pick the option Temp. Allow All This Page to temporarily show the complete website with all it's "dangerous" elements. When you now click once more on the NoScript statusbar icon (or via NoScript in the context menu), you will see that the option Temp. Allow All This Page is gone from the NoScript statusbar icon (and context-) menu. The only way to "restore" Temp. Allow All This Page on the NoScript statusbar icon (and context-) menu is to manually change or reset the (default) secured settings.

[LimeJuice]

First of all, NoScript is awesome, great job.

I have one request and that is to have a blacklist in addition to a whitelist, for a couple reasons:

1) If the only javascript blocked is from domains on my blacklist, then I would want the NoScript icon in the status bar to be the all-clear NoScript icon, or at least a different icon from the NoScript icon with red cancel decoration, and I don't want the status message "Scripts Partially Allowed,..." to pop up above the status bar. What happens now, is I often click that icon because I see something is blocked only to find out it is something that I never allow or don't care about like google-analytics.com.

There are a number of advertistment and statistics and analytics domains which are heavily used by many websites, and I would just like to block all of them one time, and have the NoScript status bar and menu treat these differently.

One suggestion is to allow the user to add domains to a blacklists, and then if scripts are partially allowed, but the only blocked scripts are from blacklisted sites, you could just show a NoScript icon with a black cancel decoration, and don't popup that status bar message 'Scripts Partially Allowed, ...'

2) If I click "Temporarily allow all on this page", I would like to allow everything except the blacklisted code.

[LimeJuice]

I was just exploring NoScript some more, and I just figured out that the "Untrusted-> Mark google-analytics.com as Untrusted" does exactly what was requesting re: blacklist in my previous post. I'm very pleased and embarrassed at the same time that I just noticed this wonderful feature only after posting a feature request for the same!

I have to ask why isn't the list of untrusted domains listed as a tab in the NoScript options page along with "Whitelist"? I had looked over the options before I posted, and I saw whitelist but nothing that looked like blacklist, so that is what prompted my post.

I would suggest the terminology be improved so that you either use "Trusted" list and "Untrusted" list, or you use "Whitelist" and "Blacklist". Right now there is an inconsistency:

In NoScript Menu, you can
- "Allow xyz" which adds it to the Whitelist
- "Untrusted-> Mark xyz as Untrusted" which adds it to Untrusted list.

Also, you are using "Allow" vs "Mark as untrusted". Shouldn't you use "Allow" and "Disallow" or "Mark as trusted" and "Mark as untrusted"?

[sraf]

Upon opening FF (2.0.0.17) yesterday morning, I was prompted to download and install the latest NoScript update. After it loaded, I clicked on "Continue," and was distressed to discover that only one FF window (with five or six open tabs) was now loading, of the maybe twenty or so (each with an average of five or six tabs) that I'd had open when I last shut down FF (I have my FF prefs set to restore the previous session). This doesn't happen with every NoScript update, but it has happened a couple of times before, and it does cause me to lose -- sometimes forever -- web pages of interest.

Any idea why this happens, and how it can be prevented?

[med2ver]

Thanks !
Med

[Giorgio Maone]

@r2006m:
What program/plugin are those .pps file associated with in your system (Acrobat, maybe?)
If it's a plugin, NoScript blocks it by default on untrusted sites. You usually get a yellow placeholder, and just need to click it in order to open the file.

dst7:
(Temporarily) allow all this page disappears as soon as there's nothing more shown to be allowed (except explicitly untrusted items).
Does the menu show some other "Allow site.com" command when "all this page" disappear?
Automatic temp can be quite tricky with "all this page" because when you forbid something it goes in the untrusted list.

@LimeJuice:
I know, terminology can be confusing because the blacklist feature has been added late in the game.
Actually we've got 3 kind of "statuses" (temporary permissions and "Allow globally mode" aside):

1. Trusted (sites after "Allow site.com")
2. Untrusted/Forbidden/Unknown (every site but those Trusted)
3. Marked as untrusted ("Mark as untrusted site.com")

Sites marked as untrusted are disabled exactly as unknown sites, but they UI tends to make more difficult for them to be accidentally enabled or get in your way with notifications.
Permissions UI is gonna change to be made more streamlined, but you can already edit the untrusted blacklist manually.



