Foam Head wrote:Mmm... Beer...
Ahem. Anyhoo...
Yes, I got the pun in the name right off.
Contrary to stereotype, not *everyone* with an interest in puters is lacking in perception of humor.
Foam Head wrote:Consider this example: I know foo.com is bad so I add it to the Blacklist. I want worldofwarcraft.com to work, but I don't want to add it to the Whitelist, so I turn NoScript Options | Advanced | Untrusted | Forbid XSLT off. If I then go to foo.com and it uses XSLT, is it allowed or not? If it's allowed, then what's the point of the Blacklist?
You can make it work. I know nothing of WOW, but just went there, and got it to work without allowing XSLT for foo.anywhere. Give me a few minutes to make and host a screenshot.
Foam Head wrote:IMHO, NoScript has three distinct categories of content. The Whitelist is for sites you want to allow some/all permissions. The Blacklist is for sites you want to deny most/all permissions. Everything not in the White/Black-lists is classified as "unlisted". While "unlisted" is similar to the Blacklist, it's not hard to imagine giving "unlisted" sites a few more permissions than those on the Blacklist. XSLT is a good example since there are very few exploits for it.
Must respectfully disagree with that interpretation. The categorizations are very plain: If you allow all scripting on a site, that site is defined as "trusted" and "whitelisted", and appears in the UI Whitelist. Any plugins that you have forbidden in UI Plugins are still forbidden. However, if, and only if, you uncheck "Apply these restrictions to trusted sites too", then your "trusted sites" have full permission to run all of the listed plugins, etc. But that's a conscious user choice, anti-default.
The Blacklist is for sites/domains whose scripts are never even to appear in the menu to beg for permission, unless you point to "Untrusted". If foo.bar is a 3rd-party that is popping up everywhere, you don't like them, and you are sick of seeing them, the "untrusted" spares you ever seeing them again. By default, additional restrictions apply: "Block every object" and "No placeholder for object" coming from sites marked Untrusted, although again, user-configurable.
I've already agreed with you on the ones in the "middle": not marked as "untrusted" nor Whitelisted. I suggested "Forbidden" for "marked as untrusted", and leave "untrusted" for those that have to ask every time.
Foam Head wrote:So rethinking some terminology, I'm still suggesting some NoScript UI changes:
1) Use Whitelist and Blacklist terms as we have been here. They are well known terms so there's no reason to reinvent anything. So, for example, all uses of "untrusted" on the Options pop-up menu would be changed to "Blacklist"; a-la "Blacklist -> Add foo.com to the Blacklist", etc.
Sounds good. The term "blacklist" is used in many other places on the web and in browsers and apps, and is familiar to most users. We get a lot of requests for a "blacklist" or source of blacklists, sort of like the Hosts file service. "Make your own" is the idea behind NS user-control. I support this suggestion.
2) Change the NoScript Options | Whitelist tab to Manage Lists (or Whitelist/Blacklist or even just Lists). Aside from the common Import/Export buttons, you have the lists of sites. I like the idea of one list for all sites with icons, colors, and status text to the right, but two tabs with a list for each would work too.
I don't want to burden Giorgio with having to add color-coding and icons to the UI beyond what's already in the NS Logo (he manages to stay fairly busy, if you've noticed) unless he wants to. I suggested "ScriptList", but any of yours is fine. Whatever way is the easiest for Giorgio to demarcate, delineate, or indicate the two different lists is fine with me. Just so, as you said, one can manage both lists from the UI, rather than just the Whitelist. It seems an easy call to prefs.js\user_pref("noscript.untrusted",.
3) Replace NoScript Options | Advanced | <Untrusted|Trusted> tabs and the NoScript Options | Plugins tab with a single NoScript Options | Permissions tab. The Permissions tab has three sub-tabs: Whitelist, Unlisted, and Blacklist. These tabs are a combination of what's currently in the Plugins tab as well as what's in the corresponding NoScript Options | Advanced sub-tab. The Unlisted and Blacklist sub-tabs start with a "Block everything from these sites" option that, when checked, gray out all of the specific options. The Blacklist sub-tab also has a "Always apply all Unlisted permissions" which, when checked, will ensure that everything in the Blacklist gets at least the permissions in the Unlisted sub-tab.
I realize #3 is a big change, but the current Plugins and Advanced | <Untrusted|Trusted> tabs have enough overlap that IMHO it is not obvious to see what's happening to each group. For example, the Apply these restrictions to trusted sites too setting and ClearClick settings seem out of place in a NoScript Options tab named Plugins.
No objection here, although it sounds like a major redesign. Also, the reason (I presume) for the "Advanced" designation is that many home users have no idea what "<a ping", "Web bugs", "Meta-redirections", and "XSLT" are, and so these are blocked by default on non-whitelisted sites for the benefit of such users. Power-users are probably the only ones who should tinker with these, or even be presented with them. We already get complaints that it's too complicated, so you see what a tightrope we're walking here: "Make it so my grandparents can use it without calling me every five minutes" vs. "Make it so that I have fine-grained control over every permission of every object and sub-object from every domain and sub-domain". Uhh, sort of a conflict there.
Perhaps Nan M is right that there should be two versions, not "Pro" in the sense of a premium, paid version, but "Basic" (or "Easy") and "Advanced": one with minimal UI and user interaction, with easy allow/don't allow this script, and the other with the micro-controls. But supporting two versions is almost twice as much work. Care to visit beautiful Palermo and help, or telecommute and help?
Final thought: If NoScript really doesn't support three groups (i.e. it's really just Whitelist/Trusted sites and "everything else"), then it should never refer to any kind of "untrusted list" or "blacklist". If you want to hide notifications of known bad sites, then make a "hide notifications", "disable notifications", or "quiet" list.
Not bad. It's obvious you've put quite a bit of thought into this, which is greatly appreciated.
The fundamental question: Are there three categories, or only two? (Did I fire six shots, or only five? Do you feel lucky, punk? -- old movie reference). Whichever is the decision, delineate them clearly and allow the user quick access to manage the three or two lists.
For the length of this post, the next beer is on me, gents.
-Foam
Aaaah, and a fine one it was! (With a great head of foam, of course!)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
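
Added example, not part of the original post and not NoScript code: a small model of the three-tier Permissions proposal (#3) quoted above, run against the foo.com / worldofwarcraft.com XSLT question from the thread. Every name here (`makePolicy`, `applyUnlisted`, `blockEverything`, the permission strings) is hypothetical, and subdomain matching and blacklist-first precedence are assumptions.

```javascript
// Hypothetical model of proposal #3 from the post; not NoScript code or prefs.
function makePolicy() {
  return {
    whitelist: new Set(),
    blacklist: new Set(),
    // One settings object per proposed sub-tab.
    tiers: {
      whitelist: { blockEverything: false, allowed: new Set(["script", "xslt"]) },
      unlisted: { blockEverything: false, allowed: new Set() },
      blacklist: { blockEverything: true, allowed: new Set(), applyUnlisted: false },
    },
  };
}

// Assumption: an entry matches its own host and any subdomain.
function inList(list, host) {
  const h = host.toLowerCase();
  return [...list].some((e) => h === e || h.endsWith("." + e));
}

// Assumption: the Blacklist is consulted first, so a deny entry wins.
function tierOf(policy, host) {
  if (inList(policy.blacklist, host)) return "blacklist";
  if (inList(policy.whitelist, host)) return "whitelist";
  return "unlisted";
}

function isAllowed(policy, host, permission) {
  const tier = tierOf(policy, host);
  const cfg = policy.tiers[tier];
  const u = policy.tiers.unlisted;
  // "Always apply all Unlisted permissions": a floor for blacklisted sites.
  if (tier === "blacklist" && cfg.applyUnlisted &&
      !u.blockEverything && u.allowed.has(permission)) return true;
  if (cfg.blockEverything) return false; // specific options are grayed out
  return cfg.allowed.has(permission);
}

// The thread's scenario: foo.com blacklisted, worldofwarcraft.com unlisted,
// XSLT permitted for unlisted sites.
function threadScenario(applyUnlisted) {
  const p = makePolicy();
  p.blacklist.add("foo.com");
  p.tiers.unlisted.allowed.add("xslt");
  p.tiers.blacklist.applyUnlisted = applyUnlisted;
  return {
    wowXslt: isAllowed(p, "www.worldofwarcraft.com", "xslt"),
    wowScript: isAllowed(p, "www.worldofwarcraft.com", "script"),
    fooXslt: isAllowed(p, "www.foo.com", "xslt"),
  };
}
console.log(threadScenario(false), threadScenario(true));
```

In this model, relaxing XSLT for unlisted sites leaves the blacklisted site blocked unless the "always apply Unlisted permissions" box is deliberately checked, which is the distinction the three-category argument turns on.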