MozillaZine

[ext] NoScript 1.8 - Your Browser is YOURS

Announce and Discuss the Latest Theme and Extension Releases.
m.0110
 
Posts: 5
Joined: January 21st, 2009, 2:08 pm

Post Posted January 21st, 2009, 2:14 pm

Hi,

Major bug? I just installed 1.8.9.2. Under Appearance->Contextual Menus I have most options set. When I get to a page with scripts blocked (http://sports.espn.go.com/nfl/index) and click on the NoScript icon I don't see any "allow" options. I see About NoScript, Options, Allow scripts globally, and Blocked objects- which has an arrow which leads to another set of 3 "Temporary" allows (I don't like having to click again to see that...) This problem is seen on all the sites I visit. I tried right clicking the icon, and putting another icon on the top toolbar. I've gone through the menus several times trying to find some button I need to select to give me the "allow" options in the context menu.
I remember how this extension used to work. You click on the icon and you get multiple permanent/temporary options for the specific site in a context menu, which are remembered. As it's working now, the only thing I can do is to manually add the site to the white list, which is tedious and offers much less site specific less control.
I had this extension installed several months ago. When I ugraded Firefox I didn't reinstall it. Recently, allowing Java/Javascript was killing performance for some reason, so I reinstalled it. (Disabling Java/Javascript was solving the problem.)
I am using Firefox 2.0.0.17

Thanks

m.0110
 
Posts: 5
Joined: January 21st, 2009, 2:08 pm

Post Posted January 21st, 2009, 2:40 pm

Never mind. Options-reset fixed it. Maybe it was picking up options from the old uninstalled version? When I did the reset the options were not the same as when I installed it today.

(Quote previous message didn't work...)
Re:
Major bug? I just installed 1.8.9.2. Under Appearance->Contextual Menus I have most options set. When I get to a page with scripts blocked

Jennnay
 
Posts: 2
Joined: January 21st, 2009, 12:55 pm

Post Posted January 21st, 2009, 6:32 pm

Giorgio Maone wrote:@Jennnay:
either you accidentally saved that page in Tools|Options|Main|Startup or your Firefox is failing at saving preferences.
If the latter applies, you may need migrating your data to a new profile.




Hi Giorgio:

problem solved..
I did have the NoScript page saved in Tools|Options|Main|Startup . Don't know how that happened...
Many thanks for the prompt reply..

pikerhog

User avatar
 
Posts: 2
Joined: January 21st, 2009, 9:38 pm
Location: Cyberspace

Post Posted January 21st, 2009, 11:31 pm

Hi Giorgio...

I emailed you a note about this a couple days ago.. I've since also tried both newer versions, (1.8.9.2 and 1.8.9.4) and noticed a new error message that shows up in both versions (although unrelated to my original issue I think)...

First.. both 1.8.9.2 and 1.8.9.4 (haven't tried 1.8.9.5 yet) report an error after startup, which is this:
Code: Select all
[NoScript] Init error -- def.match(/\w+[^r].\.n\w+|in\w+on\.c\w+/g) has no properties

Anyways... thats new.. but shows up in both the 1.8.9.2 released version and the development versions.

My main/primary issuse is with odd behavior which I noticed some time after 1.8.8.8 and 1.8.9+.... and that is elements within an IFRAME causing a request to be sent to a server that is explicitly in the Unstrusted list, from a page that is in a default state (not trusted, nor unstrusted) .. Specifically. near the bottom of the page at: progressive . com there is an IFRAME and a noscript tag for a link to doubleclick . net that (at the very least) causes a DNS and subsequent request to be made to the doubleclick site, when in fact NOTHING should happen. This is very unnerving to me. At first I thought it would only do it from the https version of the progressive site, but it seems that now it happens regardless of http or https. I'll let you go to the site and look at the code rather than pasting it here. It's doing some minor URI trickery or something that seems to work for some reason, except noscript isn't catching it.

Now, I don't know if or what elements are showing up since I have other measures (no offsite images, etc) in place. but my browser/web, network and firewall logs all show network activity requesting the IP(s) of the IFRAME'd site in question. BTW.. this was also tested on a Windows machine running Seamonkey, in addition to Linux running Seamonkey, and I'd almost bet that it happens to everyone.

