RFE: Prevent whitelisting of http:
In light of situations like this one, should NoScript prevent the user (or perhaps warn them) from whitelisting the whole http: protocol?
It makes sense to allow the whole chrome: or about: protocol, but whitelisting http: is almost certainly an accident (and a dangerous one).
Maybe there could be an 'allowWhitelistingAllHttp' setting in about:config that would act as a safety catch, so unless you've deliberately gone into about:config and toggled it, you can't whitelist http:. Perhaps it could be a list of all protocols that are allowed to be globally whitelisted, defaulting to just the built-in ones (about, chrome, blob, resource). Maybe including data: as well, so you have the option to whitelist all data: if you want to.
This would probably apply to https: as well. There's slightly more sense in allowing all https: URLs, but I think it still makes sense to put a prompt or safety catch of some kind on it, because it's not normal.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Re: RFE: Prevent whitelisting of http:
+1, but wouldn't it make the most sense for NS to turn on "Allow Scripts Globally" when the user attempts to whitelist http: ? (I don't think that should happen when the user tries to whitelist https: .)
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 SeaMonkey/2.21
Re: RFE: Prevent whitelisting of http:
> wouldn't it make the most sense for NS to turn on "Allow Scripts Globally" when the user attempts to whitelist http: ?
So whitelist https:, file: and maybe more as well just because the application tried to guess the user's intent? Please no, please nothing of the sort of such philosophy (something that might then be called something along the lines of "context-aware pervasive ambient intelligence computing").
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Re: RFE: Prevent whitelisting of http:
I wouldn't want to turn on Scripts Globally Allowed in this situation, because without clear intent by the user, I would assume that it was a mistake, and I wouldn't want to exacerbate it.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Re: RFE: Prevent whitelisting of http:
Thrawn wrote:
> I wouldn't want to turn on Scripts Globally Allowed in this situation, because without clear intent by the user, I would assume that it was a mistake, and I wouldn't want to exacerbate it.
I would agree with you and dhouwn, but turning on Scripts Globally Allowed presents the user with a dialog where they could just click Cancel if they don't want that. As for users who don't understand the dialog, wouldn't they be more likely to click "Cancel" than "OK" in any case, thus saving them rather than exacerbating the situation?
(This forum doesn't allow posting from browsers that don't identify themselves as Gecko-based, even if they really are?)
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 SeaMonkey/2.21
Re: RFE: Prevent whitelisting of http:
> I would agree with you and dhouwn, but turning on Scripts Globally Allowed presents the user with a dialog
Oh, you meant with a confirmation dialog. Yeah, that could work, but it may as well have its own dialog rather than reusing that one.
> (This forum doesn't allow posting from browsers that don't identify themselves as Gecko-based, even if they really are?)
I'm posting from the Symbian default browser right now.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Symbian/3; Series60/5.3 NokiaN8-00/111.030.0609; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/533.4 (KHTML, like Gecko) NokiaBrowser/7.4.2.6 Mobile Safari/533.4 3gpp-gba
Re: RFE: Prevent whitelisting of http:
Thrawn wrote:
>> I would agree with you and dhouwn, but turning on Scripts Globally Allowed presents the user with a dialog
> Oh, you meant with a confirmation dialog. Yeah, that could work, but it may as well have its own dialog rather than reusing that one.
If whitelisting http: wasn't a mistake, why would someone do that other than because they're frustrated with digging around in the NS menu repeatedly?
Thrawn wrote:
>> (This forum doesn't allow posting from browsers that don't identify themselves as Gecko-based, even if they really are?)
> I'm posting from the Symbian default browser right now.
That browser has "Gecko" in its user-agent string. I was using an old Firefox with an Opera user-agent string. You're also a moderator while I'm a junior member.
This is getting complicated, so to keep this topic clean could you please split the discussion of allowed browsers to the Metaforum?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 SeaMonkey/2.21
Re: RFE: Prevent whitelisting of http:
barbaz wrote:
> If whitelisting http: wasn't a mistake, why would someone do that other than because they're frustrated with digging around in the NS menu repeatedly?
Then they really ought to use the Allow Scripts Globally menu item, which is more convenient, more explicit, and gives more obvious feedback (like the changed icon).
Mind you, I'm OK with the idea of letting someone whitelist http:, provided that they have made it clear that they really want to do it, they didn't just start typing and get distracted.
barbaz wrote:
> This is getting complicated, so to keep this topic clean could you please split the discussion of allowed browsers to the Metaforum?
Actually, after a quick search, it's already been discussed here.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Re: RFE: Prevent whitelisting of http:
I think there's something I'm not understanding about NS internals because I thought that saying "turn on Allow Scripts Globally when http: is whitelisted" was understood to mean "if the user tries to whitelist http:, don't do that but instead act like they clicked the menu item." Also, with Scripts Globally Allowed it would be easier to block some sites from running active content by clicking "Mark site as untrusted". For users who don't want Scripts Globally Allowed, when would whitelisting http: be necessary and selectively allowing sites from Full Addresses wouldn't work?
Contrast this to whitelisting https:, where someone may want to temporarily do that to complete a financial or other sensitive transaction without allowing insecure active content to run but not potentially messing up the payment/whatever by blocking the wrong thing at the wrong time.
Speaking of which, if we're going with confirmation dialog for whitelisting https:, how about offering three options: Cancel, Temp-allow, and Allow? Thoughts?
Thrawn wrote:
> Actually, after a quick search, it's already been discussed here.
Thanks, that makes sense.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 SeaMonkey/2.21
Re: RFE: Prevent whitelisting of http:
barbaz wrote:
> I think there's something I'm not understanding about NS internals because I thought that saying "turn on Allow Scripts Globally when http: is whitelisted" was understood to mean "if the user tries to whitelist http:, don't do that but instead act like they clicked the menu item."
Yes, that's what I assumed you meant. I don't like it. If they want to click on the menu item, they should click on the menu item.
> Also, with Scripts Globally Allowed it would be easier to block some sites from running active content by clicking "Mark site as untrusted". For users who don't want Scripts Globally Allowed, when would whitelisting http: be necessary and selectively allowing sites from Full Addresses wouldn't work?
I agree that there is not much of a use case for whitelisting http:, which is why I think it's (almost always) a case of user error, hence this RFE.
> Contrast this to whitelisting https:, where someone may want to temporarily do that to complete a financial or other sensitive transaction without allowing insecure active content to run but not potentially messing up the payment/whatever by blocking the wrong thing at the wrong time.
Thus I'm open to the idea of allowing users to override the protection if they really want to. But I think that https: should still have a restriction of some kind.
> Speaking of which, if we're going with confirmation dialog for whitelisting https:, how about offering three options: Cancel, Temp-allow, and Allow? Thoughts?
Maybe, but I'm assuming that the user probably didn't really mean to do this, and there's almost no good reason why they might want to, so it's not necessary to give them extra options. It's just a safety catch.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Re: RFE: Prevent whitelisting of http:
Thrawn wrote:
> It's just a safety catch.
Oh, I didn't realize this wasn't about use cases. In that case, I think it would be best to go with a boolean about:config preference like you suggested for http: and a simple confirmation dialog for https: (being less dangerous, it doesn't need as big a safety catch).
Update: @Thrawn & Giorgio: Just for fun, I've made a working PoC of the above and it turns out that it's enough to insert
Code:
    // Bail out before the whitelist entry is added: https: needs a confirmation,
    // http: needs the about:config safety catch to have been switched on.
    if ((site == "https:" &&
         !noscriptUtil.prompter.confirm(window, "NoScript",
             "Do you really want to whitelist the entire HTTPS protocol?")) ||
        (site == "http:" && !ns.prefs.getBoolPref("allowWhitelistingAllHttp")))
      return;
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 SeaMonkey/2.21
Re: RFE: Prevent whitelisting of http:
Huh.
http://forums.informaction.com/viewtopi ... =7&t=17205
Who'd have thunk?
I like the PoC, although I wouldn't have seen it unless I came back to add the above link, because editing your post doesn't make it show up in my Unread Posts...
What do you think about the earlier suggestion of having an about:config preference that would list all the protocols you're allowed to whitelist?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Re: RFE: Prevent whitelisting of http:
My reaction too. Despite what I was saying earlier, I'd never have thought of that use case.
Even so, that just shows why it's a good idea to keep the safety catch on https: as simple as possible.
Thrawn wrote:
> I like the PoC, although I wouldn't have seen it unless I came back to add the above link, because editing your post doesn't make it show up in my Unread Posts...
Even though you're a Moderator who needs to be notified of potential spamming? Another discussion for the Metaforum, I suppose...
Thrawn wrote:
> What do you think about the earlier suggestion of having an about:config preference that would list all the protocols you're allowed to whitelist?
For a feature intended to protect only a couple of protocols, that seems a bit much. If we're going with an about:config pref that's listing protocols, better to list the ones you shouldn't be allowed to whitelist by default (ignoring the ones in noscript.mandatory, of course).
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 SeaMonkey/2.21
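The safety catch discussed in this thread (the allowWhitelistingAllHttp pref from the original RFE and the PoC, plus barbaz's idea of listing the protocols that need a confirmation rather than the ones that are allowed), modelled as a stand-alone decision function. This is an added example, not NoScript's code; the pref names come from the thread, while the function names, the "protectedProtocols" list and the built-in protocol set are assumptions.

```javascript
// Added example modelling the "safety catch" from this thread. Not NoScript's
// code: only allowWhitelistingAllHttp and the mandatory built-ins come from the
// discussion; everything else here is an assumption for illustration.

// Protocols NoScript must always allow (the thread's "built-in ones", which
// the posts say should be ignored by any safety catch).
const MANDATORY = ["about:", "chrome:", "blob:", "resource:"];

// A whitelist entry is a "whole protocol" when it is just a scheme such as
// "http:"; anything with a host (example.com, https://example.com) is a site.
function isWholeProtocol(site) {
  return /^[a-z][a-z0-9+.-]*:$/i.test(site.trim());
}

// Classify an attempt to whitelist `site`.
//   prefs.allowWhitelistingAllHttp - the about:config catch for http: (no
//                                    dialog; only the pref can open it)
//   prefs.protectedProtocols       - whole protocols that get a confirmation
//                                    prompt instead (e.g. https:), which is
//                                    barbaz's "list the ones you shouldn't be
//                                    allowed to whitelist by default" idea
// Returns "allow", "confirm" or "deny".
function checkWhitelistAttempt(site, prefs) {
  const s = site.trim().toLowerCase();
  if (!isWholeProtocol(s)) return "allow";      // ordinary site, no catch
  if (MANDATORY.includes(s)) return "allow";    // built-ins are always fine
  if (s === "http:") {
    return prefs.allowWhitelistingAllHttp ? "allow" : "deny";
  }
  if (prefs.protectedProtocols.includes(s)) return "confirm";
  return "allow";
}

// Drive the decision with a confirmation callback, standing in for the
// noscriptUtil.prompter.confirm call in the thread's PoC. Returns true when
// the entry may be added to the whitelist.
function tryWhitelist(site, prefs, confirm) {
  const verdict = checkWhitelistAttempt(site, prefs);
  if (verdict === "confirm") {
    return confirm(`Do you really want to whitelist the entire ${site} protocol?`);
  }
  return verdict === "allow";
}

// Constructed sample configuration: http: locked, https: and file: prompt.
const samplePrefs = {
  allowWhitelistingAllHttp: false,
  protectedProtocols: ["https:", "file:"],
};
```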
Re: RFE: Prevent whitelisting of http:
Bump
I could provide a more complete (meaning everything other than localization) patch for this as applied on top of the latest NoScript dev build, if that would be helpful.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (PaleMoon)
Re: RFE: Prevent whitelisting of http:
Bump
With the new Allow HTTPS scripts globally on HTTPS documents feature introduced in NS 2.6.8.37rc2, now it's probably best to instead prompt about setting that mode when attempting to whitelist all HTTPS
@Giorgio, do you think this is a good idea?
Let me know & if you like this idea I'll attempt to update the patch
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 SeaMonkey/2.28