No script download permissions


Postby ltron » Sun Dec 10, 2017 2:22 pm

Add-ons manager updated NoScript today and is telling me I need to give permission to NoScript to be able to download files and read and modify the browser's download history if I want to update. Why does NoScript require these permissions and is this legitimate?
Mozilla/5.0 (Linux; Android 7.0; SHIELD Tablet Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Safari/537.36
ltron
 

Re: No script download permissions

Postby Guest » Sun Dec 10, 2017 2:47 pm

I wondered myself about this. But then I looked at the release notes and it all made sense. The download-related permissions are needed for the new settings import/export feature.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Guest
 

Re: No script download permissions

Postby Giorgio Maone » Sun Dec 10, 2017 3:09 pm

Guest wrote: The download-related permissions are needed for the new settings import/export feature.

This :) WebExtensions cannot interact with the local filesystem, except for user driven uploads and downloads, and for the latter this permission is required.
Mozilla/5.0 (Android 7.1.1; Mobile; rv:58.0) Gecko/58.0 Firefox/58.0
Giorgio Maone
Site Admin
 
Posts: 8252
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: No script download permissions

Postby tomsch » Sun Dec 10, 2017 6:32 pm

As far as I understand, WebExtensions now(?) use HTML to make their config pages. Wouldn't it be sufficient to include an "input type=file" for the import and a data-url for the export in the NoScript page?

The thing is, I am a bit unsure whether I want to grant the new rights to any webextension.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
tomsch
 
Posts: 6
Joined: Wed Nov 22, 2017 9:03 pm

Re: No script download permissions

Postby Myriadorn » Sun Dec 10, 2017 8:11 pm

tomsch wrote: As far as I understand, WebExtensions now(?) use HTML to make their config pages. Wouldn't it be sufficient to include an "input type=file" for the import and a data-url for the export in the NoScript page?

The thing is, I am a bit unsure whether I want to grant the new rights to any webextension.


I have to agree with you on this. Giving this permission to any web-extension is something I will not do. Guess I'll be staying at v10.1.5.6 for a while.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Myriadorn
 
Posts: 5
Joined: Sun Dec 10, 2017 8:07 pm

Re: No script download permissions

Postby Guest » Sun Dec 10, 2017 8:59 pm

Can't trust NoScript with downloading files and erasing download history. Sorry.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Guest
 

Re: No script download permissions

Postby Nielsen » Sun Dec 10, 2017 9:07 pm

It's generally security-minded people who use NoScript, so what everybody will read from the Firefox permissions screen is "this addon will download stuff and hide it from you, yes/no?" So, yeah. Maybe find another way that doesn't require that permission?
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Nielsen
 
Posts: 1
Joined: Sun Dec 10, 2017 8:57 pm

Re: No script download permissions

Postby Giorgio Maone » Sun Dec 10, 2017 9:39 pm

You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Giorgio Maone
Site Admin
 
Posts: 8252
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
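
An added example, not part of the thread and not NoScript's code: one way a WebExtension background page can hand a settings export to the user through the browser.downloads API described in the post above. The function names, the file name and the use of a Blob object URL are assumptions; the extension's manifest.json must list "downloads" under "permissions", which is what triggers the prompt discussed here.

```javascript
// Added example; function names and file name are hypothetical.

// Serialize the settings and describe the download request.
function buildExportRequest(settings, filename = "settings-export.json") {
  const json = JSON.stringify(settings, null, 2);
  const blob = new Blob([json], { type: "application/json" });
  return {
    blob,
    options: {
      url: URL.createObjectURL(blob), // blob: URL owned by this page
      filename,                       // suggested name only
      saveAs: true,                   // ask the user where to save
    },
  };
}

// Start the download and release the object URL once it has finished.
// `api` defaults to the WebExtension `browser` global; it is a parameter
// so the function can be exercised outside a browser.
async function exportSettings(settings, api = globalThis.browser) {
  const { options } = buildExportRequest(settings);
  const release = () => URL.revokeObjectURL(options.url);
  let id;
  try {
    id = await api.downloads.download(options);
  } catch (e) {
    release(); // dialog cancelled or download refused
    throw e;
  }
  const onChanged = (delta) => {
    if (delta.id !== id || !delta.state) return;
    const state = delta.state.current;
    if (state === "complete" || state === "interrupted") {
      api.downloads.onChanged.removeListener(onChanged);
      release();
    }
  };
  api.downloads.onChanged.addListener(onChanged);
  return id;
}
```
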

Re: No script download permissions

Postby Myriadorn » Sun Dec 10, 2017 10:06 pm

Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.


Actually no. And had I known I'd not have used it back then.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Myriadorn
 
Posts: 5
Joined: Sun Dec 10, 2017 8:07 pm

Re: No script download permissions

Postby Giorgio Maone » Sun Dec 10, 2017 10:11 pm

Myriadorn wrote:
Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.


Actually no. And had I known I'd not have used it back then.

Any "legacy" add-on (not just NoScript, even the most stupid glorified bookmarklet) has the same powers as your browser.
It's just like installing another application.
Of course, it's up to you to judge what applications you trust and what you don't (consider NoScript 5 is built into the Tor Browser, though).
And the ability to monitor and filter all your network traffic (which is required by any content-blocking WebExtension) is already pretty scary (much scarier than the ability to download files, IMHO).
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Giorgio Maone
Site Admin
 
Posts: 8252
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: No script download permissions

Postby Myriadorn » Sun Dec 10, 2017 10:13 pm

Giorgio Maone wrote:
Myriadorn wrote:
Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.


Actually no. And had I known I'd not have used it back then.

Any "legacy" add-on has the same powers as your browser. It's just like installing another application. Of course, it's up to you to judge what applications you trust and what you don't (consider NoScript 5 is built-in into the Tor Browser, though).


Well, good thing FF 57 came along then so we can make sure we don't install web extensions that do this.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Myriadorn
 
Posts: 5
Joined: Sun Dec 10, 2017 8:07 pm

Re: No script download permissions

Postby barbaz » Sun Dec 10, 2017 10:15 pm

Myriadorn wrote: Well, good thing FF 57 came along then so we can make sure we don't install web extensions that do this.

Says the person using Firefox 52 ESR.
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7989
Joined: Sat Aug 03, 2013 5:45 pm

Re: No script download permissions

Postby Myriadorn » Sun Dec 10, 2017 10:16 pm

barbaz wrote:
Myriadorn wrote: Well, good thing FF 57 came along then so we can make sure we don't install web extensions that do this.

Says the person using Firefox 52 ESR.


Yes, that's the only browser available on this current computer.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Myriadorn
 
Posts: 5
Joined: Sun Dec 10, 2017 8:07 pm

Re: No script download permissions

Postby Giorgio Maone » Sun Dec 10, 2017 10:24 pm

Myriadorn wrote: Well, good thing FF 57 came along then so we can make sure we don't install web extensions that do this.

So, let me check if I got this right: you find scarier the ability to download a file, after a mandatory prompt and in a location of your choice (or in the Downloads directory) than the ability of monitoring and filtering all your network traffic, which is required by any content-blocking WebExtension (including adblockers and, of course, NoScript)?
And you install only software more scrutinized than the Tor Browser (whose code is under the lens of practically all the security experts of all stripes all the time, including of course NoScript)?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Giorgio Maone
Site Admin
 
Posts: 8252
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: No script download permissions

Postby barbaz » Sun Dec 10, 2017 10:25 pm

Myriadorn wrote: Yes, that's the only browser available on this current computer.

Perhaps you should be spending your time asking the admin of your current computer to change that, if this is such a big deal to you?
barbaz
Senior Member
 
Posts: 7989
Joined: Sat Aug 03, 2013 5:45 pm
