No script download permissions

Posted: Sun Dec 10, 2017 2:22 pm
by ltron
Addons manager updated no script today and is telling me I need to give permission to no script to be able to download files and read and modify the browser's download history if I want to update. Why does no script require these permissions and is this legitimate?

Re: No script download permissions

Posted: Sun Dec 10, 2017 2:47 pm
by Guest
I wondered myself about this. But then I looked at release notes and all made sense. The download related permissions are needed for the new settings import/export feature.

Re: No script download permissions

Posted: Sun Dec 10, 2017 3:09 pm
by Giorgio Maone
Guest wrote:The download related permissions are needed for the new settings import/export feature.
This :) WebExtensions cannot interact with the local filesystem, except for user driven uploads and downloads, and for the latter this permission is required.

Re: No script download permissions

Posted: Sun Dec 10, 2017 6:32 pm
by tomsch
As far as I understand, WebExtensions now(?) use HTML to make their config pages. Wouldn't it be sufficient to include an "input type=file" for the import and a data-url for the export in the NoScript page?

The thing is, I am a bit unsure whether I want to grant the new rights to any webextension.

Re: No script download permissions

Posted: Sun Dec 10, 2017 8:11 pm
by Myriadorn
tomsch wrote:As far as I understand, WebExtensions now(?) use HTML to make their config pages. Wouldn't it be sufficient to include an "input type=file" for the import and a data-url for the export in the NoScript page?

The thing is, I am a bit unsure whether I want to grant the new rights to any webextension.
I have to agree with you on this. Giving this permission to any web-extension is something I will not do. Guess I'll be staying at v10.1.5.6 for a while.

Re: No script download permissions

Posted: Sun Dec 10, 2017 8:59 pm
by Guest
Can't trust NoScript with downloading files and erasing download history. Sorry.

Re: No script download permissions

Posted: Sun Dec 10, 2017 9:07 pm
by Nielsen
It's generally security-minded people who use noscript, so what everybody will read from the firefox permissions screen is "this addon will download stuff and hide it from you, yes/no?" So, yeah. Maybe find another way that doesn't require that permission?

Re: No script download permissions

Posted: Sun Dec 10, 2017 9:39 pm
by Giorgio Maone
You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
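
The export and import paths described in the post above, as an added example that is not part of the thread and is not NoScript's code. Function names, the file name and the sample settings are hypothetical, and a blob: URL is used here as one way to hand generated content to browser.downloads; the manifest must list "downloads" under "permissions" for the export half to work.

```javascript
// Added example, not NoScript's code. All names here are hypothetical.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Turn settings held by the background page into a downloads.download() request.
function buildExportRequest(settings, filename = "settings-export.json") {
  if (!isPlainObject(settings)) throw new TypeError("settings must be an object");
  const blob = new Blob([JSON.stringify(settings, null, 2)],
                        { type: "application/json" });
  return {
    url: URL.createObjectURL(blob), // blob: URL created by this page
    filename,                       // relative to the Downloads directory
    saveAs: true,                   // the user picks the final location
  };
}

// Export: the only step that needs the "downloads" permission. Without it
// the browser does not expose api.downloads to the extension at all.
async function exportSettings(settings, api = globalThis.browser) {
  if (!api || !api.downloads) {
    throw new Error('"downloads" permission not granted');
  }
  const request = buildExportRequest(settings);
  try {
    // Resolves to the download id; revoke the blob: URL once it completes.
    return await api.downloads.download(request);
  } catch (err) {
    URL.revokeObjectURL(request.url);
    throw err;
  }
}

// Import: text read from a file the user chose via <input type="file">.
// This is a user-driven upload and needs no extra permission.
function parseImportedSettings(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (err) {
    throw new Error("import is not valid JSON");
  }
  if (!isPlainObject(data)) throw new Error("import must be a JSON object");
  return data;
}
```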

Re: No script download permissions

Posted: Sun Dec 10, 2017 10:06 pm
by Myriadorn
Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
Actually no. And had I known I'd not have used it back then.

Re: No script download permissions

Posted: Sun Dec 10, 2017 10:11 pm
by Giorgio Maone
Myriadorn wrote:
Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
Actually no. And had I known I'd not have used it back then.
Any "legacy" add-on (not just NoScript, even the most stupid glorified bookmarklet) has the same powers as your browser.
It's just like installing another application.
Of course, it's up to you to judge what applications you trust and what you don't (consider NoScript 5 is built-in into the Tor Browser, though).
And the ability to monitor and filter all your network traffic (which is required by any content-blocking WebExtension) is already pretty scary (much scarier than the ability to download files, IMHO).

Re: No script download permissions

Posted: Sun Dec 10, 2017 10:13 pm
by Myriadorn
Giorgio Maone wrote:
Myriadorn wrote:
Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
Actually no. And had I known I'd not have used it back then.
Any "legacy" add-on has the same powers as your browser. It's just like installing another application. Of course, it's up to you to judge what applications you trust and what you don't (consider NoScript 5 is built-in into the Tor Browser, though).
Well, good thing FF 57 came along then, so we can make sure we don't install web extensions that do this.

Re: No script download permissions

Posted: Sun Dec 10, 2017 10:15 pm
by barbaz
Myriadorn wrote:Well, good thing FF 57 came along then, so we can make sure we don't install web extensions that do this.
Says the person using Firefox 52 ESR.

Re: No script download permissions

Posted: Sun Dec 10, 2017 10:16 pm
by Myriadorn
barbaz wrote:
Myriadorn wrote:Well, good thing FF 57 came along then, so we can make sure we don't install web extensions that do this.
Says the person using Firefox 52 ESR.
Yes, that's the only browser available on this current computer.

Re: No script download permissions

Posted: Sun Dec 10, 2017 10:24 pm
by Giorgio Maone
Myriadorn wrote: Well, good thing FF 57 came along then, so we can make sure we don't install web extensions that do this.
So, let me check if I got this right: you find scarier the ability to download a file, after a mandatory prompt and in a location of your choice (or in the Downloads directory) than the ability of monitoring and filtering all your network traffic, which is required by any content-blocking WebExtension (including adblockers and, of course, NoScript)?
And you install only software more scrutinized than the Tor Browser (whose code is under the lens of practically all the security experts of all stripes all the time, including of course NoScript)?

Re: No script download permissions

Posted: Sun Dec 10, 2017 10:25 pm
by barbaz
Myriadorn wrote:Yes, that's the only browser available on this current computer.
Perhaps you should be spending your time asking the admin of your current computer to change that, if this is such a big deal to you?