Feature Request: treat JavaScript like other plugins

Aspirant
Junior Member
Posts: 27
Joined: Mon Sep 28, 2009 12:21 am


Post by Aspirant » Mon Sep 28, 2009 12:53 am

I request that the NoScript options, on the Plugins tab, include a checkbox called "Forbid JavaScript", where the checkbox is checked by default. This would increase NoScript's flexibility to support allowing JavaScript globally (uncheck the new checkbox) while forbidding other plugins with a whitelist.

Today, I have to check the option "Apply these restrictions to trusted sites too" in order to block other plugins while allowing JavaScript globally. With Silverlight forbidden, the Netflix site will not work with streaming video (NoScript fails to display a placeholder). I would like to allow plugins for the Netflix site while forbidding Silverlight for sites not in the white list. But I cannot do this with JavaScript globally allowed today.

I understand that technical users achieve better security by disabling JavaScript globally. I explained in a previous topic how my spouse learns to allow everything for each site when sites are frequently unusable with JavaScript disabled. See viewtopic.php?f=7&t=2658
That same topic clarifies how NoScript provides many useful protections even when JavaScript is globally allowed. Today, I have to allow Silverlight on all sites just because I need it on the Netflix site. I am really hoping that my request is a small change to help support users like us.

Thanks for making NoScript an essential part of my PC security.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Feature Request: treat JavaScript like other plugins

Post by Tom T. » Tue Sep 29, 2009 8:51 am

JavaScript is already forbidden by default in NoScript. That is why it is called, "No Script".

Clicking NoScript > Options > General, you can check "Scripts globally allowed" -- but why would you want to?
You may allow any script that you wish through the NoScript menu at each site.

Your feature request is already the core of NoScript, its raison d'etre, if you will.

Thanks for your interest.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard


Post by Aspirant » Tue Sep 29, 2009 4:20 pm

I understand that the original version of NoScript pioneered the strategy of default-deny and whitelisting with JavaScript. But NoScript is much more sophisticated today by applying this strategy to plugins and IFRAMES and with its ClearClick, XSS, JAR, HTTPS and ABE protections. Thus, even with JavaScript globally allowed, NoScript is very powerful and useful for helping the user with security and privacy in a way that is unmatched by any other solution.

Today's NoScript users are technically savvy and motivated enough to make good decisions about whether to allow JavaScript or not for a new site. But the unsophisticated user, which I believe is the majority of the population, is either unable or unmotivated to make this decision. I used to have Norton Internet Security on our PC, which (at that time) supported default-deny and whitelisting with JavaScript. At first, my spouse called me every time a new site didn't work and asked me what to do. After I showed her how to whitelist several times, she automatically whitelisted every new site because she wanted to see it. She also got frustrated with the inconvenience of the extra step required to see a significant percentage of new sites. To resolve this, I allowed JavaScript globally and researched other security methods.

I suspect that Giorgio's first motivation is to help protect the world from evil web sites. My request allows NoScript to be used by more unsophisticated users, and thus a larger percentage of the population. Firefox is growing in market share (see http://weblogs.mozillazine.org/asa/), so the percentage of unsophisticated Firefox users is growing too. Since default-deny works for the loyal fans of NoScript, I am not suggesting to change the default behavior. My request is for additional flexibility to allow NoScript to work for additional people. Don't we want to protect people even though we don't agree with their choices?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3


Post by Tom T. » Tue Sep 29, 2009 9:12 pm

These same unsophisticated users are extremely unlikely to change a global-allow default, thereby rendering NS almost useless, at least for its main purpose.
The Quick Start Guide should cover this basic concept. That is why it was written.

Aspirant wrote: She also got frustrated with the inconvenience of the extra step required to see a significant percentage of new sites.

I get very frustrated with the number of keys I have to carry (house, cars, office, mailbox, etc.) and with the number of usernames and passwords I have to manage. In a world of honest people, none of that would be necessary. Unfortunately, there are bad people in the world. Security is always the opposite of convenience. Sad, but true. Honest world = no keychain. Real world = must carry keychain.

Aspirant wrote: I am not suggesting to change the default behavior. My request is for additional flexibility to allow NoScript to work for additional people.

Please see my previous comment. The ability to allow scripting globally is built right into the user interface, in the very first tab. But if you're never going to lock your doors, why put locks on them, and why carry keys?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard


Post by Aspirant » Wed Sep 30, 2009 5:09 pm

Tom,

I am not trying to change how you achieve security and a comfortable balance between security and usability. When you use phrases like "almost useless ... for its main purpose" and "if you're never going to lock your doors", I get the impression that you don't tolerate different opinions on globally allowing JavaScript. If you don't administer a PC for your spouse, you may make different choices than me.

I am aware of many JavaScript vulnerabilities and take many precautions. For example, I have Comodo Internet security software, which prevents buffer overflows (and hence such attacks). Also, my spouse and I close and re-open Firefox before and after visiting our financial web sites. My other security measures are too numerous to mention here. Please don't dismiss me as a person who prefers to leave my doors unlocked.

Since NoScript already has the option of globally allowing JavaScript, my feature request actually improves security for persons who choose this. Today, if a user globally allows JavaScript and has one important site that fails when NoScript forbids Silverlight, the user must uncheck "Forbid Microsoft Silverlight". My feature request allows forbidding Silverlight by default because the whitelist would work for plugins when JavaScript is globally enabled. Even if my feature request doesn't have any benefit for your NoScript configuration, I hope you can support improved security for those who make different choices.

Best regards
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3


Post by Tom T. » Fri Oct 02, 2009 7:05 am

Aspirant,

I did not mean to disparage or dismiss you. I sometimes use colorful analogies to make my points. I'm sorry if you took them as offensive.

However, I must point out that there is considerable evil that can be done by Javascript alone, without any other plugins. In fact, that is why Giorgio Maone sat down and wrote NoScript in the first place. The control of other plugins was added later, as NS matured and these other threats became major factors.

There are Javascript attacks other than buffer overflows. I'm not personally familiar with Comodo, but I haven't heard of any product that can truthfully guarantee protection against all buffer overflows, including those yet to be discovered. I agree on always closing/reopening the browser before and after visiting sensitive sites, assuming you have Firefox set to delete all private data upon closing (else it dilutes the value of this). But this still does not protect you from malicious JS at the next ordinary site you visit. (We'll hope that your bank site hasn't been compromised, though it's happened.)
Aspirant wrote: Today, if a user globally allows JavaScript and has one important site that fails when NoScript forbids Silverlight, the user must uncheck "Forbid Microsoft Silverlight"

I don't use Silverlight, but let's take something similar, Flash. I have all plugins blocked by default. When I visit YouTube, rather than uncheck "Forbid Flash", I simply search for the video I want, see the red NS placeholder (red block-logo), click on it, get a confirmation message, "Do you wish to allow...", click OK, and the video plays. That way, I'm exposing myself to only one Flash video instead of a million, and I don't have to remember to re-check "Forbid Flash" when I leave the site.

If you are referring to being able to whitelist plugins on a site-specific basis, that is a feature that has been on the to-do list for a long time, and I believe will be in whenever NS 2.0 comes out. Unfortunately, developer Giorgio Maone is constantly busy "putting out fires" that spring up (new threats, new vulnerabilities and exploits, etc.) I think in the meantime, if you use the method I described, or else click the NS menu and look for "blocked objects", you'll find that you can allow them temporarily without messing with the configuration.
Aspirant wrote: the whitelist would work for plugins when JavaScript is globally enabled.

I'm not sure I'm understanding you completely here, but if you forbid all plugins and all Javascript by default, then go to NoScript > Options > Plug-ins and uncheck "Apply these restrictions to trusted sites too", then whenever you whitelist a site for scripting, i.e., add it to your "trusted" list, or whitelist, then the plugins will automatically be allowed there, too. Yet you still are protected from Javascript and all of the plugins at the sites that you have not whitelisted. Would this accomplish what you want? ... I prefer to allow only the single plugin needed versus allowing all of them at my trusted sites, but as you said, we may have different balances in our security comfort levels, so I think this suggestion would still improve your overall security while not inconveniencing you or your wife in the manner described.

Aspirant wrote: If you don't administer a PC for your spouse, you may make different choices than me.

I don't directly administer, but offer support to, users at all levels, from first-time computer users through advanced users. I have a friend who has a Master's Degree in Computer Science, 25 years' experience, first as a programmer, then at the management level, but all in industrial applications, none Internet-related. This person has used a number of programming languages, from BASIC on through ADA, C, etc., but not Javascript, because, for some strange reason, NASA, for example, chooses not to use Javascript for command and control of the Space Shuttle. So I have had to assist this expert professional a little with NoScript, because in that area, this person is as much a novice as your wife. Is it worth it? Let me ask you a few questions, continuing our interesting discussion, please!

When your wife (or you) sat behind the wheel of a car for the first time, did either of you immediately pop it in gear, hop on the freeway, and do 70 mph? Did you know how to parallel-park already? I'm guessing that each of you had either formal instruction, or a friend or parent help you, and probably spent some hours, if not days or weeks, driving around the parking lot before getting on the road for the first time.

I learned how to fly. It took me about 40 or 50 hours of instruction to receive my private pilot's license.

When your wife sat down in front of a computer for the first time ever, did she already know how to boot it? Shut it down safely? Put it on standby? Open, create, move, rename files and folders? Navigate the Web? Surely someone had to teach her these things, and surely it took hours, or a number of sessions over days or weeks, before she felt fully comfortable on her own sending email, downloading photos, doing online banking, etc.

All I am trying to say is that unfortunately, the Internet is a very dangerous place, as dangerous in its own way as a crowded highway. To drive on it *safely* takes some instruction. The proof of this is that random surveys and inspections have shown that 80-90% of home PCs have some form of malware infection.

My friend mentioned above, the professional, one day saw a new toolbar appear in the browser. I quickly recognized it as spyware. S/he (trying to protect privacy, please) had no idea where it came from, and didn't remember doing anything that would have allowed it. Yet, there it was. We did a rather painful extraction, which included some significant edits to the Windows Registry, something no novice or average home user should attempt, but we got rid of it.

The bottom line here is that I think a few sessions of instruction in how to use NoScript's powerful protection to maximum advantage would pay off in the long run, and, IMHO, are just as necessary to drive the Internet superhighway as driving lessons are before driving a car on the highway, or the local streets.

We are aware that NoScript can be challenging to novices. That is why the Quick Start guide was written, the FAQ, the Common Troubleshooting sticky post, the Firefox Self-Help Links sticky post, etc. Making it more user-friendly is always a goal. Giorgio has talked about putting a more "consumer-oriented shell" around it. These things take time (a small donation doesn't hurt either, as every hour Giorgio spends on this freeware is an hour away from his paying job), but in the meantime, please consider what I have said about educating your wife to self-sufficiency in NoScript, and please let her know that we are always here to help if she has any questions to which she can't find answers in the above resources. IMHO, the response times at this forum to critical technical or user-problem issues are faster than at any other support forum I've seen. Give her a chance, and let us know how we can help.

Thanks for your time and continued interest.
Best wishes,
Tom
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard


Post by Aspirant » Sat Oct 03, 2009 8:55 pm

Tom,

Thanks for spending considerable time to respond. I am trying to keep this topic focused on the feature request. I am interested in discussing the general issue of whether JavaScript vulnerabilities can be addressed without default-deny. I opened another topic for this at viewtopic.php?f=8&t=2768&p=11290#p11290, which includes details on Comodo's buffer overflow protection.

This is from my opening post:
Aspirant wrote: Today, I have to check the option "Apply these restrictions to trusted sites too" in order to block other plugins while allowing JavaScript globally. With Silverlight forbidden, the Netflix site will not work with streaming video (NoScript fails to display a placeholder). I would like to allow plugins for the Netflix site while forbidding Silverlight for sites not in the white list. But I cannot do this with JavaScript globally allowed today.


Tom T. wrote:I don't use Silverlight, but let's take something similar, Flash. I have all plugins blocked by default. When I visit YouTube, rather than uncheck "Forbid Flash", I simply search for the video I want, see the red NS placeholder (red block-logo), click on it, get a confirmation message, "Do you wish to allow...", click OK, and the video plays.


As my opening post mentions, NoScript fails to display a placeholder for Silverlight on the Netflix site, so my only option today is to toggle NoScript's forbid option on the Silverlight plug-in.

Aspirant wrote:If you are referring to being able to whitelist plugins on a site-specific basis


No, I am just requesting that NoScript provides a way to default-deny for the forbidden plug-ins, with a whitelist, when JavaScript is globally allowed. The whitelist is the new feature in this scenario.

With JavaScript globally allowed on NoScript 1.9.9.05, and unchecking the option "Apply these restrictions to trusted sites too", forbidding plug-ins has no effect on those plug-ins! Perhaps this is a NoScript bug. If this behavior were changed, I wouldn't need to check "Apply these restrictions to trusted sites too", and I wouldn't be requesting whitelist support in this scenario.

Since you don't use Silverlight, please confirm my bug scenario with another plug-in. For example:
- allow JavaScript globally
- remove YouTube from your whitelist
- forbid flash plug-ins
- uncheck the option "Apply these restrictions to trusted sites too"
- play a video on YouTube and notice that there is no placeholder for the Flash plug-in (but I expect a placeholder)
- check the option "Apply these restrictions to trusted sites too"
- play a video on YouTube and notice that there is now a placeholder for the Flash plug-in

I hope that all of our discussion has helped to bring out a bug, which, if fixed, would eliminate my feature request.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3


Post by Tom T. » Sat Oct 03, 2009 9:39 pm

Aspirant wrote:Since you don't use Silverlight, please confirm my bug scenario with another plug-in. For example:
- allow JavaScript globally
- remove YouTube from your whitelist
- forbid flash plug-ins
- uncheck the option "Apply these restrictions to trusted sites too"
- play a video on YouTube and notice that there is no placeholder for the Flash plug-in (but I expect a placeholder)
- check the option "Apply these restrictions to trusted sites too"
- play a video on YouTube and notice that there is now a placeholder for the Flash plug-in

I hope that all of our discussion has helped to bring out a bug, which, if fixed, would eliminate my feature request.

Aspirant, thank you for the very specific set of instructions to reproduce your issue. I'm sorry that it's taken so long for us to get to your exact issue, but those instructions were what I needed. (Actually, it's what most tech support requests need :) )

I've successfully reproduced both scenarios. I don't believe this would be classed as a "bug". What is happening is that when you allow Scripting Globally, you are in essence declaring the entire World Wide Web to be your "trusted" list. You've whitelisted the world, in essence, declaring all sites to be trusted. Therefore, when you uncheck "Apply these restrictions to trusted sites too", you are in essence negating all plug-in protection everywhere, since all sites are trusted.

When you or I re-check "Apply to trusted", then the plug-in protection works. YouTube and all others are "trusted", in this scenario, so the Flash plug-in is blocked, and the placeholder appears as you said.

I believe I now understand your request. It seems inconsistent to allow JS globally, but forbid the plugins, since, as mentioned, JS alone can do much evil.
Although the option to allow scripting globally is there, because of requests from some users or for test purposes, I don't believe that we wish to do anything that would encourage that option; on the contrary, it is discouraged as much as possible. IMHO, spending a little time to use the default-deny of JS, and learning how to temporarily allow, or whitelist, trusted sites is far more worthwhile.

However, I don't set the policy on these matters. Now that I understand your specific request, I will ask NoScript Developer Giorgio Maone to review your request and respond. It is his decision whether to include the feature that you asked for, or any other. Please allow a couple of days for his response.

Thank you for clarifying your request, and for your continued interest in NoScript.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20


Post by Aspirant » Sat Oct 03, 2009 10:58 pm

http://noscript.net/features#xss says:
NoScript features unique Anti-XSS counter-measures against XSS Type 0 (DOM based) and XSS Type 1 (Reflective, absolutely the most common) attacks targeted to whitelisted sites.


Tom T. wrote: I don't believe this would be classed as a "bug". What is happening is that when you allow Scripting Globally, you are in essence declaring the entire World Wide Web to be your "trusted" list. You've whitelisted the world, in essence, declaring all sites to be trusted. Therefore, when you uncheck "Apply these restrictions to trusted sites too", you are in essence negating all plug-in protection everywhere, since all sites are trusted.


If Giorgio's intention is to whitelist the world when JavaScript is globally allowed, then Anti-XSS wouldn't work fully in this scenario because it is looking for attacks from non-whitelisted sites to whitelisted sites. However, Giorgio says Anti-XSS protection does work with JavaScript globally allowed (see viewtopic.php?f=7&t=2658#p10879). So there is an inconsistency here somewhere.

Presently, you think I am inconsistent or foolish to allow JavaScript globally, and I think you are inconsistent or foolish to surf without Comodo's buffer overflow protection given that NoScript allows JavaScript for trusted sites (which are not always trustworthy). At such a high level, this is more like a religious debate that seems unresolvable. However, I suspect we have things to learn from each other. So, instead, I offer to dialog with you on this subject in this thread:
viewtopic.php?f=8&t=2768
By taking this debate from the subjective, high level to the objective, detailed level, I hope to either adopt your strategy or have you recognize that my strategy is reasonable. If you and Giorgio accept that my strategy is reasonable, I am hoping there will be better support for the option of allowing JavaScript globally (such as the whitelist for plug-ins blocking that works).

Looking forward to our dialog...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3


Post by Tom T. » Sun Oct 04, 2009 2:42 am

Aspirant,

No offense intended whatsoever, but I'm an unpaid volunteer here, as all support team members are, and therefore prefer to spend whatever time I can afford here on solving users' problems or responding to inquiries such as specific feat reqs, rather than engaging in philosophical discussions, as interesting as I'm sure that would be. I'm sure you understand and won't take any offense. (Enhancing user safety, to me, includes encouraging full use of NS capability, but not to continue after understanding the other party does not care to do so.) The req has been passed to the decision-maker.

I took a quick look at your Comodo link. It was to only their general site, not specifically to the buffer-overflow countermeasure. I saw "memory firewall" listed in the features, but couldn't quickly find specific information on it, and didn't want to spend time hunting through a (typically) large site crammed with sales points and short on specifics.

On brief reflection, though, I'd guess that what they're probably referring to is DEP (Data Execution Prevention), a sw feature of Windows at least since XP SP2, possibly earlier, and a hw feature of most processors built since about 2005. Unfortunately, in both cases, both were turned off by default. If Comodo is turning sw and hw DEP on for novice users who don't know to do this themselves, or don't know how, then that's commendable, but you can do it yourself.

Sw:
Open the System Properties box, either through Control Panel or by right-clicking My Computer > Properties.
Click the Advanced tab.
Click the Data Execution Prevention tab.
Click "Turn on DEP for all programs and services except those I select".
"OK" all the way out.

The "exceptions" box is mostly there in case a poorly-written program should cause false positives; then you can add it to the exceptions if you are sure that that is the issue. However, since this feature has received more widespread use, most such programmers are writing to comply. I have no exceptions.

Turning on hw DEP is done by accessing the system BIOS, the procedure for which varies by manufacturer. Usually, it is in the Advanced tab of the BIOS, titled either "Enable execute-bit disabling", or "No-execute bit enabled", or something similar. This prevents code from being executed in areas of RAM that were intended to be data buffers only.

Steve Gibson offers a small, light freeware tool for determining if your system supports hw DEP, and, if so, whether it has been enabled, here, along with further explanation of this feature.

I have heard, but not personally verified, that in the past few years, either Microsoft and/or some OEMs have begun enabling either or both of these by default. It is sad to note that had this been the case eight or ten years ago, hundreds of exploits that occurred during those years would have been prevented. The malicious code itself might still be injected in a number of ways, but it would not be able to execute, which is "good enough".

Please note that we are no longer discussing NoScript issues, and that therefore none of the above is to be construed as the advice or recommendation of this forum or its admin, but only my personal opinion, as per the discussion that you invited. Therefore, there are no warranties on such information, and it is to be used at your own risk only. You should instead contact either Microsoft support resources or your computer's manufacturer's support resources for official information on these topics.

If you do find out that this is in fact what Comodo is doing, that would be interesting. I didn't think of it before, because it sounded as though they were claiming some exclusive new invention of their own that would prevent BO attacks, which sounded a bit snake-oil-ish. A lot of sw vendors charge people for doing what they could do themselves, but if that's the only way that user would receive the protection, then they are still better off. Cheers.

P. S. Just out of curiosity, may I ask to what it is you aspire? :)
Last edited by Tom T. on Sun Oct 04, 2009 2:46 am, edited 1 time in total.
Reason: typo
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20


Post by Aspirant » Sun Oct 04, 2009 3:43 am

Hi Tom,

Here is the info on buffer overflow protection I put in this previously mentioned thread at viewtopic.php?f=8&t=2768

Install one of the free products by Comodo for protection against all buffer overflow errors: Internet Security or Comodo Firewall, see http://www.comodo.com/home/free/free-protection.php
Go to the menu Defense+|Advanced|Image Execution Control Settings|Detect shellcode injections to confirm it is enabled.
Comodo used to offer this protection in a separate application. See http://forums.comodo.com/comodo_memory_ ... ion-b97.0/
Here is a free application to test if your PC is vulnerable: http://forums.comodo.com/comodo_memory_ ... 541.0.html


Here is an explanation of why Comodo's patented software buffer overflow protection is better than DEP: https://forums.comodo.com/frequently_as ... 237.0.html
BTW, I have no financial or other connection to Comodo -- I'm just a user.

Tom T. wrote:Enhancing user safety, to me, includes encouraging full use of NS capability, but not to continue after understanding the other party does not care to do so.


I am willing to use default-deny with JavaScript when someone shows me a vulnerability that I can't counter-measure in a more user-friendly way. I am not concerned about being wrong -- I look forward to someone sharing the insight that helps me improve my security. And I don't intend to attack anyone on the (all-volunteer) NoScript team. If someone offered a free and more user-friendly protection against JavaScript than default-deny, wouldn't the NoScript team embrace it in spite of years of hard work spent on default-deny?

Tom T. wrote:P. S. Just out of curiosity, may I ask to what it is you aspire? :)

I aspire in a spiritual sense: truth, knowledge, compassion, love, etc.

Take care
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA


Post by Alan Baxter » Sun Oct 04, 2009 5:13 am

Aspirant wrote:As my opening post mentions, NoScript fails to display a placeholder for Silverlight on the Netflix site, so my only option today is to toggle NoScript's forbid option on the Silverlight plug-in.

That may be a bug, but I'm unable to find a place on the netflix site that uses silverlight. Do I have to be a member or something to test it out? I do see the silverlight placeholders on the ms silverlight site, http://silverlight.net/. Could you give us a more detailed test case so we can see whether it's a bug? That said, sometimes the lack of a placeholder isn't a bug. In that case the status bar icon will indicate that some content is being blocked, and the object can still be Temporarily allowed from the Blocked Objects submenu.

Aspirant wrote: Since you don't use Silverlight, please confirm my bug scenario with another plug-in. For example:
- allow JavaScript globally
- remove YouTube from your whitelist
- forbid flash plug-ins
- uncheck the option "Apply these restrictions to trusted sites too"
- play a video on YouTube and notice that there is no placeholder for the Flash plug-in (but I expect a placeholder)
- check the option "Apply these restrictions to trusted sites too"
- play a video on YouTube and notice that there is now a placeholder for the Flash plug-in

This is expected behavior because Globally Allow effectively whitelists everything (that hasn't been marked as untrusted).

Edit: Just to clarify,
- play a video on YouTube and notice that there is no placeholder for the Flash plug-in (but I expect a placeholder)

There wasn't a placeholder for me because the Flash clip was playing, as expected. Did you mean something different, i.e. no placeholder and the clip was not present or playing?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3


Post by Aspirant » Sun Oct 04, 2009 4:14 pm

Alan Baxter wrote: That may be a bug, but I'm unable to find a place on the netflix site that uses silverlight. Do I have to be a member or something to test it out? I do see the silverlight placeholders on the ms silverlight site, http://silverlight.net/. Could you give us a more detailed test case so we can see whether it's a bug?

I experience the Silverlight problem with NoScript on the Netflix.com site when playing a streaming video from the Instant Queue. I believe you do have to be a member to try this, but you could sign up for the 30-day free trial and then cancel. I save about USD 70 per month by canceling all but the broadcast channels from my cable operator. I pay now USD 11 per month for cable television service and USD 17 per month for Netflix to have 3 DVDs at a time. You could reduce the Netflix fee to USD 9 per month for 1 DVD at a time and still have unlimited access to streaming movies. Please note that Netflix streaming videos only work on an administrator account on a PC.

Alan Baxter wrote: sometimes the lack of a placeholder isn't a bug. In that case the status bar icon will indicate that some content is being blocked, and the object can still be Temporarily allowed from the Blocked Objects submenu.

Because globally allowing JavaScript effectively whitelists/allows all sites, temporarily allowing the Netflix site doesn't help. And I can't temporarily allow the blocked Silverlight object because Netflix jumps immediately to an error page when I click on Play with Silverlight forbidden. Please try this to see what I mean.

Alan Baxter wrote: Edit: Just to clarify,
- play a video on YouTube and notice that there is no placeholder for the Flash plug-in (but I expect a placeholder)

There wasn't a placeholder for me because the Flash clip was playing, as expected. Did you mean something different, i.e. no placeholder and the clip was not present or playing?

I also experienced the Flash clip playing when there was no placeholder. The reason this is unexpected by the user is because the user checked the option to forbid the Flash plug-in. While Giorgio implemented globally-allowed JavaScript by effectively whitelisting all sites, I (as a fellow programmer) believe that it can be done without changing the whitelist. This is why I requested that JavaScript is given a separate forbid option in the Plugins menu. It allows the user the option of globally allowing JavaScript without globally allowing all scripts/plugins. More flexibility!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Feature Request: treat JavaScript like other plugins

Post by Alan Baxter » Sun Oct 04, 2009 4:59 pm

Aspirant wrote: I experience the Silverlight problem with NoScript on the Netflix.com site when playing a streaming video from the Instant Queue. I believe you do have to be a member to try this, but you could sign up for the 30-day free trial and then cancel.

I'll leave it up to Giorgio to investigate the Netflix issue further.

I can't temporarily allow the blocked Silverlight object because Netflix jumps immediately to an error page when I click on Play with Silverlight forbidden. Please try this to see what I mean.

Perhaps Giorgio can work around that. In the meantime you'll have to continue to uncheck Forbid Silverlight while watching the Netflix streaming videos.

I also experienced the Flash clip playing when there was no placeholder. The reason this is unexpected by the user is because the user checked the option to forbid the Flash plug-in.

As it says at the top of the Plugins tab, the "Forbid" options apply only to untrusted sites. All sites are "trusted" in Globally Allow mode. This is the behavior I expect and desire. If you want a Forbid option to apply to trusted sites too, you must check Apply these restrictions to trusted sites too so that the checked object types will be blocked on all sites.

While Giorgio implemented globally-allowed JavaScript by effectively whitelisting all sites, I (as a fellow programmer) believe that it can be done without changing the whitelist. This is why I requested that JavaScript is given a separate forbid option in the Plugins menu. It allows the user the option of globally allowing JavaScript without globally allowing all scripts/plugins. More flexibility!

I agree, it can be done. Something like that may be on Giorgio's "NoScript Future Enhancements" list, possibly due to your request here. I appreciate your suggestions.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
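
The rule Alan Baxter describes above and the change Aspirant requests, written out as a simplified model. This is an added example, not part of the thread and not NoScript's code; the setting names, the two policy functions and other.example are hypothetical. It enumerates every checkbox and whitelist combination to find the ones that give JavaScript on every site with Silverlight on Netflix only.

```javascript
// Simplified model of the behaviour described in this thread. All names are
// hypothetical; "untrusted" marking and temporary allow are left out.
const SITES = ["netflix.com", "other.example"]; // constructed sample sites

// Current behaviour: "Scripts globally allowed" makes every site trusted, and
// a Forbid option reaches trusted sites only when applyToTrusted is checked.
function currentPolicy(cfg, site) {
  const trusted = cfg.globalAllow || cfg.whitelist.includes(site);
  return {
    js: trusted,
    silverlight: !cfg.forbidSilverlight || (trusted && !cfg.applyToTrusted),
  };
}

// Requested behaviour: JavaScript gets its own Forbid checkbox, so trust
// comes from the whitelist alone.
function proposedPolicy(cfg, site) {
  const trusted = cfg.whitelist.includes(site);
  return {
    js: !cfg.forbidJavaScript || trusted,
    silverlight: !cfg.forbidSilverlight || (trusted && !cfg.applyToTrusted),
  };
}

// Aspirant's goal: JavaScript everywhere, Silverlight on Netflix only.
function meetsGoal(policy, cfg) {
  return SITES.every((s) => policy(cfg, s).js) &&
    policy(cfg, "netflix.com").silverlight &&
    !policy(cfg, "other.example").silverlight;
}

// Enumerate every combination of the checkboxes and whitelist contents.
function search(policy, flagNames) {
  const hits = [];
  const whitelists = [[], ["netflix.com"], ["other.example"], SITES];
  for (const whitelist of whitelists) {
    for (let bits = 0; bits < 1 << flagNames.length; bits++) {
      const cfg = { whitelist };
      flagNames.forEach((name, i) => { cfg[name] = Boolean(bits & (1 << i)); });
      if (meetsGoal(policy, cfg)) hits.push(cfg);
    }
  }
  return hits;
}

const CURRENT_FLAGS = ["globalAllow", "forbidSilverlight", "applyToTrusted"];
const PROPOSED_FLAGS = ["forbidJavaScript", "forbidSilverlight", "applyToTrusted"];
console.log("current:", search(currentPolicy, CURRENT_FLAGS));
console.log("proposed:", search(proposedPolicy, PROPOSED_FLAGS));
```

Under the current rule the search comes back empty, because once every site is trusted the Silverlight decision is the same for all of them.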

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Feature Request: treat JavaScript like other plugins

Post by Grumpy Old Lady » Sun Oct 04, 2009 5:29 pm

Hi Alan - just popping in on a borrowed portable, and I couldn't go away without putting my 2 cents in here.
It's so sad when a NS novice is getting themselves tied in knots and it seems like you've tried every angle to help.

quoth aspirant - and I've highlighted what appears to be the central problem that aspirant is facing when using the blocked objects on a particular site -
Because globally allowing JavaScript effectively whitelists/allows all sites, temporarily allowing the Netflix site doesn't help. And I can't temporarily allow the blocked Silverlight object because Netflix jumps immediately to an error page when I click on Play with Silverlight forbidden. Please try this to see what I mean.


That reads as though in this particular case aspirant believes that JS needs to be blocked before navigating to the plugin, if the plugin is to possibly work to aspirant's satisfaction.
If this is the case, then it's a usability glitch for aspirant to get over per visit and not a reason for NS to change its central whitelisting design - ie forbid all, then allow selectively - to some weird kind of allow-all-then-blacklist-if-something-doesn't-work-for-a-novice.
quoth aspirant
It allows the user the option of globally allowing JavaScript without globally allowing all scripts/plugins. More flexibility!

I don't see how this isn't achieved by checking "apply these restrictions to trusted sites" in the plugins tab - I fancy that this is a usability problem with a particular site.

Hi aspirant,
I think that if you want your particular problem with a membership site that requires significant security relaxation to join (ie parting with real life identity and financial details) to be looked at by the team, then I think that you should rather take the risk yourself (ie pm your logon details to a moderator, or to Giorgio himself) for testing your problem, than suggest one of the team takes a risk themselves.
There is also the option of your providing screenshots of the difficult pages - together with your NS configuration - for the team to look at.

This thread belongs in support with a Netflix title - there may be other Netflix users with the same problem.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
