InformAction Forums

[iDrugoy]

Where does noscript save blacklist data? I'd like to find and edit that file, as I think there will never be an option to edit this list within from the extension.

[iDrugoy]

I'd like to edit blacklist. Where do these data get stored?

[GµårÐïåñ]

about:config -> noscript.untrusted
knock yourself out...

[GµårÐïåñ]

I'd like to edit blacklist. Where do these data get stored?

and don't double post...I merged your other post to this one...

[Tom T.]

<snip> I'd like to find and edit that file, as I think there will never be an option to edit this list within from the extension.

I'd like to see it myself, but I think you're right, as it's been requested several times before.

I think that what my very good friend GµårÐïåñ, who has been quite burdened with his Real World responsibilities lately, was trying to say, was:

Open about:config, type in the Filter bar:

noscript.un (that's enough to bring up Untrusted), and add or delete entries, leaving exactly one blank space in between each.

[iDrugoy]

Didn't mean to doublepost (actually, I DID delete the 1st created topic before creating the 2nd one, but seems like something went wrong).
So if they are stored in about:config then physically they are stored in prefs.js
This is quite dumb: just imagine if AdBlock rules were stored there too. But it doesn't. Instead, it uses a separate file and NoScript could do so too. And I requested to add black list editor 1.5 years ago.
Turning off NoScript for another 1.5 years with hope to see any REAL progress in it's development.

[GµårÐïåñ]

Where would you suggest he puts it? ABP saves all the custom filters in config too, only the maintained rules are served externally. For NS the config item is for redundancy and he has been busting his ass putting a solid tool out there and working on the next release which is a culmination of many years of work, so you can go away and come back or just be patient and grateful. Your call. If you have any other tool that does what NS does for you, certainly not ABP, then go for it. I am sick of having to coddle people with opinions and yet no constructive ideas.

[Tom T.]

So if they are stored in about:config then physically they are stored in prefs.js

Yes, under
user_pref("noscript.untrusted",

As a work-around, you could create a shortcut to prefs.js, either on your desktop, Start menu, or wherever.

FWIW, I created an Environment Variable such that typing %fx% into Run opens the Profiles folder, as I have more than one profile. The reason for using an EV instead of a shortcut is that I back up these (and other things) regularly, to a flash drive, and this saves a lot of typing of file paths when writing the DOS batch scripts.

I agree that it is both useful and somewhat intuitive to expect a Blacklist next to, or as part of, the Whitelist in the GUI. I will make one more try at asking for this.

Turning off NoScript for another 1.5 years with hope to see any REAL progress in it's development.

There is an old saying about "cutting off your nose to spite your face". You wouldn't be punishing NoScript or Giorgio Maone, you'd be punishing yourself with a substantial drop in Web security. Don't forget XSS, Clickjack, ABE, and many other protections unequalled elsewhere.

No "real" progress? Just five days ago, NoScript for Mobile was completed. Please read the announcement, and see what considerable improvements have been made, which will also be ported to NS 3.x for desktop, e. g.:

Furthermore, while the in-page permission UI has been greatly simplified and optimized for touchscreen consumption, NoScript for Mobile In-Page Permissions UI the underlying engine has been redesigned to allow deep per-site customization at the single permission level (e.g. making Flash permanently work by default on site X but not on site Y, even if JavaScript is allowed on both, or causing restrictions on a certain embedded object to depend on its parent page’s address). These fine grained permissions will be configured through a new desktop UI (under development, slated for inclusion in the first cross-device NoScript 3 beta) and synchronized safely via Firefox Sync across all the PCs, tablets and smartphones where NoScript is installed.

Talking about synchronization, you can already share your NoScript settings among your mobile devices (just check the “Enable Remote Sync” option), but you’ll need to wait for the aforementioned cross-device beta to include your PC in the synchronization pool.

Last but not least, NoScript 3 doesn’t require a browser restart on installation and updates, which means that hot fixes for new security threats can be deployed in a more effective, timely and convenient way.

If you'll pardon my saying so, those are far greater improvements than a blacklist GUI would be. And undoubtedly consumed a great deal of the developer's time.

Please scan other articles at Giorgio's blog, and browse through the changelog.
I think you'll agree that "no real progress" is, uh, um, an "understatement", to say the least.

There's another saying about "Don't throw the baby out with the bathwater". I. e., the bathwater is now dirty, so you drain the tub, but you don't throw the baby down the drain as well. NS is lacking one feature that you desire, but to throw away everything else because of that...

You *do* understand that we get many, many request for feature enhancements? And that not all can be done, even though each thinks theirs is crucial, or would be highly popular? NS has been praised for avoiding the bloat so common to sw projects, both paid and free. (And this one is free.) Heck, I'm a Global Moderator here, and not all of my requests for enhancement have been heeded. But I'm not the one who's donated thousands (or tens of thousands) of hours of his own time to developing, maintaining, and enhancing a free, open-source tool that is approaching 100 million downloads.