If (any of) you can't reproduce this or recreate what I'm experiencing, I'd be surprised, but either way I look forward to any comments or suggestions regarding this.. especially if I don't have to drastically alter my noscript configurations that have seemed to work seamlessly across platforms for so long as it and the noscript package have grown and improved. I believe it has to be in the code somewhere.

Thanks in advance, and keep up the great work! You rock, by the way.

...piker

Mervaine
 
Posts: 3
Joined: January 10th, 2009, 11:45 pm

Post Posted January 22nd, 2009, 2:28 am

Giorgio Maone wrote:@nagan:
...

2. Those are called "popunder"s, and Firefox can't do anything about them because they're usually triggered by an user click, so the browser can't tell it is unwanted.


Yes, I asked about this some pages back. You make it sound like a policy of FF rather than a technical problem with preventing them. So far I've seen no legitimate use for pop-unders except as an advertising annoyance in situations as nagan describes, in my case on file-sharing sites. You can block the URL the pop-under links to in AdBlock or BlockSite, but you still get the window, just blank, and it still needs to be closed manually. Unfortunately, if they are produced by scripts, it's not currently possible to use the sites without also allowing the script that creates the pop-under.

So I ask again, is it not possible to add into NoScript a POLICY you could select that pop-unders should be prevented EVEN on a white-listed site, and filter/disable/prevent this particular type of script before passing it?

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted January 22nd, 2009, 4:47 am

@pikerhog:
this is the answer I already gave to your previous private email:
Giorgio Maone wrote:Hi piker,

I can't observe any request toward doubleclick.net (I don't even have doubleclick.net in my untrusted list, it's just a "normal" non-whitelisted site).
I'm watching the request using Live Http Headers, Adblock Plus and TCPView by Sysinternal, but unless doubleclick.net is allowed in NoScript neither of these utilities show traces of doubleclick.

How do you observe those requests?


Now, I made further test even with "Allow scripts globally" (keeping doubleclick.net marked as untrusted), and I still can't reproduce: the frame gets blocked as expected (as long as I've got "Forbid IFrame" and "Always block objects coming from untrusted sites" checked).
I tested on Seamonkey, and watched for connections with TCPView.
Also, an iframe from fls.doubleclick.net was always listed in NoScript's Blocked Objects menu, as expected. Can't you see that either?
Did you try on a clean profile with just NoScript installed?

Regarding the other error, it's fixed in latest development build (please download 1.8.9.5 again, it's a minor sub revision).

@Mervaine:
There's no general way to block popunders without blocking legitimate popups as well.
This is because a popupunder is just a popup whose opener retains focus. There's no way to tell the two kinds apart.

Mervaine
 
Posts: 3
Joined: January 10th, 2009, 11:45 pm

Post Posted January 22nd, 2009, 7:45 am

Giorgio Maone wrote:@Mervaine:
There's no general way to block popunders without blocking legitimate popups as well.
This is because a popupunder is just a popup whose opener retains focus. There's no way to tell the two kinds apart.


But would it be possible then to have a policy that blocked ALL pop-ups on a per-site basis like a separate white/black-list? A site that has nuisance pop-unders will generally not have "legitimate" pop-ups I'd guess, and vice-versa. Once you have identified a rogue site using pop-unders only, it would be great to block them just as simply as NoScript does now for other scripts but leave other functionality that the site requires to operate, and you're not saying that is technically impossible.

lakrids
 
Posts: 123
Joined: December 17th, 2006, 12:51 am

Post Posted January 22nd, 2009, 7:55 am

Mervaine wrote:
Giorgio Maone wrote:@Mervaine:
There's no general way to block popunders without blocking legitimate popups as well.
This is because a popupunder is just a popup whose opener retains focus. There's no way to tell the two kinds apart.


