Blocking images for untrusted sites

[pirlouy]

Hello,

Noscript has so much features, and it's a long time I did not touch it.
I like the fact you can block all "embed" content with placeholder, even for whitelisted sites. But I miss one thing: I can't block images for "untrusted" sites. It would be cool to have a placeholder for images from sites which are not considered as trusted (for example, RequestPolicy allows that).

ps: is there a thread about options redesign, or some plans ?

[al_9x]

http://forums.informaction.com/viewtopi ... 981#p16981

[pirlouy]

Thanks for that link, but I don't feel like decrypting all your thread right now. Maybe later if I don't have another answer.
But thank you for that hint.

[al_9x]

The relevant part is the ability to refer to untrusted sites in ABE, that's been requested.

[pirlouy]

So to summarize, what I ask is a feature actually not implemented, even in the advanced module ABE. Isn't it ?
Personally, I'd like it not to be in ABE, since it is a module for advanced users, and what I ask is, I think, a common feature.

[Tom T.]

Firefox Tools > Options > Content > Load images automatically > Exceptions.

Add the desired sites to the Exceptions list. Done.

[pirlouy]

Thanks for the answer, but it's clearly not a usable solution. I like the concept of Noscript or Request Policy with their "trusted" sites (or whitelist). By default, I trust the domain I'm on, then I allow other sites content thanks to an accessible whitelist.
Do you think Giorgio could be interested in this feature ?

Noscript, RequestPolicy, AB+ all have some interesting features, but each one has drawbacks. Of course, you can use them all together, but that's not the recommended settings I think.

[Tom T.]

Thanks for the answer, but it's clearly not a usable solution. I like the concept of Noscript or Request Policy with their "trusted" sites (or whitelist). By default, I trust the domain I'm on, then I allow other sites content thanks to an accessible whitelist.

I did realize that you wanted automatic, on-the-fly blocking of images from Untrusted. Just offering a quick work-around. I tend to visit mostly the same sites, except when doing user support. So the image blocks are already in the Fx list, and not a big deal.

Noscript, RequestPolicy, AB+ all have some interesting features, but each one has drawbacks. Of course, you can use them all together, but that's not the recommended settings I think.

Why not? NS+RP is actually *recommended* by both developers, Giorgio and Justin Samuel of RP. (Justin says so on his page - NS and RP don't compete, but work together beautifully.)

That combo is enough for me that I don't even need ABP. Very few images come through from from untrusted sites, and if they're innocuous, it doesn't matter (IMHO). But lots of people run all three, and aside from a very occasional issue (there's a thread here that described an ABP block-tab triggering NS's ClearClick clickjacking protection -- there will be a workaround version, if there isn't one already), most users seem to think they play very nicely together. Give it a try -- you can always disable or uninstall ABP if needed. I wouldn't think of dumping RP, myself.

Do you think Giorgio could be interested in this feature ?

Only Giorgio can speak for Giorgio, but in working with him for almost three years now, the general philosophy is that NS is intended to block *executable* content, which definitely has the potential to be damaging and/or privacy-invasive. The only exception that comes to mind is Options > Advanced > Untrusted > Forbid "Web bugs", which are usually single-pixel clear GIFs or other still image format. Not executable, but the page calls to the source for the image - an ad agency or whatever -- thus revealing that your IP viewed that page, ad, e-mail, whatever. Otherwise, still images that don't cover other elements (clickjacking) may be annoying, but usually harmless. I block them at Yahoo Mail because they're distracting.

ps: is there a thread about options redesign, or some plans ?

There's an entire sub-forum, "NoScript Development". Have fun browsing it!

ETA: You might wish to consider using a HOSTS file service that blocks the entire connection to a list of reported ad, malware, or tracking sites, though not everyone likes that idea. *Personal opinion only*, I've used http://winhelp2002.mvps.org/hosts.htm -- updated about once a month, and blocks more than 16,000 sites. If I type, say, www dot doubleclick dot net in the Address bar, I get a "Can't connect" message -- the browser can't fetch images or scripts or anything else from that site, even if it or I tries to. If you do this, it's better to change the mapped "block" destination from their 127.0.0.1 (localhost) to 255.255.255.0 or 0.0.0.0. But you must make sure that the very first entry remains

Code: Select all

127.0.0.1  localhost

The usual disclaimer: I have no connection to that site, personal or financial, and can't be held responsible for what they do, or for your use of it. But I've been satisfied with it for some years now. IMHO. YMMV.

[pirlouy]

I tend to visit mostly the same sites, except when doing user support.

I think a lot of users (including me) go on new sites everyday for any reason... Of course, there are favorite sites you go more often, but it's impossible to say you visit the same sites everyday.

So the image blocks are already in the Fx list, and not a big deal.

...For you.
For me, it's not usable.

Why not? NS+RP is actually *recommended* by both developers, Giorgio and Justin Samuel of RP. (Justin says so on his page - NS and RP don't compete, but work together beautifully.)

For me, there should be only one extension which modifies content settings of webpages. For performance reason, avoiding collision, easier for users an other reasons I don't think right now.
No, RequestPolicy and Noscript are not complementary for me, since they both have common settings (it's also the case with AB+).

