by Tom T. » Sun Mar 25, 2012 5:31 am
cypherpunks wrote:Tom T. wrote:Perhaps Giorgio kept this in the
Default Whitelist because he felt that the many people who donated their time to contribute to Firefox should at least have their names listed, even in some obscure place that few will see?
It sounds like a good reason, but it's a plain HTML, so the names would be listed regardless of the whitelist entry
Perhaps the site used to contain scripts, but it does not anymore.
Kind of what I was suggesting in noting that even after removing it, the credits still ran. So yes, no script permission required.
I'll ask Giorgio whether this needs to remain, and if so, why.
Or more likely, all about: pages were whitelisted without a deeper scrutiny, simply to be on the safe side.
This and about:blank are the only ones that appear removable to me. The rest are grayed out.
about:config
noscript.mandatory gives this list:
- Code: Select all
chrome: blob: about: about:addons about:blocked about:crashes about:home about:config about:neterror about:certerror about:memory about:plugins about:privatebrowsing about:sessionrestore about:support resource:
Per
Default Whitelist FAQ,
# chrome:
It's the only "permanent" one. It can't be removed because it is the privileged pseudo-protocol used by Firefox internal scripts: disabling it would prevent the browser itself from working.
# about:xyz
A bunch of about: internal pseudo URLs. You'd better keep them there because they help your browser to work as expected.
Presumably, graying out most while allowing :blank and :credits to be user-deleted means that the rest do in fact serve a need. And that by not graying out :credits, there's an implication that it's OK to remove. Note the warning that in some cases, :blank *is* needed.
But again, when he visits us, we'll get the full story.
Now that about:credits redirects to a page in the scary world of internetz, it would make sense to reconsider the need for this whitelist entry if it's not required for anything - even if the site in question is in a relatively safe harbor of Mozilla servers.
No argument here, unless Giorgio has one unknown to this user.
Tom T. wrote:Your useragent shows Firefox 5.0.
Tor Browser spoofs the user agent string for better anonymity, actually my browser is up-to-date.
Thanks -- will add that to my knowledge base.
It may also explain why some fairly savvy users come here with what look to be quite out-of-date browsers, and perhaps don't want to admit that they're on Tor. Did they not know that it's detectable?
On that topic, when Fx 2.x reached end-of-life, one online bank warned that they would stop allowing connections with F2 within three months or so. That would be about April 2009. As a test, I changed the UA on a saved install of F2 to be whatever was the latest F3, and it worked. D'oh, not checking very deeply, people. Even the Gecko version was still from F2. It was only last week that the page design no longer accommodated F2 properly --but in this occasional curiosity-test, *it still let me log in.* Sigh..
Will give Giorgio a holler shortly. Thanks for bringing this up.
[quote="cypherpunks"][quote="Tom T."]Perhaps Giorgio kept this in the [url=http://noscript.net/faq#qa1_5]Default Whitelist[/url] because he felt that the many people who donated their time to contribute to Firefox should at least have their names listed, even in some obscure place that few will see?[/quote]
It sounds like a good reason, but it's a plain HTML, so the names would be listed regardless of the whitelist entry ;) Perhaps the site used to contain scripts, but it does not anymore. [/quote]
Kind of what I was suggesting in noting that even after removing it, the credits still ran. So yes, no script permission required.
I'll ask Giorgio whether this needs to remain, and if so, why.
[quote]Or more likely, all about: pages were whitelisted without a deeper scrutiny, simply to be on the safe side.[/quote]
This and about:blank are the only ones that appear removable to me. The rest are grayed out.
about:config [b]noscript.mandatory[/b] gives this list:
[code]chrome: blob: about: about:addons about:blocked about:crashes about:home about:config about:neterror about:certerror about:memory about:plugins about:privatebrowsing about:sessionrestore about:support resource:[/code]
Per [url=http://noscript.net/faq#qa1_5]Default Whitelist FAQ[/url],
[quote]# chrome:
It's the only "permanent" one. It can't be removed because it is the privileged pseudo-protocol used by Firefox internal scripts: disabling it would prevent the browser itself from working.
# about:xyz
A bunch of about: internal pseudo URLs. You'd better keep them there because they help your browser to work as expected.
[/quote]
Presumably, graying out most while allowing :blank and :credits to be user-deleted means that the rest do in fact serve a need. And that by not graying out :credits, there's an implication that it's OK to remove. Note the warning that in some cases, :blank *is* needed.
But again, when he visits us, we'll get the full story.
[quote] Now that about:credits redirects to a page in the scary world of internetz, it would make sense to reconsider the need for this whitelist entry if it's not required for anything - even if the site in question is in a relatively safe harbor of Mozilla servers.[/quote]
No argument here, unless Giorgio has one unknown to this user.
[quote][quote="Tom T."]Your useragent shows Firefox 5.0.[/quote]
Tor Browser spoofs the user agent string for better anonymity, actually my browser is up-to-date.[/quote]
Thanks -- will add that to my knowledge base. ;)
It may also explain why some fairly savvy users come here with what look to be quite out-of-date browsers, and perhaps don't want to admit that they're on Tor. Did they not know that it's detectable?
On that topic, when Fx 2.x reached end-of-life, one online bank warned that they would stop allowing connections with F2 within three months or so. That would be about April 2009. As a test, I changed the UA on a saved install of F2 to be whatever was the latest F3, and it worked. D'oh, not checking very deeply, people. Even the Gecko version was still from F2. It was only last week that the page design no longer accommodated F2 properly --but in this occasional curiosity-test, *it still let me log in.* Sigh..
Will give Giorgio a holler shortly. Thanks for bringing this up.
