[PR1] NoScript: RequestPolicy [PR2] Horizontal MenuGroups

metadings
Posts: 4
Joined: Wed Mar 01, 2017 3:52 pm

[PR1] NoScript: RequestPolicy [PR2] Horizontal MenuGroups

Post by metadings »

Hey Giorgio,

I've made two PullRequests on github.com/avian2/noscript:
[PR1] NoScript: RequestPolicy https://github.com/avian2/noscript/pull/9 and
[PR2] NoScript: Horizontal MenuGroups https://github.com/avian2/noscript/pull/10

I'm going to call this [PR1] NoScript+RequestPolicy, because this also blocks access for HTMLs, IMAGEs and STYLESHEETs if they are cross-top-level-domain requests.

I also did something which is a matter of taste, this is [PR2] HorizontalMenuGroups, which instead of asking "Allow example.com" and "Temporarily allow example.com" (and a separator), just asks "example.com: temporarily, allow".

I do want you to try this. You made this so very easy (using makexpi.sh and a lot of JavaScript), so I just want you to do this:

git clone https://github.com/metadings/noscript metadings-noscript
cd metadings-noscript
git checkout master-requestpolicy   # or: git checkout master-requestpolicy-horizontalmenu
# You may now run `git show` to see what I've changed.
./makexpi.sh
# Now run noscript-5.0rc2~pre.xpi in your favorite Mozilla Firefox installation.

What do you think?
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: [PR1] NoScript: RequestPolicy [PR2] Horizontal MenuGroup

Post by barbaz »

Your horizontal menu groups PR looks interesting. If you make it optional, +1 from me. There are times when I'd prefer the traditional menu, and there are times when I'd prefer this. For example, your menu would make it a lot easier to deal with those sites that load like every script under the sun.

I have only two minor suggestions for it:
1) At the far left of each row, add an icon indicating that site's current state.
2) There's something weird about the "untrusted" menu items in this new arrangement. When the Untrusted sub-menu is de-selected, but "Mark [...] as Untrusted" *is* selected, the Untrusted menu item should be on the same line as "Temporarily" and "Allow". When the Untrusted sub-menu is selected, the label should be changed to "mark as untrusted".
_________

About your PR1. I reverted it before trying your horizontal menu. NoScript is a security tool, not a privacy tool. There is no security advantage to your proposal. That level of strictness in blocking is why I never used RequestPolicy.

Where I do want such functionality, I much prefer to just use µMatrix. It's designed for the job, more flexible, and much better suited to doing limited request controlling.
*Always* check the changelogs BEFORE updating that important software!
metadings
Posts: 4
Joined: Wed Mar 01, 2017 3:52 pm

Re: [PR1] NoScript: RequestPolicy [PR2] Horizontal MenuGroup

Post by metadings »

About PR2:

> 1) At the far left of each row, add an icon indicating that site's current state.
Ya, well this is "untrusted". Everyone.com is "untrusted", you just "allow" them or you "temporarily" allow them.

The "untrusted" menu is now just for google-analytics.com, scorecardresearch.com and so on.
There should be a state "trust" them again, so that they come out again from the "untrusted" menu, without JavaScripts...

> 2) There's something weird about the "untrusted" menu items in this new arrangement.
well... I also tried to createElement table, tr, and td, however I do believe I missed a div wrapping around menuFrag and mainFrag, the "things" you appendChild to the mainMenu after the menuseparator `stop` (and also appendChild to the untrustedFrag, the "things" you appendChild to the untrustedMenu).

Yes, I do believe, I'm going to cancel PR2... Just because asking "example.com temporär erlauben" is grammatically correct, however "example.com temporaneamente permetti" is the same garbage as "example.com Temporarily allow"...
__

> About your PR1. I reverted it before trying your horizontal menu. NoScript is a security tool, not a privacy tool. There is no security advantage to your proposal.

Well, I believe that Security comes through Privacy.

If I'm going to someone.com, I don't want them to go to scorecardresearch.com.

They are basically all "untrusted". A second menu for having "untrusted" ones.com, is just hiding them away from me.

I do really not like sitestat.com or the like, which just read a tiny IMAGE or a <link href=on a .png...

> That level of strictness in blocking is why I never used RequestPolicy.
So to say, this is easier than RequestPolicy.

This is a lot easier, because you don't say "someone.com to office356.com".

You just say "allow office356.com".

What do you think?
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: [PR1] NoScript: RequestPolicy [PR2] Horizontal MenuGroup

Post by Thrawn »

So, in a nutshell, you want the ability to block inactive content (HTML, images) for any non-trusted site?

Reminds me somewhat of my attempts at SABER, which I pretty much haven't touched since starting to use uMatrix. The one thing I did manage to implement was the ability to write ABE rules that could refer to your whitelist and temporary whitelist. I suspect that they might not work with current/future NoScript, though.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: [PR1] NoScript: RequestPolicy [PR2] Horizontal MenuGroup

Post by barbaz »

metadings wrote:About PR2:

> 1) At the far left of each row, add an icon indicating that site's current state.
Ya, well this is "untrusted". Everyone.com is "untrusted",
Unless everyone.com is Forbidden (as in, not marked as Untrusted). Or Allowed. Or Temporarily allowed.
metadings wrote:There should be a state "trust" them again, so that they come out again from the "untrusted" menu, without javaScripts...
That already exists, if you have the sticky menu. Just Temp-Allow the site, then - without leaving the menu - Forbid the site again.
metadings wrote:Well, I believe that Security comes through Privacy.
Only up to a point. Beyond that, it becomes a trade-off. Let's take your example -
metadings wrote:If I'm going to someone.com, I don't want them to go to scorecardresearch.com.
Websites can fingerprint you based on what sites you have allowed. When you choose not to let someone.com load the script from scorecardresearch.com, someone.com could notice that and use it to fingerprint you. By having the added security of NOT running the scorecardresearch script you don't trust, you are sacrificing the privacy of being like "most users".

Incidentally, this is why the Tor Project wanted Giorgio to implement cascading permissions mode.
metadings wrote:This is a lot easier, because you don't say "someone.com to office356.com".

You just say "allow office356.com".

What do you think?
I think this stuff shouldn't meddle with script permissions. Just because I want to see one image from office356.com, doesn't mean I want to run all their active content.

Again, this is best left to a dedicated addon designed for the purpose.
metadings
Posts: 4
Joined: Wed Mar 01, 2017 3:52 pm

Re: [PR1] NoScript: RequestPolicy [PR2] Horizontal MenuGroup

Post by metadings »

> Again, this is best left to a dedicated addon designed for the purpose.
No.

Look, I'm installing people "just" Mozilla Firefox and µblock, if they even care; they usually have "just" Mozilla Firefox and AdBlockPlus.

Now what I want is, if you care: You should use "just" Mozilla Firefox and NoScript.

This runs awesome fast, for about 99% of all websites.
__
> So, in a nutshell, you want the ability to block inactive content (HTML, images) for any non-trusted site?
Yes, exactly. Just Mozilla Firefox and NoScript.

For example, I do want to allow `www.tagesschau.de`. ((implicitly) requesting `karten.tagesschau.de` and `wetter.tagesschau.de`.)
I may allow them to request `ard.de` or `sportschau.de` (but I do NOT want them to request `sitestat.com` or `ioam.de`).

For example, I do want just `computerbase.de`. (NEITHER `amazon-adsystem.com`, or `ssl-images-amazon.com`, NOR `theadex.com`, `himediads.com`, `ioam.de` or `google-analytics.com`.)

For example, I do want to allow `stackoverflow.com`, `sstatic.net`, `ajax.googleapis.com`, maybe `imgur.com`. (but I do NOT want them to request `casalmedia.com`, `quantserve.com`, `adzerk.net`; I do also NOT want them request two "untrusted" sites, `google-analytics.com` and `scorecardresearch.com`)

For example, I was even forced to allow `themusicfire.com`, just because of a "CloudFlare DDOS protection" which actually runs in JavaScript.
Now, I do allow `themusicfire.com`; let them just forward without quickly forbidding - just to see what happens.
I do also allow `ajax.googleapis.com` and `themfire.com` - now the site "just works, perfectly".
I do even want one of the soundtracks. I'm going to allow `bandcamp.com` and `bcbits.com`, now without forbidding <AUDIO>/<VIDEO>, I do have MEDIA playing the soundtrack on my soundcard!
(I do NOT want them to request `directev.com`, `shorte.st`, `yadro.ru`, `onclickads.net`, `adcash.com`, `quantserve.com` or `google-analytics.com`.)
> you are sacrificing the privacy of being like "most users"
No. I just don't want to be "bad" like "stupid" people who don't care about security. (People usually have AdBlockPlus, to "care" about security.)

Look, I don't want NoScript to be just for Scripts, I do want them to BLOCK everything.
(Just because you're doing nsIContentPolicy.)

This is also why I want Giorgio Maone to try `[PR1] NoScript: RequestPolicy`. What do you think?

(Introducing a `crossDomainSites: new PolicySites()`, I would need much more space in mainMenu.
There is no way of asking four times, if I'm going to "Allow", to "Temporarily Allow", to also "Allow Scripts" or "Temporarily Allow Scripts".
What I'd need is "someone.com: [x] temporarily, allow" ...
However, I don't believe in too much buttons or menuitems, just to allow someone.com.
This is sacrificing usability over the (privacy/)security, just not to request another.com. This is why I'd just go with this PR1.)
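The "cross-top-level-domain" test that PR1 is described as applying to HTML, IMAGE and STYLESHEET loads, walked through on the tagesschau.de policy from the post above, as an added JavaScript example that is not code from the PR or from NoScript. The public-suffix table and the request URLs are constructed for illustration; script permissions are left to NoScript's own policy and are out of scope here.

```javascript
// Added example, not code from PR1 or from NoScript: registrable-domain
// (eTLD+1) comparison of a subresource request against the top-level page,
// which is the check PR1 is described as applying to HTML/IMAGE/STYLESHEET.

// Constructed, partial public-suffix table (a real build would load the Public
// Suffix List). "co.uk" shows why eTLD+1 is not simply the last two labels.
const PUBLIC_SUFFIXES = new Set(["com", "de", "net", "ru", "st", "co.uk"]);

// Registrable domain: the longest known public suffix plus one more label.
// Returns null when the host is itself a public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Unknown suffix: fall back to the last two labels.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// PR1's rule as the thread describes it: a subresource is "same-site" when its
// registrable domain equals the top-level page's, "allowed" when the user has
// allowed that domain, and "blocked" otherwise.
function decideRequest(topLevelUrl, requestUrl, allowedDomains) {
  const pageDomain = registrableDomain(new URL(topLevelUrl).hostname);
  const reqDomain = registrableDomain(new URL(requestUrl).hostname);
  if (pageDomain !== null && reqDomain === pageDomain) return "same-site";
  if (reqDomain !== null && allowedDomains.has(reqDomain)) return "allowed";
  return "blocked";
}

function classifyPage(topLevelUrl, requestUrls, allowedDomains) {
  const verdicts = {};
  for (const u of requestUrls) verdicts[u] = decideRequest(topLevelUrl, u, allowedDomains);
  return verdicts;
}

// Constructed walk-through of the tagesschau.de policy from the thread: its own
// subdomains are same-site, ard.de/sportschau.de allowed, the rest blocked.
const TAGESSCHAU_ALLOWED = new Set(["ard.de", "sportschau.de"]);
const TAGESSCHAU_REQUESTS = [   // constructed URLs
  "https://karten.tagesschau.de/map.png",
  "https://www.ard.de/style.css",
  "https://cdn.sitestat.com/pixel.gif",
  "https://de.ioam.de/tx.io",
];
console.log(classifyPage("https://www.tagesschau.de/", TAGESSCHAU_REQUESTS, TAGESSCHAU_ALLOWED));
```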
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: [PR1] NoScript: RequestPolicy [PR2] Horizontal MenuGroup

Post by barbaz »

metadings wrote:Look, I'm installing people "just" Mozilla Firefox and µblock, if they even care; they usually have "just" Mozilla Firefox and AdBlockPlus.

Now what I want is, if you care: You should use "just" Mozilla Firefox and NoScript.
Care about what?
metadings wrote:
you are sacrificing the privacy of being like "most users"
No.
Skim reading much? -
barbaz wrote:Websites can fingerprint you based on what sites you have allowed. When you choose not to let someone.com load the script from scorecardresearch.com, someone.com could notice that and use it to fingerprint you. By having the added security of NOT running the scorecardresearch script you don't trust, you are sacrificing the privacy of being like "most users".
metadings wrote:Look, I don't want NoScript to be just for Scripts, I do want them to BLOCK everything.
(Just because you're doing nsIContentPolicy.)
Look, I want you to help port NoScript to a pure WebExtension.
(Just because you worked with NoScript code for your PRs.)

Seriously, who gives a **** what you or I want? What matters is whether it makes sense.
metadings
Posts: 4
Joined: Wed Mar 01, 2017 3:52 pm

Re: [PR1] NoScript: RequestPolicy

Post by metadings »

> Websites can fingerprint you based on what sites you have allowed.
Well, yes, they MAY do that. This is okay, because I am visiting the website.
> By having the added security of NOT running the scorecardresearch script you don't trust, you are sacrificing the privacy of being like "most users".
By having added security of NOT running sitestat.com's IMAGE, I am "just" going to tagesschau.de.

Unlike "most users" I don't even request the sitestat.com. sitestat.com does NOT **know** that I am on tagesschau.de.
> Look, I want you to help port NoScript to a pure WebExtension.
> (Just because you worked with NoScript code for your PRs.)
This has nothing to do with WebExtensions. I don't believe in WebExtensions, nor do I believe that they are going to cancel XPCOM in November 2017.
(Well, I do believe Mozilla/AMO says "just WebExtensions", or also "no more XPCOM", but they don't "remove" XPCOM from Firefox.)

(I tried to make a WebExtension, this also worked for blocking requests, but I couldn't block redirects. In webRequest.onHeadersReceived, when the redirect was in action, I changed the HTTP status code from 307 to 400..., but I couldn't ask or confirm if you want to be redirected, and where.
I also remember that I could block SCRIPTs, but I couldn't block HTML-SCRIPTs, so to say the <script tags embedded in the HTML response.)
> Seriously, who gives a **** what you or I want? What matters is whether it makes sense.
Doesn't it make sense?
> I think this stuff shouldn't meddle with script permissions. Just because I want to see one image from office356.com, doesn't mean I want to run all their active content.
This is true - if there is someone.com untrusted, there should be a state of "trust" again, right before you would "(temporarily) allow" someone.com.
Currently you need to "allow" and then "forbid" someone.com, to get someone.com out of the untrusted menu.
Last edited by metadings on Fri Mar 03, 2017 4:45 pm, edited 3 times in total.
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: [PR1] NoScript: RequestPolicy

Post by barbaz »

metadings wrote:By having added security of NOT running sitestat.com's IMAGE,
Wait, wait, aren't you missing something there? Like, if blocking cross-site images added security, that NoScript would be doing it already?

NoScript has protections against cross-site security threats. Cross-site XHR controls, cross-site frame controls, protection against cross-site scripting, cross-site request forgery, cross-site resource abuse, cross-site etc etc. In fact, NoScript has always been ahead of the game on cross-site protections. And Giorgio is very well versed in this security stuff.

It is in no one's interest to deliberately ignore a security problem in a default-deny type addon like NoScript.
metadings wrote:This has nothing to do with WebExtensions.
Well, it has as much to do with WebExtensions as NoScript's use of nsIContentPolicy has to do with blocking images.
metadings wrote:Doesn't it make sense?
No. You are insisting on conflating security and privacy in a 'This club requires jackets. I'm wearing a shirt, they should let me in' type way.

BTW, ignoring the questions posed to you is unproductive -
barbaz wrote:
metadings wrote:Look, I'm installing people "just" Mozilla Firefox and µblock, if they even care; they usually have "just" Mozilla Firefox and AdBlockPlus.

Now what I want is, if you care: You should use "just" Mozilla Firefox and NoScript.
Care about what?