InformAction Forums

Giorgio Maone wrote:

Myriadorn wrote: Well, good thing FF 57 came along then some we can make sure we don't install web extensions that does this.

So, let me check if I got this right: you find scarier the ability to download a file, after a mandatory prompt and in a location of your choice (or in the Downloads directory) than the ability of monitoring and filtering all your network traffic, which is required by any content-blocking WebExtension (including adblockers and, of course, NoScript)?
And you install only software more scrutinized than the Tor Browser (whose code is under the lens of practically all the security experts of all stripes all the time, including of course NoScript)?

,
Now that you've educated me on the dangers of 5x and the timely arrival of FF57 and the ability to actually make sure no extension can, I want both. I will of course wait and see if there's a way for NS to be updated to allow this, if not I'll just look elsewhere. Nothing more dramatic than that. But thank you for your reply, it was very informative in several ways.

Myriadorn wrote:a way for NS to be updated to allow this

"allow this" what?

The extent to which programs could modify things is certainly frightening to realize. May I inquire why 'modify download history' is also something that is required to function?

It was also mentioned that:

Giorgio Maone wrote:download a file, after a mandatory prompt and in a location of your choice

Reading the permission being granted and what firefox says about it, is this actually the case? It would seem to say that we are granting the extension the ability to download things without consulting the user. I mean, just about anything can download something with our permission, including just about any random website, it would seem strange to have to grant an extension the ability to ask us something.

Firefox says that the newest version of NoScript requires a new permission, specifically the ability to: "Download files and read and modify the browser's download history". Why does NoScript need to do this?

Threads merged. Please see Giorgio's post on the first page of this thread.

Giorgio Maone wrote:And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API

Ah okay, thank you for your reply.

As i am used to NoScript for a long time - not knowing Giorgio can look over my shoulder while i'm downloading kawaii-cat-girls-eating-poo.jpeg - but enjoing the option to allow some features of a webpage and dening the others it's too bad i can't use NoScript without giving it (for me and my workflow unnecessary) permissions. Also while NoScript is all about using the web without giving unnecessary permissions.
But since there is no other way i think i will eventually update. :/

But yeah - to allow NS to read and modify my whole download history in exchange just for the convenience not to have to select all content in a textarea, copying this into my favourite editor and saving it as "my-settings.json" (if i want that someday at all) but to have a button which opens a SaveAs-Dialog is... meh not the way i like to go.

Maybe someday Mozilla add "optional features" to WebExtensions that users can choose which privileges to give and the extension works in a custom mode then.

Malorn wrote:May I inquire why 'modify download history' is also something that is required to function?

As far as i understand MDN there is just a "one-size permission to fit them all" which enables the whoole donwload api for the extension. Even if NoScript just need a single function of this api (open save-as prompt) you have to give it full access to the api.

Well I, for one, appreciate the update! I greatly missed the ability to export and import when I had to refresh Firefox!

With the new NoScript update, it states that it now has to have permissions to download files and read your download history. What is the explanation on why the script would need to download files or view your history? Seems like a security risk on the surface.

Threads merged.

I like the way Nielsen puts it... that is just what it sounds like, and the opposite of what you'd like to see in a security product: "this addon will download stuff and hide it from you, yes/no?"

I have no desire to export anything... I'd rather just wipe it blank (also removing the default whitelist). You should make it optional. You should stick to the principle of least privilege. An acceptable compromise that respects the principles would be for it to only allow downloads from specific domains, modify history only for those downloads, and save files only to specific places ... but I have no idea if firefox supports that.

Thanks for this very useful product, and I understand why it is like that, and that it was way worse before Firefox 57, but it could be much better...please don't ignore this problem.

peetaur wrote:You should make it optional. You should stick to the principle of least privilege. An acceptable compromise that respects the principles would be for it to only allow downloads from specific domains, modify history only for those downloads, and save files only to specific places ... but I have no idea if firefox supports that.

I agree it would be nice, but Firefox doesn't support that (nor Chrome). "downloads" is not among the permissions which can be given on demand.

@Alexander, your post is not related to NoScript's use of the "downloads" permission, so it was split to https://forums.informaction.com/viewtop ... =7&t=25202

Locking thread since NoScript no longer uses the "downloads" permission for a long time now.

https://hackademix.net/2017/12/11/noscript-and-the-downloads-permission/ wrote:Dec 18th 2017 Update

NoScript 10.1.6 reimplements the "Export" button functionality in a more convoluted way, which doesn't require the "downloads" permissions anymore though Enjoy!