noscript.confirmSiteInfo

Nanosaur

noscript.confirmSiteInfo

Post by Nanosaur »

Hey guys,

I've got a profile created some years ago under Firefox 2. It has been carefully maintained and updated for Fx 3, 3.5, 3.6 and then our recent 4+ builds, but I think it's time to make a new one. I'm currently checking NoScript about:config prefs to decide what I want in my new profile.

So I have noscript.confirmSiteInfo and it's absent from the new profile currently. Is it a deprecated pref that's not used anymore in the latest NoScript release?

Or is it a hidden pref we're meant to create manually? In that case, what does it do?


Thanks :)
Guest

Re: noscript.confirmSiteInfo

Post by Guest »

Some additional prefs that I forgot exactly what they do. Could you tell me? I can't find their description on the web anymore.


Prefs set as default in the new profile:

noscript.consoleLog (probably logs into Firefox error console. Is there any performance impact?)
noscript.docShellJSBlocking (old profile sets to 2)
noscript.forbidIFramesContext (old profile sets to 1. What do 1 and 2 mean?)
noscript.untrustedGranularity
noscript.xss.trustExternal (old profile sets to false)


Finally, what's the difference between the noscript.filterXExceptions string and all the prefs under noscript.filterXExceptions.*? Assuming I set the string to "", should I also set all following booleans to false?


Thanks again :)
Nanosaur

What do these NoScript prefs do ?

Post by Nanosaur »

So, does anyone know what those prefs are for? If you can only answer for one pref please do, that's better than nothing :)
therube
Ambassador
Posts: 7922
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: noscript.confirmSiteInfo

Post by therube »

> Or is it a hidden pref we're meant to create manually.

If it's not there, I would think it deprecated.
When it was there, if it was in bold, then you either created it or modified it from its default.

- consoleLog, I would think there would be performance impacts & only to be used when trying to diagnose something


You might pick up some references, hints, from NoScript CHANGELOG, otherwise ...?
Nanosaur

Re: noscript.confirmSiteInfo

Post by Nanosaur »

Thanks, there are some answers in the changelog. Search engines didn't catch them for some reason...
Now it's better, but I would need a couple more answers if you have some.
noscript.forbidIFramesContext:

> controls if actually enforcing IFRAME blocking depending on the parent page:
> 0 -- block always
> 1 -- block if parent is in a different site (default)
> 2 -- block if parent is in a different domain
> 3 -- block if parent is in a different 2nd level domain

What's the difference between a site and a domain? Like (but I doubt it), is domain actually top-level domain (.com), and site is third-level domain? (forums.informaction.com)
2nd level domain is supposed to be informaction.com.

noscript.docShellJSBlocking:

> 0 - no docShell JS blocking
> 1 - (default) docShell JS blocking for untrusted sites (enables
> effective blacklists for default-deny modes)
> 2 - docShell JS blocking for every non-whitelisted site (enables
> cross-frame inheritance of JS blocking)

What's docShell JS and why is that pref set to 1 even when I have "Forbid Frames" and "Apply these restrictions to trusted sites" checkboxes ticked in NoScript's UI?

noscript.untrustedGranularity:

> + Whitelisting sites from NoScript Options|Whitelist obeys to the
> noscript.untrustedGranularity preference

But it doesn't say what the different values are for.




Giorgio must have a list of what all prefs do somewhere. Has he considered making it public? He does (or did) explain what prefs do when he introduces them, but that info seems to vanish over time.
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: noscript.confirmSiteInfo

Post by Thrawn »

> Nanosaur wrote: What's the difference between a site and a domain? Like (but I doubt it), is domain actually top-level domain (.com), and site is third-level domain? (forums.informaction.com)
> 2nd level domain is supposed to be informaction.com.

I believe http://forums.informaction.com would be a site, forums.informaction.com would be a domain, and informaction.com would be a 2nd-level domain.
Nanosaur

Re: noscript.confirmSiteInfo

Post by Nanosaur »

That could be it, but Wikipedia says otherwise. Giorgio is very technically literate so he probably uses the terms correctly, but your suggestion makes more sense than what I would think is "correct"... >_<

http://forums.informaction.com is a full domain name I believe. Seems fair to say it's the "site" from the quote.
forums.informaction.com is a third-level domain name.
informaction.com is a second-level domain name.
.com is the top level domain name.

But if you're a moderator you probably know Giorgio and might be used to how he uses these terms, so I'm torn. :p
I'll go with what you say for now and set the pref to 2. (today's default isn't 1 anymore, it's 3)


Okay, 2 questions remain if someone walks by! ;)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: noscript.confirmSiteInfo

Post by Tom T. »

Per NS Options > Appearance,

http://www.noscript.net
is a "Full Address", because it includes a protocol for addressing and replying. (HTTP, HTTPS, FTP, gopher, socks, etc.)
It does seem to be called "Site" in that config option.

www.noscript.net is a "Full Domain", containing the total domain name less the protocol.

You are correct that .com, .net, .org, etc. are Top-Level Domains.
Hence noscript.net is indeed a Second-Level Domain.
news.yahoo.com is a Third-Level Domain.

(This is useful because I use Yahoo Mail, and therefore must allow mail.yahoo.com, but prefer to forbid www dot yahoo.com)

There are fourth- and fifth-level domains -- every new term to the *left* of the previous left-most dot -- but I can't think of any offhand. You can probably find some.

> noscript.docShellJSBlocking:
> 0 - no docShell JS blocking
> 1 - (default) docShell JS blocking for untrusted sites (enables
> effective blacklists for default-deny modes)
> 2 - docShell JS blocking for every non-whitelisted site (enables
> cross-frame inheritance of JS blocking)
>
> What's docShell JS and why is that pref set to 1 even when I have "Forbid Frames" and "Apply these restrictions to trusted sites" checkboxes ticked in NoScript's UI?

What it is would probably only complicate the discussion more, but why it defaults to 1 instead of 2 is a very good question. If I don't whitelist a site, certainly I don't want to whitelist JS in frames from or to it. I'll ask Giorgio, but in the meantime, I'm going to set mine to 2 and see if anything breaks.

> noscript.untrustedGranularity:
> + Whitelisting sites from NoScript Options|Whitelist obeys to the
> noscript.untrustedGranularity preference
>
> But it doesn't say what the different values are for.

It's "probably" whether to match Untrusted by 2nd level domain, 3rd, full, etc. as discussed above, because you may configure Appearance to show only Base 2nd Level Domains, yet blacklist a third-level domain, either manually or when Appearance was set differently. But I don't like "probably", so I'll ask Giorgio to clarify that also, and what the numbers mean.

> Finally, what's the difference between the noscript.filterXExceptions string and all the prefs under noscript.filterXExceptions.*? Assuming I set the string to "", should I also set all following booleans to false?

I did, because I don't use those sites. Two seem to have escaped: ebay and medicare, perhaps added since I last went through about:config. I toggled those to false, also.

> Giorgio must have a list of what all prefs do somewhere. Has he considered making it public? He does (or did) explain what prefs do when he introduces them, but that info seems to vanish over time.

There was a fairly extensive list in this topic, but yours don't seem to have been included. (Else your search would have found them.) Excellent idea.


@ Giorgio: RFE: A new page in noscript.net, something like noscript.net/aboutconfigprefs, where all such configurable prefs, and a simple explanation of the meaning of each possible value, are listed, preferably in alphabetical order. I realize this may take quite a bit of time, but surely it would be a valued resource to many.
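The four noscript.forbidIFramesContext levels quoted from the changelog, worked through for one parent page and several frame sources. This is an added example, not part of any post and not NoScript's own code; it assumes the reading of the terms given in the replies above (site = full address with protocol, domain = full host name, 2nd level domain = last two labels), and the function names are hypothetical.

```javascript
// Added illustration; this is not NoScript source code.
// Levels are the ones quoted from the changelog in this thread. The meaning of
// "site", "domain" and "2nd level domain" is an assumption taken from the
// replies: site = scheme + host (full address), domain = full host name.

function secondLevelDomain(host) {
  // IP literals have no domain hierarchy; compare them whole.
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return host;
  // Simplification: last two labels. Suffixes such as "co.uk" would need
  // the Public Suffix List to be handled correctly.
  return host.split(".").slice(-2).join(".");
}

function comparisonKey(url, level) {
  const u = new URL(url);
  switch (level) {
    case 1: return u.origin;                      // e.g. "http://news.yahoo.com"
    case 2: return u.hostname;                    // e.g. "news.yahoo.com"
    case 3: return secondLevelDomain(u.hostname); // e.g. "yahoo.com"
    default: throw new RangeError("level must be 0-3, got " + level);
  }
}

// True if a frame at frameUrl inside a page at parentUrl falls under blocking.
function frameIsInBlockingContext(level, parentUrl, frameUrl) {
  if (level === 0) return true; // 0 -- block always
  return comparisonKey(parentUrl, level) !== comparisonKey(frameUrl, level);
}

// Constructed sample: one parent page, four frame sources.
const PARENT = "http://news.yahoo.com/story";
const FRAMES = [
  "http://news.yahoo.com/widget",
  "https://news.yahoo.com/widget",
  "http://mail.yahoo.com/inbox",
  "http://www.noscript.net/",
];

// For each frame, list the pref values at which it would be blocked.
function decisionTable() {
  return FRAMES.map((frame) => ({
    frame,
    blockedAt: [0, 1, 2, 3].filter((lvl) => frameIsInBlockingContext(lvl, PARENT, frame)),
  }));
}

console.log(JSON.stringify(decisionTable(), null, 2));
```

Each step from 1 to 3 is more lenient than the one before: a frame blocked at level 3 is also blocked at levels 1 and 2, but not the other way round.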
mjh563

Re: noscript.confirmSiteInfo

Post by mjh563 »

noscript.confirmSiteInfo is for when you middle-click on a site in the NoScript menu. It controls whether the confirmation prompt appears. It gets set to true or false depending on whether you check or clear the 'Always ask for confirmation' checkbox.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: noscript.confirmSiteInfo

Post by Tom T. »

> mjh563 wrote: noscript.confirmSiteInfo is for when you middle-click on a site in the NoScript menu. It controls whether the confirmation prompt appears. It gets set to true or false depending on whether you check or clear the 'Always ask for confirmation' checkbox.

Thanks for adding that, as my post was already rather long.
To be more specific, if set to "True", then whenever you use the Site Info feature, you get this prompt first:

> You're about to ask for information about the "news.yahoo.com" site
> by submitting a query to http://noscript.net.
> Do you want to continue?

It seems kind of intuitive to me that you are asking NoScript to do something for you, so I set it to False. Some might like to know exactly where the query goes: It goes to noscript.net, until you click any of the links shown in the reply, which are no longer under NoScript's control. Thanks again.
Nanosaur

Re: noscript.confirmSiteInfo

Post by Nanosaur »

It looks like the default for noscript.forbidIFramesContext is tough. It's unusual that I customize NS to make it more lenient :D (I set it from full address to only domain, which might isolate third-level domains as well as domain; at least that's the behavior I want)

I'll keep confirmSiteInfo as default and wait to hear back if you get news for the 2 other prefs. (For now untrustedGranularity is on default and docShellJSBlocking is 2)
I'm undecided on filterXExceptions because, while I used to know exactly what it means, it's become rather blurry what it translates to concretely on the battle field. Guess I'll need to refresh this knowledge some time later...

Anyway thank you both for the replies! :)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: noscript.confirmSiteInfo

Post by Tom T. »

> Nanosaur wrote: I'm undecided on filterXExceptions because, while I used to know exactly what it means, it's become rather blurry what it translates to concretely on the battle field. Guess I'll need to refresh this knowledge some time later...

Those are automatic, default exceptions to the XSS filter. They were put there for the same reason as most of the default whitelist entries: to make NS easier for novices to use "right out of the box", with the most popular sites allowed in whitelist. Presumably the XSS list is because those sites, also quite popular, seem to generate false positive XSS messages.

No harm in making them all False, especially sites you don't use, and see whether indeed the others do generate XSS messages. Perhaps some have cleaned up their code a bit. If it's too annoying, and, in Giorgio's words (XSS FAQ), "you're very confident the target web page is immune to XSS vulnerabilities", you can always toggle back that particular site to True.

I've been to email, banking, and some other sites, and so far docshellJSblocking on 2 hasn't broken anything. Will let you know if it does.