No script download permissions

Ask for help about NoScript, no registration needed to post

Re: No script download permissions

Postby Myriadorn » Sun Dec 10, 2017 10:28 pm

Giorgio Maone wrote:
Myriadorn wrote:Well, good thing FF 57 came along then so we can make sure we don't install web extensions that do this.

So, let me check if I got this right: you find scarier the ability to download a file, after a mandatory prompt and in a location of your choice (or in the Downloads directory) than the ability of monitoring and filtering all your network traffic, which is required by any content-blocking WebExtension (including adblockers and, of course, NoScript)?
And you install only software more scrutinized than the Tor Browser (whose code is under the lens of practically all the security experts of all stripes all the time, including of course NoScript)?

Now that you've educated me on the dangers of 5x and the timely arrival of FF57 and the ability to actually make sure no extension can, I want both. I will of course wait and see if there's a way for NS to be updated to allow this, if not I'll just look elsewhere. Nothing more dramatic than that. But thank you for your reply, it was very informative in several ways.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Myriadorn
 
Posts: 5
Joined: Sun Dec 10, 2017 8:07 pm

Re: No script download permissions

Postby Giorgio Maone » Sun Dec 10, 2017 10:41 pm

Myriadorn wrote:a way for NS to be updated to allow this

"allow this" what?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Giorgio Maone
Site Admin
 
Posts: 8640
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: No script download permissions

Postby Malorn » Mon Dec 11, 2017 12:01 am

The extent to which programs could modify things is certainly frightening to realize. May I inquire why 'modify download history' is also something that is required to function?

It was also mentioned that:
Giorgio Maone wrote:download a file, after a mandatory prompt and in a location of your choice


Reading the permission being granted and what Firefox says about it, is this actually the case? It would seem to say that we are granting the extension the ability to download things without consulting the user. I mean, just about anything can download something with our permission, including just about any random website; it would seem strange to have to grant an extension the ability to ask us something.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Malorn
 

Why does NoScript need to control my download history?

Postby Ryan1729 » Mon Dec 11, 2017 12:04 am

Firefox says that the newest version of NoScript requires a new permission, specifically the ability to: "Download files and read and modify the browser's download history". Why does NoScript need to do this?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Ryan1729
 
Posts: 1
Joined: Sun Dec 10, 2017 11:57 pm

Re: No script download permissions

Postby barbaz » Mon Dec 11, 2017 12:16 am

Threads merged. Please see Giorgio's post on the first page of this thread.
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 8724
Joined: Sat Aug 03, 2013 5:45 pm

Re: No script download permissions

Postby tomsch » Mon Dec 11, 2017 12:40 am

Giorgio Maone wrote:And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API

Ah okay, thank you for your reply.

As I am used to NoScript for a long time - not knowing Giorgio can look over my shoulder while I'm downloading kawaii-cat-girls-eating-poo.jpeg :D - but enjoying the option to allow some features of a webpage and denying the others, it's too bad I can't use NoScript without giving it (for me and my workflow unnecessary) permissions. Also while NoScript is all about using the web without giving unnecessary permissions.
But since there is no other way I think I will eventually update. :/

But yeah - to allow NS to read and modify my whole download history in exchange just for the convenience not to have to select all content in a textarea, copying this into my favourite editor and saving it as "my-settings.json" (if I want that someday at all) but to have a button which opens a SaveAs-Dialog is... meh, not the way I like to go.

Maybe someday Mozilla adds "optional features" to WebExtensions so that users can choose which privileges to give and the extension works in a custom mode then.

Malorn wrote:May I inquire why 'modify download history' is also something that is required to function?
As far as I understand MDN there is just a "one-size permission to fit them all" which enables the whole download API for the extension. Even if NoScript just needs a single function of this API (open save-as prompt) you have to give it full access to the API.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
tomsch
 
Posts: 6
Joined: Wed Nov 22, 2017 9:03 pm
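
The update prompt discussed in this thread appears when a new entry is added to an extension's manifest `permissions`. As an added example (not NoScript's code; the `example-blocker` manifests and the `REVIEWED` list are constructed for illustration), this compares two manifest versions and reports which reviewed permissions are granted at install time:

```javascript
// Added example. REVIEWED is a constructed review policy, not a browser list.
const REVIEWED = {
  // Prompt text as quoted in this thread:
  downloads: "Download files and read and modify the browser's download history",
  // Editor's summaries (not browser prompt text):
  webRequest: "observe network requests",
  webRequestBlocking: "block or modify network requests",
  "<all_urls>": "host access to every site",
};

// Permissions present in the new manifest but not in the old one.
function addedPermissions(oldManifest, newManifest) {
  const before = new Set(oldManifest.permissions || []);
  return (newManifest.permissions || []).filter((p) => !before.has(p));
}

// Classify reviewed permissions by when the user grants them.
function auditManifest(manifest) {
  const install = new Set(manifest.permissions || []);
  const onDemand = new Set(manifest.optional_permissions || []);
  const findings = [];
  for (const [name, note] of Object.entries(REVIEWED)) {
    if (install.has(name)) findings.push({ name, grantedAt: "install", note });
    else if (onDemand.has(name)) findings.push({ name, grantedAt: "on-demand", note });
  }
  return findings;
}

// Constructed manifests for a hypothetical content blocker (MV2 layout).
const v1 = {
  manifest_version: 2, name: "example-blocker", version: "1.0",
  permissions: ["storage", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
};
const v2 = { ...v1, version: "1.1", permissions: [...v1.permissions, "downloads"] };

console.log("added in update:", addedPermissions(v1, v2));
for (const f of auditManifest(v2)) {
  console.log(`${f.grantedAt.padEnd(9)} ${f.name}: ${f.note}`);
}
```
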

Re: No script download permissions

Postby barbaz » Mon Dec 11, 2017 12:49 am

barbaz
Senior Member
 
Posts: 8724
Joined: Sat Aug 03, 2013 5:45 pm

Re: No script download permissions

Postby TheSuperSquirrel » Mon Dec 11, 2017 4:42 am

Well I, for one, appreciate the update! I greatly missed the ability to export and import when I had to refresh Firefox!
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
TheSuperSquirrel
 
Posts: 3
Joined: Sun Nov 26, 2017 4:55 am

NoScript Update Needs Download Permissions?

Postby dranved » Mon Dec 11, 2017 5:17 pm

With the new NoScript update, it states that it now has to have permissions to download files and read your download history. What is the explanation on why the script would need to download files or view your history? Seems like a security risk on the surface.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
dranved
 
Posts: 5
Joined: Wed Nov 22, 2017 11:23 pm

Re: No script download permissions

Postby barbaz » Mon Dec 11, 2017 5:29 pm

Threads merged.
barbaz
Senior Member
 
Posts: 8724
Joined: Sat Aug 03, 2013 5:45 pm

Re: No script download permissions

Postby peetaur » Thu Dec 14, 2017 11:22 am

I like the way Nielsen puts it... that is just what it sounds like, and the opposite of what you'd like to see in a security product: "this addon will download stuff and hide it from you, yes/no?"

I have no desire to export anything... I'd rather just wipe it blank (also removing the default whitelist). You should make it optional. You should stick to the principle of least privilege. An acceptable compromise that respects the principles would be for it to only allow downloads from specific domains, modify history only for those downloads, and save files only to specific places ... but I have no idea if Firefox supports that.

Thanks for this very useful product, and I understand why it is like that, and that it was way worse before Firefox 57, but it could be much better...please don't ignore this problem.
Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
peetaur
 
Posts: 3
Joined: Tue Nov 28, 2017 9:36 pm

Re: No script download permissions

Postby Giorgio Maone » Thu Dec 14, 2017 11:54 am

peetaur wrote:You should make it optional. You should stick to the principle of least privilege. An acceptable compromise that respects the principles would be for it to only allow downloads from specific domains, modify history only for those downloads, and save files only to specific places ... but I have no idea if firefox supports that.

I agree it would be nice, but Firefox doesn't support that (nor Chrome). "downloads" is not among the permissions which can be given on demand.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Giorgio Maone
Site Admin
 
Posts: 8640
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: No script download permissions

Postby barbaz » Fri Sep 14, 2018 1:35 pm

@Alexander, your post is not related to NoScript's use of the "downloads" permission, so it was split to viewtopic.php?f=7&t=25202

Locking thread since NoScript has not used the "downloads" permission for a long time now.
https://hackademix.net/2017/12/11/noscript-and-the-downloads-permission/ wrote:Dec 18th 2017 Update

NoScript 10.1.6 reimplements the "Export" button functionality in a more convoluted way, which doesn't require the "downloads" permissions anymore though :) Enjoy!
barbaz
Senior Member
 
Posts: 8724
Joined: Sat Aug 03, 2013 5:45 pm
