[ext] NoScript 1.1.4.5 - faster and neater

Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: NoScript hardening

Post by Giorgio Maone »

Torpark wrote: I am writing a new version of Torpark, and I have a request for NoScript.
I want to disable all plugin scanning/loads by default in the prefs.js

user_pref("noscript.forbidJava", true);
user_pref("noscript.forbidFlash", true);
user_pref("noscript.forbidPlugins", true);

Ahah, someone as paranoid as me, finally :banana:

Torpark wrote: Also, if you could adjust the time that the notice bar appears to allow the user to allow the page, that would be great also.

The relevant preference is noscript.notify.hideDelay, whose value is the number of seconds before the bar gets hidden (default 5).

Alfred Neuman wrote:
Giorgio Maone wrote: Go over to cnn.com and try it, yourself.

I'm sorry if my "are you sure?" may have sounded rude to you, but this one does not sound very nice to me: I did go there and tested before answering, as I always do when I receive a report like yours (and time is not exactly the most disposable thing I've got).
As you can see, therube did the same.
Now would you mind trying on a clean profile? My suspicion is that you've got a plugin (are you using WMP10? something else?) or an extension which interferes with movie playing when content blockers are generally active, even if not actively filtering the current content.
Does the blocking also happen when AdBlock is enabled (if you use it)?
Peace :)
Alfred Neuman
Posts: 1930
Joined: January 19th, 2005, 10:52 am

Re: NoScript hardening

Post by Alfred Neuman »

Giorgio Maone wrote:
Alfred Neuman wrote:
Giorgio Maone wrote: Go over to cnn.com and try it, yourself.

I'm sorry if my "are you sure?" may have sounded rude to you, but this one does not sound very nice to me: I did go there and tested before answering, as I always do when I receive a report like yours (and time is not exactly the most disposable thing I've got).
As you can see, therube did the same.
Now would you mind trying on a clean profile?

Sorry, I was out of line. Please consider it a weak moment.
I will try a clean profile.
Do you often feel that you must be from another planet, or wish you were?
Vodkaneat
Posts: 5
Joined: March 14th, 2006, 6:32 am

Regex whitelisting

Post by Vodkaneat »

Hi,

Sorry I posted in the old thread, then noticed the new thread link. Many thanks for this extension, very useful to me. I work on a web network consisting of thousands of sites. Have you considered, or does NoScript already implement, a regex feature for whitelisting? This would be very useful for me as most of our sites adhere to standard naming conventions.
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post by Giorgio Maone »

@Vodkaneat: regex will eventually come, but not very soon because they're not supported by the underlying Script Security Manager for performance reasons and hence need a lot of careful work.

@reevuur: works for me. Does it work when scripts are "Globally Allowed"? Could you check if JavaScript is maybe disabled from the main Firefox preferences (Options|Content)?
reevuur
Posts: 375
Joined: September 13th, 2004, 2:02 pm

Post by reevuur »

yes it works when scripts are Globally Allowed.

Javascript is enabled in my FF. (I did not change the settings).
Torpark
Posts: 16
Joined: October 5th, 2005, 9:06 am

Re: NoScript hardening

Post by Torpark »

Giorgio Maone wrote: user_pref("noscript.forbidJava", true);
user_pref("noscript.forbidFlash", true);
user_pref("noscript.forbidPlugins", true);

Ahah, someone as paranoid as me, finally :banana:


Yeah, I have to be for my users. Thanks for the great plugin.

I think you may get the idea, but I am not sure:

1. Assume I have disabled plugin scanning by default in the prefs.js
2. Assume NoScript is installed and all plugins are blocked

When the user gets the notification that the script/page is blocked, and selects to allow unblocking it, will that bypass #1 and run the plugin(s)? I am hoping "yes" as this would allow a solution to a plugin-disabling attack.

The relevant preference is noscript.notify.hideDelay, whose value is the number of seconds before the bar gets hidden (default 5).


I can edit this, no problem. I just thought you might like for users to be able to modify the delay.
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Re: NoScript hardening

Post by Giorgio Maone »

Torpark wrote: this would allow a solution to a plugin-disabling attack.

If you allow the page's domain, plugin content is allowed as well.
You can also selectively allow one content on the other (provided that it has layout, like an applet or a Flash movie) by clicking on the NoScript placeholder (without allowing JavaScript or the other content, even of the same type).

Torpark wrote: I just thought you might like for users to be able to modify the delay.

Yes, it needs UI but I tend to be lazy on UIs recently because of all the internationalization bureaucracy (Babelzilla is my release-time nightmare).

reevuur wrote: yes it works when scripts are Globally Allowed.

Have you got any "special" hand-crafted CAPS setting (preferences like "capability.policy.something") out of capability.policy.maonoscript.* and capability.policy.default?
Please look at your user.js or prefs.js files if you are not sure.
Vodkaneat
Posts: 5
Joined: March 14th, 2006, 6:32 am

Post by Vodkaneat »

Thanks for your quick response, no regex in security manager - how inconvenient :) In case you're not aware, Sebastian Zartner has written a regex extension https://addons.mozilla.org/firefox/2077/. Perhaps when the time is right this extension may help with implementation ideas.

Again, many thanks!
reevuur
Posts: 375
Joined: September 13th, 2004, 2:02 pm

Post by reevuur »

Yes in prefs.js:

user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.maonoscript.javascript.enabled", "allAccess");
user_pref("capability.policy.maonoscript.sites", .......> a lot of sites
user_pref("capability.policy.policynames", "maonoscript");
Alfred Neuman
Posts: 1930
Joined: January 19th, 2005, 10:52 am

Post by Alfred Neuman »

OK, NoScript works fine in a clean profile. But I am not sure that I want to go to all the effort to find which extension is causing a conflict. I disabled a couple of them with no effect.

I am getting really tired of having to enable scripts on web sites to get them to work.
I think that I will remove NoScript and try surfing without paranoia for a while.
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post by Giorgio Maone »

reevuur wrote: user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.maonoscript.javascript.enabled", "allAccess");
user_pref("capability.policy.maonoscript.sites", .......> a lot of sites
user_pref("capability.policy.policynames", "maonoscript");

It's just the kosher setup.
I can't figure out any reason why it shouldn't work, aside from some type of corruption in your whitelist (which never happened before, though)...
Would you mind sending me your whitelist (if it's not too private), i.e. the maonoscript.sites line, either by PM or email?

Thanks!
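
The checks requested by hand in this exchange (the plugin-blocking prefs, stray capability.policy.* entries, and a damaged maonoscript.sites line) can be scripted against the text of prefs.js. This is an added example, not part of the thread and not NoScript's own code; the whitespace-separated whitelist format, the character test used to flag an entry, the "handmade" policy name and the sample data are assumptions made for illustration.

```javascript
// Added example: audit prefs.js text for the settings discussed in this thread.
// SAMPLE_PREFS is constructed for illustration; it is not a real profile.
const SAMPLE_PREFS = `
user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.maonoscript.javascript.enabled", "allAccess");
user_pref("capability.policy.maonoscript.sites", "about:blank calendar.yahoo.com http://calendar.yahoo.com exa,mple.org");
user_pref("capability.policy.policynames", "maonoscript");
user_pref("capability.policy.handmade.sites", "http://intranet.example");
user_pref("noscript.forbidJava", true);
user_pref("noscript.forbidFlash", true);
`;

// Read user_pref("name", value); lines as data; the file is never evaluated.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$/gm;
  for (const [, name, raw] of text.matchAll(re)) {
    try { prefs.set(name, JSON.parse(raw)); }   // string, boolean or integer
    catch (e) { prefs.set(name, undefined); }   // value this sketch cannot read
  }
  return prefs;
}

function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  const expect = (name, want) => {
    if (prefs.get(name) !== want) findings.push(`${name} is not ${JSON.stringify(want)}`);
  };
  // The CAPS setup quoted in the thread.
  expect("capability.policy.default.javascript.enabled", "noAccess");
  expect("capability.policy.maonoscript.javascript.enabled", "allAccess");
  expect("capability.policy.policynames", "maonoscript");
  // Plugin blocking requested for a hardened default prefs.js.
  for (const kind of ["Java", "Flash", "Plugins"]) expect(`noscript.forbid${kind}`, true);
  // CAPS prefs outside the default and maonoscript branches.
  const managed = /^capability\.policy\.(default\.|maonoscript\.|policynames$)/;
  for (const name of prefs.keys()) {
    if (name.startsWith("capability.policy.") && !managed.test(name)) findings.push(`hand-crafted CAPS pref: ${name}`);
  }
  // Whitelist sanity (assumed: whitespace-separated hosts, URLs or about: pages).
  const sites = String(prefs.get("capability.policy.maonoscript.sites") || "").split(/\s+/).filter(Boolean);
  if (sites.length === 0) findings.push("whitelist is empty or unreadable");
  for (const s of sites) if (!/^[\w.:\/\[\]-]+$/.test(s)) findings.push(`suspicious whitelist entry: ${s}`);
  return { sites, findings };
}

console.log(auditPrefs(SAMPLE_PREFS).findings.join("\n"));
```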
virtdave
Posts: 13
Joined: January 16th, 2006, 10:54 pm

Post by virtdave »

Aha! At your suggestion, Giorgio, I did set up a clean user profile. I noticed, btw, that Windows Media Player was automatically installed--at least, I briefly saw a window open which advised me of this, I assume it was WMP 10 (?). I was able to use Yahoo Calendar successfully in the clean install, just with calendar.yahoo and about:blank on the whitelist. Perhaps the simplest work-around would be for me just to switch users to the clean user to use those sites like yahoo calendar and a few others which are giving me trouble on my usual user profile, though this seems a bit strange. It's not clear to me at all what is messing up my use of NoScript in my usual profile, but clearly the problem is with some program, or other Mozilla extension I have installed there which is interfering.....

Btw, I spent some time in Sicily (Enna, Trapani, Pantelleria) recently...very interesting place.
virtdave
Posts: 13
Joined: January 16th, 2006, 10:54 pm

Post by virtdave »

One more thing I just noticed. When I click on the NoScript icon in the right lower corner of the Firefox window when looking at Yahoo calendar, I get different things in the clean profile than I get in the usual profile: in particular, about:blank does not show up as allowed in the usual window (though about:blank is definitely listed in the whitelist of that profile), whereas it DOES show up as allowed in the clean profile.....
stelt
Posts: 9
Joined: January 31st, 2006, 9:44 am

cleaner GUI idea

Post by stelt »

The list of "allow..." and "temporarily allow ..." is often annoyingly long.

Therefore I have thought up this:
only list the most specific URL, and do the allowing/blocking based on where you click on it.
For example, if I click on "mozillazine" in "forums.mozillazine.org" it will interpret it as "mozillazine.org"
Alfred Neuman
Posts: 1930
Joined: January 19th, 2005, 10:52 am

Re: cleaner GUI idea

Post by Alfred Neuman »

stelt wrote: The list of "allow..." and "temporarily allow ..." is often annoyingly long.

How about allowing one to click on multiple lines in the list before it closes?