NoScript vulnerability: ctrl-T inadvertently allows sites!

Post by Peter, a fan of NoScript »

For some time I've been noticing that sites had been added to the whitelist without me doing it. Today I finally figured it out. Control-T is a keyboard shortcut that I use all the time to open a new tab in Firefox. Problem is, if the NoScript submenu is open, it interprets Control-T to mean allow the current website!! This is very unfortunate, as it's something that I bet has happened to many of us, without realising, resulting in a major and irreversible vulnerability. Is there a way to disable the keyboard shortcuts in NoScript? Or can you remove Ctrl-T in the next upgrade? Thanks for any help!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.22) Gecko/20110902 Firefox/3.6.22 (.NET CLR 3.5.30729)
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript vulnerability: ctrl-T inadvertently allows site

Post by therube »

True.
Though I would think it not a typical or easy action to perform?
The site is only Temporarily Allowed.

3.11 Q: One of the NoScript keyboard shortcuts overrides a shortcut used by another important extension of mine (e.g. Web Developer). What can I do?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20110905 Firefox/7.0 SeaMonkey/2.4
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: NoScript vulnerability: ctrl-T inadvertently allows site

Post by Alan Baxter »

Peter, a fan of NoScript wrote:
> For some time I've been noticing that sites had been added to the whitelist without me doing it. Today I finally figured it out. Control-T is a keyboard shortcut that I use all the time to open a new tab in Firefox. Problem is, if the NoScript submenu is open, it interprets Control-T to mean allow the current website!! This is very unfortunate, as it's something that I bet has happened to many of us, without realising, resulting in a major and irreversible vulnerability. Is there a way to disable the keyboard shortcuts in NoScript? Or can you remove Ctrl-T in the next upgrade? Thanks for any help!

Actually, it's worse than you think: the Control key isn't even necessary: just pressing the "T" is sufficient. This isn't one of the keyboard shortcuts that therube is referencing in his response. His suggestion doesn't seem to address the problem. If you look carefully, you can see that it's caused by the keyboard accelerators underlined in the NoScript menu (just like any popup context menu, by the way). In fact, if you inadvertently pressed "A" or "M" while the right NoScript menu is popped up, you can cause sites to be permanently whitelisted. Sorry, but I don't know how you can disable that.
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
saywot
Junior Member
Posts: 20
Joined: Wed Aug 03, 2011 4:36 am

Re: NoScript vulnerability: ctrl-T inadvertently allows site

Post by saywot »

Welcome to the world of unintended keyboard acceleration effects ;-)
Interesting definition of major vulnerability. Permanent whitelisting of a current top-level site that is presumably going to be revisited (because having it in the whitelist isn't going to be a problem if it's never revisited...unless it's a site that other sites invite to run third-party scripts) is kind of not high on my own definition list of vulnerabilities - else I would mostly be whitelisting a top level site I was regularly revisiting - for functionality - or toggling Temporarily Allow at each visit - at which point I would straight away discover the inadvertent Permanent Allow. The alternative of having a regularly visited site running scripts without a user's knowledge? Not in my opinion a "major" vulnerability - more an inconvenience because scripts take resources.

I'd be interested to find out how the original poster discovered the unintended additions to the permanent whitelist if not in the course of the usual alert NS user's activities.
Nothing above is to dispute the original poster's own findings, but I'd be very interested to see examples of their unintended vulnerable whitelistings.

This user had the devil's own fun getting used to the extra keyboard accelerators in .NET applications. Dismissing windows holding focus, sudden changes of font etc etc. Fun and games until the clashes were worked out.
NS AMO Beta channel subscription.
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript vulnerability: ctrl-T inadvertently allows site

Post by therube »

> just pressing the "T" is sufficient ...

You're right. Neat.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20110910 Firefox/7.0 SeaMonkey/2.4
Mike A.
Posts: 13
Joined: Wed Jul 29, 2009 1:49 pm

Re: NoScript vulnerability: ctrl-T inadvertently allows site

Post by Mike A. »

Peter, a fan of NoScript wrote:
> Problem is, if the NoScript submenu is open...

Just curious, how would the NoScript menu inadvertently be open? Perhaps try disabling the following on the General tab of NoScript Options.

Open permissions menu when mouse hovers over NoScript's icon

Peter, a fan of NoScript wrote:
> Is there a way to disable the keyboard shortcuts in NoScript?

Yes, there is. Remove the string values for the following preferences in about:config.

noscript.keys.toggle
noscript.keys.ui
Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Guest

Re: NoScript vulnerability: ctrl-T inadvertently allows site

Post by Guest »

therube wrote:
> > just pressing the "T" is sufficient ...
>
> You're right. Neat.

Weird, doesn't seem to work for me. Pressing T or Ctrl+T only causes it to highlight the "Temporarily allow" option but doesn't actually select it until I press Enter.
Mozilla/5.0 (Windows NT 6.0; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Mike A.
Posts: 13
Joined: Wed Jul 29, 2009 1:49 pm

Re: NoScript vulnerability: ctrl-T inadvertently allows site

Post by Mike A. »

Guest wrote:
> Pressing T or Ctrl+T only causes it to highlight the "Temporarily allow" option but doesn't actually select it until I press Enter.

This functionality was removed with v 2.1.3rc4 because it was deemed problematic for some reason.

I have the following post requesting this feature (menu accelerator) be added back.

"(Temporarily) Allow all on this page" access keys
Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Keyboardist

Re: NoScript vulnerability: ctrl-T inadvertently allows site

Post by Keyboardist »

Darn. So this is why keyboard shortcuts are missing from this version of NS? That is most unfortunate. I reassigned the shortcut combo to open the menu using Ctrl+Shift+S, because I have limited mobility in my arms and hands, using the mouse alone is very limiting. When I used the Ease of Access Sticky Keys feature where I can press each key of the combo one at a time, and the arrow keys, it works so much better for me.

I'm sorry for the Ctrl+T guy but I hope the NS brainiacs will reconsider and put the feature back in the Options. Perhaps just not allow that combo. Thanks so much. I'm a long, long time fan and think NS is amazing and I really hope Mozilla is kicking NS some big donations.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript vulnerability: ctrl-T inadvertently allows site

Post by barbaz »

@ Keyboardist: if

https://noscript.net/faq#qa3_11
about:config -> noscript.keys.tempAllowPage

isn't the feature you would like, can you please explain in more detail what exactly you would like a NoScript keyboard shortcut for? Thanks.
*Always* check the changelogs BEFORE updating that important software!