
Option to suppress XSS pop-up. And some UI tweaks.

Posted: Mon Jul 09, 2018 10:55 am
by NoscriptUser1
Hi,

Can we get an option to not show the XSS pop-up notification? I don't want to be notified. Related to that, how about a button to evoke the XSS pop-up? For example, if you already closed the pop-up and want to view it again.

Unrelated to the above, how about reset buttons for the presets on the option page? I presume there is some thought on the defaults (script, object and fetch) being disabled on the default settings, and I would like an easy option to reset them.

Still on the presets options, a minor tweak is not having the trusted and untrusted presets on separate tabs that you have to click on, just have them all displayed at once, now that the options page is divided into sections this makes little sense.

Re: Option to suppress XSS pop-up. And some UI tweaks.

Posted: Mon Jul 09, 2018 7:38 pm
by skriptimaahinen
If you mean you do not want XSS protection anymore, there is an option to disable it in the NS-Settings/Advanced.

If you want the XSS protection to work but wish you didn't need to allow/block the same popup every time, there is the "Always allow/Always block" option in the popup, which will allow/block the particular request automatically.

Next to the enable/disable XSS button is "Clear XSS Choices" that resets all the choices you have made.

There is a reset button for ALL options in the top-right corner of the Settings page, but I guess that's not exactly what you wished for.

By default the settings are:

DEFAULT: frame, fetch, other
TRUSTED: all
UNTRUSTED: none
NoscriptUser1 wrote: Still on the presets options, a minor tweak is not having the trusted and untrusted presets on separate tabs that you have to click on, just have them all displayed at once, now that the options page is divided into sections this makes little sense.
I Agree.

Re: Option to suppress XSS pop-up. And some UI tweaks.

Posted: Tue Jul 10, 2018 5:19 am
by NoscriptUser1
Maybe my post wasn't clear, I'm not looking for instructions on the options menu. I will clarify, I know I can disable XSS protection altogether, I know there are options in the XSS pop-up, and the "Clear XSS choices" in the settings, these are all clearly labelled.

What I want is to automatically always block XSS, and for the XSS pop-up to not show up, I clarify again, I do not want to disable XSS protection. My second suggestion is pretty clear, I want a button on the NS panel (the toolbar panel), to have an option to re-show that XSS pop-up, in the event there is an XSS attempt.

As you said, I'm not looking for a reset everything button, just an easy way to reset the presets, JUST the presets.

Re: Option to suppress XSS pop-up. And some UI tweaks.

Posted: Tue Jul 10, 2018 6:43 am
by skriptimaahinen
Thanks for clarification.

The current design clearly expects that the XSS warnings are few and far between. I assume you encounter them slightly more often?

The visual popup does have the advantage that, since false positives are likely going to break something, you will at least instantly know what is the cause.

Re: Option to suppress XSS pop-up. And some UI tweaks.

Posted: Wed Jul 11, 2018 7:27 am
by NoscriptUser1
No, I in fact, like you said, encounter XSS attempts very rarely.

Yes, I agree that the pop-up does have its advantages like you said, I just want an option to not see it, that's why I suggested the XSS button.

I assume since Giorgio hasn't replied, he's not interested in implementing this, and I understand that. Hey, Giorgio said (in his blog) that if you have suggestions, make it known. Doesn't hurt to try.

There is something that I do want some explanation on, and that is how often and serious XSS attempts are, I did some reading on this, and saw a recent post by Giorgio himself here regarding this. Before I made this post, I even thought to disable XSS protection, but decided I'd rather put up with the inconvenience of the pop-ups. If XSS was that serious and common, surely there would be more browser addons or built-in browser options to deal with it.

My suggestions on the UI tweaks to the presets section should still be considered though, it'll make it just a bit better, IMO.

Re: Option to suppress XSS pop-up. And some UI tweaks.

Posted: Wed Jul 11, 2018 12:40 pm
by barbaz
NoscriptUser1 wrote:I assume since Giorgio hasn't replied, he's not interested in implementing this,
Not a safe assumption. Giorgio is very busy, maybe he just hasn't had time to reply yet.
NoscriptUser1 wrote:how often and serious XSS attempts are,
Well, it shouldn't happen very often. But it's very serious. For example, if a malicious site can run its scripts in the context of your bank site, your bank password and personal information could be stolen and your bank account drained.
skriptimaahinen wrote:
NoscriptUser1 wrote: Still on the presets options, a minor tweak is not having the trusted and untrusted presets on separate tabs that you have to click on, just have them all displayed at once, now that the options page is divided into sections this makes little sense.
I Agree.
+1

Re: Option to suppress XSS pop-up. And some UI tweaks.

Posted: Wed Jul 11, 2018 7:10 pm
by skriptimaahinen
NoscriptUser1 wrote:If XSS was that serious and common, surely there would be more browser addons or built-in browser options to deal with it.
The current chosen approach by most browsers is CSP (Content Security Policy), which lets web pages define a set of rules for scripts and content that is supposed to be on the page. If for example someone managed to inject some extra JavaScript on the page, the browser would compare it to the rules, notice that it is not in compliance and block it. However, since setting up the rules is voluntary and even if set up, there could be holes, there is some room left for the XSS protection in NoScript to be meaningful.

Re: Option to suppress XSS pop-up. And some UI tweaks.

Posted: Wed Jul 11, 2018 11:56 pm
by Giorgio Maone
NoscriptUser1 wrote:I assume since Giorgio hasn't replied, he's not interested in implementing this, and I understand that. Hey, Giorgio said (in his blog) that if you have suggestions, make it known. Doesn't hurt to try.
Sorry for the late answer. I took note of all your RFEs, and they actually make sense.
Unfortunately I can't tell you if and when I can get at them, because there are many higher priority things to do yet for Classic-Quantum parity.

BTW, the tweak on the presets UI may appear to be the simplest, but it's actually quite hard because a lot of code is reused from the per-site permissions UI, which supports only one customization row to be shown at the same time.
NoscriptUser1 wrote: surely there would be more browser addons or built-in browser options to deal with it.
IE has been the first browser to "copy" NoScript's XSS filter, and then Chrome followed ("XSS auditor"), but both are deemed much less effective than NoScript's by the security researchers specializing in this field.
Firefox didn't ever get its own built-in XSS protection, even though there's been a bug about implementing it opened for almost a decade now: I guess that every time somebody starts working on it, he/she soon realizes how difficult it is to develop and maintain, and gives up on the premise that Firefox users can install NoScript if they want.

Re: Option to suppress XSS pop-up. And some UI tweaks.

Posted: Thu Jul 12, 2018 8:20 am
by NoscriptUser1
Okay, I understand, thank you for your time and keep up the good work.