For now, I don't use AB+ because it's not adapted to "power users", it's impossible to whitelist easily or temporarily, and Wladimir is not interested. AB+ is nice if you use a filterset, else it's quite limited.
RequestPolicy is my preferred solution, but it lacks the ability to block embed content (thanks to a placeholder).
Noscript, despite a lot of options, can't block all contents of a not trusted site (images for example), but it is very good at blocking embed content (which is not the case of Flashblock for example). Plus it is supposed to have other security tools I don't really understand (need ?) but I believe it.

There's an entire sub-forum, "NoScript Development". Have fun browsing it!

Giorgio does surely not want to receive lessons of dumb users like me, but I'll try to open a thread of what bothers me...

ETA: You might wish to consider using a HOSTS file service that blocks the entire connection

This is like AB+, it's not easily usable, since you can't temporarily unblock, and more generally I'm not interested in Hosts solution, especially because like filter list, it's impossible to keep these list updated: Internet changes every minutes !

Thanks for your answer !

[Tom T.]

I tend to visit mostly the same sites, except when doing user support.

I think a lot of users (including me) go on new sites everyday for any reason... Of course, there are favorite sites you go more often, but it's impossible to say you visit the same sites everyday.

I''m sorry that the language was not clear. "Tend to" = "generally, usually, much of the time". E-mail. online bank and other financial institutions, some news sources (not allowing scripting there, *usually*)... Never said the same sites every day; sorry if it was misunderstood that way. New sites get configured when I go there for the first time. Temp-allow unless I think it'll be a regular one.

So the image blocks are already in the Fx list, and not a big deal.

...For you. For me, it's not usable.

Perhaps. There are only four entries in the Fx Image Exceptions at the moment:

Code: Select all

login.yahoo.com mail.yahoo.com us.bc.yahoo.com ying.com

because as said, I find them distracting and annoying.

Why not? NS+RP is actually *recommended* by both developers, Giorgio and Justin Samuel of RP. (Justin says so on his page - NS and RP don't compete, but work together beautifully.)

For me, there should be only one extension which modifies content settings of webpages. For performance reason,

If anything, you get a gain in performance from each. Less scripting loading and fewer images loading = faster loading.

avoiding collision

What collision? If you are at goodsite.com, and NS blocks script called from evil.com, and RP blocks images from evil.com, that's not a collision. No harm is done. If anything, it's *redundancy*, which provides an added measure of safety.

It was Giorgio who recommended RP to me in the first place. I've never encountered any "collision issue" or anything else that broke a page.

easier for users

Agreed that there is one more tool to use. I don't use the default whitelists in RP at all, but you certainly may. Note that they are localized, at your option, plus "international", and prompt you to choose upon install. You can always change later.

No, RequestPolicy and Noscript are not complementary for me, since they both have common settings (it's also the case with AB+).

The settings are doing different things. In essence, you're asking Giorgio to add RP to NS. I *like* being able to see images without script running (news site?) or allow script without images loading (e-mail.)

There's always a trade-off: Security+privacy versus convenience. If everyone were honest, we wouldn't need to carry around these bulky key chains. No need to lock your home, car, etc. But there are dishonest people in the world. So we take reasonable, though somewhat less convenient, measures to protect ourselves.

For now, I don't use AB+ because it's not adapted to "power users",

I don't use it because it's unnecessary. With NS + RP, I almost never see ads anyway.

it's impossible to whitelist easily or temporarily, and Wladimir is not interested. AB+ is nice if you use a filterset, else it's quite limited.

Agree. I used to use the old AdBlock (Original), which was user-based, not subscription- based, but it was not supported past Fx 2.

RequestPolicy is my preferred solution, but it lacks the ability to block embed content (thanks to a placeholder).
Noscript, despite a lot of options, can't block all contents of a not trusted site (images for example), but it is very good at blocking embed content (which is not the case of Flashblock for example).

Which is exactly why to use both. *Try it*, and if you have questions, we'll try to answer them, though of course those that are specific to RP should be asked there. But if it's a settings question for a given site or sample of sites, involving both tools, I don't think anyone would mind if you posted here.

There's an entire sub-forum, "NoScript Development". Have fun browsing it!

Giorgio does surely not want to receive lessons of dumb users like me, but I'll try to open a thread of what bothers me...

There are no dumb questions. We ask only that you take a little time to browse through the NoScript FAQ and NoScript "Features" Page page, to learn more about this great tool. And for a specific problem, search the forum to see if it's already been addressed. After that, ask away!

Plus it is supposed to have other security tools I don't really understand (need ?) but I believe it.

Absolutely. Again, the FAQ and Features page should explain, but if you don't understand ... well, that's why we're here.

ETA: You might wish to consider using a HOSTS file service that blocks the entire connection

This is like AB+, it's not easily usable, since you can't temporarily unblock,

Most of the sites in there, you don't want to unblock, believe me. Ads, adware, tracking cookies, spyware...

and more generally I'm not interested in Hosts solution, especially because like filter list, it's impossible to keep these list updated: Internet changes every minutes !