@sraf:
that looks like a Firefox bug, either in the session restore or the extension manager code.
Could you file it in http://bugzilla.mozilla.org ? Chance are it's already fixed in Firefox 3, but we couldn't tell for sure unless a bug report is filed.

[therube]

Sometimes, I suppose based on where on the page the click items is, a false ClearClick warning is generated.



Happens sometimes with the Next/Prev icons on this page: http://superfreshfood.inserts2online.co ... toreID=912

[oshoshitzu]

Hi Giorgio

Since I installed NoScript plugin for FireFox, QFX Keyscrambler no longer works. If I hover the mouse cursor over Keyscrambler's tray icon the following info appears:

"KeyScrambler is inactive. Right click for information"

However, when I right click Keyscrambler is shown as active; but the scrambled letters and numbers no longer appear on screen when I press the keyboard


I have tried removing all additional restrictions for untrusted sites and allowed global scripts in NoScript, yet keyscrambler still does not work

[geffr2]

I'm having log in issues with 1.8.6 on My yahoo, Yahoo mail & a forum called imwan. The problem continues even if I disable HTTPS Auto Secure Cookies & both XSS check boxes. I'm always able to log inti Imwan on Opera, & sometimes with yahoo; I'm not certain if the Yahoo issue is No script or a network issue. Both of these started after installing 1.8.6.

[r2006m]

@r2006m:
What program/plugin are those .pps file associated with in your system (Acrobat, maybe?)
If it's a plugin, NoScript blocks it by default on untrusted sites. You usually get a yellow placeholder, and just need to click it in order to open the file.

dst7:
(Temporarily) allow all this page disappears as soon as there's nothing more shown to be allowed (except explicitly untrusted items).
Does the menu show some other "Allow site.com" command when "all this page" disappear?
Automatic temp can be quite tricky with "all this page" because when you forbid something it goes in the untrusted list.

@LimeJuice:
I know, terminology can be confusing because the blacklist feature has been added late in the game.
Actually we've got 3 kind of "statuses" (temporary permissions and "Allow globally mode" aside):

1. Trusted (sites after "Allow site.com")
2. Untrusted/Forbidden/Unknown (every site but those Trusted)
3. Marked as untrusted ("Mark as untrusted site.com")

Sites marked as untrusted are disabled exactly as unknown sites, but they UI tends to make more difficult for them to be accidentally enabled or get in your way with notifications.
Permissions UI is gonna change to be made more streamlined, but you can already edit the untrusted blacklist manually.



@sraf:
that looks like a Firefox bug, either in the session restore or the extension manager code.
Could you file it in http://bugzilla.mozilla.org ? Chance are it's already fixed in Firefox 3, but we couldn't tell for sure unless a bug report is filed.

r2006m
The .pps files are Power Point Programs from Microsoft.
A menu comes up:
"Clear Click Warning" Potential Clickjacking"
When I check: Clear Clickjacking on "Trusted" pages...it will still not open

[dst7]

[...]

dst7:
[...]
Does the menu show some other "Allow site.com" command when "all this page" disappear?
[...]

[...]

No, only About NoScript... and Options... remain visible in my NoScript icon / context menu.

[...]

dst7:
[...]
Automatic temp. can be quite tricky with "all this page" because when you forbid something it goes in the untrusted list.
[...]

[...]

Well, I think that's my problem.

In my situation, every website I manually completely forbid it remains forbidden/untrusted after I restart my browser. Does it have to?

With the term temporarily I expect a website is forbidden (if I forbid a website) during a browser session. When I close/restart my browser I expect an automatic deletion of the untrusted list, so every website is (temporarily) partially or fully allowed/accessible again. Am I wrong?