Difficult to maintain the whitelist

[ReporterX]

I can export the whitelist, mass edit the list and import it.
I tried to put # in front of the line as a comment, but then I realize I couldn't. Noscript does not recognize it (unlike what it can in the ABE).

I prefer an interface like ABE where I can mass-edit the list with the ability to put comments.
But even if it is not likely to happen, I hope it could support "comments" in a text file.
So I can put comments in the text file and maintain the whilelist there.
When I import the file, Noscript knows to ignore any line starting with "#".

P.S. In the whitelist options, there is a feature to import/export the list.
I thought it was to import/export whitelist only, but I found out it exports the untrusted list too which is great.
But it is unclear because it does not mention in the interface at all.
I think it would be better if a small line of text (or a tooltip) indicates that.

[Thrawn]

Actually the ability to export and edit the blacklist (and lack of a GUI) is documented at http://noscript.net/features#blacklist

My concern about comments in the whitelist file would be that if you imported it and then exported, the result would not be the same (since it would lack comments).

Why do you need/want to maintain a separate whitelist file? What is your use case?

[ReporterX]

Actually the ability to export and edit the blacklist (and lack of a GUI) is documented at http://noscript.net/features#blacklist

My concern about comments in the whitelist file would be that if you imported it and then exported, the result would not be the same (since it would lack comments).

Why do you need/want to maintain a separate whitelist file? What is your use case?

Yes it is mentioned there, but the issue hasn't been solved.
A good interface should be as self-evident as possible.
Since the "export" is put under the whitelist, it is hard for users to notice it will export both whitelist and untrusted blacklist too.
And we can't rely on users to read through the whole page to find that out.
A line of text or tooltip can be a proper fix for the time being.
In the long run, that part of UI interface should be re-designed, but it will be more work.

I want to maintain the list in a file because I can add comments there.
I have several hundreds in the list already.
Without comments, I will lose track pretty fast.

Of course, if the interface supports adding comments, I would be more than happy to use it instead.
Or an interface which is similar to ABE where you can edit the whitelist (and hopefully blacklist too) in a large textarea, and you can put comments freely.
But both take time.
My suggestion should be much simpler to implement, but it is imperfect.

[Thrawn]

My concern about comments in the whitelist file would be that if you imported it and then exported, the result would not be the same (since it would lack comments).

Why do you need/want to maintain a separate whitelist file? What is your use case?

Since the "export" is put under the whitelist, it is hard for users to notice it will export both whitelist and untrusted blacklist too.

If someone is just exporting the file as a backup, and then importing it afterward, then they won't care what is in it, and the fact that it will restore their blacklist too is a good thing IMHO.

If someone is interested in editing it manually, then they will quickly discover - as you did - that the blacklist is included in the file.

I don't think this is a real problem.

In the long run, that part of UI interface should be re-designed, but it will be more work.

Giorgio has a big job ahead with E10s, but if you're volunteering to do some research and help out, feel free . NoScript is a one-man project, but it is also GPL.

I want to maintain the list in a file because I can add comments there.
I have several hundreds in the list already.
Without comments, I will lose track pretty fast.

Not to put too fine a point on it, but the general consensus is that a NoScript whitelist/blacklist should not be this big.

Use a blocking HOSTS file instead, or Adblock Plus, etc.

Or an interface which is similar to ABE where you can edit the whitelist (and hopefully blacklist too) in a large textarea, and you can put comments freely.

You can implement a blacklist in ABE, if you want:

Code: Select all

Site .evil.com .advertiser.com .unwanted.net
Deny

[barbaz]

Not to put too fine a point on it, but the general consensus is that a NoScript whitelist/blacklist should not be this big.

Use a blocking HOSTS file instead, or Adblock Plus, etc.

Actually, it's not unreasonable for the blacklist aka Untrusted list to be that big. My Untrusted list is about 200 entries long (and it will only get longer)... and that's not counting the http and https prefixed duplicates.
And I already use ABP - that's part of how I decide what's Untrusted in the first place.

You can implement a blacklist in ABE, if you want:

Code: Select all

Site .evil.com .advertiser.com .unwanted.net
Deny

That approach has issues...

[ReporterX]

If someone is just exporting the file as a backup, and then importing it afterward, then they won't care what is in it, and the fact that it will restore their blacklist too is a good thing IMHO.

If someone is interested in editing it manually, then they will quickly discover - as you did - that the blacklist is included in the file.

I don't think this is a real problem.

One issue I could think of is new users coming to ask how to backup/edit the untrusted list too.

