[ext] NoScript 1.1.4.6 - black & white edition

bulldog000
Posts: 91
Joined: November 29th, 2005, 2:30 pm

Post by bulldog000 »

I'm having a problem with NoScript. It's a compatibility issue with the extension and Digg.com.

I allowed digg.com on NoScript. There's a digg link which is made with Javascript. When I click it, it doesn't go through, and the function doesn't run. This is while NoScript is allowing scripts to be run on digg.com. So I try disabling NoScript. The problem goes again and it works like it's supposed to. I enable NoScript, while still allowing digg.com and all the sites that run scripts on digg.com, and I can't digg once again. Why is this happening?

Thank you.
NiroZ
Posts: 7
Joined: February 23rd, 2006, 12:42 am

Post by NiroZ »

Just noticed the new 'untrusted sites' feature. It's pretty good, but one problem is that there isn't any icon to indicate that all the scripts blocked on the webpage you are visiting have been marked untrusted or not, which does get a little annoying. Perhaps there should be a different icon when all the scripts blocked are marked as untrusted?
tlu
Posts: 49
Joined: November 13th, 2005, 9:58 am

Post by tlu »

bulldog000 wrote:I'm having a problem with NoScript. It's a compatibility issue with the extension and Digg.com.

I allowed digg.com on NoScript. There's a digg link which is made with Javascript. When I click it, it doesn't go through, and the function doesn't run. This is while NoScript is allowing scripts to be run on digg.com. So I try disabling NoScript. The problem goes again and it works like it's supposed to. I enable NoScript, while still allowing digg.com and all the sites that run scripts on digg.com, and I can't digg once again. Why is this happening?

Thank you.


I tried that site. The only links I found that need JS are the "Bury" links. If I allow JS temporarily it works as it should. No other problems (using version ...322).
bulldog000
Posts: 91
Joined: November 29th, 2005, 2:30 pm

Post by bulldog000 »

@tlu:

When I mouseover the "digg it" button (under the counter for each story) I see something like
"javascript:dig(2,512451,'long alphanumeric')". When I click that link, nothing happens, instead I mouseover again and it becomes "javascript:void(0)".
tlu
Posts: 49
Joined: November 13th, 2005, 9:58 am

Post by tlu »

bulldog000 wrote:@tlu:

When I mouseover the "digg it" button (under the counter for each story) I see something like
"javascript:dig(2,512451,'long alphanumeric')". When I click that link, nothing happens, instead I mouseover again and it becomes "javascript:void(0)".


bulldogg, I can't confirm this. When I mouseover this button it shows "http://digg.com/login" and clicking that button leads me to that site even when JS is disabled. (This also works when I disable the NoScript option to turn JavaScript links into normal ones - so that's obviously not the reason.)
bulldog000
Posts: 91
Joined: November 29th, 2005, 2:30 pm

Post by bulldog000 »

Oh, the reason that happens is because you need to be logged in in order to digg links. When you are logged in, that mouseover would display what I said earlier. It's weird, because sometimes it actually diggs the story, but mostly it doesn't digg it, and instead turns the link into javascript:void(0).

On a related note, I can't see my own ads on my blog, but in Opera they show up. The ads are from Google AdSense and I get javascript code to paste, which is why I said these two problems are related.
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post by Giorgio Maone »

bulldog000 wrote:Oh, the reason that happens is because you need to be logged in in order to digg links. When you are logged in, that mouseover would display what I said earlier. It's weird, because sometimes it actually diggs the story, but mostly it doesn't digg it, and instead turns the link into javascript:void(0).

I've got a digg account, and I noticed sometimes I couldn't digg a story/a comment if I kept digg out of my whitelist and just temporarily allowed it, unless I issued a supplementary reload after allowing the domain.
On the other hand, since I've put digg.com permanently in my whitelist I never had this problem anymore.
This is very likely due to a peculiarity I observed in Scriptaculous, an Ajax library used by digg: sometimes, on a cached reload (such as the ones issued after a NoScript permission change), the Effect class isn't loaded and the "digg" link can't function properly.
To confirm this, just check the JavaScript Error Console for a message regarding "Effect" being undefined or something like that.
If it's so, just reload the page and you can digg anything.

bulldog000 wrote:On a related note, I can't see my own ads on my blog, but in Opera they show up. The ads are from Google AdSense and I get javascript code to paste, which is why I said these two problems are related.

In order to see Google ads you need to allow both the main site (the domain of your blog) and the googlesyndication.com host where the AdSense scripts are loaded from.

