Page 1 of 1

NS automatically allows Twitter, Facebook, & ???

Posted: Wed Jul 15, 2009 11:48 pm
by IMB4U
I use Firefox 3.0.11 and just upgraded NoScript a couple of days ago to latest version 1.9.5

STRANGE & DIFFERENT: I just noticed something new about this NS version --- but only on a couple of sites so far within the last 20 minutes or so. In 3 websites I visited, NoScript AUTOMATICALLY had allowed Twitter.com for 2 of those sites and Facebook.com on the other website.
The website which NS had automatically allowed Facebook.com was http://www.wusa9.com/news/default.aspx (a Washington DC newspaper), and of note is that there are 8 scripts available to either allow or forbid and none of the others were automatically set to allow including the website of wusa9.com.

Since I have never seen this happen before...and since there are most likely a lot more websites effected like this, I decided to search for an answer and ended up here. I have done nothing whatsoever in changes to my computer or add-ons, etc...I simply downloaded the new version of NoScript.

QUESTIONS: (1) Has anyone else experienced this?
(2) Why would NoScript AUTOMATICALLY have those social websites of Twitter and Facebook already set for being allowed?
(3) Has NoScript decided to select all the social networks perhaps to have automatic status on NoScript?

Yes...I am confused...and concerned....and would appreciate any advice you might have! :o

Re: NS automatically allows Twitter, Facebook, & ???

Posted: Thu Jul 16, 2009 12:00 am
by therube
1. no.
though there is an instance where a Temporary Allow does end up setting the site as ("permanently") Allowed.
URL containing multi-byte character is allowed

2. it shouldn't, & it is not any default of NoScript.
though we have come across a different extension that did ... did something affecting NoScript, adding an XSS exception for itself in NoScript.
Stumbleupon and XSS

3. no.

What other extensions do you have installed?

wusa9 does not add anything to my whitelist for me.
facebook.com does show as a domain that could be Allowed in the context menu.

Re: NS automatically allows Twitter, Facebook, & ???

Posted: Thu Jul 16, 2009 12:24 am
by IMB4U
Hello...and thanks for the reply!

RE: Question #1...I had never visited those 3 sites before, and each time I just happened to use NS to see what scripts might already be turned on, and that is how I discovered that the Twitter.com & the Facebook.com scripts had already been allowed...I had not touched it whatsoever except for clicking on NS. (Weird, huh?)

Anyway, here are my addons I have:
AdblockPlus
BabelFish
BetterPrivacy
Flagfox
IE Tab
MediaWrap
New Tab Homepage
Nuke Anything Enhanced
Open Download
Screengrab
WOT
Plus...I have the Google "English" translation button on my Bookmarks Toolbar

Again, like I said earlier, I just downloaded the newest NS version a couple of days ago...and I had not changed anything to my PC or added any other extensions.

Addendum: I remember now that I also upgraded my AdbockPlus within the last couple of days, also.
----------------------------------------------------------------------------------------------------------------------


...OK, I'm back,again! I've been reviewing info over the last couple of hours and all of a sudden, I remembered something else WEIRD which happened yesterday (after the installlation of latest NS).
I use the Ixquick search engine (for privacy...no tracking) and about a half dozen times yesterday when I simply typed a search & hit go, INSTEAD of being able to simply get connected to a search page, I HAD A POP-UP BOX APPEAR WHICH SAID SOMETHING ABOUT NOSCRIPT PREVENTED IXQUICK FROM USING XSS...and I wasn't allowed to be connected to the search page. About the 3rd time this happened, I noticed either a new icon or the NoScript icon and it was red...I clicked on it and it said something about XSS. I didn't know what was happening because I had never had that happen before, and I especially didn't understand why it would happen to my safe https Ixquick search engine! I remember looking in my NoScript options and noticed a box checked beside XSS which had a blue-colored question mark after it...and since I didn't what to do with it (I honestly don't remember seeing that box in the older version, but was it there?), I simply closed the NoScript back up and tried accessing pages with my Ixquick search engine 2 more times, each with the same end result (no go!). Because I don't know too much about scripts yet, the only option I had was to disable NoScript for the rest of the day so that I could use my search engine.
Today, I had totally forgotten about what had happened yesterday - most likely because I had no problems whatsoever with using my Ixquick search engine...and it was only a few minutes ago that while searching info on the net that I remembered about this incident, so here comes another question...

NEW QUESTION: Because NoScript has the box checked beside XSS in the options, should that have been normal for it to have blocked my search engine from connecting to another page? (Off hand, I wouldn't think so, but I don't know.)
AND...since this was a weird incident, along with the weird incidents of automatically showing Twitter & Facebook already set as allowing scripts which I explained earlier, could there possibly be a bug in this new version of NoScript?

Suggestions/answers will be appreciated!

Re: NS automatically allows Twitter, Facebook, & ???

Posted: Fri Jul 17, 2009 9:55 am
by Giorgio Maone
Regarding automatic allowing of facebook and twitter: there are only two ways for NoScript automatically allowing something, i.e. you having either "Temporarily allow top level sites by default" or "Allow sites opened through bookmarks" checked in NoScript Options|General (none or which are enabled by default).
No other way at all: if you've got those sites in your whitelist and those two checkboxes both unflagged, you (or someone else using your Firefox profile) allowed them manually.

Regarding the XSS warning, I may be able to tell you something if you show me the exact message you get (you can copy & paste the [NoScript XSS] lines appearing in Tools|Error Console when it happens).