I understand your disappointment at not getting the feature you wanted. I personally consider the Web as too dangerous to use without NS, but if you wish to expose yourself to those many threats, including future threats that NS already protects against proactively (there have been many times that a new threat is announced, but NS users are *already* protected), that's your choice.

And thanks for explaining about the double-posting.

[iDrugoy]

So if they are stored in about:config then physically they are stored in prefs.js

Yes, under
user_pref("noscript.untrusted",

As a work-around, you could create a shortcut to prefs.js, either on your desktop, Start menu, or wherever.

FWIW, I created an Environment Variable such that typing %fx% into Run opens the Profiles folder, as I have more than one profile. The reason for using an EV instead of a shortcut is that I back up these (and other things) regularly, to a flash drive, and this saves a lot of typing of file paths when writing the DOS batch scripts.

Who said I got any problems in reaching my fx profile folder fast?
The problem is that NS saves info to the place not supposed to contain such data.
I think on your PC you don't have your ALL files in the same folder. You use different folders with different paths.
Now think a bit why do you use it that way and you'll find reason why I'm against having NS rules stored in that file.

I agree that it is both useful and somewhat intuitive to expect a Blacklist next to, or as part of, the Whitelist in the GUI. I will make one more try at asking for this.

So Giorgio's development process is based on chaos? Having no issue tracker and the priority system is a considered bad manners in the whole programming world.

Turning off NoScript for another 1.5 years with hope to see any REAL progress in it's development.

There is an old saying about "cutting off your nose to spite your face". You wouldn't be punishing NoScript or Giorgio Maone, you'd be punishing yourself with a substantial drop in Web security. Don't forget XSS, Clickjack, ABE, and many other protections unequalled elsewhere.

There is a similar Russian saying "don't threaten a hedgehog with your naked ass".
But the thing is that I'm not trying to punish anyone: neither NS nor GM. I just said that because NS is not usable for me in it's current state. There are still no normal interface for subscriptions, no black-list editor and no separate file for storing rules.
This makes NS absolutely non-usable for me and I won't suffer much without it.
I also don't believe in the existence of XSS/Clickjacking on normal sites. And I always know what site I'm on, so I'll never be a victim of phishing site which pretends to be another, popular one.
I would also never type-in anything from a one site into another through an iframe. And not a single NoScript would protect me in case I would.

No "real" progress? Just five days ago, NoScript for Mobile was completed. Please read the announcement, and see what considerable improvements have been made, which will also be ported to NS 3.x for desktop, e. g.:

Great, but I don't care about it yet, since I don't have a modern smartphone.

In-Page Permissions UI the underlying engine has been redesigned to allow deep per-site customization at the single permission level (e.g. making Flash permanently work by default on site X but not on site Y, even if JavaScript is allowed on both, or causing restrictions on a certain embedded object to depend on its parent page’s address). These fine grained permissions will be configured through a new desktop UI (under development, slated for inclusion in the first cross-device NoScript 3 beta) and synchronized safely via Firefox Sync across all the PCs, tablets and smartphones where NoScript is installed.

I didn't find anything corresponding to NS in about:permissions.
Will it be using about:permissions window? If not - then it is wrong.

If you'll pardon my saying so, those are far greater improvements than a blacklist GUI would be. And undoubtedly consumed a great deal of the developer's time.

For you, but not for me. I want NS to work like ABP does: I'd like to have subscriptions, would like to be able to add my own rules, would to be able to uncheck the rules I don't like from the subcription. This all can't be done without blacklist editor. NoScript has TWO lists: whitelist and blacklist. I don't see any logic to let users edit only one of them. That is just beyond my understanding.

Please scan other articles at Giorgio's blog, and browse through the changelog.
I think you'll agree that "no real progress" is, uh, um, an "understatement", to say the least.

That's all nice, but currently it still remains unusable for me.
I won't manually create rules for every site I visit. Thousands years ago humans invented a so called "division of labor" system. And I see no reasons to ignore the benefits of such a system. In other words: I'd like to subscribe once and forget about creating rules. In case I'd need a rule for a specific site - I would suggest my own rule or ask the subscription's maintainers to handle that site.
This is how it should work.

There's another saying about "Don't throw the baby out with the bathwater". I. e., the bathwater is now dirty, so you drain the tub, but you don't throw the baby down the drain as well. NS is lacking one feature that you desire, but to throw away everything else because of that...

