NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Bug reports and enhancement requests
Post Reply
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Post by barbaz »

Please add a UI for viewing/editing/deleting the individual xssUserChoices in NoScript 10 Options. The lack of such UI makes it overly hard for users to investigate and fix problems such as viewtopic.php?f=8&t=25254 .

Thanks

(I seem to recall this was requested before, but search isn't turning up any such thread.)
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Post by therube »

How does an XSS setting even get... oh, you're going to tell me it's from one of those popup dialogs that you get.
And in that dialog there must be a checkbox, to remember or something or the other.
Oh.
And so now you're saying that once a person has checked that box, there is no (straight forward) way to know that they had, much less to affect a change.

+1
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.5
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Post by barbaz »

Bump.

We've just had at least two more threads about this -
viewtopic.php?f=8&t=26162
viewtopic.php?f=7&t=26161
*Always* check the changelogs BEFORE updating that important software!
-
Sirus
Posts: 5
Joined: Thu Dec 10, 2020 4:08 am

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Post by Sirus »

+ 1

I found out we could edit the XSS list by exporting the NoScript config (Export > noscript_data.txt > search for "xssUserChoices" and modify) which would be a workaround in the meantime while we wait for someone to code a proper UI, but that doesn't work; importing a modified noscript_data.txt doesn't stick - when I export the config afterwards, it's always the same old config. Even if I restart the browser in between.

Any thoughts? Should I flag this as an import bug?
Thanks!
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Post by Giorgio Maone »

Sirus wrote: Thu Dec 10, 2020 4:45 am Importing a modified noscript_data.txt doesn't stick - when I export the config afterwards, it's always the same old config. Even if I restart the browser in between.
The most likely reason for such a behavior would be your edits causing the JSON to become invalid.
Could you double check? (I'm adding a more explicit failure mode for that in 11.1.7, BTW).
Also, in order to clear the XSS settings you need an empty xssUserChoices property (

Code: Select all

xssUserChoices: {}
).
Just removing it outright would not work: is that your case?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Sirus
Posts: 5
Joined: Thu Dec 10, 2020 4:08 am

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Post by Sirus »

Correct! Indeed, I left a comma ( , ) when I removed the last entry, effectively making the JSON invalid. Having a proper error message would've made me find the issue. :D

And also correct, flushing all my saved XSS choices is what I wanted to avoid.

Looking forward to that new version with explicit failure!
Thank you!!
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Post by Giorgio Maone »

Please check latest development build:
v 11.2rc2
============================================================
x Updated TLDs
x [XSS] New UI to reveal and selectively remove permanent
user choices
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Post by Giorgio Maone »

barbaz wrote: I see how to use the UI for viewing & selectively deleting xssUserChoices. But how do I use this UI to add an XSS choice to the list (or edit an existing one)? i.e. add or modify an XSS choice without triggering an actual XSS prompt and without import/export hacks?
That's not planned, because the way user choices work right now would require typing the origin(s) and the destination for each rule, which seems to much of a hassle if compared to the most common use case of "hitting" a false positive and working around it through the prompt.

Notice also that if you've been blocked by a permanent rule on a page (something which currently puzzles users a lot), you get a blue "XSS" badge instead of the red count and you get a per-tab filtered version of the same "Clear XSS user choices" UI inside the popup.
-
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Post by barbaz »

(Err, Giorgio, not sure how you managed to accidentally edit my post instead of replying :P :mrgreen: I changed authorship of the post to Giorgio.)
Giorgio Maone wrote: Mon Jan 25, 2021 4:34 pm That's not planned, because the way user choices work right now would require typing the origin(s) and the destination for each rule, which seems to much of a hassle if compared to the most common use case of "hitting" a false positive and working around it through the prompt.
Too much of a hassle to implement, or too much of a hassle for some users to ever use?

Because without that ability in NoScript Options, this UI cannot handle the case of persisting choices in a browser that's usually run in a sandbox that gets dumped on quit, which I reckon is not uncommon among security-minded NoScript users.
(Something that includes the ability to copy+paste would save quite a bit of typing ;) )
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply