Forum Registration and Capcha

[NS001]

I came to the forum because I was unable to register with a website because Capcha was being blocked by NoScript. Low and behold when I came to this site to register it needed Capcha but it didn't say it was required. Fortunately I had realized that with 'Allow Scripts Globally' turned on the Capcha form would work correctly. However when I enter Google.com into the white list the Capcha form does not display properly.

So how do I fully accommodate Capcha and nothing else using NoScript?

[dhouwn]

If I remember correctly, for ReCaptcha you need either have the site that hosts the Captcha, Recaptcha and Google allowed, or the first two not allowed for it to work.

[Tom T.]

This forum is apparently not using google for recaptchas now. The scripts showing in the menu (when I tried to reply without first logging in) are:

Code: Select all

-http://api.recaptcha.net
-recaptcha.net

So you may choose which level to allow: all of recaptcha.net or only those sites which use the specific sub-domain api.recaptcha.net.

At other sites, look in the NS menu to see what domain, such as perhaps google, is hosting the recaptcha script.

[NS001]

Thanks for the help - but could you be more specific as I have no technical experience with NoScript.

When under Add-ons I disable NoScript I get the Capcha form with blue buttons just like I do under IE 10. When I 'Temporarily allow all this page' the form again displays correctly. Having placed api.recaptcha.net AND google.com on the whitelist the form does NOT display correctly. When I removed these from the white list and restarted Firefox the Capcha form still displays incorrectly and without the blue buttons.

So prescriptively what individual steps must be taken to get the form to display correctly?

PS: It would be nice to have a one click option to enable Capcha and credit card authentication forms from Visa and MasterCard. When I 'allow scripts globally' I forget to turn it off when next I relaunch Firefox. Master overrides are always abused - I remember a machine some years ago that had a key lock and the operators had broken the key into the lock so the machine was always working with the safeties off.

[Thrawn]

It would be nice to have a one click option to enable Capcha and credit card authentication forms from Visa and MasterCard.

If they're always coming from the same domain, then you can permanently whitelist that domain; problem solved. If not, then there's no way for NoScript to identify 'this is a Visa/Mastercard form'.

When I 'allow scripts globally' I forget to turn it off when next I relaunch Firefox.

Yeah, it's not a recommended option. You're better off with 'Temporarily Allow All This Page' - but depending on the page, you may need to use it more than once, as scripts try to import scripts from third-party sites.

[Tom T.]

... When I 'Temporarily allow all this page' the form again displays correctly. Having placed api.recaptcha.net AND google.com on the whitelist the form does NOT display correctly. When I removed these from the white list and restarted Firefox the Capcha form still displays incorrectly and without the blue buttons.

So prescriptively what individual steps must be taken to get the form to display correctly?

I'm sorry I did not make it clear that the steps must be individualized to each site.

When the captcha does not appear, open the NoScript menu and look for options to Allow or Temporarily Allow various script sources.
The one that contains the word "captcha" or "recaptcha" should be the one required to display the captcha.
Because Google bought reCaptcha a few years ago, it may be necessarily also to allow Google or some sub-domain, such as recapcha.google.com or google-recaptcha -- the possible variants are many. But they should be apparent from the above.

At this forum, adding "recaptcha.net" to your Whitelist will display the captcha, and may cover many more sites that you encounter.

As Thrawn noted, this is much safer than Globally Allow, and even if that option is used, Temporarily Allow Globally at least gives the fail-safe of autmatically terminating the global allow when the browser is closed.

If you continue to have problems, please check whether any of the following add-ons may be causing problems: AdBlockPlus, Ghostery, RequestPolicy, or any other image-blocking or ad-blocking program.

I hope this helps.

[NS001]

Thanks again.

The drop down ONLY sees recaptcha.net and google.com offering to forbid or temp allow.

There is under Untrusted(1) an entry for informaction.com but it does not effect outcomes.

Noscript is the only add-on affecting Capcha.

Using Inspect Element Q I can see nested api URLs to Google.com that NoScript is ignoring in the drop down (hence no blue buttons).

I suppose it comes down to being a bit odd that the forum that supports Noscript cannot display Capcha blue buttons correctly unless NoScript is disabled in some way. The other gotcha is that I usually do a temp allow all whenever I visit new sites (I know, I know!) but this does not allow Capcha to display blue buttons.

On another laptop that does not have NoScript installed and very few add-ons my wife couldn't complete her online purchase because a Visa security form did not display at all. Plan B is now to go to IE10 and try doing things there and this usually works. The big issue for us is that temp allowing all of the page is no guarantee that the security form will actually display correctly. Frustrating!

PS: I am a PayPal subscriber to the NoScript cause.

[Tom T.]

The drop down ONLY sees recaptcha.net and google.com offering to forbid or temp allow.

There is under Untrusted(1) an entry for informaction.com but it does not effect outcomes.

Aha! Got it.

I reproduced your situation by removing informaction.com from the whitelist and temp-allowing recaptcha.net only.
Then I pretended to be registering at the forum.
As you say, no other scripts show in the main menu.
However, the captcha is delivered by an IFRAME. I assume you have these blocked in NS Options > Embeddings, as I do.

Please ensure that Iin NS Options > Appearance you have checked (Show...) Blocked Objects, and in Options > Embeddings, Show placeholder icon. (IIRC, these are default settings.)

Therefore, by pointing to Blocked Objects in the main menu, you will see a number of choices slide out, including

Temporarily allow <IFRAME>@http://api.recaptcha.net/noscript

Clicking this produces the captcha. (This is the best choice, because the entries with *@http etc. are "wildcards", allowing all objects, versus allowing only an IFrame.)

Alternatively, clicking the placeholder icon (red NS logo above the captcha box) will display the captcha. If you have Embeddings set to "Ask for confirmation before temporarily unblocking an object" (safest), the confirmation box provides the info:

Code: Select all

Temporarily allow http://api.recaptcha.net/noscript?k=6LcM6QsAAAAAAJS48GY1​b_JNHal1t5mJq7n-I-ws
(application/x-unknown <IFRAME> / http://forums.informaction.com)

This lets you know that recaptcha.net is attempting to insert a frame (I-FRAME) into informaction.com. Good safety info to make a decision in all other cases, too.

BTW, I never see blue "buttons". I guess you mean the "I'm a human" link? (or "try again" link"?)

Using Inspect Element Q I can see nested api URLs to Google.com that NoScript is ignoring in the drop down (hence no blue buttons).

Not relevant, as per above. Allowing the iframe and recaptcha.net is all that is required.

I suppose it comes down to being a bit odd that the forum that supports Noscript cannot display Capcha blue buttons correctly unless NoScript is disabled in some way.

No, it's that NoScript is so conscientious of your safety that it will not allow objects, including iframes, to be inserted into pages without your permission -- even at NoScript's own pages. The objects come from an external source, so NS protects you until you choose to allow them via the menu or placeholder icon. No disabling is necessary.

The other gotcha is that I usually do a temp allow all whenever I visit new sites (I know, I know!) but this does not allow Capcha to display blue buttons.

As noted, script permissions are not enough, because they fail to protect you against other potential threats such as iframes, which could be malicious.
ETA: "TA All this page" refers to scripts only, and not to plugins (Flash, Java) and other objects like frame or iframe. (Another safety feature.)

OK, no lecture on using temp allow all per se, but doing so at a new site is pretty much the same as Allow Globally (dangerous), because you don't know which third-party scripts will be called, including evil ones. Also, even if you later refine the permissions at this new site, *the damage may already be done* from malware or whatever installed by that original temp-allow. So going back later and finding out which scripts are required is kind of like locking the barn after the cows have all departed.

The only legit uses of TA All IMHO are:
1) A site you *thoroughly* trust throws a bunch of script sources at you in the menu, *and you trust those names as well*. TA ALL is indeed quicker than a dozen individual TA permissions. (But be prepared for the situation described in the sticky post, Why must I "Temporarily allow all this page" REPEATEDLY?, which is well worth reading.)

2) A machine is shared by a user comfortable with NS and by one who can't be bothered (spouse, boy/girlfriend, roommate, parent, child, grandparent, etc.).
For the latter, TA All is still safer than disabling NS, because NS's other, user-transparent, protections still are at work. (XSS, Clickjacking, ABE, etc.)

On another laptop that does not have NoScript installed and very few add-ons my wife couldn't complete her online purchase because a Visa security form did not display at all.

Try disabling the other add-ons, or create a new profile from scratch, and see if the form then displays.

Plan B is now to go to IE10 and try doing things there and this usually works.

That's because IE is much more promiscuous than Firefox+NoScript. IE lets almost anything through, so stuff works.
Leaving your car unlocked avoids the inconvenience of locking yourself out of your car. But it also makes it easier for thieves.
Security and convenience are always a trade-off, and anyone who thinks NS is inconvenient should know how inconvenient it is to have your computer become infected, bank accounts drained, credit cards and identity stolen, machine becomes part of a zombie botnet and is used to send thousands of spams a day, law enforcement smashes down the door because your machine has been sending/receiving kidporn, etc......

The big issue for us is that temp allowing all of the page is no guarantee that the security form will actually display correctly. Frustrating!

Hopefully, you now have enough info to diagnose and fix the issue. If not, feel free to post back.

PS: I am a PayPal subscriber to the NoScript cause.

On behalf of NS developer Giorgio Maone, thank you very much.
However, please be assured that the Support Team of unpaid, part-time volunteers strives to give the best service possible to all users, regardless of their donation status, which we have no way of knowing anyway.

Cheers,
- Tom