NoScript and website detection. FIGHT BACK!!

Ask for help about NoScript, no registration needed to post
3453245
Posts: 6
Joined: Sat Dec 30, 2017 1:17 pm

NoScript and website detection. FIGHT BACK!!

Post by 3453245 » Sun Dec 31, 2017 1:54 am

I am finally going to post about this issue now. I meant to for some years in fact, but never did, mainly because it's not that prevalent and can somewhat be worked around.
Does NoScript "development" have some kind of weird "honor" system policy? What am I talking about? For a few years now, some (greedy/scummy websites) have been "detecting" NS and either blocking the site until turned off or "hassling" you with "please whitelist us" windows or such b/s. Prime example; pcgamer.com

Now let's all skip sentimental b/s and get down to business. First, I wish to get an official answer from the NS team. Is that -being detected- something you accept and don't want to counter? If the answer is "yes", then at least I know where we stand.

If it's not, then what are you doing to counter such "detection"? I have no issue with NS becoming somewhat like the DRM cat and mouse game; fix websites detection, they find new ways to detect NS, you counter, etc.. I assume that NS is not trying to obfuscate itself at all since ever? As more and more sites detect and block you, you realize people will stop using you. Is that what you want? You get paid by some sites to not cloak? There would definitely be some ways to make it harder for sites to know NS is used. Or not? Or is Mozilla not allowing this? What's happening in this dirty business?
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0

Pansa
Senior Member
Posts: 318
Joined: Fri Nov 24, 2017 10:30 pm

Re: NoScript and website detection. FIGHT BACK!!

Post by Pansa » Sun Dec 31, 2017 3:17 am

The website detect that the script isn't running.
It probably has a portion of the script that "sends" something, and if it doesn't (because NS is preventing it from running), then the server sends you a different document.

On many pages the issue can be circumvented by only running the script of the page itself, but not the slew of of embedded and imported scripts from other domains.

This isn't really Noscripts job, though. No script doesn't scan what a script DOES, it only scans what general type the script is, and where it is from.
It is your job to make the distinction who you trust or not.
Many pages don't work to begin with, if you don't want to trust the page itself to run a script, or a number of their own subdomains/alternative sources, but most do if you just don't allow the 3rd party scripts.
If you don't trust the page you are trying to visit with it's own scripts, but said provider insists on running them, you are at an impasse.
You have to decide which is more important to you.
That is not what Noscript is for.

So in a sense you are already beating the "detection" if you allow pcgamer itself to run a script, because they think that if they can run THEIR script, that you alos run the adds and tracking and all that fun. Which you don't have to thanks to noscript.

So what you want is basically a tool that scans all scripts for individual "send" hooks, and instead of just not doing the send, you want the tool to find what it sends, and send "something" that is sufficient without everything else running. That is entirely non trivial, and I doubt it can be done on a "free" basis of one dev.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

barbaz
Senior Member
Posts: 9567
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and website detection. FIGHT BACK!!

Post by barbaz » Sun Dec 31, 2017 3:51 am

3453245, are you trying to make yourself look like a crank? If you want to be taken seriously around here, ask your questions in a neutral way and lose the conspiracy theories.

Now, you want to know what this "detection" is? The site is not detecting NoScript. It's an anti-adblock system. NoScript is tripping it by blocking the script(s) it needs.

NoScript is a security tool, not an anti-adblock circumvention tool. So your choice is to either allow whatever the site needs to work, or visit a different site.


BTW, the "NS team" consists of only Giorgio. We mods are just volunteers doing support in our spare time.
*Always* check the changelogs BEFORE updating that important software!
-

Pansa
Senior Member
Posts: 318
Joined: Fri Nov 24, 2017 10:30 pm

Re: NoScript and website detection. FIGHT BACK!!

Post by Pansa » Sun Dec 31, 2017 6:11 am

Looked at PCgamer a bit closer.

If you run NO scripts on the page, it doesn't redirect to begin with. And you can read the articles just fine.
If you only allow …pcgamer.com you will get the error redirect.
If you additionally allow http static.pcgamer.futurecdn . net the site works fine again.

Basically the base page checks whether it can reach futurecdn.
If you forbid both, fine. If you allow both, fine.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

3453245
Posts: 6
Joined: Sat Dec 30, 2017 1:17 pm

Re: NoScript and website detection. FIGHT BACK!!

Post by 3453245 » Tue Jan 16, 2018 1:44 pm

this site is also funny actually, since i got no notification email, and yes i set it to always send email for new replies - from the getgo. i came back and was going to post why nobody replied only to find some. (an no, it's not in my junk folder) though it might be phpbb. not all, but other phpbb sites also , from memory, seem to have issues with sending email notifications for replies. or maybe it's a combination of phpbb and email domain.

as for noscript being detected or adblock, it works together sometimes so maybe noscript could be more hidden. surely that would help it's case of being a security tool anyway. the point is, noscript could obfuscate code and things for it's own good anyway.

as for pc gamer site, that was just a recent example. other sites also do that and if i don't allow at least the main domain, theere is no point browsing, so don't say go elswhere, it's silly. i do allow main domains and many other sites as required. and yeah, my next destination will be the adblock site, if they even have one... i know they are on the take, since it was reported before...
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0

Pansa
Senior Member
Posts: 318
Joined: Fri Nov 24, 2017 10:30 pm

Re: NoScript and website detection. FIGHT BACK!!

Post by Pansa » Tue Jan 16, 2018 2:19 pm

3453245 wrote: other sites also do that and if i don't allow at least the main domain, theere is no point browsing.
as for pc gamer site, that was just a recent example.
Why? If I can read the content without enabling scripts on the main side, then there is a point in browsing them.

And for any other example there is also regularly a combination of "call" and "reply" without actually enabling most of the ad content that the checks think they check for but actually don't.
The sites don't expect Noscript, they expect adblockers. And in their expectation they believe that checking basically "javascript: yes, but the other thing: no = adblock = error" even if you can easily run the whole check without actually having the adds and tracking.

as for noscript being detected or adblock, it works together sometimes so maybe noscript could be more hidden. surely that would help it's case of being a security tool anyway. the point is, noscript could obfuscate code and things for it's own good anyway.
You don't understand how noscript works. There is no "hiding" because there is no "being in the open" to begin with.
It's entirely local. The website doesn't KNOW what you are doing at all. Your computer runs (or doesn't run) scripts, and the people writing those scripts have error conditions in them, with consequences.
No script just allows those or doesn't depending on your choices, and if your choices cause the programmed conditions, you get the consequences.
They don't know what is keeping the page from loading the way THEY intend it to, and factually they rarely if ever check properly for it either (because considering the myriads of browsers that would cause more errors than help them).
They do a very minimalistic check, and if you account for that, you are fine.
Most sites either work with actually NO scripts, at least as far as reading the material, and most of the rest works if you find the combination of "call and check" and enable those, without actually enabling all the rest of the scripts.
(like in the pcgamer case. it's merely the mainpage, and the cdn, the site tries to run like 10 other scripts including the adds, and you need none of them.)
Same goes for pages like wikia or others.

What you want is completely outside of the scope of this tool, and it is literally impossible to provide this without a fleet of programmers reacting to individual cases.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

Post Reply