
NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Posted: Sun Oct 14, 2018 4:19 am
by barbaz
Please add a UI for viewing/editing/deleting the individual xssUserChoices in NoScript 10 Options. The lack of such UI makes it overly hard for users to investigate and fix problems such as viewtopic.php?f=8&t=25254 .

Thanks

(I seem to recall this was requested before, but search isn't turning up any such thread.)

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Posted: Sun Oct 14, 2018 12:41 pm
by therube
How does an XSS setting even get... oh, you're going to tell me it's from one of those popup dialogs that you get.
And in that dialog there must be a checkbox, to remember or something or the other.
Oh.
And so now you're saying that once a person has checked that box, there is no (straightforward) way to know that they had, much less to effect a change.

+1

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Posted: Thu Nov 12, 2020 3:05 pm
by barbaz
Bump.

We've just had at least two more threads about this -
viewtopic.php?f=8&t=26162
viewtopic.php?f=7&t=26161

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Posted: Thu Dec 10, 2020 4:45 am
by Sirus
+ 1

I found out we could edit the XSS list by exporting the NoScript config (Export > noscript_data.txt > search for "xssUserChoices" and modify) which would be a workaround in the meantime while we wait for someone to code a proper UI, but that doesn't work; importing a modified noscript_data.txt doesn't stick - when I export the config afterwards, it's always the same old config. Even if I restart the browser in between.

Any thoughts? Should I flag this as an import bug?
Thanks!

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Posted: Thu Dec 10, 2020 12:19 pm
by Giorgio Maone
Sirus wrote: Thu Dec 10, 2020 4:45 am Importing a modified noscript_data.txt doesn't stick - when I export the config afterwards, it's always the same old config. Even if I restart the browser in between.
The most likely reason for such a behavior would be your edits causing the JSON to become invalid.
Could you double check? (I'm adding a more explicit failure mode for that in 11.1.7, BTW).
Also, in order to clear the XSS settings you need an empty xssUserChoices property (xssUserChoices: {}).
Just removing it outright would not work: is that your case?

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Posted: Thu Dec 10, 2020 4:29 pm
by Sirus
Correct! Indeed, I left a comma ( , ) when I removed the last entry, effectively making the JSON invalid. Having a proper error message would've made me find the issue. :D

And also correct, flushing all my saved XSS choices is what I wanted to avoid.

Looking forward to that new version with explicit failure!
Thank you!!
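
Added example, not part of the thread and not NoScript's own code: a pre-import check for a hand-edited noscript_data.txt that catches the two failure modes discussed above (a stray comma making the JSON invalid, and xssUserChoices removed outright instead of left empty), plus a helper that removes entries through a JSON parser. It assumes xssUserChoices is a top-level property of the exported object; the sample keys and values are constructed and treated as opaque.

```python
import json

# Constructed sample of an exported noscript_data.txt (entries are illustrative).
SAMPLE = """{
  "policy": {},
  "xssUserChoices": {
    "https://a.example>https://b.example": "allow",
    "https://c.example>https://d.example": "block"
  }
}"""

# Constructed hand edit: last entry deleted, preceding comma left behind.
BROKEN = """{
  "xssUserChoices": {
    "https://a.example>https://b.example": "allow",
  }
}"""

def check_export(text):
    """Return (ok, message) for the text of an edited export."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as e:
        lines = text.splitlines()
        src = lines[e.lineno - 1].strip() if e.lineno <= len(lines) else ""
        return False, f"invalid JSON at line {e.lineno}, col {e.colno}: {e.msg} near {src!r}"
    if not isinstance(data, dict):
        return False, "top level is not a JSON object"
    if "xssUserChoices" not in data:
        return False, "xssUserChoices missing; use an empty object {} to clear it"
    if not isinstance(data["xssUserChoices"], dict):
        return False, "xssUserChoices is not an object"
    return True, f"{len(data['xssUserChoices'])} XSS user choice(s)"

def remove_choices(text, keys):
    """Drop the given entries with a JSON parser so no stray comma can remain;
    the property is kept (as {} if emptied) rather than deleted."""
    data = json.loads(text)
    choices = data.get("xssUserChoices", {})
    for key in keys:
        choices.pop(key, None)
    data["xssUserChoices"] = choices
    return json.dumps(data, indent=2)

if __name__ == "__main__":
    print(check_export(BROKEN))
    print(check_export(remove_choices(SAMPLE, ["https://c.example>https://d.example"])))
```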

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Posted: Mon Jan 25, 2021 2:23 pm
by Giorgio Maone
Please check latest development build:
v 11.2rc2
============================================================
x Updated TLDs
x [XSS] New UI to reveal and selectively remove permanent
user choices

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Posted: Mon Jan 25, 2021 4:34 pm
by Giorgio Maone
barbaz wrote: I see how to use the UI for viewing & selectively deleting xssUserChoices. But how do I use this UI to add an XSS choice to the list (or edit an existing one)? i.e. add or modify an XSS choice without triggering an actual XSS prompt and without import/export hacks?
That's not planned, because the way user choices work right now would require typing the origin(s) and the destination for each rule, which seems too much of a hassle if compared to the most common use case of "hitting" a false positive and working around it through the prompt.

Notice also that if you've been blocked by a permanent rule on a page (something which currently puzzles users a lot), you get a blue "XSS" badge instead of the red count and you get a per-tab filtered version of the same "Clear XSS user choices" UI inside the popup.

Re: NoScript 10 Needs UI for Viewing/Editing xssUserChoices

Posted: Mon Jan 25, 2021 5:27 pm
by barbaz
(Err, Giorgio, not sure how you managed to accidentally edit my post instead of replying :P :mrgreen: I changed authorship of the post to Giorgio.)
Giorgio Maone wrote: Mon Jan 25, 2021 4:34 pm That's not planned, because the way user choices work right now would require typing the origin(s) and the destination for each rule, which seems too much of a hassle if compared to the most common use case of "hitting" a false positive and working around it through the prompt.
Too much of a hassle to implement, or too much of a hassle for some users to ever use?

Because without that ability in NoScript Options, this UI cannot handle the case of persisting choices in a browser that's usually run in a sandbox that gets dumped on quit, which I reckon is not uncommon among security-minded NoScript users.
(Something that includes the ability to copy+paste would save quite a bit of typing ;) )