No script download permissions

Ask for help about NoScript, no registration needed to post
Myriadorn
Posts: 5
Joined: Sun Dec 10, 2017 8:07 pm

Re: No script download permissions

Post by Myriadorn »

Giorgio Maone wrote:
Myriadorn wrote: Well, good thing FF 57 came along then some we can make sure we don't install web extensions that does this.
So, let me check if I got this right: you find scarier the ability to download a file, after a mandatory prompt and in a location of your choice (or in the Downloads directory) than the ability of monitoring and filtering all your network traffic, which is required by any content-blocking WebExtension (including adblockers and, of course, NoScript)?
And you install only software more scrutinized than the Tor Browser (whose code is under the lens of practically all the security experts of all stripes all the time, including of course NoScript)?
,
Now that you've educated me on the dangers of 5x and the timely arrival of FF57 and the ability to actually make sure no extension can, I want both. I will of course wait and see if there's a way for NS to be updated to allow this, if not I'll just look elsewhere. Nothing more dramatic than that. But thank you for your reply, it was very informative in several ways.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: No script download permissions

Post by Giorgio Maone »

Myriadorn wrote:a way for NS to be updated to allow this
"allow this" what?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Malorn

Re: No script download permissions

Post by Malorn »

The extent to which programs could modify things is certainly frightening to realize. May I inquire why 'modify download history' is also something that is required to function?

It was also mentioned that:
Giorgio Maone wrote:download a file, after a mandatory prompt and in a location of your choice
Reading the permission being granted and what firefox says about it, is this actually the case? It would seem to say that we are granting the extension the ability to download things without consulting the user. I mean, just about anything can download something with our permission, including just about any random website, it would seem strange to have to grant an extension the ability to ask us something.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Ryan1729
Posts: 1
Joined: Sun Dec 10, 2017 11:57 pm

Why does NoScript need to control my download history?

Post by Ryan1729 »

Firefox says that the newest version of NoScript requires a new permission, specifically the ability to: "Download files and read and modify the browser's download history". Why does NoScript need to do this?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: No script download permissions

Post by barbaz »

Threads merged. Please see Giorgio's post on the first page of this thread.
*Always* check the changelogs BEFORE updating that important software!
-
tomsch
Posts: 6
Joined: Wed Nov 22, 2017 9:03 pm

Re: No script download permissions

Post by tomsch »

Giorgio Maone wrote:And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API
Ah okay, thank you for your reply.

As i am used to NoScript for a long time - not knowing Giorgio can look over my shoulder while i'm downloading kawaii-cat-girls-eating-poo.jpeg :D - but enjoing the option to allow some features of a webpage and dening the others it's too bad i can't use NoScript without giving it (for me and my workflow unnecessary) permissions. Also while NoScript is all about using the web without giving unnecessary permissions.
But since there is no other way i think i will eventually update. :/

But yeah - to allow NS to read and modify my whole download history in exchange just for the convenience not to have to select all content in a textarea, copying this into my favourite editor and saving it as "my-settings.json" (if i want that someday at all) but to have a button which opens a SaveAs-Dialog is... meh not the way i like to go.

Maybe someday Mozilla add "optional features" to WebExtensions that users can choose which privileges to give and the extension works in a custom mode then.
Malorn wrote:May I inquire why 'modify download history' is also something that is required to function?
As far as i understand MDN there is just a "one-size permission to fit them all" which enables the whoole donwload api for the extension. Even if NoScript just need a single function of this api (open save-as prompt) you have to give it full access to the api.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: No script download permissions

Post by barbaz »

*Always* check the changelogs BEFORE updating that important software!
-
TheSuperSquirrel
Posts: 3
Joined: Sun Nov 26, 2017 4:55 am

Re: No script download permissions

Post by TheSuperSquirrel »

Well I, for one, appreciate the update! I greatly missed the ability to export and import when I had to refresh Firefox!
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
dranved
Posts: 5
Joined: Wed Nov 22, 2017 11:23 pm

NoScript Update Needs Download Permissions?

Post by dranved »

With the new NoScript update, it states that it now has to have permissions to download files and read your download history. What is the explanation on why the script would need to download files or view your history? Seems like a security risk on the surface.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: No script download permissions

Post by barbaz »

Threads merged.
*Always* check the changelogs BEFORE updating that important software!
-
peetaur
Posts: 3
Joined: Tue Nov 28, 2017 9:36 pm

Re: No script download permissions

Post by peetaur »

I like the way Nielsen puts it... that is just what it sounds like, and the opposite of what you'd like to see in a security product: "this addon will download stuff and hide it from you, yes/no?"

I have no desire to export anything... I'd rather just wipe it blank (also removing the default whitelist). You should make it optional. You should stick to the principle of least privilege. An acceptable compromise that respects the principles would be for it to only allow downloads from specific domains, modify history only for those downloads, and save files only to specific places ... but I have no idea if firefox supports that.

Thanks for this very useful product, and I understand why it is like that, and that it was way worse before Firefox 57, but it could be much better...please don't ignore this problem.
Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: No script download permissions

Post by Giorgio Maone »

peetaur wrote:You should make it optional. You should stick to the principle of least privilege. An acceptable compromise that respects the principles would be for it to only allow downloads from specific domains, modify history only for those downloads, and save files only to specific places ... but I have no idea if firefox supports that.
I agree it would be nice, but Firefox doesn't support that (nor Chrome). "downloads" is not among the permissions which can be given on demand.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: No script download permissions

Post by barbaz »

@Alexander, your post is not related to NoScript's use of the "downloads" permission, so it was split to https://forums.informaction.com/viewtop ... =7&t=25202

Locking thread since NoScript no longer uses the "downloads" permission for a long time now.
https://hackademix.net/2017/12/11/noscript-and-the-downloads-permission/ wrote:Dec 18th 2017 Update

NoScript 10.1.6 reimplements the "Export" button functionality in a more convoluted way, which doesn't require the "downloads" permissions anymore though :) Enjoy!
*Always* check the changelogs BEFORE updating that important software!
-
Locked