[ext] NoScript 1.8 - Your Browser is YOURS

[Giorgio Maone]

There's a browser safer than Firefox...
...it is Firefox with


NoScript - a Firefox extension for whitelist driven safe JavaScript/Java/Flash/Plugins execution plus the most powerful anti-XSS and anti-Clickjacking protection.

CHANGELOG

• Features
• Screenshots
• FAQ
• Download

Previous discussion

[therube]

Whoa there! That's WAY TOO BROAD, IMO.

> Make page permissions permanent
> command permanently enables every site shown as temporarily allowed by NoScript's menu

Perhaps if it only affected the current page's TA's (even that is broad IMO), but as it is, it globally Allows any page marked as TA. That should not be.

Looks like I was mis-understanding, mis-interpreting MPPP & what was happening.
I was not differentiating (one cannot really differentiate) between a page that had been TA'd & MPPP'd.
And in the same way, Revoke was only revoking TA'd pages & not MPPP'd pages.

[Alan Baxter]

I hadn't realized that 1.8.0 was a release version already.

# Make page permissions permanent command permanently enables every site shown as temporarily allowed by NoScript's menu

As said, on the current page only, as indicated by the tooltip. This feature will make NoScript much easier to use for many users. I usually leave temporary permissions as temporary, but I realize that makes for a bit more work than many users desire.

# Improved tooltips for page-level enablement and temporary permission revocation commands, showing affected sites.

Great! Precise descriptions of what the commands will do. You rock, Giorgio.

[PhilNY]

Hello,
I have been having an issue using the Verizon Minutes Used extension with No Script, since the inclusion of the Block JAR remote resources... feature. It seems to work fine as soon as I uncheck the Block box. I assume that I need to add something to the JAR whitelist, but I am unable to determine what exactly needs to be added.

[Giorgio Maone]

@PhilNy:
the JAR blocking routine should log something in Tools|Error Console. Could you copy the message here?

[PhilNY]

Thanks for the lightening quick reply. Unfortunately, it will not be until tomorrow before I can check this. I disabled the feature on No Script, so the Minutes Used extension is currently working. It only requests the information every five hours, so when I log on tomorrow, I will check for any error messages. Thanks again!

[javierdl]

Hi Giorgio,
First off, congrats on such an amazing Firefox plugin, and thank you kindly for sharing it with the rest of us
My only question so far is: How can I stop NoScript from using the first tab to show me its website everytime I open Firefox?

Thanks in advance and keep up the good work

Javier

[Giorgio Maone]

@javierdl:
It must not do it everytime you open Firefox, but just when NoScript gets updated, showing its release notes.
Even so you can turn off this behavior as explained here.

But if it's doing that everytime as you suggest, either something is preventing your preferences from being written (current version number should be stored as noscript.version in your about:config preferences) or you accidentally set it as your home page (check Tools|Options|Main|Startup).

[luntrus]

Hi Giorgio Maone,

I have Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080830031750 Minefield/3.1b1pre ID:20080830031750 with NoScript 1.8 With Scripts Currently Forbidden I tried to reach this http: //www.jaascois.com/software/X-Code/JAAScoisX-Code.exe
and then landed here: http ://www.jaascois.com/?foiffs=in100fweg (see code)

Code: Select all

<!--
            top.location="http://www.jaascois.com/?prvtof=8b2VkUqfXDCVzkFMugBtMOdsGRurUMnApYmdYUlV1eTi%2B3zkL%2Fv9R6vry
068z8HfzLXHjhlETS%2BY%2FuLAfyuNHRQd4SCz4fWRmYyDZAHJDwRR%2BkBMo%2
FUTZSef7XGmGfOmvTWD%2BhwKq7CvQIR5c8BXqwJLYnw9kE3ohIoCxPnQkTxXA0t
AVejvzA8DxBNpLMZuAgGueyXFeBHdNtRcQyOKzVN%2FSo%2BV2T3Ah%2BAcwRgT5hNtFWptiFVH";
            /*
         -->
                     <script type="text/javascript">
            <!--
                  if(window.top != self)
                  {
                     window.top.location = "http://www.jaascois.com/?prvtof=8b2VkUqfXDCVzkFMugBtMOdsGRurUMnApYmdYUlV1eTi%2B3zkL%2Fv9R6vry
068z8HfzLXHjhlETS%2BY%2FuLAfyuNHRQd4SCz4fWRmYyDZAHJDwRR%2BkBMo%2FUT
ZSef7XGmGfOmvTWD%2BhwKq7CvQIR5c8BXqwJLYnw9kE3ohIoCxPnQkTxXA0tAVej
vzA8DxBNpLMZuAgGueyXFeBHdNtRcQyOKzVN%2FSo%2BV2T3Ah%2BAcwRgT5hNtFWptiFVH";
                  }
            // -->
            </script>
                        <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
               <frame src="http://www.jaascois.com/?foiffs=in100fweg&prvtof=8b2VkUqfXDCVzkFMugBtMOdsGRurUMnApYmdYUlV1eTi%2B3zkL%2Fv9R6vry068z
8HfzLXHjhlETS%2BY%2FuLAfyuNHRQd4SCz4fWRmYyDZAHJDwRR%2BkBMo%2FUTZSef7X
GmGfOmvTWD%2BhwKq7CvQIR5c8BXqwJLYnw9kE3ohIoCxPnQkTxXA0tAVejvzA8Dx
BNpLMZuAgGueyXFeBHdNtRcQyOKzVN%2FSo%2BV2T3Ah%2BAcwRgT5hNtFWptiFVH">
               </frameset>
               <noframes>
               <body bgcolor="#ffffff" text="#000000">
               <a href="http://www.jaascois.com/?foiffs=in100fweg&prvtof=8b2VkUqfXDCVzkFMugBtMOdsGRurUMnApYmdYUlV1eTi%2B3zkL%2Fv9R6vry068
z8HfzLXHjhlETS%2BY%2FuLAfyuNHRQd4SCz4fWRmYyDZAHJDwRR%2BkBMo%2FUTZ
Sef7XGmGfOmvTWD%2BhwKq7CvQIR5c8BXqwJLYnw9kE3ohIoCxPnQkTxXA0tAVej
vzA8DxBNpLMZuAgGueyXFeBHdNtRcQyOKzVN%2FSo%2BV2T3Ah%2BAcwRgT5hNtF
WptiFVH">Click here to proceed</a>.
               </body>
               </noframes>
         <!--
         */
         -->
   