Very true. But the same 16,000 sites (at the moment) still need to be blocked always, plus whatever are added in the monthly updates.
When new sites emerge, NS's default-deny policy protects you, until you decide whether the site should be trusted.

btw, do you care to list some sites that are Untrusted, but whose images come through and offend you? Why are you visiting the Untrusted site -- which is *not* the same as a default-denied site?

Thanks for your answer !

You're welcome. I wish you'd try NS+RP. Earlier, you said it was "ideal, but not recommended". Later, it was that you preferred not to have both, even though it *is* recommended. (I too can do without ABP, although some swear by it.) So here's another recommendation. Try it, and say what you don't like.

In any event, I really don't see the need, or likelihood, of an auto-block of still images on Untrusted sites. My Untrusted list is only two lines long, and consists mostly of data-miners and some ad agencies. Why would I want to see images from them, or visit their sites?

[pirlouy]

What collision?

For example, if you have AB+ and Noscript installed, if you block some stuff with Noscript, AB+ will not show the same thing each time: sometimes it will show some stuff blocked by Noscript, sometimes it won't. It's the same with Flashblock and AB+ for example.

Using 2 extensions for content does not mean page will load faster; I remember Noscript (first versions) and GreaseMonkey were not working well together. It will always be the case, even if Mozilla creates some kind of priorities for extension (I read some stuff for that with Google Chrome which now uses the order of extensions installation).

I think Giorgio doesn't "recommend" RP; he just allows people to use it since both works well together (yes, I use both).
In fact, if I ask for placeholder for images, it's because it's easier to detect when a useful script has been blocked. For that, RP is really nice.

ps (re-reading myself): When I said "AB+ is not adapted to power users", it's a bit clumsy, since you can create powerful filter; I meant you can't use it if you plan to block everything then whitelist quickly.

[Tom T.]

What collision?

For example, if you have AB+ and Noscript installed, if you block some stuff with Noscript, AB+ will not show the same thing each time: sometimes it will show some stuff blocked by Noscript, sometimes it won't. It's the same with Flashblock and AB+ for example.

So don't use ABP, as we both agree it's not ideal. My recommendation was to use RP, which doesn't cause this "collision" issue that ABP and Flashblock have. I say again, I've been using the two for years.

Using 2 extensions for content does not mean page will load faster;

Depends on the extensions, obviously. Some will slow it down. But the less stuff loading or being called across sites, the better, surely.

I remember Noscript (first versions) and GreaseMonkey were not working well together.

Very few first versions of anything work perfectly, no matter how much beta testing goes on. Does NS not work well with GM now?

I think Giorgio doesn't "recommend" RP; he just allows people to use it since both works well together (yes, I use both).

Sorry, he recommended it to me personally, which is why I have it. I wasn't aware of it at the time.

How can he "allow" them to use it? He can't disallow them to use it unless he deliberately writes NS to break RP. Not going to happen.

Since you use RP, I'm not sure what the issue is here. Once again, why do you want to visit Untrusted sites at all? Everything in the universe is blocked by default, except for the minimal whitelist, which has been expanded a bit for the convenience of novices, and should be fine-tuned by power users. So there is no need to mark a site as Untrusted unless you really never want to see it. So ... why would you be seeing images at sites you don't want to visit?

Sorry that I don't understand. Please provide some sample URLs of sites you visit, but don't want to see images.

[pirlouy]

Aha, You don't understand me. Or rather I'm not clear enough.

Forget the "trusted" notion, just imagine Script and images were the same thing in Noscript. So, if you whitelist some sites, it would allow script + images.

For now, I use RP to block external content (including images + script) and I use Noscript for all embed stuff with placeholders. It works well, znd I don't have issues.
What I was asking is just a RP setting which would have allowed me to use NS only.

[Tom T.]

Aha, You don't understand me. Or rather I'm not clear enough.

It's not a matter of who is "to blame", but no, I did not understand, and still don't. That is why I keep asking for a sample web site, so I can see what it is that you want blocked, at what kind of site.

Forget the "trusted" notion, just imagine Script and images were the same thing in Noscript. So, if you whitelist some sites, it would allow script + images.

Script and images are very different things in reality, although I think I did understand your wish: You wanted NS and RP combined in one tool:

What I was asking is just a RP setting which would have allowed me to use NS only.

That's throwing quite an additional burden on the (sole) developer of NS, whose attention is geared toward meeting emergent threats, bringing NS 3.x to the desktop, and other security enhancements, bug fixes, etc. I would rather that those priorities be maintained.

Also, NS is already too complicated for some users. Many posts here: "I love NS, but my spouse/parent/child/whatever won't touch it". Using NS + RP is a bit much for some users. Adding RP capability and settings would just complicate the GUI, FAQ, etc., even more. Users like yourself who are fully comfortable with all of NS's features can easily handle RP, as you do. It may be a very slight inconvenience to have to configure settings for two tools instead of one, but in view of the above, I really can't support the idea of combining the capabilities.

Still, in all fairness, I'll ask NS developer Giorgio Maone to speak his mind on the issue.