Problem (bug?) enabling scripts

[Jojo999]

I thought NoScript worked to allow scripts on ONLY the site I specifically enabled the server script on. But this is not so.

In the screenshots below, you can see that I allowed YING.COM on the Yahoo tab only. But doing so, allowed it also on the 2nd site. It appears that when you enable a script in one site, NoScript enables it for ALL the tabs open in a FF session.

This is not what I wanted to happen and it doesn't seem what should happen. It also seems like it could be a security problem.

Screenshots:
http://www.fototime.com/99DD5A04976D766/orig.jpg

[Alan Baxter]

Use about:config to set noscript.autoReload.allTabs to false.
Auto-Reload_Page FAQ

[Jojo999]

Use about:config to set noscript.autoReload.allTabs to false.
Auto-Reload_Page FAQ

Thanks but it isn't the multiple reloading that I am concerned about. It is the fact that tabs OTHER THAN the one I turned on get enabled ALSO.

[Alan Baxter]

Not a bug. NoScript has always done it that way. If I add a site to my whitelist, I want it to be effective automatically on any new tabs and future navigation on existing tabs. I don't see how it's a security issue. You should whitelist only sites that you trust.

To work around your concern, I suggest you:
- Temporarily Allow the site
- Restrict your browsing to tabs where you want the site Allowed while the temporary permission is in effect
- Revoke Temporary Permissions when you are done browsing with that permission

[GµårÐïåñ]

Yes, this is intended behavior. When you allow a site, it is assumed to be globally trusted. If you want to trust it but limit it to that site only, use ABE configuration to accomplish that. You can allow yimg.com and then in ABE.

1. Goto Options
2. Click on Advanced tab
3. Click on the ABE tab
4. Click on user on the left
5. Click Edit
6. Write the following:

Site *.yimg.com
Accept from *.yahoo.com yahoo.com *.yimg.com yimg.com
Deny

7. Save

Now you keep yimg.com allowed on NoScript menu all the time but this ABE rule will make sure only Yahoo and Yahoo Image domains have access to it, you are protected on all other sites that try to use it, nothing will happen. Hope this helps.

[Jojo999]

Not a bug. NoScript has always done it that way. If I add a site to my whitelist, I want it to be effective automatically on any new tabs and future navigation on existing tabs. I don't see how it's a security issue. You should whitelist only sites that you trust.

To work around your concern, I suggest you:
- Temporarily Allow the site
- Restrict your browsing to tabs where you want the site Allowed while the temporary permission is in effect
- Revoke Temporary Permissions when you are done browsing with that permission

Each tab SHOULD be handled as a separate environment. But perhaps that is not easy to do in an implementation like FF where every tab is mashed into one big address space, unlike say Google Chrome where each tab has it's own separate address space.

I don't add ANY sites to my whitelist because I never know who is going to gain control of those sites, or if management will make a new partner agreement with someone and something I don't like will then get enabled automatically. That DOES NOT seem like a good thing to do.

Your 3 suggestions are not workable in real life (or how I run my life). I commonly have 50+ tabs open at any one time. Following what you suggest would be close to devolving into a single process operation environment.

[Jojo999]

Yes, this is intended behavior. When you allow a site, it is assumed to be globally trusted. If you want to trust it but limit it to that site only, use ABE configuration to accomplish that. You can allow yimg.com and then in ABE.

1. Goto Options
2. Click on Advanced tab
3. Click on the ABE tab
4. Click on user on the left
5. Click Edit
6. Write the following:

Site *.yimg.com
Accept from *.yahoo.com yahoo.com *.yimg.com yimg.com
Deny

7. Save

Now you keep yimg.com allowed on NoScript menu all the time but this ABE rule will make sure only Yahoo and Yahoo Image domains have access to it, you are protected on all other sites that try to use it, nothing will happen. Hope this helps.

OK, I will try this suggestion. But I am unclear on this syntax:

Accept from *.yahoo.com yahoo.com *.yimg.com yimg.com

Can you point me to some doc on this syntax so I might be able to apply it to other sites?

[GµårÐïåñ]

You can get more information at http://noscript.net/abe/

[Jojo999]

Yes, this is intended behavior. When you allow a site, it is assumed to be globally trusted. If you want to trust it but limit it to that site only, use ABE configuration to accomplish that. You can allow yimg.com and then in ABE.

1. Goto Options
2. Click on Advanced tab
3. Click on the ABE tab
4. Click on user on the left
5. Click Edit
6. Write the following:

Site *.yimg.com
Accept from *.yahoo.com yahoo.com *.yimg.com yimg.com
Deny

7. Save

Now you keep yimg.com allowed on NoScript menu all the time but this ABE rule will make sure only Yahoo and Yahoo Image domains have access to it, you are protected on all other sites that try to use it, nothing will happen. Hope this helps.

