Checking "unchecked_css"

Ask for help about NoScript, no registration needed to post
Guest

Checking "unchecked_css"

Post by Guest » Wed Apr 28, 2021 4:09 am

Just to make sure I understand correctly:
Checking "unchecked_css" makes it unchecked and unchecking it makes it checked? :roll:
My english is too bad to come up with a clever name for it but because everything else uses nouns maybe something like "css attack" would be more obviously?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0

User avatar
Giorgio Maone
Site Admin
Posts: 9101
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Checking "unchecked_css"

Post by Giorgio Maone » Wed Apr 28, 2021 5:31 am

"css attack" would be more obvious, but IMHO excessive: by checking the checkbox, you're allowing the site to use any CSS without checks (not necessarily for an attack).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0

Guest

Re: Checking "unchecked_css"

Post by Guest » Wed Apr 28, 2021 6:55 am

I guess "css threat" is excessive, too? Maybe a native english speaker can come up with something nice. "unchecked_css" is confusing.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0

User avatar
Giorgio Maone
Site Admin
Posts: 9101
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Checking "unchecked_css"

Post by Giorgio Maone » Wed Apr 28, 2021 2:55 pm

I'm thinking of using a previous candidate, "unrestricted CSS", which we originally rejected because it seemed too long in characters for the UI layout. But the capabilities list is already two rows long no matter what on Chromium (which restricts the popup width to 800px max), so...
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0

barbaz
Senior Member
Posts: 9942
Joined: Sat Aug 03, 2013 5:45 pm

Re: Checking "unchecked_css"

Post by barbaz » Wed Apr 28, 2021 7:27 pm

Maybe there is no clean win on this one :?

The problem with "unrestricted CSS" is that the current mitigation doesn't "restrict" anything, it just loads CSS differently. What about "uncontrolled CSS"?
*Always* check the changelogs BEFORE updating that important software!
-

fatboy
Senior Member
Posts: 61
Joined: Fri Jul 25, 2014 6:56 am
Contact:

Re: Checking "unchecked_css"

Post by fatboy » Thu Apr 29, 2021 11:26 am

"Do keep the name short though."
What if the name is "unsafe CSS"?
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 SM/2.49.5 NS/2.9.0.14

barbaz
Senior Member
Posts: 9942
Joined: Sat Aug 03, 2013 5:45 pm

Re: Checking "unchecked_css"

Post by barbaz » Thu Apr 29, 2021 4:11 pm

fatboy wrote:
Thu Apr 29, 2021 11:26 am
What if the name is "unsafe CSS"?
That isn't a sharp description of this capability. That reads like un-checking it would result in NoScript actually blocking some CSS. But that is not the case atm.
*Always* check the changelogs BEFORE updating that important software!
-

barbaz
Senior Member
Posts: 9942
Joined: Sat Aug 03, 2013 5:45 pm

Re: Checking "unchecked_css"

Post by barbaz » Thu May 20, 2021 4:26 pm

barbaz wrote:
Wed Apr 28, 2021 7:27 pm
The problem with "unrestricted CSS" is that the current mitigation doesn't "restrict" anything, it just loads CSS differently. What about "uncontrolled CSS"?
Giorgio could you please address this? Thanks
*Always* check the changelogs BEFORE updating that important software!
-

Quest

Re: Checking "unchecked_css"

Post by Quest » Sun May 23, 2021 5:51 pm

Although the CSS-restriction name discussion goes on I venture to ask:
1. Are there any real security benefits or behavior drawbacks to (un)check these CSS non-restrictions?
2. Some of my custom Per-Site Permissions now have this option checked and some don’t.
These (un)checks have appeared automatically without any actions from my part.
What’s the logic?
Mozilla/5.0 (Windows NT 6.1; rv:88.0) Gecko/20100101 Firefox/88.0

barbaz
Senior Member
Posts: 9942
Joined: Sat Aug 03, 2013 5:45 pm

Re: Checking "unchecked_css"

Post by barbaz » Sun May 23, 2021 6:49 pm

@Quest

(I'm certain those questions were both already asked and answered on this forum, but I can't find it either, so...)

1) Yes. For benefits, please see the sticky - viewtopic.php?f=7&t=26285
The drawback is that the current mitigation may cause a FOUC (flash of unstyled content) and may result in loading some additional resources that wouldn't otherwise be loaded.

2) It should depend on the state of "script" capability:
Giorgio Maone wrote:
Wed Mar 31, 2021 4:42 pm
we assume JavaScript-enabled pages have plenty and more accurate ways to accomplish the same thing
... that CSS PP0 would accomplish.

This is off-topic for this thread, so if you wish to continue this please start a new thread. (If you do we can merge your post and this reply there as well if you like.)
*Always* check the changelogs BEFORE updating that important software!
-

Post Reply