Hidden default whitelist!? PLEASE GET RID OF IT!

Bug reports and enhancement requests
Post Reply
Waybie
Posts: 8
Joined: Fri May 15, 2020 1:08 pm

Hidden default whitelist!? PLEASE GET RID OF IT!

Post by Waybie »

I just discovered to my horror that NoScript has a default "whitelist" (hidden to users) which allows scripts like YouTube, Google and Gstatic to run automatically without the user's permission!

Frankly I find this outrageous! Like many people, I use NoScript for privacy - so I can ONLY allow a script on rare occasions when I choose to. The very last site I want to run scripts from is big organizations like Google, who track users and collect data. Has NoScript been bought out by Google?

If you are not controlled by Google then I urge you to either:

1) Remove this hidden "whitelist" from your add-on so that Google (or any site) is not allowed by default!
2) If you insist on including the whitelist then make it optional, ask users if we want it when we install the add-on, and add an option to disable it. (There is no mention of any "whitelist" in the options.)
Mozilla/5.0 (Windows NT 10.0; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4086.0 Safari/537.36
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Hidden default whitelist!? PLEASE GET RID OF IT!

Post by Giorgio Maone »

What's hidden?
BTW NoScript 10.x has no concept of "whitelist" anymore.
There's a default list of sites which are pre-marked as TRUSTED for users' convenience, and which can be changed to DEFAULT (i.e. erased) or even to UNTRUSTED at any time, either from the main UI (if you're visiting them), or from NoScript Options > Per-site Permissions.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Hidden default whitelist!? PLEASE GET RID OF IT!

Post by barbaz »

Did you even bother to read about NoScript at all before installing it?
Waybie wrote: Fri May 15, 2020 1:39 pm NoScript has a default "whitelist"
FAQ 1.5
Waybie wrote: Fri May 15, 2020 1:39 pm I use NoScript for privacy -
NoScript is a security tool, not a privacy tool.
Waybie wrote: Fri May 15, 2020 1:39 pm 2) If you insist on including the whitelist then make it optional, ask users if we want it when we install the add-on, and add an option to disable it. (There is no mention of any "whitelist" in the options.)
Similar has already been requested for Tor Browser users.
*Always* check the changelogs BEFORE updating that important software!
-
Waybie
Posts: 8
Joined: Fri May 15, 2020 1:08 pm

Re: Hidden default whitelist!? PLEASE GET RID OF IT!

Post by Waybie »

Giorgio Maone wrote: Fri May 15, 2020 1:58 pm There's a default list of sites which are pre-marked as TRUSTED for users' convenience, and which can be changed to DEFAULT (i.e. erased) or even to UNTRUSTED at any time, either from the main UI (if you're visiting them), or from NoScript Options > Per-site Permissions.
Thanks for the info. My problem with this is that

a) Users are not informed about these pre-trusted sites at installation
b) There's no simple way to quickly disable them all with one click

I recommend that when the add-on is first installed, it says something like:

Thank you for installing NoScript.
Would you like to allow a small list of trustworthy sites, or block ALL sites to begin with?

☑ Allow trustworthy sites (click here for a list of sites)
☐ Block ALL sites to begin with
barbaz wrote: Fri May 15, 2020 2:09 pm Did you even bother to read about NoScript at all before installing it?
Well it seems to me that the purpose of the add-on is quite a simple concept, made clear from the description on the main page, and the controls are self-explanatory. So no, like probably 99% of users, I did not seek out the lengthy FAQ and spend hours reading through it before installing.

Then again, it's probably about 15 years since I first installed, and the add-on has changed a lot over that time. I don't remember any whitelist in the early days? I forget.

But everything about the add-on, from its uncompromising "no symbol" logo, to its recommendation by privacy advocates - it all gives the impression that NoScript uses a simple 'opt-in' system which gives the user full control over what is allowed and what isn't.
barbaz wrote: Fri May 15, 2020 2:09 pm NoScript is a security tool, not a privacy tool.
I realize that it's primarily a security tool, but clearly it is also useful to many people as a privacy tool, and the developers must be well aware that a large portion of its users have both security and privacy in mind.

