InformAction Forums

@Quest

(I'm certain those questions were both already asked and answered on this forum, but I can't find it either, so...)

1) Yes. For benefits, please see the sticky - https://forums.informaction.com/viewtopic.php?f=7&t=26285
The drawback is that the current mitigation may cause a FOUC (flash of unstyled content) and may result in loading some additional resources that wouldn't otherwise be loaded.

2) It should depend on the state of "script" capability:
[quote="Giorgio Maone" post_id=103831 time=1617208962 user_id=2]
we assume JavaScript-enabled pages have plenty and more accurate ways to accomplish the same thing
[/quote]
... that CSS PP0 would accomplish.

This is off-topic for this thread, so if you wish to continue this please start a new thread. (If you do we can merge your post and this reply there as well if you like.)

Although the CSS-restriction name discussion goes on I venture to ask:
1. Are there any real security benefits or behavior drawbacks to (un)check these CSS non-restrictions?
2. Some of my custom Per-Site Permissions now have this option checked and some don’t.
These (un)checks have appeared automatically without any actions from my part.
What’s the logic?

[quote=barbaz post_id=103910 time=1619638038 user_id=181509]
The problem with "unrestricted CSS" is that the current mitigation doesn't "restrict" anything, it just loads CSS differently. What about "uncontrolled CSS"?
[/quote]

Giorgio could you please address this? Thanks

[quote=fatboy post_id=103914 time=1619695597 user_id=257423]
What if the name is "unsafe CSS"?
[/quote]

That isn't a sharp description of this capability. That reads like un-checking it would result in NoScript actually blocking some CSS. But that is not the case atm.

"[url=https://forums.informaction.com/viewtopic.php?p=103859#p103859]Do keep the name short though.[/url]"
What if the name is "unsafe CSS"?

Maybe there is no clean win on this one :?

The problem with "unrestricted CSS" is that the current mitigation doesn't "restrict" anything, it just loads CSS differently. What about "uncontrolled CSS"?

I'm thinking of using a previous candidate, "unrestricted CSS", which we originally rejected because it seemed too long in characters for the UI layout. But the capabilities list is already two rows long no matter what on Chromium (which restricts the popup width to 800px max), so...

I guess "css threat" is excessive, too? Maybe a native english speaker can come up with something nice. "unchecked_css" is confusing.

"css attack" would be more obvious, but IMHO excessive: by checking the checkbox, you're allowing the site to use any CSS without checks (not necessarily for an attack).

Just to make sure I understand correctly:
Checking "unchecked_css" makes it unchecked and unchecking it makes it checked? :roll:
My english is too bad to come up with a clever name for it but because everything else uses nouns maybe something like "css attack" would be more obviously?