Good luck and let me know.
TurtleX
Posts: 7
Joined: May 19th, 2004, 9:39 pm

Post by TurtleX »

Hello? Giorgio Maone, did you get my PM? I sent you my prefs.js file as requested. Thanks.
therube
Posts: 21714
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post by therube »

070322
file:/// is not being anted up as an Allow item.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post by Giorgio Maone »

TurtleX wrote:Hello? Giorgio Maone, did you get my PM? I sent you my prefs.js file as requested. Thanks.

Sorry for coming back so late, but I've been tackling XSS countermeasures.
I installed your prefs file in a clean profile with NoScript, and it works fine (the whitelist is quite short, too).
I also noticed that you show full domains in your context menu, and this adds fine-grained control over your security.

Since I couldn't reproduce any problem with your settings, I strongly suspect this is a corrupted profile or bad interaction with a different extension.
Standard diagnostic is strongly advised.

Good luck and let me know.

@therube: thanks for pointing that out, it's a side effect of a fix to "http://" or "https://" shown for malformed <script> or <iframe> tags.
therube
Posts: 21714
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post by therube »

Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post by Giorgio Maone »


I read it, and I gave up answering.
As it seems to me, Wladimir's opinion can be summarized as:
  1. The web is broken, NoScript can't protect you
  2. Oh wait, looks like NoScript can protect you but the web is not broken enough to justify NoScript usage
  3. Users are too stupid to use NoScript in any meaningful way, they should just use AdBlock Plus and have fun blocking ads while waiting for the next security patch

How ironic it is that NoScript helped Adblock Plus in winning its battle for Adblock "classic" annihilation by openly endorsing it in the NoScript FAQ...
Last edited by Giorgio Maone on March 25th, 2007, 10:57 am, edited 1 time in total.
pirlouy
Posts: 232
Joined: February 11th, 2005, 6:29 am
Location: France

Post by pirlouy »

"There's a browser safer than Firefox... it is Firefox, with NoScript!"
First, WP explains that Firefox is not inevitably safer, because NoScript could be vulnerable too.

Now he explains NoScript isn't very user friendly (it breaks pages by default, and users have to do several things to have a usable page).

But I don't criticize your developer skills. You're certainly one of the better coders working in the Mozilla environment. It's just that we do not have the same conception of "better navigation". ;)
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post by Giorgio Maone »

pirlouy wrote:First, WP explains that Firefox is not inevitably safer

He didn't manage to do that: Firefox + NoScript is actually "inevitably" safer than Firefox alone.
He could only argue on how much safer it was (before anti-XSS additions).
pirlouy wrote:because NoScript could be vulnerable too

So far nobody exhibited anything resembling a "NoScript vulnerability".
WP talked about vulnerable web sites which used to be a possible gateway to work-around NoScript.
And this is the past, anyway.

pirlouy wrote:Now he explains NoScript isn't very user friendly (it breaks pages by default, and users have to do several things to have a usable page).

NoScript doesn't "break the pages" by default. Actually most of its code is meant to limit as much as possible the inconvenience of keeping JavaScript and Java turned off on untrusted sites (standard security advice outside the inner circles of browser developers, Web 2.0 fanatics and SEO experts), and to make your trusted sites as usable as before.
pirlouy wrote:But I don't criticize your developer skills. You're certainly one of the better coders working in the Mozilla environment. It's just that we do not have the same conception of "better navigation". ;)

Thank you, but I say "safer", not necessarily "better for everyone": "good" is a very vague and debatable concept...
Last edited by Giorgio Maone on March 25th, 2007, 9:16 am, edited 1 time in total.
bulldog000
Posts: 91
Joined: November 29th, 2005, 2:30 pm

Post by bulldog000 »

Giorgio Maone wrote:On the other hand, since I've put digg.com permanently in my whitelist I never had this problem anymore.
This is very likely due to a peculiarity I observed in Scriptaculous, an Ajax library used by digg: sometimes, on a cached reload (such as the ones issued after a NoScript permission change), the Effect class isn't loaded and the "digg" link can't function properly.
To confirm this, just check the JavaScript Error Console for a message regarding "Effect" being undefined or something like that.
If it's so, just reload the page and you can digg anything.


I checked the Javascript Error Console and I did get that message with the Effect being undefined. But after I reloaded the page and tried to digg again, it didn't work, so I checked the error console and got the same message again. I reloaded 5 times and got the same error 5 times. But this morning I tried digging links, and it worked without a problem. It's a hit or miss situation on my end. (note: It worked on the 7th time)

Giorgio Maone wrote:In order to see Google ads you need to allow both the main site (the domain of your blog) and the googlesyndication.com host where the AdSense scripts are loaded from.


My blog is hosted on Blogger and I allowed/whitelisted every site that runs a script on my blog, including googlesyndication.com. I still don't see the ads though. I tried forbidding and then allowing googlesyndication.com and my blog's url, but the ads don't show up still.