Besides, the distinction between security and privacy is often a fine one. For example, when big, evil companies like Microsoft, Amazon and Yahoo get hold of people's personal data, spy on them, log everything they type, and access their webcam without permission - many of us consider that a security breach.
Last edited by barbaz on Fri May 15, 2020 6:01 pm, edited 1 time in total.
Reason: fix quote attribution
Mozilla/5.0 (Windows NT 10.0; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4086.0 Safari/537.36
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Hidden default whitelist!? PLEASE GET RID OF IT!

Post by barbaz »

Waybie wrote: Fri May 15, 2020 4:18 pm b) There's no simple way to quickly disable them all with one click

I recommend that when the add-on is first installed, it says something like:

Thank you for installing NoScript.
Would you like to allow a small list of trustworthy sites, or block ALL sites to begin with?

☑ Allow trustworthy sites (click here for a list of sites)
☐ Block ALL sites to begin with
The security rationale for this would probably only apply to Tor users. For typical users, there's no security reason to go beyond just being able to remove default-whitelisted entries, as you can now.
Waybie wrote: Fri May 15, 2020 4:18 pm a) Users are not informed about these pre-trusted sites at installation
This could be solved by, similar to your suggestion, having an onboarding page informing users that NoScript has a default whitelist, and linking the FAQ entry for more info. I'm not sure whether that would overall be an improvement or not. I can see both sides.
Waybie wrote: Fri May 15, 2020 4:18 pm Well it seems to me that the purpose of the add-on is quite a simple concept, made clear from the description on the main page, and the controls are self-explanatory. So no, like probably 99% of users, I did not seek out the lengthy FAQ and spend hours reading through it before installing.
Even just the descriptions on NoScript's AMO page makes clear that NoScript's purpose is security, it says nothing about privacy.
Waybie wrote: Fri May 15, 2020 4:18 pm I realize that it's primarily a security tool, but clearly it is also useful to many people as a privacy tool,
And whoever relies on NoScript for privacy is getting a false sense of privacy. Any privacy protection NoScript provides is only a side-effect of its security measures. It's trivial for a tracker to "circumvent" NoScript's privacy protection, and in fact many of them do so.
Waybie wrote: Fri May 15, 2020 4:18 pm a large portion of its users have both security and privacy in mind.
True. And those users use NoScript for security alongside other extension(s) for privacy.

So, going back to this -
Waybie wrote: Fri May 15, 2020 1:39 pm privacy - so I can ONLY allow a script on rare occasions when I choose to.
For this case you maybe better off with µMatrix (if you're advanced user) or ScriptSafe, they are more privacy-oriented than NoScript.
*Always* check the changelogs BEFORE updating that important software!
-
Waybie
Posts: 8
Joined: Fri May 15, 2020 1:08 pm

Re: Hidden default whitelist!? PLEASE GET RID OF IT!

Post by Waybie »

Thanks for the reply, Barbaz. Very helpful information. It guess I must have overestimated how much importance NoScript places on privacy. Though the add-on is surely very attractive to privacy lovers. I'm sure I can't be the only user who feels an enhanced sense of privacy from seeing scripts like Google Analytics being blocked.

For more privacy-focused script blocking, I will consider alternative add-ons as you suggested (probably in addition to NoScript as frankly I can't imagine not having NoScript!).
barbaz wrote: Fri May 15, 2020 6:00 pm This could be solved by, similar to your suggestion, having an onboarding page informing users that NoScript has a default whitelist, and linking the FAQ entry for more info. I'm not sure whether that would overall be an improvement or not. I can see both sides.
Putting aside the issue of security vs privacy, I think it can only be a good thing for users to understand how the program is working. A quick mention of the whitelist could only be helpful and informative.

I recently installed NoScript on a new Firefox profile and kept getting confused as to why sites like Google were seemingly becoming un-blocked! (At first I wondered if some kind of malware was changing my settings!) It had me scratching my head, and re-installing several times, before I read about the whitelist in the FAQ.

IMHO, the kind of people who install NoScript are people who like to be in control of their computer, so giving us the opportunity to accept or reject the default whitelist would give a sense of empowerment, as well as educating us about the workings of the add-on.

Plus - in terms of the add-on's marketing image - mentioning the whitelist at installation makes the add-on look smarter, rather than a simple dumb tool which needs the user to make every last decision. It brags about what the add-on is doing for you.

Another issue is whether or not the whitelist remains permanently fixed after initial installation, or if it is periodically updated. That's something people might want to know, and this could be clarified at installation.
Mozilla/5.0 (Windows NT 10.0; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4086.0 Safari/537.36
Post Reply