Just to make sure I understand correctly:
Checking "unchecked_css" makes it unchecked and unchecking it makes it checked?
My english is too bad to come up with a clever name for it but because everything else uses nouns maybe something like "css attack" would be more obviously?
Checking "unchecked_css"
Checking "unchecked_css"
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Checking "unchecked_css"
"css attack" would be more obvious, but IMHO excessive: by checking the checkbox, you're allowing the site to use any CSS without checks (not necessarily for an attack).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Re: Checking "unchecked_css"
I guess "css threat" is excessive, too? Maybe a native english speaker can come up with something nice. "unchecked_css" is confusing.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Checking "unchecked_css"
I'm thinking of using a previous candidate, "unrestricted CSS", which we originally rejected because it seemed too long in characters for the UI layout. But the capabilities list is already two rows long no matter what on Chromium (which restricts the popup width to 800px max), so...
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Re: Checking "unchecked_css"
Maybe there is no clean win on this one
The problem with "unrestricted CSS" is that the current mitigation doesn't "restrict" anything, it just loads CSS differently. What about "uncontrolled CSS"?
The problem with "unrestricted CSS" is that the current mitigation doesn't "restrict" anything, it just loads CSS differently. What about "uncontrolled CSS"?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Checking "unchecked_css"
"Do keep the name short though."
What if the name is "unsafe CSS"?
What if the name is "unsafe CSS"?
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 SM/2.49.5 NS/2.9.0.14
Re: Checking "unchecked_css"
That isn't a sharp description of this capability. That reads like un-checking it would result in NoScript actually blocking some CSS. But that is not the case atm.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Checking "unchecked_css"
Giorgio could you please address this? Thanks
*Always* check the changelogs BEFORE updating that important software!
-
Re: Checking "unchecked_css"
Although the CSS-restriction name discussion goes on I venture to ask:
1. Are there any real security benefits or behavior drawbacks to (un)check these CSS non-restrictions?
2. Some of my custom Per-Site Permissions now have this option checked and some don’t.
These (un)checks have appeared automatically without any actions from my part.
What’s the logic?
1. Are there any real security benefits or behavior drawbacks to (un)check these CSS non-restrictions?
2. Some of my custom Per-Site Permissions now have this option checked and some don’t.
These (un)checks have appeared automatically without any actions from my part.
What’s the logic?
Mozilla/5.0 (Windows NT 6.1; rv:88.0) Gecko/20100101 Firefox/88.0
Re: Checking "unchecked_css"
@Quest
(I'm certain those questions were both already asked and answered on this forum, but I can't find it either, so...)
1) Yes. For benefits, please see the sticky - viewtopic.php?f=7&t=26285
The drawback is that the current mitigation may cause a FOUC (flash of unstyled content) and may result in loading some additional resources that wouldn't otherwise be loaded.
2) It should depend on the state of "script" capability:
This is off-topic for this thread, so if you wish to continue this please start a new thread. (If you do we can merge your post and this reply there as well if you like.)
(I'm certain those questions were both already asked and answered on this forum, but I can't find it either, so...)
1) Yes. For benefits, please see the sticky - viewtopic.php?f=7&t=26285
The drawback is that the current mitigation may cause a FOUC (flash of unstyled content) and may result in loading some additional resources that wouldn't otherwise be loaded.
2) It should depend on the state of "script" capability:
... that CSS PP0 would accomplish.Giorgio Maone wrote: ↑Wed Mar 31, 2021 4:42 pm we assume JavaScript-enabled pages have plenty and more accurate ways to accomplish the same thing
This is off-topic for this thread, so if you wish to continue this please start a new thread. (If you do we can merge your post and this reply there as well if you like.)
*Always* check the changelogs BEFORE updating that important software!
-