Giorgio has a big job ahead with E10s, but if you're volunteering to do some research and help out, feel free . NoScript is a one-man project, but it is also GPL.

Yes I could try if you think I could help, but how?
I know little about programming.

Not to put too fine a point on it, but the general consensus is that a NoScript whitelist/blacklist should not be this big.

Use a blocking HOSTS file instead, or Adblock Plus, etc.

Oh! Why? Performance or memory issues?
Are you trying to suggest we shouldn't add websites to either whitelist or blacklist if we don't visit them often?
I could see it is quite an annoyance if there is a practical limit on the numbers of sites we can add into the whitelist + untrusted blacklist.

I don't really count how many websites I will visit more than once, but it is going to be more than several hundreds, not to say the third-party websites you want to "untrust". More and more websites like to call other websites now when you visit it.
It is quite normal for users to browse more than several hundreds. Some users like to explore the Internet.
I need to go to different websites for research too.

Adblock Plus is used to block ad contents, although you can also use it to block scripts site-wide, but it is less convenient than NoScript.
It has a good commenting system.
But unless I dump Noscript all together, I still need to keep both lists.
For example if I block all scripts, plugins, embeddings etc. to run in www.greysite.com via Adblock Plus.
Noscript will still ask me every time I visit this site or any site which calls this site. I have to add it to untrusted if I don't want to get being bugged every time.
Adblock Plus cannot provide all features offered by Noscript, so I have to stick with noscript whitelist + untrusted blacklist.

You can implement a blacklist in ABE, if you want:

Code: Select all

Site .evil.com .advertiser.com .unwanted.net
Deny

As far as I know, untrusted list and the above code does not function the same.
For example, you can't access the site at all if you add the site to the above codes in ABE.
You can still access the site but the site is restricted if you add it to the untrusted list.

If you want to make the code work in ABE, you need to add them to the whitelist.
So this does not help to reduce the numbers of entries in whitelist + untrusted list either.

[ReporterX]

Not to put too fine a point on it, but the general consensus is that a NoScript whitelist/blacklist should not be this big.

Use a blocking HOSTS file instead, or Adblock Plus, etc.

Actually, it's not unreasonable for the blacklist aka Untrusted list to be that big. My Untrusted list is about 200 entries long (and it will only get longer)... and that's not counting the http and https prefixed duplicates.
And I already use ABP - that's part of how I decide what's Untrusted in the first place.

I'm actually using HOSTS, ABP and Noscript now.

I'm trying to help the average Joe to use Noscript, but they often find it annoying since Noscript keeps breaking sites.
I would like to keep a big list of sites (whitelist + untrusted) so Noscript can be much quieter.
The list is going to be really long.
But as long as there is noticeable performance hit or memory hogging issue, I don't care.
It is long for good reasons.

You can implement a blacklist in ABE, if you want:

Code: Select all

Site .evil.com .advertiser.com .unwanted.net
Deny

That approach has issues...

So it seems ABE is less effective than the normal whitelist + untrusted list, performance-wise.

[barbaz]

(Maybe also useful see viewtopic.php?f=10&t=18287 which asks for similar?)

One issue I could think of is new users coming to ask how to backup/edit the untrusted list too.

That's why it's documented on the features page

Yes I could try if you think I could help, but how?
I know little about programming.

I've read elsewhere that Giorgio is going to release NoScript 3, which is already e10s-aware, in order to deal with that.

Not to put too fine a point on it, but the general consensus is that a NoScript whitelist/blacklist should not be this big.

Use a blocking HOSTS file instead, or Adblock Plus, etc.

Oh! Why? Performance or memory issues?

The issue with long whitelists is that having too many entries can hang the GUI. There are a lot of forum topics about that.
I've yet to see an issue with long blacklist.

If you want to make the code work in ABE, you need to add them to the whitelist.
So this does not help to reduce the numbers of entries in whitelist + untrusted list either.

You're correct, that's not the same thing as Untrusted. I've suggested to you a rule that would be more like script-blocking a site.
And it's not needed to add it to the whitelist unless your use case for ABE is to manage JS permissions for that site.

I'm trying to help the average Joe to use Noscript, but they often find it annoying since Noscript keeps breaking sites.
I would like to keep a big list of sites (whitelist + untrusted) so Noscript can be much quieter.
The list is going to be really long.
But as long as there is noticeable performance hit or memory hogging issue, I don't care.
It is long for good reasons.

