Why must I "Temporarily allow all this page" REPEATEDLY?
Posted: Thu Mar 08, 2012 7:47 am
Many users have asked, "Why do I have to 'temporarily allow all this page' several times in a row?" -- in one case, as many as 15 times.
"Why doesn't 'Temp-allow all' do just that?"
This is not a NoScript problem; it's a vital protection against a rather distasteful trend on the Web. Example:
You visit goodsite.com and allow it. You find that it needs to temp-allow siteA.com, siteB, and siteC. You "temp-allow all".
The page reloads, and once the scripts from siteA.com are allowed to run, they call scripts from siteX.com, siteY.com, and siteZ.com.
This is what I call "cascading scripts" - probably not official terminology. (Hey, it should be.)
The reason NoScript doesn't automatically allow that third tier of scripts to run is that you presumably made a decision that A, B, and C were trustworthy. But you didn't know that X, Y, and Z would follow. Maybe you don't trust them. At least, you should have a chance to decide for yourself, look them up in mywot, check here, check other sources, etc.
Unfortunately, there's nothing to stop X or Y or Z from calling additional scripts, maybe from evil.com. (It's happened, and a user got infected.) You would have to vet them or TA them, too. It's annoying, but NoScript is giving you full control, protecting your safety at the price of a bit of inconvenience. Blame the annoyance on sites that use this type of garbage, rather than on the tool that protects you from it. In other words, don't shoot the messenger.
If you truly want all scripts coming to that site to be enabled, you can go to NS menu > General and check "Scripts Globally Allowed (dangerous)". Then don't forget to uncheck it before going elsewhere. Personally, I'd rather run as few scripts as possible, so rather than temp-allow every generation of these cascading scripts, I'd just TA one at a time until I find what the page really *needs* to run. Then you'll know for the future.
Most of the later scripts are data-miners, ad agencies, marketers, connections to Facebook and other social sites that you might not want running at the moment, etc. I share your dismay at the inconvenience, but this is the way the Web is going, and it's vital to have NoScript to prevent these resource-hogging, privacy-invasive, and possibly malicious scripts from running.
A list of more than 100 script sources that are essentially advertising and/or data mining, and therefore rarely necessary, is here.
Note that when you don't allow these data-miners and some other scripts, there may be a Surrogate Script set to run by default, to keep the page happy while protecting your privacy. So you should be able to mark them Untrusted, which means they'll never show up in the menu again. This makes for a much shorter menu list. If you ever actually need the real script (rare), you can still point to Untrusted in NS menu and temp-allow.
To see the list of script sources that have NoScript surrogates, open about:config, and in the Filter bar, type
surr
(that's enough to bring up the list).
For a plain-English list of said sources, a bit easier to read than the about:config listings, see this sticky post, which may or may not be up-to-date after a new surrogate is added, depending on time constraints of the Support Team.
I hope that this is helpful. This post is intended to be made sticky, but as always, feedback, questions, and suggestions are welcome.
-- Tom T.
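
The cascade described in the post, as an added example that is not part of the original post or of NoScript's own code: a simulation of repeated "temp-allow all" clicks that records which origin pulled in each newly blocked one. The dependency map is constructed; siteB.com, siteC.com and the edge from siteZ.com to evil.com are assumptions made for illustration.

```javascript
// Constructed sample: which origin's scripts request scripts from which other
// origins. Host names follow the post's example; the edges are assumptions.
const LOADS = {
  "goodsite.com": ["siteA.com", "siteB.com", "siteC.com"],
  "siteA.com": ["siteX.com", "siteY.com", "siteZ.com"],
  "siteZ.com": ["evil.com"],
};

// One page load: only allowed origins execute, so only their requests happen.
// Returns a Map of blocked origin -> the allowed origin that requested it.
// Assumes the page's own origin is already allowed.
function blockedOnLoad(loads, page, allowed) {
  const blocked = new Map();
  const seen = new Set([page]); // guards against origins that load each other
  const queue = [page];
  while (queue.length > 0) {
    const origin = queue.shift();
    for (const child of loads[origin] || []) {
      if (seen.has(child)) continue;
      seen.add(child);
      if (allowed.has(child)) queue.push(child); // runs, may request more
      else blocked.set(child, origin);           // shows up in the menu
    }
  }
  return blocked;
}

// Repeats "temp-allow all, reload" until a load blocks nothing.
// Each round lists what the menu newly showed and which origin requested it.
function tempAllowAllRounds(loads, page) {
  const allowed = new Set([page]); // the user already allowed the site itself
  const rounds = [];
  for (;;) {
    const blocked = blockedOnLoad(loads, page, allowed);
    if (blocked.size === 0) return rounds;
    rounds.push([...blocked].map(([origin, via]) => ({ origin, via })));
    for (const origin of blocked.keys()) allowed.add(origin);
  }
}

const rounds = tempAllowAllRounds(LOADS, "goodsite.com");
rounds.forEach((r, i) =>
  console.log(`click ${i + 1}:`, r.map((e) => `${e.origin} (via ${e.via})`).join(", "))
);
```

The `via` field is the part worth reading before each click: it shows that evil.com only appears because siteZ.com was allowed one round earlier.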