InformAction Forums

[kaz219]

I second that. An option to erase white list entries which were not "hit" since a certain amount of time (configurable) would be much appreciated. It wouldn't be turned on by default, so the default behaviour of NoScript stays unchanged, and people who don't like this idea don't even have to take any action.

My white list is also growing huge because I'm not disciplined enough. And editing the list manually is kind of a nightmare. I think it is clear that at least a non negligeable amount of users would benefit from this option, in terms of security. Indeed, I do also believe that you can't clearly separate domains in "primary" and "third party ad server". Plus, any primary server can be hacked and taken over, making him dangerous. So any domain is potentially dangerous, thus : keeping the white list as short as possible is vital.

The only drawback I see is when you don't use a computer during a long time and then use it again (some kind of spare laptop for example). If the whole white list is flushed when you start it for the first time since many months for example, it's kind of annoying. But this is a very rare case.

[Tom T.]

I don't think in my whole life I've visited 10,000 web sites!
I don't allow session restore, either. Yes, my browsing habits are very cautious.
If it were a user option, "Set whitelist expiration : No / Yes / Days ___ . and it wasn't' difficult or complicated to implement, then I guess it's a good idea if we have users with 10,000-item whitelists. OP, do you really visit so many sites on a regular basis? (I understand more than one script per site.)

IMHO only, anyone who uses Facebook, MySpace, etc. is pretty much throwing their security to the winds. But that's just a personal opinion, supported by nothing more than their massive database breaches, invasions of privacy, and your voluntary discarding of your privacy. Pay no attention to the curmudgeon. My banks need to stay in the w/l unless and until I close the account.

Point 3 is slightly off OP topic, but I was surprised to find live.com in default list. I have no idea what it does or who it is, removed it, and never missed it. If some site doesn't work and needs it, it'll show up in NS menu. "Pre-emptive default blocking of all executable content" -- let's not lose sight of the original vision and mission statement. We start with zero, TA the rare visits, and w/l the regular ones. I can't picture 10,000 without someone just w/l every site they visit, which is not good. IMHO. YMMV.

I wish I knew a quick way to identify every script in the world. If you have one, please share it! .... else, it's like the Quick Start Guide and FAQ say: Do you trust this site? Are they respectable and stand behind their product (site)? AND IS THIS SCRIPT NECESSARY for the functions you want? Cheers.

[GµårÐïåñ]

Just to add my two cents without addressing any specific person's comments. This is my mindset on the whole whitelist/no/expire/etc:

1. Whitelist only sites you go to CONSTANTLY (daily or at least high frequency) AND you trust it (logic to follow if not obvious already)
2. Don't whitelist a site, even if you trust it unless its frequent use, just temp allow it (logic to come later)
3. Mark untrusted items you encounter through regular and constant interaction BUT not every single thing (#2 logic applies, will follow)

Simple as that and the following logic has kept me lean, efficient, to the point, completely safe and not bogged down with performance issues. #1, this allows you to efficiently and without having to constantly add/remove sites you visit regularly and can easily notice if something is wrong, from a productivity angle, this is sufficient, so why #2 then?

#2, making the list too long, even if you trust the sites you are putting on there, when you don't visit them regularly is a performance issue, the longer your list, the more parsing, the longer it takes and the more things can go wrong, its simple common sense. In this case temp allowing things you don't visit often will help you keep the performance and chances of list corruption to a minimum and a simple closing the browser, poof they are gone. Ok, maybe I agree but why #3 then?

#3, has the same common sense approach as #2 with regard to list length and performance and corruption. Also, unless you are encountering the "bad" site constantly and each and every day, why have the sites validate against a huge list slowing performance or possible false positives, there are so many more ways to block bad sites than putting them on the untrusted list as a general blanket.

Anyway, that's my thinking and therefore makes the whole make whitelist/untrusted items expire thing moot to me. If you had a reason to put it there, then it should be up to you to take the time to remove it, not have it be done for you on a schedule, that defeats the purpose of why its there to begin with. Many of you know that I consider safety a proactive thing and it should NOT be easy or complacency sets in and people fall into grooves of false sense of security. If you take the time to evaluate it, put it on there or remove it willfully and intentionally, then you are more likely to be safe, happy and KNOW what you got going on. There is no surprises, no "oh I thought it was blocked", or "oh I thought that was allowed", so on and so forth. </end blabbing>

[Tom T.]

The only drawback I see is when you don't use a computer during a long time and then use it again (some kind of spare laptop for example). If the whole white list is flushed when you start it for the first time since many months for example, it's kind of annoying. But this is a very rare case.

(raises hand) Uh, that would be I. I do keep a spare laptop, for reasons not pertinent here, though it gets dragged out every month to get updated and the battery freshened. But not necessarily visiting sites. I know of others who have, say, bought a new computer and kept the old one as a backup in case the new one has to go into the shop for several days or a week. (It *happens*, trust me!). What a pain not just to get OS updates, NS updates, etc., but have all of your whitelists expire on you.

If the whitelist is that large, it somewhat defeats the purpose of NS. You're very close to "Allow scripts globally". (At 10,000, you might as well be.)

@Guardian: You put it much better than I did. Agree 100%. Thanks for making the case very clearly and strongly.