help understanding changelog

Re: help understanding changelog

by Thrawn » Fri Jun 27, 2014 3:37 am

By the way, I can think of a sensible use case for cascading permissions: if you also use RequestPolicy.

Re: help understanding changelog

by barbaz » Thu May 29, 2014 1:20 am

It's probably worth saying that restrictSubdocScripting won't do anything in Gecko < 28. I got quite a surprise in Pale Moon (based on Gecko 24) when frames were running scripts despite the pref set to true and the parent site not whitelisted.

Re: help understanding changelog

by Giorgio Maone » Wed May 28, 2014 10:53 am

Thrawn wrote:
barbaz wrote: Scary :shock: :o
I agree - but often requested.

By people who should be careful what they wish for, nevertheless (link courtesy of Grumpy Old Lady).
As I said, this feature has been asked for by the TOR project, but this doesn't mean I support it "ideologically" at all, and in fact it won't be enabled by default.

Re: help understanding changelog

by Hannibal » Wed May 28, 2014 9:57 am

Loud and clear, thanks again!

Re: help understanding changelog

by Giorgio Maone » Wed May 28, 2014 9:10 am

Hannibal wrote: Thanks for the explanations :)

To make sure I got it right: Is #2 (noscript.cascadePermissions) kinda similar to "allow all this page" except it works on a domain instead of just a page?

It works on any page, i.e. if the top-level document origin is whitelisted, all the scripts imported by it and by its subdocuments are allowed to run independently from their actual origins, which on the other hand don't get automatically whitelisted: if there's another tab with the same 3rd party scripts but whose top-level document origin is not whitelisted, its scripts won't run.

therube wrote: Isn't #1, when set to True, the way things were some time ago (maybe a long time ago)?

Nope, each frame used to have (and has) the same permissions on desktop NoScript, unless noscript.docShellBlocking is true (which is not the default and is deprecated anyway).
NSA at this moment uses a mechanism akin to noscript.docShellBlocking (but will change as soon as I find the time to put it back on its rails), and therefore works more or less the way you say.

Re: help understanding changelog

by Hannibal » Wed May 28, 2014 7:18 am

Thanks for the explanations :)

To make sure I got it right: Is #2 (noscript.cascadePermissions) kinda similar to "allow all this page" except it works on a domain instead of just a page?

Re: help understanding changelog

by therube » Wed May 28, 2014 1:54 am

Isn't #1, when set to True, the way things were some time ago (maybe a long time ago)?

Re: help understanding changelog

by barbaz » Tue May 27, 2014 3:11 am

Thrawn wrote: Should there at least be some kind of message telling the user which sites were whitelisted? Maybe a message bar like the one for XSS and ABE actions?

I would guess that people who want cascading permissions wouldn't care too much what sites are getting Temp-Allowed via cascading.

Wouldn't it be enough if all sites (other than top level) allowed via cascading are displayed only as "Mark (site) as Untrusted" in the main menu, like currently seen with "Scripts Globally Allowed"?

EDIT Oh, and there's this too:
Giorgio Maone wrote:In either case, subdomain scripts from 'untrusted'/blacklisted sites will continue to be blocked, and if the user has selected to enable the "Untrusted" NoScript appearance option, these subdomain blacklist choices will still be displayed.

Re: help understanding changelog

by Thrawn » Tue May 27, 2014 3:03 am

barbaz wrote: Scary :shock: :o
I agree - but often requested.

Should there at least be some kind of message telling the user which sites were whitelisted? Maybe a message bar like the one for XSS and ABE actions?

Re: help understanding changelog

by barbaz » Mon May 26, 2014 4:05 pm

Thank you for the explanations.
Giorgio Maone wrote:
  1. "Block scripting in whitelisted subdocuments of non-whitelisted pages" (noscript.restrictSubdocScripting)
    • If /true/, frames and iframes whose parent document's URL is not whitelisted will be prevented from running and loading scripts, no matter whether they're themselves whitelisted.
    • If /false/, current behavior which bases scripting permissions for subdocuments only on their own origin, independently from their parent's, will be kept.

I like this. Probably can eventually replace some of my ABE rules to do essentially that, so I'll be enabling this feature soon.
Is it planned to be possible to add exceptions to this behavior when enabled?

Giorgio Maone wrote:
  2. "Cascade parent document's permissions to 3rd party scripts" (noscript.cascadePermissions)
    • If /true/, user will just need to allow/forbid the top-level document's origin or forbid it, to block/unblock all the scripts on the page (including those in subdocuments): also, in order to avoid confusion, when this mode is active the NoScript menu will show Forbid/Allow commands for the top-level origin only (currently in bold).
    • If /false/, current behavior which allows full granularity to forbid/allow scripts by their origin will be kept.
    • In either case, subdomain scripts from 'untrusted'/blacklisted sites will continue to be blocked, and if the user has selected to enable the "Untrusted" NoScript appearance option, these subdomain blacklist choices will still be displayed.
    • NoScript will provide an associated configuration UI control for this preference.

Scary :shock: :o

Re: help understanding changelog

by therube » Mon May 26, 2014 10:58 am

1. So that will do things like block a foreign hosted video from displaying in the current page, until the current page has been allowed, even if the foreign hosted video site had already been Allowed.

Allow youtube.com ytimg.com
Visit http://failblog.cheezburger.com/

The Youtube videos display & will play without allowing cheezburger.com.

Toggle the Pref.

The Youtube videos will not display or play until you have Allowed cheezburger.com.

Re: help understanding changelog

by Giorgio Maone » Mon May 26, 2014 9:28 am

These are features being added by request of the TOR project, useful for TOR Browser users but possibly also for some regular NoScript users.

At this moment they are pretty much work in progress (the UI side, for instance, is still unaffected), but in the end they should amount to:
  1. "Block scripting in whitelisted subdocuments of non-whitelisted pages" (noscript.restrictSubdocScripting)
    • If /true/, frames and iframes whose parent document's URL is not whitelisted will be prevented from running and loading scripts, no matter whether they're themselves whitelisted.
    • If /false/, current behavior which bases scripting permissions for subdocuments only on their own origin, independently from their parent's, will be kept.
  2. "Cascade parent document's permissions to 3rd party scripts" (noscript.cascadePermissions)
    • If /true/, user will just need to allow/forbid the top-level document's origin or forbid it, to block/unblock all the scripts on the page (including those in subdocuments): also, in order to avoid confusion, when this mode is active the NoScript menu will show Forbid/Allow commands for the top-level origin only (currently in bold).
    • If /false/, current behavior which allows full granularity to forbid/allow scripts by their origin will be kept.
    • In either case, subdomain scripts from 'untrusted'/blacklisted sites will continue to be blocked, and if the user has selected to enable the "Untrusted" NoScript appearance option, these subdomain blacklist choices will still be displayed.
    • NoScript will provide an associated configuration UI control for this preference.
[Edit]
A requirement added and implemented later is that "[Temporarily] Allow all this page" commands affect the top-level document only when Cascade Permissions mode is enabled (i.e. no 3rd party scripts actually get whitelisted, they're just implicitly allowed as long as their top ancestor page's domain is whitelisted).
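
The decision rules described in the post above, written out as a small JavaScript model (an added example, not NoScript's code and not part of the original post). The host names, the `listed`/`mayRun`/`demo` helpers and the subdomain matching are assumptions made for illustration; the thread does not say how the two prefs combine, so the model lets cascadePermissions take precedence.

```javascript
// Toy model of the two prefs as described in this thread; NOT NoScript's code.
// Host names, list contents and helper names are constructed for illustration.

// Assumption: a list entry covers the host itself and its subdomains.
function listed(list, host) {
  return list.some((entry) => host === entry || host.endsWith("." + entry));
}

// req = { script, parent, top }: host names. parent is null when the
// script's document is the top-level page itself.
function mayRun(req, policy, prefs) {
  // "In either case" scripts from untrusted sites stay blocked.
  if (listed(policy.untrusted, req.script)) return false;

  if (prefs.cascadePermissions) {
    // Only the top-level origin decides; 3rd parties are implicitly allowed
    // and never added to the whitelist. Assumption: this pref wins when both
    // are set, since the thread does not describe the combination.
    return listed(policy.whitelist, req.top);
  }
  if (prefs.restrictSubdocScripting && req.parent !== null &&
      !listed(policy.whitelist, req.parent)) {
    // Frame inside a non-whitelisted parent: blocked even if whitelisted itself.
    return false;
  }
  // Default behaviour: each script is judged by its own origin.
  return listed(policy.whitelist, req.script);
}

// Constructed scenario modelled on therube's test: video site allowed, host page not.
const policy = { whitelist: ["youtube.com", "ytimg.com"], untrusted: ["tracker.example"] };
const frameScript = { script: "s.ytimg.com", parent: "failblog.cheezburger.com",
                      top: "failblog.cheezburger.com" };

function demo() {
  const off = { restrictSubdocScripting: false, cascadePermissions: false };
  const restrict = { ...off, restrictSubdocScripting: true };
  const cascade = { ...off, cascadePermissions: true };
  const topOnly = { ...policy, whitelist: ["cheezburger.com"] };
  const otherTab = { ...frameScript, parent: "other.example", top: "other.example" };
  return {
    defaults: mayRun(frameScript, policy, off),
    restricted: mayRun(frameScript, policy, restrict),
    cascadeTopAllowed: mayRun(frameScript, topOnly, cascade),
    cascadeOtherTab: mayRun(otherTab, topOnly, cascade),
    cascadeUntrusted: mayRun({ ...frameScript, script: "cdn.tracker.example" }, topOnly, cascade),
  };
}

console.log(demo());
```

The `cascadeOtherTab` case is the point of the later [Edit]: the same third-party script is refused in a tab whose top-level origin is not whitelisted, because cascading never adds it to the whitelist.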

help understanding changelog

by barbaz » Fri May 23, 2014 9:29 pm

Just got 2.6.8.26rc1, and saw in the changelog:
http://noscript.net/getit#devel wrote:
+ noscript.cascadePermissions preliminary backend implementation
+ noscript.restrictSubdocScripting preliminary backend implementation

I see that both prefs by those names in about:config are set to false.
What are these features / what do they do?
What aspects of them are enabled by default or always enabled?