Actually, I feel pretty good with other kinds of protection: I use RefControl to send no referrers (until needed), I use BetterPrivacy to clean super-cookies (flash cookies), I use Cookies Permissions (button for Custom Buttons) to whitelist sites I want to keep cookies for (+ it vanishes unprotected cookies once in a few hours), I use ABP's "anti-counters" subscription which doesn't let sites' counters to track me. + I'm always aware of what site I'm on.

You *do* understand that we get many, many request for feature enhancements? And that not all can be done, even though each thinks theirs is crucial, or would be highly popular?

I do. And do you understand that keeping a chaotic choice system as a basement at software development leads to nowhere? There should be a bug tracker. There should be a priority system based on security_risk/votes.

I understand your disappointment at not getting the feature you wanted. I personally consider the Web as too dangerous to use without NS, but if you wish to expose yourself to those many threats, including future threats that NS already protects against proactively (there have been many times that a new threat is announced, but NS users are *already* protected), that's your choice.

I've listed above my measures of defense, could you please name the list of threats I'm vulnerable to?

[Tom T.]

Having no issue tracker

A feature request is not an issue.

and the priority system

As said, the priority was to produce NS Mobile, while still fixing any bugs found in the desktop version, providing protection against emerging threats, strengthening existing ones...

But the thing is that I'm not trying to punish anyone: neither NS nor GM. I just said that because NS is not usable for me in it's current state. There are still no normal interface for subscriptions, no black-list editor and no separate file for storing rules.

Because it's open-source, you are perfectly free to create your own fork of it to suit your needs.

I also don't believe in the existence of XSS/Clickjacking on normal sites.

The fact that you don't believe in the existence of burglars doesn't mean that they don''t exist, nor that they can't hurt you.
Are McAfee, Amazon, PayPal, and eBay not "normal" sites?

No "real" progress? Just five days ago, NoScript for Mobile was completed. Please read the announcement, and see what considerable improvements have been made, which will also be ported to NS 3.x for desktop, e. g.:

Great, but I don't care about it yet, since I don't have a modern smartphone.

Clearly, you didn't read the part about "soon being ported to desktop", even though I put it in bold type for you. I'll make it even bigger.
Edit: Was that big enough?

I want NS to work like ABP does: I'd like to have subscriptions, would like to be able to add my own rules, would to be able to uncheck the rules I don't like from the subcription. This all can't be done without blacklist editor. NoScript has TWO lists: whitelist and blacklist. I don't see any logic to let users edit only one of them. That is just beyond my understanding.

Because it's open-source, you are perfectly free to create your own fork of it to suit your needs.

I won't manually create rules for every site I visit. ... I'd like to subscribe once and forget about creating rules.

That issue has been brought up before. The problem is trusting a third party with critical security decisions that the user should make, which is far more crucial than merely blocking ads. Not to mention that each user's needs, usage habits, etc. are different. And how up-to-date the list would be. The very idea of NS is to give the control to the user.

You *do* understand that we get many, many request for feature enhancements? And that not all can be done, even though each thinks theirs is crucial, or would be highly popular?

There should be a priority system based on security_risk/votes.

This isn't a democracy. And ballot-stuffing at review sites and such is notorious.

I've listed above my measures of defense, could you please name the list of threats I'm vulnerable to?

No, because they're in the FAQ page. Read them. Or just discover them after they've happened to you.

There is a similar Russian saying "don't threaten a hedgehog with your naked ass".

Well, if we're going there, the famous scientist Isaac Asimov reportedly said, "Never try to teach a pig to sing. It wastes your time and annoys the pig."

No more time-wasting here. This conversation is over. Use NS, don't use it, create your own fork, whatever.
But if disinformation continues to be spread, the topic will be locked if necessary.
Good luck to you. You'll need it.

[dhouwn]

Having no issue tracker

A feature request is not an issue.

The absence of a "good" feature is an issue IMHO.
Giorgio talks about putting things on a to-do list, no idea whether it's a text file, post-its on a wall or whatnot but apparently he has something like that, just not public.

There are still no normal interface for subscriptions

I don't think you would need an interface for creating an add-on that manages/downloads/merges NoScript rules.

[iDrugoy]

A feature request is not an issue.

In bug tracker - they are equal.

Because it's open-source, you are perfectly free to create your own fork of it to suit your needs.

I'm not a programmer, but I could maintain a subscription, if there would be an easy way to edit/import/export both black- and white-lists + properly stored rules.

The fact that you don't believe in the existence of burglars doesn't mean that they don''t exist, nor that they can't hurt you.
Are McAfee, Amazon, PayPal, and eBay not "normal" sites?

Seems like there is something I don't understand.
If a respectful site has an XSS - who can use this XSS to make me somehow suffer? No one, as just the existence of an XSS is not hurtful itself, it becomes so only in case you are made to execute some code on that page manually. (I saw XSSed sites which could give you an alert with "hello world" if you execute the proper code.)
Is my answer correct?