I tried to add this as per the instructions you gave. But when I got to step #5 and clicked the EdIT button, I get this error window:

================
Windows cannot open this file:

File: USER.abe

To open this file, Windows needs to know what program created it. Windows
can go online to look it up automatically, or you can manually select from a list of
programs on your computer.

What do you want to do?
Use the Web service to find the appropriate program
Select the program from a list
================

DO I have to link Notepad to do the editing in? Or some other program?

[GµårÐïåñ]

Just select notepad and you are done. In the old days it would automatically open with notepad but not recently, it might be a bug that Giorgio can fix or you can just simply browse for notepad when prompted, select it and make sure the checkbox is checked for always use, and it will be fine. Hope you get it working.

[Jojo999]

I have been running the YIMG block in ABE and it seemed to be functioning OK. But I guess that might have to do with the fact that I didn't hit another site that required YIMG.

I did so today and discovered that YIMG images will not display on sites other than Yahoo (as per the ABE rule) even though I temporarily allowed them in the NS control in the status bar.

There needs to be a way to temporarily bypass ABE also.

Screenshot:
http://www.fototime.com/A716D5CEDE5BA85/orig.jpg

[Jojo999]

I'm a bit mixed up here about this YIMG.com issue.

I have yimg.com allowed through the script list at Yahoo.com. BUT of course, when I allow yimg.com at Yahoo.com, it also gets globally allowed at all other sites (I can see this with the toggle "forbid yimg.com" entry in the script list on each site).

BUT I have the ABE rule implemented.

So HOW do I know that the ABE is actually blocking access to yimg.com at sites other than Yahoo.com?

btw: There is no indication that I notice that an ABE rule is in effect for an entry in the script list. It would be nice to see a small ABE symbol next to entries in the script list that are controlled by an ABE rule. That would give the user a clue if there were problems.

[therube]

If I change the ABE rule to only Accept from yahoo.com

Then if I follow a link to a site like, http://shopping.yimg.com/

I get an ABE warning at the top of the page & the page does not load.

If I close the warning, then manually reload the page, the page will load, but is a state of disarray.

The NoScript icon shows that the page is allowed (is that the meaning of the icon), yet it must not be (or else it would display properly), & that makes it kind of confusing?

[Alan Baxter]

The ABE notification bar isn't appearing for me when I load http://shopping.yimg.com/. Several ABE messages are appearing in the Error Console. The page loads, but appears like no style is being applied. (Sort of like selecting View > Page Style > No Style from the Firefox menu bar. Why isn't the ABE notification bar appearing for me? I've verified that ABE notifications and the Notification bar are enabled in the NoScript Options.

Default NoScript 1.9.9.45 settings. ABE USER rule changed to.

Code: Select all

# User-defined rules. Feel free to experiment here.
Site *.yimg.com
Accept from yahoo.com
Deny

Error Console:

Code: Select all

[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/combo?yui/2.7.0/build/reset-fonts-grids/reset-fonts-grids.css&shop/s2/sh_global_200910211639.css&shop/s2/sh_topshop_200908101535.css&uh/15/css/uh-1.0.28.css <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/brand/purplelogo/uh/us/shop.gif <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/gr/sprite_primary_colors_043009.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/gr/sprite_alpha_043009.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/gr/sprite_secondary_colors_081809.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/gr/sprite_repeat_h_121208.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/ydeals/sprite_shadow_repeating_091808.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/brand/purplelogo/uh/us/shop.gif <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/lib/uh/15/sprites/shopping-1.0.0.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/gr/sprite_primary_colors_043009.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/gr/sprite_repeat_h_121208.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/ydeals/sprite_shadow_repeating_091808.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/gr/sprite_secondary_colors_081809.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/gr/sprite_alpha_043009.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/gr/valentines_topshop_012610_right.png <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/i/us/sh/gr/valentines_topshop_012610_left.jpg <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://ads.yimg.com/a/a/ya/yahoo_shopping5/add_to_yahoo_shoppng_2.gif <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/a/combo?yui/2.7.0/build/yahoo-dom-event/yahoo-dom-event.js&yui/2.7.0/build/imageloader/imageloader-min.js&shop/s2/sh_global_200904101603.js <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny
 ----------
Error: YAHOO.Shopping is undefined
Source file: http://shopping.yimg.com/
Line: 237
 ----------
Error: YAHOO.Shopping is undefined
Source file: http://shopping.yimg.com/
Line: 239
 ----------
[ABE] <*.yimg.com> Deny on {GET http://l.yimg.com/d/lib/bc/bc_2.0.4.js <<< http://shopping.yimg.com/, http://shopping.yimg.com/}
USER rule:
Site *.yimg.com
Accept from yahoo.com
Deny

[therube]

Options | Notifications, ABE -> checkmarked?