NoScript More Aggressive?

General discussion about the NoScript extension for Firefox
OldNick
Posts: 5
Joined: Tue Jun 30, 2009 9:34 pm

NoScript More Aggressive?

Post by OldNick »

FF vn 3.0.1.1
NS vn 1.9.9.3
Win XP sp2

I am not trying to start a fight. I use and value NoScript.

But since the last couple of updates, I am finding that NS has become quite aggressive, unless something else has happened to my setup. I do not _think_ that is the case.

Probably the most noticeable thing is that I use google advanced search as my home page. If I have NS in control of that, I lose info, and the cursor does not automatically show up in the search text box. NS off, and everything is fine. I think NS actually interfered with _this_ site until I turned it off. I have it temporary allow for this site right now.

I am finding myself having to temporarily allow (or for Google Search permanently) more and more pages to let me press buttons, enter text etc. It would seem strange to me that the Web has suddenly taken on a new form that has changed so many sites.

I am asking the question, but also asking if there is any setting on FF that may be interfering with NS.

Thanks for any help and advice

Nick
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript More Aggressive?

Post by therube »

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090617 SeaMonkey/2.0b1pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript More Aggressive?

Post by Tom T. »

OldNick wrote:
> FF vn 3.0.1.1
> NS vn 1.9.9.3

That would be a typo, as the third decimal is still "3" or "4" or "5".
It sounds as though you are running the previous stable release, 1.9.3.3.
It can't hurt to try the latest stable release, 1.9.5 (which includes other long-awaited enhancements; won't discuss here). There have been many bugs fixed since 1.9.3.3; please give the latest version a try and let us know if it helps. Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
OldNick
Posts: 5
Joined: Tue Jun 30, 2009 9:34 pm

Re: NoScript More Aggressive?

Post by OldNick »

OK. Thanks I have already tried that. I tried the other stuff up to rebuilding a profile, but not including. So far no luck.

Nick
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript More Aggressive?

Post by Giorgio Maone »

OldNick wrote:
> If I have NS in control of that

Do you mean "if google.com and google.co.uk are forbidden"?
If they're not allowed, there's no wonder autofocus doesn't work, since it's a JavaScript function.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
OldNick
Posts: 5
Joined: Tue Jun 30, 2009 9:34 pm

Re: NoScript More Aggressive?

Post by OldNick »

As far as I know they are not forbidden. I have now completely recreated the Mozilla profile to a new folder, and NoScript still stops Google search from working, unless I actually allow it. I find I am simply allowing just about every site.

And please do not "No wonder" me. It may not be a wonder to you, but the behaviour of NS has changed in the last short time.

Nick
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript More Aggressive?

Post by therube »

URL of your home page?

>the cursor does not automatically show up in the search text box

Again that points to JavaScript being disabled.

>more and more pages to let me press buttons

URLs where this occurs? Again, these buttons may rely on JavaScript to operate.

You have done a Reset?

>NoScript still stops Google search from working

In what way? Only in positioning the cursor? Or are no results returned?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090627 SeaMonkey/2.0b1pre
Cambot
Posts: 1
Joined: Tue Jul 07, 2009 1:01 pm

Re: NoScript More Aggressive?

Post by Cambot »

Like the originator of this thread I, too, have noticed that NoScript is more intrusive and less accommodating than I remember it being in the past. I came to this forum for that very reason. I am using 1.9.5 as of yesterday. Prior to that I was using 1.9.3 as I recall. I have what I believe is the latest version of FireFox.

I will give two examples. I tried to get a printable version of an article at the Wall Street Journal. NoScript, of course, jumped into the fray. I selected Allow All Scripts on this Page. The screen refreshed but didn't give me the printable version. I had to click on Allow All Scripts three separate times to finally get the printable version to display.

Another example, I voted on a movie at IMDB. After doing so the screen refreshed with almost no content. I selected Allow All Scripts This Page and the screen refreshed but with only a tiny bit more information. After several iterations I gave up and just searched for another title.

I seem to recall that when I clicked on Allow All Scripts This Page in the past, it did exactly that. I have been recommending NoScript to novice users but I can no longer do so because they would be completely confused by this behavior. I hope this is a temporary aberration.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript More Aggressive?

Post by Giorgio Maone »

Cambot wrote:
> I had to click on Allow All Scripts three separate times to finally get the printable version to display. [...]
> I selected Allow All Scripts This Page and the screen refreshed but with only a tiny bit more information. [...]
> I seem to recall that when I clicked on Allow All Scripts This Page in the past, it did exactly that.

What you're describing is not NoScript becoming more aggressive, but those sites becoming more obtrusive with scripts including other scripts including other scripts ad libitum.
"Allow all script in this page" has this contract: NoScript will allow all the scripts currently visible in the page, i.e. those shown in the menu.
If other scripts are not currently present but will be included by the scripts you're going to execute, there's no way for NoScript to "foresee" them (until you execute the first batch of scripts).

On the other hand, changing NoScript's behavior to "Allow all the scripts, present and future, included by this page" would be stupid from a security point of view, since a very common form of infection nowadays comes from "legitimate" sites which are injected with 3rd party malicious scripts, usually coming from Chinese or Russian domains. While "Allow all scripts" keeps behaving like it does today, you've got a chance to catch "suspect" domains in the list before allowing them, at the (comparatively small) price of reiterating the allow action on particularly moronic sites with mindless matrioska-like script nesting schemes.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
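
The "allow all scripts in this page" contract described in the post above, modelled as an added example (not NoScript's code and not part of any post). The page layout, the origin names and the `vet` callback are constructed assumptions; the model only captures the rule that a script's own includes become visible after it has been allowed to run.

```javascript
// Constructed sample page (all origins hypothetical). `roots` are the script
// origins referenced by the HTML itself; `includes` lists what each script
// pulls in once it is allowed to run.
const samplePage = {
  roots: ["news.example", "cdn.example"],
  includes: {
    "news.example": ["widgets.example"],
    "widgets.example": ["ads.example", "injected.invalid"],
  },
};

// Origins the menu can show after a load: a script reveals its own
// includes only if it was allowed to execute.
function visibleOrigins(page, allowed) {
  const seen = new Set();
  const queue = [...page.roots];
  while (queue.length > 0) {
    const origin = queue.shift();
    if (seen.has(origin)) continue;
    seen.add(origin);
    if (allowed.has(origin)) queue.push(...(page.includes[origin] || []));
  }
  return [...seen];
}

// Repeats "allow all this page" until a reload shows nothing new.
// `vet(origin)` stands in for the user reading the menu before each click.
function allowAllUntilStable(page, vet) {
  const allowed = new Set();
  const rejected = new Set();
  const rounds = [];
  for (;;) {
    const menu = visibleOrigins(page, allowed)
      .filter((o) => !allowed.has(o) && !rejected.has(o));
    if (menu.length === 0) break;
    const approved = menu.filter(vet);
    menu.filter((o) => !approved.includes(o)).forEach((o) => rejected.add(o));
    approved.forEach((o) => allowed.add(o));
    rounds.push({ menu, approved });
  }
  return { rounds, allowed: [...allowed].sort(), rejected: [...rejected].sort() };
}

// Clicking through without reading the menu: the injected origin ends up allowed.
const blind = allowAllUntilStable(samplePage, () => true);
// Reading the menu each round: same number of clicks, injected origin stays blocked.
const vetted = allowAllUntilStable(samplePage, (o) => !o.endsWith(".invalid"));

console.log(blind.rounds.map((r) => r.menu));
console.log(vetted.allowed, vetted.rejected);
```

Both runs take three allow rounds; the difference is that the third menu is the only place `injected.invalid` can be seen and refused before it executes.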
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: NoScript More Aggressive?

Post by GµårÐïåñ »

I was about to express that myself but Giorgio very eloquently already beat me to it. The fact is that NoScript is a security tool, not a convenience tool and as is often the case with ANY security tool, it requires a bit of proactive and intentional action and interaction on the part of the user. Any security solution that you set and forget will inevitably fail you and make you regret you weren't more involved because it makes assumptions and decisions on your behalf that can undoubtedly be defeated since the human decision making element is removed. The behavior you are describing might as well be "Allow Scripts Globally" if there is no need to ACTUALLY know what you are allowing.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Foam Head
Senior Member
Posts: 57
Joined: Sun May 03, 2009 5:35 pm

Re: NoScript More Aggressive?

Post by Foam Head »

Giorgio Maone wrote:
> "Allow all script in this page" has this contract: NoScript will allow all the scripts currently visible in the page, i.e. those shown in the menu.
> If other scripts are not currently present but will be included by the scripts you're going to execute, there's no way for NoScript to "foresee" them (until you execute the first batch of scripts).
>
> On the other hand, changing NoScript's behavior to "Allow all the scripts, present and future, included by this page" would be stupid from a security point of view, since a very common form of infection nowadays comes from "legitimate" sites which are injected with 3rd party malicious scripts, usually coming from Chinese or Russian domains.

I completely understand your point and agree that it is the more responsible and more secure way to go, but IMHO you are missing the key point: Temporarily allow all this page is a user's way of saying "I give up on being secure, just make this page display properly." When you define Temporarily allow all this page this way, all of the recent posts about Temporarily allow all this page not working 100% and requiring multiple uses to work make sense.

From a use case point of view, I can't see any reason why you'd want to allow the current scripts and, upon a reload that revealed more scripts, would also *not* want to load those. And even if there was a reason to load some "waves" of scripts but not others, how would I know when to stop loading?

As I said, I agree that the current implementation is more secure. And I can't speak about the prevalence of the attacks you mentioned. However, because users are using Temporarily allow all this page as a "give up" and I don't see any viable use case for the current implementation, IMHO, Temporarily allow all this page should be changed to "Allow all the scripts, present and future, included by this page". If you think there is a meaningful amount of risk in making this change, add "(dangerous)" after Temporarily allow all this page like you have done with Allow Scripts Globally.

-Foam
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript More Aggressive?

Post by Tom T. »

Foam Head wrote:
> Giorgio Maone wrote:
> > "Allow all script in this page" has this contract: NoScript will allow all the scripts currently visible in the page, i.e. those shown in the menu.
> > If other scripts are not currently present but will be included by the scripts you're going to execute, there's no way for NoScript to "foresee" them (until you execute the first batch of scripts).
> >
> > On the other hand, changing NoScript's behavior to "Allow all the scripts, present and future, included by this page" would be stupid from a security point of view, since a very common form of infection nowadays comes from "legitimate" sites which are injected with 3rd party malicious scripts, usually coming from Chinese or Russian domains.
>
> I completely understand your point and agree that it is the more responsible and more secure way to go, but IMHO you are missing the key point: Temporarily allow all this page is a user's way of saying "I give up on being secure, just make this page display properly." When you define Temporarily allow all this page this way, all of the recent posts about Temporarily allow all this page not working 100% and requiring multiple uses to work make sense.
>
> From a use case point of view, I can't see any reason why you'd want to allow the current scripts and, upon a reload that revealed more scripts, would also *not* want to load those. And even if there was a reason to load some "waves" of scripts but not others, how would I know when to stop loading?
> <snip>
> -Foam

I've had this happen to me. Upon allowing one script, when the page reloads, *the color change in the icon* alerts you that the new page is trying to load more scripts that weren't in the first one. This *gives you a chance to vet these new scripts* before allow.

Some users may regard TAATP as a "give up". To me, and maybe to others, it means, "I've seen all the domains trying to load scripts on this page, and they're all acceptable to me". When the situation changes, I appreciate the opportunity to re-assess.

"Security is the opposite of convenience". If everyone were honest, you wouldn't go around with that key chain (or whatever) in your pocket. There would be no need for locks on your house, car, bicycle, etc. It would be much more convenient (plus you wouldn't forget where you left your keys, like hare-brain here ;) ). Unfortunately, there are dishonest people in the world; hence the locks and keys, and hence the "locks" on your browser, and the "keys" of w/l, allow, TA, etc. (My, we're in a metaphorical mood today! :D ) NS is for security. Giorgio cites a real-world threat. I don't know the "percent" of occurrence -- no one has exact figures. Conficker: 2 million? 12 million? ... but random surveys/audits have shown 80-90 % of home PCs have *some* form of malware.

Preventing the possibility of a legitimate site infected with a 3rd-party malicious script bot-netting your machine, etc., is worth a few extra clicks - else why run NS?
> .... how would I know when to stop loading?
You stop loading when the function you want is working properly, and you stop loading when you see scripts from domains that you don't trust -- or even that you don't need. This gets into "what is a trusted site?", but you're way above that level, Foam.

I wish sites wouldn't do this multi-layer loading, but they do; the web keeps getting more and more complex, usually for no good purpose; and Giorgio responded appropriately. The ire should be directed at the attacker (overly-complex and unsecurely-coded sites), not at the defender.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript More Aggressive?

Post by therube »

> when the page reloads, *the color change in the icon* alerts you that the new page is trying to load more scripts that weren't in the first one. This *gives you a chance to vet these new scripts* before allow.

I don't necessarily notice the icon, but I do realize whether the page works as expected or not.

> "I've seen all the domains trying to load scripts on this page, and they're all acceptable to me". When the situation changes, I appreciate the opportunity to re-assess.

Agreed. The first go-around, at least I have acknowledged what was on the list. Might not have any clue what it means, but I've seen it, & decided to go ahead in any case. Now after that, if another 12 domains would pop in & those too would automatically be allowed, no way that I would want that.

> give up

Yep, I've run into a case or two that had me reaching for that Give UP! button.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090705 SeaMonkey/2.0b1pre
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: NoScript More Aggressive?

Post by Alan Baxter »

Foam Head wrote:
> However, because users are using Temporarily allow all this page as a "give up" and I don't see any viable use case for the current implementation

I don't use it that way. I use it the same way Tom T. and therube do. I do not want it to be changed.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: NoScript More Aggressive?

Post by Grumpy Old Lady »

It's a pile on, but here's my 2c for the record
Quoth therube
> I don't necessarily notice the icon, but I do realize whether the page works as expected or not. [...] Agreed. The first go-around, at least I have acknowledged what was on the list. Might not have any clue what it means, but I've seen it, & decided to go ahead in any case.

Same here, and if a page then wants to pull another babushka doll out of that one, I give up on the service, or whomever and take my eyes and/or my business somewhere else - and mostly this decision is not for security (since I could always research it, couldn't I) but for the time-waste these webmasters create for people with even half a brain.

Edit: removing suggestion of personal details.
Last edited by Grumpy Old Lady on Tue Oct 20, 2009 8:13 am, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1) Gecko/20090624 Firefox/3.5