Clearly, you didn't read the part about "soon being ported to desktop", even though I put it in bold type for you. I'll make it even bigger.
Edit: Was that big enough?

I did read that. And that's why I wrote a word "yet" Which means "yet until it got ported to desktop or yet until I get a modern smartphone", not just "yet until I get a modern smartphone".

Because it's open-source, you are perfectly free to create your own fork of it to suit your needs.

Why are you keeping to say that? I'm aware it's open-source. I'm grateful that it is free, but as I'm not a programmer - I can't contribute any code. And it would be really a strange world if doctors would be busy not with their patients, but with coding, right? You remember when I've said about "division of labor", right?

That issue has been brought up before. The problem is trusting a third party with critical security decisions that the user should make, which is far more crucial than merely blocking ads. Not to mention that each user's needs, usage habits, etc. are different. And how up-to-date the list would be. The very idea of NS is to give the control to the user.

I remember those discussions. But why not let people decide themselves whether to use a subscription or to use only their own rules? Having an option - is actually better then not having one. Go "mozilla way" - give a choice.
+ Usual users understand nothing in web security and yes, it's better for such users to be protected by someone, who'd maintain subscription instead of those users.
There won't be any problems with trust, if the subcription would be maintained openly, e.g. it would be seen which rules are added/deleted and who requested/suggested every concrete rule.

You *do* understand that we get many, many request for feature enhancements? And that not all can be done, even though each thinks theirs is crucial, or would be highly popular?

I do understand that they should be listed (with a "wontfix" status), so no one would duplicate them + could read an explanation of why they got wontfix.
And I also think that if many users vote for some enhancement that you won't make have a high priority - you should actually take into account what users want.
Now the majority's need may stay ignored and that is not correct, in my opinion.

This isn't a democracy. And ballot-stuffing at review sites and such is notorious.
Yes, it's not a democracy, that's why the product is not as good as it could be.
I think Giorgio is interested in having a better product too, then he'd better be interested in democracy way at prioritizing issues.
That's why I said that current system is chaotic, because no one knows what happens in Giorgio's head [in a good meaning]. He might forget something or might be reminded of something not so useful or so.

No, because they're in the FAQ page. Read them. Or just discover them after they've happened to you.

Okay. But that FAQ for makes no use, as there is an explanation of XSS and at the same time there is not explained what it actually is and how it works. There are just some general words. Maybe I'm just too dumb, but that kind of explanation there - doesn't make the situation clear for me.

Well, if we're going there, the famous scientist Isaac Asimov reportedly said, "Never try to teach a pig to sing. It wastes your time and annoys the pig."
No more time-wasting here. This conversation is over. Use NS, don't use it, create your own fork, whatever.
But if disinformation continues to be spread, the topic will be locked if necessary.
Good luck to you. You'll need it.

You are harsh, man.
Maybe my knowledge of English doesn't let me sometimes understand that my words might sound aggressive, in that case sorry, but I didn't really mean to sound so.
If you think that you waste your time here - you may stop replying me, it's your right.
But I think that "spreading a word", i.e. educate others - is a great mission. It is the only thing that is truly a 100% good deed.
Thanks for your wishing of good luck to me and I am wishing to be less sensitive to you. (-:

[iDrugoy]

I don't think you would need an interface for creating an add-on that manages/downloads/merges NoScript rules.

What are you talking about? I don't need any separate add-on that manages/downloads/merges NoScript rules. It should be part of NoScript and I was talking about having such an interface inside NoScript. Currently there is a white-list editor. But there is also a blacklist and no blacklist editor.

[dhouwn]

it becomes so only in case you are made to execute some code on that page manually.

You mean if you click on a let's say tinyurl link manually?

I don't need any separate add-on that manages/downloads/merges NoScript rules. It should be part of NoScript

There are certain schools of thought that would disagree, according to them programs should be simple (and somewhat atomic) but also extensible through other programs, ie. new features as separate programs esp. if the new features are not features everyone might use.

[Tom T.]

You are harsh, man.
Maybe my knowledge of English doesn't let me sometimes understand that my words might sound aggressive, in that case sorry, but I didn't really mean to sound so.

The saying about the hedgehog was crude, vulgar, and did sound aggressive and insulting.

But I think that "spreading a word", i.e. educate others - is a great mission. It is the only thing that is truly a 100% good deed.:

Not when the word you spread is

This makes NS absolutely non-usable for me and I won't suffer much without it.

That is your opinion, and you're certainly entitled to it. But then why have you used it for so long? (rhetorical question - don't need to answser.)

Others reading your post may believe that they won't suffer much without NS, and that is why it is not a good deed and should be refuted - as dhouwn did with a single example.
Thank you for toning down the conversation.