Option to supress XSS pop-up. And some UI tweaks.

Ask for help about NoScript, no registration needed to post

Option to supress XSS pop-up. And some UI tweaks.

Postby NoscriptUser1 » Mon Jul 09, 2018 10:55 am

Hi,

Can we get an option to not show the XSS pop-up notification? I don't want to be notified. Related to that, how about a button to evoke the XSS pop-up? For example, if you already closed the pop-up and want to view it again.

Unrelated to the above, how about reset buttons for the presets on the option page? I presume there is some thought on the defaults (script, object and fetch) being disabled on the default settings, and I would like an easy option to reset them.

Still on the presets options, a minor tweak is not having the trusted and untrusted presets on separate tabs that you have to click on, just have them all displayed at once, now that the options page are divided into sections this makes little sense.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
NoscriptUser1
 

Re: Option to supress XSS pop-up. And some UI tweaks.

Postby skriptimaahinen » Mon Jul 09, 2018 7:38 pm

If you mean you do not wan't XSS protection anymore, there is a option to disable it in the NS-Settings/Advanced.

If you wan't the XSS protection to work but wish you didn't need to allow/block the same popup every time, there is the "Always allow/Always block" option in the popup, which will allow/block the particular request automatically.

Next to the enable/disable XSS button is "Clear XSS Choices" that resets all the choices you have made.

There is a reset button for ALL options in the top-right corner of the Settings page, but I guess that's not exactly what you wished for.

By default the settings are:

DEFAULT: frame, fetch, other
TRUSTED: all
UNTRUSTED: none

NoscriptUser1 wrote:Still on the presets options, a minor tweak is not having the trusted and untrusted presets on separate tabs that you have to click on, just have them all displayed at once, now that the options page are divided into sections this makes little sense.

I Agree.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
skriptimaahinen
Senior Member
 
Posts: 117
Joined: Wed Jan 10, 2018 7:37 am

Re: Option to supress XSS pop-up. And some UI tweaks.

Postby NoscriptUser1 » Tue Jul 10, 2018 5:19 am

Maybe my post wasn't clear, I'm not looking for instructions on the options menu. I will clarify, I know I can disable XSS protection altogether, I know there are options in the XSS pop-up, and the "Clear XSS choices" in the settings, these are all clearly labelled.

What I want is to automatically always block XSS, and for the XSS pop-up to not show up, I clarify again, I do not want to disable XSS protection. My second suggestion is pretty clear, I want a button on the NS panel (the toolbar panel), to have an option to re-show that XSS pop-up, in the event there is an XSS attempt.

As you said, I'm not looking for a reset everything button, just an easy way to reset the presets, JUST the presets.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
NoscriptUser1
 

Re: Option to supress XSS pop-up. And some UI tweaks.

Postby skriptimaahinen » Tue Jul 10, 2018 6:43 am

Thanks for clarification.

The current design clearly expects that the XSS warnings are few and far between. I assume you encounter them slightly more often?

The visual popup does have the advantage that, since false positives are likely going to break something, you will at least instantly know what is the cause.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
skriptimaahinen
Senior Member
 
Posts: 117
Joined: Wed Jan 10, 2018 7:37 am

Re: Option to supress XSS pop-up. And some UI tweaks.

Postby NoscriptUser1 » Wed Jul 11, 2018 7:27 am

No, I in fact, like you said, encounter XSS attempts very rarely.

Yes, I agree that the pop-up does have its advantages like you said, I just want an option to not see it, that's why I suggested the XSS button.

I assume since Giorgio hasn't replied, he's not interested in implementing this, and I understand that. Hey, Giorgio said (in his blog) that if you have suggestions, make it known. Doesn't hurt to try.

There is something that I do want some explanation on, and that is how often and serious XSS attempts are, I did some reading on this, and saw a recent post by Giorgio himself here regarding this. Before I made this post, I even thought to disable XSS protection, but decided I'd rather put up with the inconvenience of the pop-ups. If XSS was that serious and common, surely there would be more browser addons or built-in browser options to deal with it.

My suggestions on the UI tweaks to the presets section should still be considered though, it'll make it just a bit better, IMO.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
NoscriptUser1
 

Re: Option to supress XSS pop-up. And some UI tweaks.

Postby barbaz » Wed Jul 11, 2018 12:40 pm

NoscriptUser1 wrote:I assume since Giorgio hasn't replied, he's not interested in implementing this,

Not a safe assumption. Giorgio is very busy, maybe he just hasn't had time to reply yet.

NoscriptUser1 wrote:how often and serious XSS attempts are,

Well it shouldn't happen much often. But it's very serious. For example, if a malicious site can run its scripts in the context of your bank site, your bank password and personal information could be stolen and your bank account drained.

skriptimaahinen wrote:
NoscriptUser1 wrote:Still on the presets options, a minor tweak is not having the trusted and untrusted presets on separate tabs that you have to click on, just have them all displayed at once, now that the options page are divided into sections this makes little sense.

I Agree.

+1
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 8621
Joined: Sat Aug 03, 2013 5:45 pm

Re: Option to supress XSS pop-up. And some UI tweaks.

Postby skriptimaahinen » Wed Jul 11, 2018 7:10 pm

NoscriptUser1 wrote:If XSS was that serious and common, surely there would be more browser addons or built-in browser options to deal with it.

The current chosen approach by most browsers is CSP (Content Security Policy), which lets web pages to define a set of rules for scripts and content that is supposed to be on the page. If for example someone managed to inject some extra javascript on the page, the browser would compare it to the rules, notice that it is not in compliance and block it. However, since setting up the rules is voluntary and even if set up, there could be holes, there is some room left for the XSS protection in NoSCript to be meaningful.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
skriptimaahinen
Senior Member
 
Posts: 117
Joined: Wed Jan 10, 2018 7:37 am

Re: Option to supress XSS pop-up. And some UI tweaks.

Postby Giorgio Maone » Wed Jul 11, 2018 11:56 pm

NoscriptUser1 wrote:I assume since Giorgio hasn't replied, he's not interested in implementing this, and I understand that. Hey, Giorgio said (in his blog) that if you have suggestions, make it known. Doesn't hurt to try.

Sorry for the late answer. I took note of all your RFEs, and they actually make sense.
Unfortunately I can't tell you if and when I can get at them, because there are many higher priority things to do yet for Classic-Quantum parity.

BTW, the tweak on the presets UI may appear to the be simplest, but it's actually quite hard because a lot of code is reused from the per-site premissions UI, which supports only one customization row to be shown at the same time.

NoscriptUser1 wrote: surely there would be more browser addons or built-in browser options to deal with it.

IE has been the first browser to "copy" NoScript's XSS filter, and then Chrome followed ("XSS auditor"), but both are deemed much less effective than NoScript's by the security researchers specializing in this field.
Firefox didn't ever get its own built-in XSS protection, even though there's been a bug about implementing it opened for almost a decade now: I guess that every time somebody starts to working at it, he/she soon realizes how difficult is to develop and maintain, and gives up on the premise that Firefox users can install NoScript if they want.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 8604
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Option to supress XSS pop-up. And some UI tweaks.

Postby NoscriptUser1 » Thu Jul 12, 2018 8:20 am

Okay, I understand, thank you for your time and keep up the good work.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
NoscriptUser1
 


Return to NoScript Support

Who is online

Users browsing this forum: Majestic-12 [Bot] and 13 guests