FF 14, Click-to-Play and Noscript

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

FF 14, Click-to-Play and Noscript

Post by tlu »

Today I downloaded FF 14 (on Kubuntu 12.04) in order to test the new click-to-play functionality in combination with Noscript - and it looks really, really good! :D

You have to set "plugins.click_to_play" to "true" which means that any plugins are blocked by default. You'll see a placeholder which you have to click in order to execute the plugin. And there is a new button at the left corner of the address line which looks like this for Youtube:


If you click it, it asks you: "Would you like to activate the plugins on this page?", and you have the choice between:

"Always activate plugins for this site"
"Never activate plugins for this site"
"Not now"

as shown here.

The interesting point is that plugins are blocked even with the Noscript default settings, i.e. if "NoScript Options/Embeddings/Apply these restrictions to whitelisted sites too" is NOT toggled. In other words: CTP takes precedence over the Noscript settings. I believe that this has become possible with the CTP integration introduced in Noscript 2.3.8. Thanks a lot, Giorgio!

This is the best of two worlds, IMHO: Plugins are blocked by default even with Noscript default settings on all whitelisted sites (which reduces the attack surface considerably), but you can still instruct FF to remember the permission to execute plugins for specific sites. Note, however, that this feature is only site-specific but not yet plugin-specific - but this should come pretty soon (see the last paragraph here.)
Last edited by tlu on Mon May 07, 2012 10:38 am, edited 1 time in total.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20120506 Firefox/14.0a2
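The post above describes two pieces of state: the plugins.click_to_play preference that turns the feature on, and the per-site "Always/Never activate plugins for this site" decisions that Firefox remembers. The following is an added example, not code from the thread or from Mozilla or NoScript, showing where that second piece lives and how to audit or revoke it. Firefox stores site permissions in permissions.sqlite in the profile directory (table moz_hosts, columns host/type/permission); the permission values 1 and 2 are nsIPermissionManager's ALLOW_ACTION and DENY_ACTION. The permission type string "plugins" for the site-wide click-to-play decision of that era is an assumption here (later per-plugin permissions used other type names), and the rows are constructed sample data in an in-memory database rather than a real profile.

```python
import sqlite3

# Assumption: the site-wide click-to-play decision in FF14 is stored under this type.
PLUGIN_PERMISSION_TYPE = "plugins"
# nsIPermissionManager constants (these are real Firefox values).
ALLOW_ACTION = 1   # "Always activate plugins for this site"
DENY_ACTION = 2    # "Never activate plugins for this site"


def build_sample_permissions_db():
    """Construct an in-memory permissions.sqlite lookalike with sample rows.

    The schema mirrors the moz_hosts table of that Firefox generation; the
    rows are made up for this example and are not from any real profile.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_hosts ("
        "id INTEGER PRIMARY KEY, host TEXT, type TEXT, permission INTEGER, "
        "expireType INTEGER, expireTime INTEGER)"
    )
    rows = [
        ("youtube.com", PLUGIN_PERMISSION_TYPE, ALLOW_ACTION, 0, 0),  # user chose "Always"
        ("example.net", PLUGIN_PERMISSION_TYPE, DENY_ACTION, 0, 0),   # user chose "Never"
        ("example.org", "cookie", DENY_ACTION, 0, 0),                 # unrelated permission
    ]
    conn.executemany(
        "INSERT INTO moz_hosts (host, type, permission, expireType, expireTime) "
        "VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def audit_plugin_permissions(conn):
    """Return {host: decision} for every remembered click-to-play site decision."""
    labels = {ALLOW_ACTION: "always activate", DENY_ACTION: "never activate"}
    cur = conn.execute(
        "SELECT host, permission FROM moz_hosts WHERE type = ? ORDER BY host",
        (PLUGIN_PERMISSION_TYPE,),
    )
    return {host: labels.get(perm, "unknown(%d)" % perm) for host, perm in cur}


def revoke_plugin_allows(conn):
    """Drop every 'Always activate' decision so those sites fall back to the
    click-to-play placeholder. Returns the number of rows removed."""
    cur = conn.execute(
        "DELETE FROM moz_hosts WHERE type = ? AND permission = ?",
        (PLUGIN_PERMISSION_TYPE, ALLOW_ACTION),
    )
    conn.commit()
    return cur.rowcount


def ctp_user_js_line(enable=True):
    """The user.js line that turns click-to-play on (or off) for a profile."""
    return 'user_pref("plugins.click_to_play", %s);' % ("true" if enable else "false")


def run_demo():
    """Audit the sample database, revoke the allow rows, and audit again."""
    conn = build_sample_permissions_db()
    before = audit_plugin_permissions(conn)
    revoked = revoke_plugin_allows(conn)
    after = audit_plugin_permissions(conn)
    conn.close()
    return before, revoked, after


if __name__ == "__main__":
    print(ctp_user_js_line())
    before, revoked, after = run_demo()
    print("before:", before)
    print("revoked:", revoked)
    print("after:", after)
```

To run the audit against a real profile, close Firefox first (the file is locked while it is open) and pass `sqlite3.connect("/path/to/profile/permissions.sqlite")` to `audit_plugin_permissions` instead of the sample connection; check the type column of a profile that has at least one remembered decision before relying on the assumed type string.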
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: FF 14, Click-to-Play and Noscript

Post by Tom T. »

tlu wrote:If you click it, it asks you: "Would you like to activate the plugins on this page?", and you have the choice between:

"Always activate plugins for this site"
"Never activate plugins for this site"
"Not now"
So, there is no choice to activate, say, Flash for a *single* YouTube video, without allowing all YT videos forever? (in Firefox)
Disappointing. I was hoping for click-to-play individual objects.
The interesting point is that plugins are blocked even with the Noscript default settings, i.e. if "NoScript Options/Embeddings/Apply these restrictions to whitelisted sites too" is NOT toggled.
So, if Apply to whitelisted is *not* checked, you're saying that Fx will still block them? Cool.

But if Apply to whitelisted *is* checked, does the Fx permission override NS?
If so, then there's an impossible situation: You can't have selective allow *at all*. (again, using YT as an example).

I hope it doesn't. Then one could check to allow all Flash at YT in Fx, but place NS in default-deny Flash mode.
Which is already the case for this user, so the new feature is meaningless. But it does provide *something* for non-NS users.
But it's the same situation as IE's "all-or-nothing" script permissions on a given site. You allow everything on the page, or nothing at all.
(Which is one of many reasons why I switched from IE to Fx+NS, back in the day.)
In other words: CTP takes precedence over the Noscript settings.
Again, I hope only in deny, and not in allow. Could you please clarify?
This is the best of two worlds, IMHO: Plugins are blocked by default even with Noscript default settings on all whitelisted sites (which reduces the attack surface considerably), but you can still instruct FF to remember the permission to execute plugins for specific sites. Note, however, that this feature is only site-specific but not yet plugin-specific - but this is should come pretty soon (see the last paragraph here.)
Plugin-specific isn't much better. YouTube isn't trying to run Java on my machine. ;)
Per-object-specific is what's needed. IMHO. YMMV.
as shown on https://msujaws.wordpress.com/2012/04/2 ... n-plugins/
There is a known issue with long links being broken.
Workaround is to wrap in URL tags. Please re-post the URL?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: FF 14, Click-to-Play and Noscript

Post by tlu »

Tom T. wrote: So, if Apply to whitelisted is *not* checked, you're saying that Fx will still block them? Cool.
Yes, indeed.
But if Apply to whitelisted *is* checked, does the Fx permission override NS?
If so, then there's an impossible situation: You can't have selective allow *at all*. (again, using YT as an example).
If this option IS checked in Noscript then the "normal" Noscript placeholder is displayed, if it is NOT checked then the CTP placeholder is displayed.
tlu wrote: In other words: CTP takes precedence over the Noscript settings.
Again, I hope only in deny, and not in allow. Could you please clarify?
See my answer above. If you allow plugins on, say, YT permanently and the above NS option IS checked then the NS placeholder is shown so they wouldn't be executed automatically. To summarize: If you use CTP in FF14, checking that NS option is not recommended, IMHO, as CTP offers the same functionality (it's just another placeholder) while offering more flexibility at the same time (as you can define permanent permissions for specific sites). That's how I see it.
Plugin-specific isn't much better. YouTube isn't trying to run Java on my machine. ;)
I think it is much better. If I need Java only on one or two (trustworthy) sites but not on others (although it's embedded in them), it is definitely an improvement security-wise.
Per-object-specific is what's needed. IMHO. YMMV.
Perhaps that will come at a later stage. Although I'm not sure how this can be easily done for sites like YT. CTP is an important step towards more security but if Mozilla made it too complicated, most users would refuse to use it.
Workaround is to wrap in URL tags. Please re-post the URL?
Done ;)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20120507 Firefox/14.0a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: FF 14, Click-to-Play and Noscript

Post by Tom T. »

tlu wrote:
Tom T. wrote:But if Apply to whitelisted *is* checked, does the Fx permission override NS?
If so, then there's an impossible situation: You can't have selective allow *at all*. (again, using YT as an example).
If this option IS checked in Noscript then the "normal" Noscript placeholder is displayed, if it is NOT checked then the CTP placeholder is displayed.
So, you're saying that if you *do* enable CTP *and* lock down Embeddings (checking everything on the page), there is no redundant clicking: Clicking the NS placeholder at a YT video will let it play, and Fx will honor NS's choice -- meaning that NS overrides Fx here?

And the site (YT or whoever) is *not* thereby automatically whitelisted in Fx CTP? -- which would be the ideal situation IMHO.
tlu wrote:
Tom T. wrote:
tlu wrote: In other words: CTP takes precedence over the Noscript settings.
Again, I hope only in deny, and not in allow. Could you please clarify?
... If you use CTP in FF14, checking that NS option is not recommended, IMHO, as CTP offers the same functionality (it's just another placeholder) while offering more flexibility at the same time (as you can define permanent permissions for specific sites). That's how I see it.
I'm afraid I don't. NS gives me *video-specific* (single-ID-object-specific) control and permission. Which is much more finely-grained than site-specific.
I don't want to allow *all* YT vids. I wish to allow only the one I want to play at the moment. Reading your link, that is not possible, and apparently not coming soon, from Fx CTP.
tlu wrote:
Tom T. wrote:Plugin-specific isn't much better. YouTube isn't trying to run Java on my machine. ;)
I think it is much better. If I need Java only on one or two (trustworthy) sites but not on others (although it's embedded in them), it is definitely an improvement security-wise.
Well, yes, I agree, but I wasn't thinking at the time that the first generation CTP allowed "all" plugins at the w/l site, because that seemed almost useless, and kind of dumb. Imagine a site that tried to load both Flash and Silverlight -- and maybe Java.
So per-plugin should have been Step 1, IMHO. But yes, plugin-specific is a big improvement by comparison. ;)
Per-object-specific is what's needed. IMHO. YMMV.
Perhaps that will come at a later stage. Although I'm not sure how this can be easily done for sites like YT.
NoScript manages to do it... ;)

They could include NS as a default, with an opt-in first-run splash screen. Which is no different from making CTP opt-in for the new user.
(Is Fx reinventing the wheel here, little by little? :) )
tlu wrote:CTP is an important step towards more security but if Mozilla made it too complicated, most users would refuse to use it.
Understood, and for the non-tech user who won't even try NS, agree that it's a step in the right direction.
Perhaps if CTP gets users accustomed to the concept of specific permission, then the transition to full-on NoScript protection (add-on or default install with opt-in) would be much easier.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0