[RESOLVED] about:credits on the whitelist
cypherpunks

Post by cypherpunks »

about:credits loads https://www.mozilla.org/credits/ and it doesn't use any scripts. Is there any reason for having it on the default whitelist?
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: about:credits on the whitelist

Post by Tom T. »

cypherpunks wrote: about:credits loads https://www.mozilla.org/credits/ and it doesn't use any scripts. Is there any reason for having it on the default whitelist?
Removing it doesn't seem to break anything -- so far. It's listed in the about:config preference noscript.default, but *not* in noscript.mandatory.

Perhaps Giorgio kept this in the Default Whitelist because he felt that the many people who donated their time to contribute to Firefox should at least have their names listed, even in some obscure place that few will see?

But when I click Firefox Help > About Mozilla Firefox > Credits, the window still opens *and the credits start to scroll*.
So, something is keeping them there, and executing an auto-scroller.

The "About NoScript X.x.x" still has its credit list, although with manual scrolling required.

Not seeing much change with and without it. Perhaps Giorgio or someone else who knows can tell us the function of this entry -- it is *not* breaking the credits list in Fx or NS, at least on Fx 3.6.28. I may try on Fx 11.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Tom T.

Re: about:credits on the whitelist

Post by Tom T. »

Same thing on Fx 11.0, except that the Fx link isn't called "credits" as in F3; it's a text link in the paragraph, "... a global community..."

Still hasn't broken anything AFAICT. I might leave it that way for a while to see if anything does break, or until definitive word is given.

Interesting question.

ETA: Your useragent shows Firefox 5.0.
There have been 27 Critical security flaws fixed since then, along with 9 "High" and some number of "Moderate".

If what's showing as useragent is affected by the travel across the TOR network, it still seems that something nasty could slip in somewhere.
If it's your own, then for your own safety, please choose either of the two presently-supported versions, Fx 3.6.28 and 11.0.

NoScript does not necessarily protect you from all flaws in the browser itself. (and TOR is a privacy tool, not a security tool).
So this is very risky.
Cheers.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
cypherpunks

Re: about:credits on the whitelist

Post by cypherpunks »

Tom T. wrote: Perhaps Giorgio kept this in the Default Whitelist because he felt that the many people who donated their time to contribute to Firefox should at least have their names listed, even in some obscure place that few will see?
It sounds like a good reason, but it's a plain HTML, so the names would be listed regardless of the whitelist entry ;) Perhaps the site used to contain scripts, but it does not anymore. Or more likely, all about: pages were whitelisted without a deeper scrutiny, simply to be on the safe side. Now that about:credits redirects to a page in the scary world of internetz, it would make sense to reconsider the need for this whitelist entry if it's not required for anything - even if the site in question is in a relatively safe harbor of Mozilla servers.
Tom T. wrote: Your useragent shows Firefox 5.0.
Tor Browser spoofs the user agent string for better anonymity, actually my browser is up-to-date.
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Tom T.

Re: about:credits on the whitelist

Post by Tom T. »

cypherpunks wrote:
Tom T. wrote: Perhaps Giorgio kept this in the Default Whitelist because he felt that the many people who donated their time to contribute to Firefox should at least have their names listed, even in some obscure place that few will see?
It sounds like a good reason, but it's a plain HTML, so the names would be listed regardless of the whitelist entry ;) Perhaps the site used to contain scripts, but it does not anymore.
Kind of what I was suggesting in noting that even after removing it, the credits still ran. So yes, no script permission required.

I'll ask Giorgio whether this needs to remain, and if so, why.
cypherpunks wrote: Or more likely, all about: pages were whitelisted without a deeper scrutiny, simply to be on the safe side.
This and about:blank are the only ones that appear removable to me. The rest are grayed out.
about:config noscript.mandatory gives this list:

chrome: blob: about: about:addons about:blocked about:crashes about:home about:config about:neterror about:certerror about:memory about:plugins about:privatebrowsing about:sessionrestore about:support resource:
Per Default Whitelist FAQ,
# chrome:
It's the only "permanent" one. It can't be removed because it is the privileged pseudo-protocol used by Firefox internal scripts: disabling it would prevent the browser itself from working.

# about:xyz
A bunch of about: internal pseudo URLs. You'd better keep them there because they help your browser to work as expected.
Presumably, graying out most while allowing :blank and :credits to be user-deleted means that the rest do in fact serve a need. And that by not graying out :credits, there's an implication that it's OK to remove. Note the warning that in some cases, :blank *is* needed.

But again, when he visits us, we'll get the full story.
cypherpunks wrote: Now that about:credits redirects to a page in the scary world of internetz, it would make sense to reconsider the need for this whitelist entry if it's not required for anything - even if the site in question is in a relatively safe harbor of Mozilla servers.
No argument here, unless Giorgio has one unknown to this user.
cypherpunks wrote:
Tom T. wrote: Your useragent shows Firefox 5.0.
Tor Browser spoofs the user agent string for better anonymity, actually my browser is up-to-date.
Thanks -- will add that to my knowledge base. ;)

It may also explain why some fairly savvy users come here with what look to be quite out-of-date browsers, and perhaps don't want to admit that they're on Tor. Did they not know that it's detectable?

On that topic, when Fx 2.x reached end-of-life, one online bank warned that they would stop allowing connections with F2 within three months or so. That would be about April 2009. As a test, I changed the UA on a saved install of F2 to be whatever was the latest F3, and it worked. D'oh, not checking very deeply, people. Even the Gecko version was still from F2. It was only last week that the page design no longer accommodated F2 properly --but in this occasional curiosity-test, *it still let me log in.* Sigh..

Will give Giorgio a holler shortly. Thanks for bringing this up.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
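
The anecdote in the post above, where a Firefox 2 install was accepted after only the Firefox version in its user agent was changed, is the case a server-side consistency check catches. The following is an added example, not part of the original post or of NoScript; `checkFirefoxUA` and `LEGACY_GECKO` are hypothetical names, and the third sample string is constructed.

```javascript
// Added example (not from the thread). The table covers the release lines
// current when the thread was written; later versions are not modelled.
const LEGACY_GECKO = {
  "2.0": "1.8.1", "3.0": "1.9.0", "3.5": "1.9.1", "3.6": "1.9.2", "4.0": "2.0",
};

// Returns { ok, reason } for a Firefox-style User-Agent string by comparing
// the claimed Firefox/ release with the Gecko "rv:" token.
function checkFirefoxUA(ua) {
  const fx = /\bFirefox\/(\d+)\.(\d+)/.exec(ua);
  const rv = /[;(]\s*rv:([\d.]+)/.exec(ua);
  if (!fx || !rv) return { ok: false, reason: "missing Firefox/ or rv: token" };

  const release = `${fx[1]}.${fx[2]}`;
  // From Firefox 5 on, rv: carries the Firefox version itself; before that
  // it carries the Gecko branch, which has to be looked up.
  const expected = Number(fx[1]) >= 5 ? release : LEGACY_GECKO[release];
  if (!expected) return { ok: false, reason: `unknown release line ${release}` };

  const consistent = rv[1] === expected || rv[1].startsWith(expected + ".");
  return consistent
    ? { ok: true, reason: "rv: matches claimed release" }
    : { ok: false, reason: `Firefox/${release} implies rv:${expected}, got rv:${rv[1]}` };
}

const SAMPLES = [
  // Two user agents that appear in this thread.
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28",
  "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0",
  // Constructed: a Firefox 2 string with only the Firefox/ token edited.
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.0.8",
];

for (const ua of SAMPLES) {
  const r = checkFirefoxUA(ua);
  console.log(`${r.ok ? "OK      " : "MISMATCH"} ${r.reason} :: ${ua}`);
}
```

A fully rewritten string, such as the Firefox/5.0 one Tor Browser sends, is internally consistent and passes, so this check only flags partial edits and says nothing about the real browser version.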
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: about:credits on the whitelist

Post by Giorgio Maone »

about:credits used to be a standalone local page in early Firefox versions, and having a "Forbidden" icon on the bottom of the window for a built-in browser page reportedly caused confusion in some users.
If it's confirmed that the behavior is the same (a scriptless redirection) since Firefox 3.0, it can be indeed removed.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.

Re: about:credits on the whitelist

Post by Tom T. »

Giorgio Maone wrote: If it's confirmed that the behavior is the same (a scriptless redirection) since Firefox 3.0, it can be indeed removed.
I confirm that on both Fx 3.6.28 and Fx 11.0, with about:credits removed from the whitelist, Firefox Help > About and the link mentioned above do indeed produce a static text page listing contributors. The NoScript > About still has the scrollable list of credits.

Does this mean that you will remove about:credits from future NS releases, since it apparently serves no purpose?
Else the FAQ should probably mention this.

Deleting from Default Whitelist seems easier. Thanks, Giorgio.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
cypherpunks

Re: about:credits on the whitelist

Post by cypherpunks »

Is any action planned here? With about:credits (https://www.mozilla.org/credits/) confirmed by Tom T. to be scriptless across multiple versions, it can be safely removed.
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Tom T.

Re: about:credits on the whitelist

Post by Tom T. »

cypherpunks wrote: Is any action planned here? With about:credits (https://www.mozilla.org/credits/) confirmed by Tom T. to be scriptless across multiple versions, it can be safely removed.
I don't know if it has been removed from fresh installs of NoScript (i. e., to new users). I'll check that on a clean profile, and report back in a few minutes.

I do know that if you remove it from the whitelist manually, as I did several weeks ago (and never put it back), NoScript updates, both stable and dev builds, will honor your choice, and will not re-add it to the whitelist.

As for the FAQ, yes, there are a number of things that need updating. But with getting to a release of NoScript 3.x for the desktop as a priority, and the fact that NS 3 will change a lot of things greatly, thus necessitating substantial FAQ changes, I can understand this relatively minor matter being way down on the list.

Still, I'll give Giorgio a tap on the shoulder and ask about these changes, including to Default Whitelist FAQ, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Tom T.

Re: about:credits on the whitelist

Post by Tom T. »

Tom T. wrote:
cypherpunks wrote: Is any action planned here? With about:credits (https://www.mozilla.org/credits/) confirmed by Tom T. to be scriptless across multiple versions, it can be safely removed.
I don't know if it has been removed from fresh installs of NoScript (i. e., to new users). I'll check that on a clean profile, and report back in a few minutes.
No, with a fresh install of NS 2.3.7 on Fx 3.6.28 with a clean profile, about:credits is still in default whitelist.
Will mention to Giorgio.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
cypherpunks

Re: about:credits on the whitelist

Post by cypherpunks »

Tom T. wrote: I do know that if you remove it from the whitelist manually, as I did several weeks ago (and never put it back), NoScript updates, both stable and dev builds, will honor your choice, and will not re-add it to the whitelist.
Sure. My case is a bit specific, because I start with a clean profile every time I extract Tor Browser. I remove some other stuff from the whitelist anyway, so about:credits being there doesn't bother me or make any big difference (takes less time to delete it a hundred times than to write this post), but I figured that I might save someone else's time spent figuring out if the entry can be deleted if I report it and the obsolete URI is removed upstream.
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Tom T.

Re: about:credits on the whitelist

Post by Tom T. »

cypherpunks wrote: .... My case is a bit specific, because I start with a clean profile every time I extract Tor Browser. I remove some other stuff from the whitelist anyway, so about:credits being there doesn't bother me or make any big difference (takes less time to delete it a hundred times than to write this post), but I figured that I might save someone else's time spent figuring out if the entry can be deleted if I report it and the obsolete URI is removed upstream.
Absolutely. I support the suggestion wholeheartedly, because even if not dangerous, useless or obsolete stuff should be removed on general principle.

I was trying to think of a way that you could create a custom prefs.js file or user.js file that could be substituted after you start Tor Browser, or perhaps a simple batch script that would make the changes. But as MZ says at prefs.js article (previous link),
"It only stores changes made to the defaults, after they are written back to disk. This normally occurs when you exit the Mozilla-based application.
....
The user.js file is optional. If you have one whenever the application is started it will overwrite any settings in prefs.js with the corresponding settings from user.js."
... but your clean profile won't have the user.js, and if you import/copy it after starting, it's too late, apparently.

Maybe these brief ideas will get your creative juices flowing, and come up with a way to automate *all* of your changes from default, including this one.
If you do, by all means, share it.

WARNING: ANY SUCH METHOD WILL MOST LIKELY BE UNDOCUMENTED. NOT RECOMMENDED. USE AT YOUR OWN RISK, OR NOT AT ALL.

(sorry, I have a paranoid lawyer)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
cypherpunks

Re: about:credits on the whitelist

Post by cypherpunks »

Verified fixed in 2.3.9rc1, thanks.
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Tom T.

Re: about:credits on the whitelist

Post by Tom T. »

cypherpunks wrote: Verified fixed in 2.3.9rc1, thanks.
Yes, many thanks to Giorgio for prompt response. Will mark as Resolved, and thanks to you for following up on the request.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28