But would it be possible then to have a policy that blocked ALL pop-ups on a per-site basis like a separate white/black-list? A site that has nuisance pop-unders will generally not have "legitimate" pop-ups I'd guess, and vice-versa. Once you have identified a rogue site using pop-unders only, it would be great to block them just as simply as NoScript does now for other scripts but leave other functionality that the site requires to operate, and you're not saying that is technically impossible.
Most other browsers deal with this by custom blacklist. Firefox is still behind here, all it offers us is a useless whitelist. (this whitelist is truly useless because the popup blocker doesn't even catch all popups...). I wish there was a way to blacklist both origin of the popup/under request as well as blacklisting destination of them.
It would be nice if Noscript could help with this but I think it's out of the scope of Noscript...Probably.

luntrus

User avatar
 
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Post Posted January 22nd, 2009, 2:03 pm

Hi forum folks,

Everybody encounters obfuscated code and then is curious what it works out to.
Read about investigating here:
http://asert.arbornetworks.com/2006/04/ ... avascript/

luntrus
Fx forever

Stardance
 
Posts: 30
Joined: October 11th, 2003, 2:10 am

Post Posted January 22nd, 2009, 10:02 pm

Perhaps it is just me, but it seems that the fellow who runs AuditMyPC has found some way to hack NoScript.

The reason that I say this is that when I go to a page on his website, such as the one about Anonymous Surfing (http://www.auditmypc.com/anonymous-surfing.asp), I find that NoScript is always set to "Forbid AuditMyPC.com". If I do forbid AuditMyPC.com to run Javascript, and check to see afterward whether it is indeed forbidden, then the dialog says "Allow AuditMyPC.com". However, if I then go to my home page and return to the same AuditMyPC page, I do not hear the NoScript alert. I don't hear the alert because the setting has been changed to "Forbid AuditMyPC.com" and the website is currently allowed to run Javascript. This apparently occurs at the time that Firefox 3.0.5 fetches the page. Note: while at the home page, I flush the cache, so that Firefox must fetch fresh pages for the AuditMyPC website.

Could someone look into this to confirm whether the same thing happens when they go to that website?
nil carborundum illegitimi

NanM
 
Posts: 179
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted January 23rd, 2009, 1:40 am

Stardance wrote:
Could someone look into this to confirm whether the same thing happens when they go to that website?


Hi Stardance,

NoScript blocks all scripts on the page you gave. That is to say that NoScript offers the usual "allow" for all the domains in the context menu dialog.
I don't feel inclined to trust the domain, so I can't confirm the behaviour you report.
Of course, once scripts are run on a page, there's plenty of mischief can be done, unfortunately.

As another thought, have you checked for extension conflicts?

kteague
 
Posts: 3
Joined: May 7th, 2008, 8:47 pm
Location: San Jose, CA

Post Posted January 23rd, 2009, 12:10 pm

May I request a feature?

- Allow inputting CIDR formatted addresses in the whitelist. This will make it easy to add private network IPs, if one feels brave enough to do so, such as 10.0.0.0/8.

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted January 23rd, 2009, 1:13 pm

@kteague:
you can already specify the leftmost 2 or 3 bytes as a shorthand, e.g. "10.0." for 10.0.0.0/16

kteague
 
Posts: 3
Joined: May 7th, 2008, 8:47 pm
Location: San Jose, CA

Post Posted January 23rd, 2009, 1:28 pm

Giorgio Maone wrote:@kteague:
you can already specify the leftmost 2 or 3 bytes as a shorthand, e.g. "10.0." for 10.0.0.0/16


Interesting. OK, so I tried that and I must have had some corruption in my whitelist. I tried to select some old full 10.x.x.x IPs at the bottom of my list and it wouldn't let me. It kept scrolling back to the top. I decided to say, "Screw it!", and hit the RESET button.

Now I'm back with a default whitelist as I requested. I input 10. and add it, and NoScript adds to the end of my whitelist the following:
file://10.
http://10.
https://10.

Fair enough, if that's the way NoScript likes to work. However, I thought that by adding 10. to my whitelist, it would automatically know to handle them for all protocols without the need to automatically add those entries.

So then I proceed to adding 192.168., but it doesn't automatically add the file, http, and https entries for them. It also didn't do it for 172.16. Odd.

This also brings up a question, because I had a radio station in my whitelist labeled 981mystation.com. When I added 99. to the whitelist, it made me wonder if it will whitelist something like 99.somedomain.com.

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted January 23rd, 2009, 1:37 pm

@kteague:
IP shorthands are guaranteed to work with two or more bytes. "10." is just one byte.
That said, when you add "99" you're not allowing 9981mystation.com.

Return to Extension/Theme Releases


Who is online

Users browsing this forum: No registered users and 3 guests