So you're going to make use of the whitelist/blacklist subscription feature? Cool.
But if the whitelist is too long, given the major performance issue, I'm not sure they wouldn't be better off with Scripts Globally Allowed and only your Untrusted subscription. It would be worth considering.

[ReporterX]

(Maybe also useful see viewtopic.php?f=10&t=18287 which asks for similar?)

One issue I could think of is new users coming to ask how to backup/edit the untrusted list too.

That's why it's documented on the features page

Yes you are right. I found that out by myself too.
Still it does not reduce the need to make a better interface design.
If the users need to read through the documentation to understand it, it is not a good design.

Great applications are those whose novice users rarely need to refer to the manuals or online help. The difference between good and great is often the degree to which the application and its interface are self-evident. From your choice of labels and widget captions to the arrangement of widgets on the screen, every interface design decision you make needs to be tested by users. Your goal is to create an interface that needs no explanation.

Here talks about the principles of designing a GUI in details. Read it if you are interested.

The issue with long whitelists is that having too many entries can hang the GUI. There are a lot of forum topics about that.
I've yet to see an issue with long blacklist.

How many (approximately) is many (to cause the hanging)?
The GUI is still loading fine..... so far. Hopefully I'm not going to hit the limit pretty much soon.
So is it only the GUI is affected? So if you don't access to the GUI, will it still run fine?
Since the untrusted list does not have a GUI, is that why there is no issue?

So you're going to make use of the whitelist/blacklist subscription feature? Cool.
But if the whitelist is too long, given the major performance issue, I'm not sure they wouldn't be better off with Scripts Globally Allowed and only your Untrusted subscription. It would be worth considering.

Sounds interesting, but I think it will defeat the purpose of security - which is a big reason why I wish the average Joe to install it.
The best thing Noscript brings to enhance the security of Firefox is not to run scripts by default.
btw untrusted blacklist is going to be noticeably longer than whitelist (well there are more bad guys than good guys on the Internet ).

[barbaz]

Yes you are right. I found that out by myself too.
Still it does not reduce the need to make a better interface design.
If the users need to read through the documentation to understand it, it is not a good design.

Great applications are those whose novice users rarely need to refer to the manuals or online help. The difference between good and great is often the degree to which the application and its interface are self-evident. From your choice of labels and widget captions to the arrangement of widgets on the screen, every interface design decision you make needs to be tested by users. Your goal is to create an interface that needs no explanation.

Well, if that's true, I've yet to find a single "great application"
Usually when I'm trying a new software it takes me only a few minutes before I'm stuck thinking "how do I do _____ ?" and off to the search engines (and seems that half the time I've found a software bug or known limitation ).

Interesting link, thanks.

Back on topic though, it's normally enough for average users to go to the Untrusted submenu and (Temp)Allow the site(s) they don't want to be Untrusted.
You are a power user, so it's not unreasonable you would need to look at the docs to find how to manually edit the Untrusted list.

How many (approximately) is many (to cause the hanging)?

One forum topic said there were "thousands".

So is it only the GUI is affected? So if you don't access to the GUI, will it still run fine?

The whitelist GUI hanging is the only problem I'm aware of. I haven't yet run into an issue with a long Untrusted list, but that doesn't mean there isn't one.

Sounds interesting, but I think it will defeat the purpose of security - which is a big reason why I wish the average Joe to install it.
The best thing Noscript brings to enhance the security of Firefox is not to run scripts by default.
btw untrusted blacklist is going to be noticeably longer than whitelist (well there are more bad guys than good guys on the Internet ).

As you know NoScript isn't *only* about blocking scripts and plugins...

[ReporterX]

Well, if that's true, I've yet to find a single "great application"
Usually when I'm trying a new software it takes me only a few minutes before I'm stuck thinking "how do I do _____ ?" and off to the search engines (and seems that half the time I've found a software bug or known limitation ).

Program design is a big topic.
How you group and arrange the options in the interface is important too.

Back on topic though, it's normally enough for average users to go to the Untrusted submenu and (Temp)Allow the site(s) they don't want to be Untrusted.
You are a power user, so it's not unreasonable you would need to look at the docs to find how to manually edit the Untrusted list.

The first thing I found was the pref string provided in NoScript, and I thought I had to edit the untrusted list there (a very long one line text which is very hard to scan and edit).
At that time I didn't realise I could export the untrusted list via the whitelist menu (how could you expect it was there?)
It is much easier to edit now. Silly me.

How many (approximately) is many (to cause the hanging)?

One forum topic said there were "thousands".

My list is still safe then.