Chaining "Allow all this Page"

[biff]

Often times when I activate "Allow all this page," it will clear the NoScript Logo icon for a second, but then it will go yellow again. Is there an option to automatically keep doing "allow this page" until it stays clear? (Could be implemented with a timeout, etc.)

If not, I request that be added as a feature, so I don't need to do it like 10 times (on some websites).

[thunderscript]

http://forums.informaction.com/viewtopic.php?f=7&t=8309

[Guest]

It looks like that topic is locked, so I can't add any comments. I read through several of the posts, though not all four pages.

So, I realize I could select "allow scripts globally," and then turn off it off when I'm done with the page, but I'd like something more convenient. I understand it's dangerous, but not more so than "allow scripts globally". The proposal is to add a new menu option:

"Allow Cascading Loads from <website>"

The behavior would be that when you click it, it sets a timer (perhaps configurable, with a default of 5 seconds), and then runs the same logic as "Allow <website>" now except that that if more scripts that would be allowed by another invocation of "Allow <website>" arrive within the timeout, the timeout is reset and the "Allow <website>" logic is run again. Once the timer expires, then nothing more is let through without user interaction.

I get distracted easy as I have many windows open, so having to set something and then clear it is, for me, more dangerous.

[Hecuba's daughter]

nvm

[Thrawn]

At its most fundamental, the issue boils down to this: By 'cascading' the allows, you will be allowing sites to run scripts before seeing them on the menu and getting a chance to vet them.

So, have you already checked before and confirmed that all scripts from this site are safe?
If you have, then you should permanently whitelist the sites that are needed - manually, but only once - and then you're set.
If you have not checked before, then a cascading allow is conceptually the same thing as global allow. You may think that it is safer, because you trust the main site, but this is a false sense of security. You're trusting sites before you know what they are, simply because you're visiting them, and you're back to the default browser allow-all policy.

[Hecuba's daughter]

nvm

[original poster]

I could understand if someone were too busy to implement a feature, or wanted to be paid, but it's frustrating that I know exactly what I want and the thought is that I shouldn't have it, because I'm not going to use it responsibly If I don't have this feature, I'm simply going to repeatedly execute "temporarily allow all this page" without reading anything until the icon clears or whatever functionality I need starts working. Yes, I'm trusting the main site a little, and also in OS and browser security updates, as well as virus and malware scanners and HIPS firewall (layered security). I want to have the extra protection of NS when I want it, and to shed it when I have no time to deal - that's my choice, in the same way a motorcyclist takes a risk to ride on two wheels.

Now, I don't like the "allow global scripts" check/uncheck approach for two reasons. First, my understanding is that this would allow ALL scripts, such as in other browser windows where I don't want to weaken security, rather just in the window I'm hammering with "temporarily allow all this page". So from that point of view, it's already worse. Secondly, I don't want extra work, which having to flip a switch and then make sure to flip it back would be, as opposed to a one click job. (Right now I'm doing more work of course, but I wouldn't be if my suggestion were implemented.)

I wouldn't say I'm forgetful as much as very busy - I was joking a bit as I didn't realize I would encounter resistance to what I see as a user-friendly and wise suggestion. I'm reminded a bit of Apple by all of this, where I hear the people at the top decide what the customers need, rather than the other way around. (I'm not saying you don't have the right to do whatever you want with your own software; I'm just saying I think customer usability, including a realistic acceptance of what customers are actually willing to put up with, is the better approach.) Other people who've hit this issue may simply turn off script blocking entirely rather than deal with the hassle. As for the unsuspecting user fear, I'm sure there are ways to make sure the user knows any potential danger. You could require a special checkbox somewhere to enable it with a big nasty warning.

Anyway, the only thing accomplished by not having this is forcing me to do it (allow all this page) manually and perhaps give my fingers good exercise.

[Guest]

If you have not checked before, then a cascading allow is conceptually the same thing as global allow.

Indeed, it is not just conceptual but actually Global Allow with bells on.
The user to me appears to be asking for Global Allow - but only per tab - plus with a time-out; quite the complex idea.

I was fairly explicit with my request, but to restate, I am asking for "temporarily allow all this page" to be repeatedly executed
for the particular tab or window I'm interacting with (the icon changes state per tab). This Is not global allow "with bells on," but a much restricted, less dangerous option than global allow.

For example, suppose I have NBC news site open and also a porn site and I'm "multitasking". (Imagine separate windows rather than separate tabs.) So I click "temporarily allow all this page" on NBC to leave a comment, but it's still not running, so do it again etc. I want a way to just chain those cliks on that tab/window automatically, without enabling the porn site to do anything. I don't want to deal with whitelists or anything else, just a menu option right next to "temporarily allow all this page". (Understandably disabled by default if so desired as an "advanced feature".)

Of course there's a possibility NBC does something untoward, but I have other layers of security, so I'm willing to take that risk, but much less so with the porn site.

[Thrawn]

If you go to nbc.com regularly, then why do you use Temporarily Allow? As I see it, it is your use of temporary permissions that is making extra work for you - much more than the work involved in clicking the Global Allow menu item twice. If you permanently allowed what the site needs, then the issue would vanish, without needing to allow all the junk.

By the way, the noscript.autoReload.allTabsOnGlobal preference controls whether all tabs will be automatically reloaded when you toggle Scripts Globally Allowed. So, if you globally allow in the NBC tab, post your comment, then globally forbid again, without loading pages in any other tabs, you're OK.

[Hecuba's daughter]

nvm

[npcomplete]

Could this option be allowed for say, trusted sites, and/or https ?

I like noscript, but to be honest, it just breaks a lot of things for me. There are some sites, after experimenting with allowing each single included site, still does not work correctly.. but that's a separate issue than nested allows I guess.

However, what I am most concerned about are important transactions, like financial, or anything that is transaction-oriented and/or sensitive to form submissions. Having a online transaction break because you did not explicit allow some other site that it includes, uses or subsequently loads is disconcerting. I go to a page and allow everything to make that page work. I submit a form for a transaction, then it breaks. And one real danger is resubmitting or redoing something, after experimenting with "allows" that can lead to multiple transactions (e.g. two credit card charges).

[Hecuba's daughter]

nvm

[Thrawn]

This is the point of my recent idea - but either I've misunderstood the way NS blocks, or I haven't explained myself well, because Giorgio indicated that it wouldn't work .

[Hecuba's daughter]

nvm

[therube]

asking for Global Allow - but only per tab - plus with a time-out

remove sites from the temporary whitelist per tab, not per session

extra protection of NS when I want it, and to shed it when I have no time to deal

I agree with all of that .

"allow global scripts" ... this would allow ALL scripts, such as in other browser windows

Correct.
(Though typically other [then the current] pages are not affected until a refresh or until you've followed a link in another window.)

I have NBC news site open and also a porn site and I'm "multitasking". (Imagine separate windows rather than separate tabs.) So I click "temporarily allow all this page" on NBC to leave a comment, but it's still not running, so do it again etc. I want a way to just chain those cliks on that tab/window automatically, without enabling the porn site to do anything.

Exactly.

Allow Globally ... What effect it has at a session restart

There is an option, noscript.tempGlobal, to automatically disable Allow Globally on restart.