Wide open by default?

General discussion about the NoScript extension for Firefox
Etaoin Shrdlu
Posts: 6
Joined: Tue Nov 21, 2017 2:08 am

Wide open by default?

Post by Etaoin Shrdlu »

I always liked how NoScript blocked everything by default, letting me pick those (few) scripts and domains which I trusted/needed/wanted, but with the new version it seems almost everything is allowed. Furthermore, the increased granularity makes the allow/deny list rather unwieldy, as the screengrab below illustrates:

Image

This is what I get when viewing an article (which includes a video) on the Independent's website. Total overload! How do I "block everything"? And why the *^&% is Facebook "allowed"? If there is one organisation I wish to block with extreme prejudice it is them... And how did "adservice.google.com" become "trusted"? Not in a million years would I set that as "trusted"! And what's with all those IP addresses that are allowed!?
Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
robinp
Posts: 3
Joined: Tue Nov 21, 2017 2:54 am

Re: Wide open by default?

Post by robinp »

Etaoin Shrdlu wrote:I always liked how NoScript blocked everything by default, letting me pick those (few) scripts and domains which I trusted/needed/wanted, but with the new version it seems almost everything is allowed. Furthermore, the increased granularity makes the allow/deny list rather unwieldy, as the screengrab below illustrates:
yeah, i agree, this is rather odd. if i have to deny every script i don't want, visiting a page is going to be seriously tedious.

also, what in the context of this extension does "Default" mean? it appears to mean "do not block", but there is no way to set what "default" means.

to fix this, i uninstalled noscript, but when i reinstalled after closing and restarting firefox, the same trusted/untrusted domains were in the whitelist file. how do i do this, without hand-editing the firefox "prefs.js" file to remove all instances of "noscript"?
Mozilla/5.0 (Windows NT 6.2; rv:48.0) Gecko/20100101 Firefox/48.0
8-bit
Senior Member
Posts: 99
Joined: Thu Mar 16, 2017 7:43 pm

Re: Wide open by default?

Post by 8-bit »

robinp wrote:
Etaoin Shrdlu wrote:I always liked how NoScript blocked everything by default, letting me pick those (few) scripts and domains which I trusted/needed/wanted, but with the new version it seems almost everything is allowed. Furthermore, the increased granularity makes the allow/deny list rather unwieldy, as the screengrab below illustrates:
yeah, i agree, this is rather odd. if i have to deny every script i don't want, visiting a page is going to be seriously tedious.

also, what in the context of this extension does "Default" mean? it appears to mean "do not block", but there is no way to set what "default" means.

to fix this, i uninstalled noscript, but when i reinstalled after closing and restarting firefox, the same trusted/untrusted domains were in the whitelist file. how do i do this, without hand-editing the firefox "prefs.js" file to remove all instances of "noscript"?
First, to answer Etaoin, Facebook is not allowed in the picture you posted. The green lock just shows that it is a secure site - a red unlocked lock shows a non-secure (http) site. Facebook is set to default in your picture. Default blocks the script. Also if you have google whitelisted then adservice.google.com will, by default, be whitelisted - easily changeable though.

robinp - Default does not mean do not block. Default blocks scripts. When on a site, click on the NS icon in the toolbar, click Default and it will show a list of what the default options are. Allowing the script is NOT checked so by default it is BLOCKED. There are other options as well you can set for default - you will see them when you follow the steps I just outlined.

Also, when you click on the NS icon in the toolbar you can click on "Trusted", but then click on the little clock next to it - then it will be a "temporary allow" trust. It will not be put into your permanent whitelist.


Lemee know...
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Etaoin Shrdlu
Posts: 6
Joined: Tue Nov 21, 2017 2:08 am

Re: Wide open by default?

Post by Etaoin Shrdlu »

8-bit wrote: First, to answer Etaoin, Facebook is not allowed in the picture you posted. The green lock just shows that it is a secure site - a red unlocked lock shows a non-secure (http) site. Facebook is set to default in your picture. Default blocks the script. Also if you have google whitelisted then adservice.google.com will, by default, be whitelisted - easily changeable though.
Aha! I was unsure what the green/red locked/unlocked padlock icon actually meant, this makes it a little clearer - though still rather confusing imo.
8-bit wrote: robinp - Default does not mean do not block. Default blocks scripts. When on a site, click on the NS icon in the toolbar, click Default and it will show a list of what the default options are. Allowing the script is NOT checked so by default it is BLOCKED. There are other options as well you can set for default - you will see them when you follow the steps I just outlined.
Right, this is where I went wrong: I checked "script" under "default" for one domain, thinking it would only apply to the domain I had "expanded", but I understand now that this changed the behaviour of the "default" rule globally. All "default" checkboxes now unchecked and blocking seems to work again.

Thanks!
Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
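
The behaviour worked out in the posts above (one shared "Default" preset, trust on a parent domain covering its subdomains, temporary trust), as an added example that is not part of any post and is not NoScript's own code. The class and method names are hypothetical, the contents of the Trusted and Untrusted presets are assumptions, and the host list is constructed from domains named in this thread.

```javascript
// Simplified model of the preset behaviour described in this thread.
// Not NoScript's code: PolicyModel and its methods are hypothetical names.
class PolicyModel {
  constructor() {
    this.presets = {
      // Boxes ticked under "Default" in bobblebob's post: script is NOT among them.
      DEFAULT: new Set(["media", "frame", "font", "webgl", "other"]),
      // Assumed contents for the other two presets.
      TRUSTED: new Set(["script", "media", "frame", "font", "webgl", "other"]),
      UNTRUSTED: new Set(),
    };
    this.sites = new Map(); // domain -> { preset, temporary }
  }
  setSite(domain, preset, temporary = false) {
    this.sites.set(domain, { preset, temporary });
  }
  // Most specific rule wins; a rule on a parent domain covers its subdomains.
  presetFor(host) {
    const labels = host.split(".");
    for (let i = 0; i < Math.max(1, labels.length - 1); i++) {
      const rule = this.sites.get(labels.slice(i).join("."));
      if (rule) return rule.preset;
    }
    return "DEFAULT"; // no rule: the shared Default preset applies
  }
  allows(host, capability) {
    return this.presets[this.presetFor(host)].has(capability);
  }
  // Ticking a box under "Default" edits the one shared preset, not a single site.
  tickDefault(capability, on) {
    if (on) this.presets.DEFAULT.add(capability);
    else this.presets.DEFAULT.delete(capability);
  }
  // Temporary trust (the clock icon) is dropped; permanent rules stay.
  endSession() {
    for (const [domain, rule] of this.sites) {
      if (rule.temporary) this.sites.delete(domain);
    }
  }
  // Audit: hosts whose scripts run only because "script" is ticked under Default.
  exposedByDefault(hosts) {
    return hosts.filter(
      (h) => this.presetFor(h) === "DEFAULT" && this.allows(h, "script"));
  }
}
// Constructed sample: hosts named in this thread, as one page might load them.
const SAMPLE_HOSTS = ["allrecipes.com", "newrelic.com",
  "googletagmanager.com", "adservice.google.com"];
```

Calling `exposedByDefault(SAMPLE_HOSTS)` after `tickDefault("script", true)` lists every host without its own rule, which is the "wide open" state reported at the top of the thread.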
JacksonFireX
Posts: 7
Joined: Tue Nov 21, 2017 11:44 am

Re: Wide open by default?

Post by JacksonFireX »

8-bit wrote:
robinp wrote:
Etaoin Shrdlu wrote:I always liked how NoScript blocked everything by default, letting me pick those (few) scripts and domains which I trusted/needed/wanted, but with the new version it seems almost everything is allowed. Furthermore, the increased granularity makes the allow/deny list rather unwieldy, as the screengrab below illustrates:
yeah, i agree, this is rather odd. if i have to deny every script i don't want, visiting a page is going to be seriously tedious.

also, what in the context of this extension does "Default" mean? it appears to mean "do not block", but there is no way to set what "default" means.

to fix this, i uninstalled noscript, but when i reinstalled after closing and restarting firefox, the same trusted/untrusted domains were in the whitelist file. how do i do this, without hand-editing the firefox "prefs.js" file to remove all instances of "noscript"?
First, to answer Etaoin, Facebook is not allowed in the picture you posted. The green lock just shows that it is a secure site - a red unlocked lock shows a non-secure (http) site. Facebook is set to default in your picture. Default blocks the script. Also if you have google whitelisted then adservice.google.com will, by default, be whitelisted - easily changeable though.

robinp - Default does not mean do not block. Default blocks scripts. When on a site, click on the NS icon in the toolbar, click Default and it will show a list of what the default options are. Allowing the script is NOT checked so by default it is BLOCKED. There are other options as well you can set for default - you will see them when you follow the steps I just outlined.

Also, when you click on the NS icon in the toolbar you can click on "Trusted", but then click on the little clock next to it - then it will be a "temporary allow" trust. It will not be put into your permanent whitelist.


Lemee know...
Thanks for the comment points @8-bit + @robinp + @Etaoin Shrdlu

Myself and others from Giorgio's official blog along with an active /r/firefox thread discussing the newest NoScript v10.1.1 for Firefox 57 Quantum on reddit, are experiencing a bit of the opposite with regards to "default showing = allow script CHECKED, allow scripts globally is UNCHECKED" in the NS-options section.

I realize this project for firefox 57+/webextension, is going to be a great work in progress that will be adjusted but best to bring in the findings.

I'm going to requote my comment from Giorgio's blog:
JacksonFireX wrote: here is a safe for work screenshot (see imgur link below) I took from checking out a recipe site I visit often. Mind that I don't have a single whitelist to the majority of urls (including no whitelisted CDN's) of this website and always manually/temporarily allow each url.

As soon as I visited the site, the video started automatically playing!! Obviously, old-NS would never have allowed that to even happen :) I noticed that every item on the list from top of the main url to bottom under "default" has "allow script checked" - I don't have "allow scripts globally" in the v10 options. url's like newrelic/scorecardsearch/revsci/googletagmanager all show "allow script checked under the default bubble to the left"

NoScript v10.1.1 testing: Firefox-57.0 (64-bit) Quantum / win7-64 OS - recipe website screenshot
Image

In the screenshot, I just clicked newrelic as an example under default. Every url item shows the same options checked (including the allow script).

On old NS, these same urls would be there to allow/temp/untrust but would be pre-blocked - I keep them there unchanged to monitor what websites are throwing onto the page and why I fell in love with NS! For this same site example on old NS versions, normally I temporarily allow the main url address, the media-allrecipes, brightcove and a couple select urls depending on the type of page I am visiting.

I also noticed things like doubleclick being shown to "allow script" under default while on youtube.

I was taken off guard when the video started playing. This seems to be the case on a lot of other websites where you normally need to manually allow these permissions (e.g. permanently or temporary).
Etaoin Shrdlu wrote: Right, this is where I went wrong: I checked "script" under "default" for one domain, thinking it would only apply to the domain I had "expanded", but I understand now that this changed the behaviour of the "default" rule globally. All "default" checkboxes now unchecked and blocking seems to work again.

Now, @Etaoin Shrdlu did mention a point from @8-bit's default comment point. If you uncheck the main domain/url, it will uncheck every url under the default bubble that's not custom/whitelisted (i.e. trusted).

That said, based on everyone's comments in this current thread, as soon as you check the 1st domain under the default bubble such as the recipe website screenshot, it will "Auto-Check allow scripts under every default listed url bubble including newrelic/scorecardsearch/CDNs/etc (excluding untrusted/whitelisted)" + if you "Uncheck the main url, it will uncheck everything except for untrusted/whitelisted" - I tested this to the imgur-allrecipes site link. With previous NS-Older versions, this was never an issue to worry about with the old-style menus... Further, this same situation seems to replicate if you go to the CUSTOM bubble and temporarily allow the main recipe website url - The video will start playing if you refresh the screen or click play, but in older versions of NS, the media player would not load (properly blocked) and you had to manually allow the CDN-media networks permission (e.g. permanently or temporarily) - very different from the observed case here.

Other reddit comments to this default-scripts topic can be found here:

NoScript 10.1.1 WebExtension is finally released - Reddit /r/firefox thread

https://www.reddit.com/r/firefox/comments/7eclem/noscript_1011_webextension_is_finally_released/dq4bez6/
NoScript doesn't block as default?

https://www.reddit.com/r/firefox/comments/7egtv9/noscript_doesnt_block_as_default/
Thanks for the input and hope this helps others to troubleshoot this topic set.

p.s. @moderators : please consider merging this topic if appropriate to a more suitable thread and/or if it will help provide a more effective discussion awareness, thank you! There was one more related thread here: Thread Title: "Default = Allow everything in Noscript 10?" - https://forums.informaction.com/viewtop ... =7&t=23632
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Etaoin Shrdlu
Posts: 6
Joined: Tue Nov 21, 2017 2:08 am

Re: Wide open by default?

Post by Etaoin Shrdlu »

I would humbly propose the following simple changes to the UI:

1) Add a dedicated icon for temporarily trusting a resource. As it currently is, one has to click to "trust" and then click to "trust temporarily". Since both actions are about as common (in my case "trust temporarily" is more frequent!) it would make sense to be able to do so with one click.

2) Change the HTTPS indicator to the green padlock used by FF, with no icon or a faint grey padlock for unsecure resources. The meaning of these should be more obvious to newcomers, without competing with the NoScript buttons for attention.

3) Remove the duplicate "forbidden" NoScript "S" icon/button. A resource should be allowed by clicking the plain "S", while blocking a resource should be done by clicking the "forbidden" "S". What purpose does the duplication serve?

Example:

Image

Edit: Still puzzled by a few things:

1) Why do the URLs sometimes include the scheme (e.g. http://) and sometimes not?
2) What does the "wss://" scheme represent?
3) URLs are sometimes shown in black, sometimes in red, what does this signify?
Last edited by Etaoin Shrdlu on Tue Nov 21, 2017 5:44 pm, edited 1 time in total.
Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Wide open by default?

Post by barbaz »

Etaoin Shrdlu wrote:Example:

Image
I like this mockup. Maybe Mark as Untrusted could be done by clicking on the forbid icon when a domain is already Forbidden. And a click on the status could allow setting as Custom.
Image
*Always* check the changelogs BEFORE updating that important software!
-
mangray
Posts: 3
Joined: Tue Nov 21, 2017 4:28 pm

Re: Wide open by default?

Post by mangray »

Something else has struck me: all settings affect all pages!
If you press Custom, then the selected setting should only affect the active page.
But that does not work "yet". You have to give the developer a little more time;
this is the first new version.
nice day
mangray
Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0
bobblebob
Posts: 16
Joined: Mon Nov 20, 2017 6:58 pm

Re: Wide open by default?

Post by bobblebob »

https://postimg.org/image/k7ck7rid7/

Is it ok to have media, frame, font, webgl and other ticked for the default action? Can anything nasty get through with only those ticked?
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Wide open by default?

Post by barbaz »

bobblebob wrote:Is it ok to have media, frame, font, webgl and other ticked for the default action? Can anything nasty get through with only those ticked?
I believe that to get similar behavior to classic NoScript, you want to un-tick "media", "font", and "webgl". I'm not sure what "other" is.
*Always* check the changelogs BEFORE updating that important software!
-
mangray
Posts: 3
Joined: Tue Nov 21, 2017 4:28 pm

Re: Wide open by default?

Post by mangray »

But if you change a setting, it then affects all pages and not only the active one! All the buttons you change are the same on all pages. You cannot say: on this page I do not allow media, but on the other one I do. Everything changes synchronously and not (yet) individually!

nice day
mangray
Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0
robinp
Posts: 3
Joined: Tue Nov 21, 2017 2:54 am

Re: Wide open by default?

Post by robinp »

8-bit wrote: robinp - Default does not mean do not block. Default blocks scripts. When on a site, click on the NS icon in the toolbar, click Default and it will show a list of what the default options are. Allowing the script is NOT checked so by default it is BLOCKED. There are other options as well you can set for default - you will see them when you follow the steps I just outlined.

Also, when you click on the NS icon in the toolbar you can click on "Trusted", but then click on the little clock next to it - then it will be a "temporary allow" trust. It will not be put into your permanent whitelist.
marvellous, thanks. i'm not sure how i clicked that wrong. anyhow, it's working as i would expect now, cheers for the advice.

this is great, keep it up ma1
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0