Why did NoScript not protect me against this hack, or was it on the queried server? I recently see a lot of these hacks, why no one reports this hijack malware, is beyond me.

luntrus

[steviex]

Hi Giorgio,
First off, congrats on such an amazing Firefox plugin, and thank you kindly for sharing it with the rest of us
My only question so far is: How can I stop NoScript from using the first tab to show me its website everytime I open Firefox?

Thanks in advance and keep up the good work

Javier

I suggest you make sure that noscript.net has not accidentally been added to your list of Home Pages....

Go to Tools > Options > Main, and have a look in the Home Page box... Click in the box, and scroll right, to see all the contents of the box...
Multiple Home Pages are separated by a | Character.

[VeryMellow]

Another tooltip thing:
when you hover over allow scripts globally it shows your current status (same as hovering over the icon on the bottom)
Shouldn't it say something else ?

[javierdl]

Hi again Giorgio,
Thanks a bunch for the advice. I didn't think NoScript had added itself to the HomePage address as I had already done that for my web email client, but strangely enough... it did add itself there but it also kept the address I had entered myself, each address divided with this: |
As a result Firefox opens each address on a diff tab. Which is a very cool thing! I didn't know one could do this! I used to use a little plug in just to do that before! So I just proceeded to change the NoScript address for the 2nd one I wanted and voila! The problem is solved!
Thanks again Giorgio

Javier

@javierdl:
It must not do it everytime you open Firefox, but just when NoScript gets updated, showing its release notes.
Even so you can turn off this behavior as explained here.

But if it's doing that everytime as you suggest, either something is preventing your preferences from being written (current version number should be stored as noscript.version in your about:config preferences) or you accidentally set it as your home page (check Tools|Options|Main|Startup).

[Giorgio Maone]

@luntrus:
Could you explain what the "hack" is supposed to be?
I cannot see anything there which NoScript should prevent but happening despite of this.
Am I missing something?

[kgbme]

Hi, thanks again for this marvel!..:) Just wondering, how come I've got the 1.7.9 version - when, 1.7.8 (edit: yes, yes that would be 1.8, instead of 1.7.8) = latest stable/dev version?!?? :S

Development version

Latest development snapshot is identical to the official release above

Code: Select all

http://rapidshare.com/files/141551392/noscript-1.7.9.zip.html

ps. Giorgio Maone, I have PMed you the RapidShare delete link for this archive!..:)

pps. O-M-G 0k so I am stupid and I have used the link myself! xD Thank you again.

[therube]

@luntrus:

At the moment, the entire jaascois.com domain is bogus. Looks to be one of those redirect pages that you might get rather the a 404 (or rather then being hacked altogether).

Anyhow, when I open http ://www.jaascois.com/software/X-Code/JAAScoisX-Code.exe, I "stay" on that page unless I click somewhere in the page. There is coding (in a frame in that page) that may redirect to http ://www.jaascois.com/?foiffs=in100fweg but perhaps you may need to click (somewhere) on the page for it to happen?

Code: Select all

<!--
top.location="http://www.jaascois.com/";
/*
-->
   <script type="text/javascript">
      <!--
         if(window.top != self)
         {
            window.top.location = "http://www.jaascois.com/";
         }
      // -->
   </script>

      <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
      <frame src="http://www.jaascois.com/?foiffs=in100fweg">
      </frameset>

      <noframes>
      <body bgcolor="#ffffff" text="#000000">
      <a href="http://www.jaascois.com/?foiffs=in100fweg">Click here to proceed</a>.
      </body>
      </noframes>
   <!--
   */
   -->

Try the same page in a clean Profile or after performing a Reset in NoScript & see if there is any difference.