Other NoScript features in 10?

General discussion about the NoScript extension for Firefox
Post Reply
adjfhnaileugfhdlkng
Posts: 5
Joined: Fri Feb 02, 2018 1:11 pm

Other NoScript features in 10?

Post by adjfhnaileugfhdlkng » Fri Feb 02, 2018 1:23 pm

While there's been quite some talk about the new script blocking UI, I haven't seen any mention of the other features of the old NoScript.
  1. Application Boundaries Enforcer
  2. ClearClick warning
  3. forcing HTTPS for certain sites
What's their status in the new implementation? Do they work already? What's the plan on when they'll come back if not?
Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0

User avatar
Giorgio Maone
Site Admin
Posts: 8743
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Other NoScript features in 10?

Post by Giorgio Maone » Fri Feb 02, 2018 3:09 pm

adjfhnaileugfhdlkng wrote:
  1. Application Boundaries Enforcer
  2. ClearClick warning
Working on those, to be done before Firefox 60 ESR.
adjfhnaileugfhdlkng wrote:forcing HTTPS for certain sites
That won't come back: now you've got a more visible "grant permissions only on HTTPS-served content" in NoScript (the red/green lock icon), while I recommend HTTPS Everywhere to force HTTPS because of its greater flexibility and web content compatibility.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Other NoScript features in 10?

Post by barbaz » Fri Feb 02, 2018 5:07 pm

Giorgio Maone wrote:
adjfhnaileugfhdlkng wrote:forcing HTTPS for certain sites
That won't come back:
:cry:
Giorgio Maone wrote:while I recommend HTTPS Everywhere to force HTTPS because of its greater flexibility and web content compatibility.
Sorry Giorgio but I don't see how HTTPS Everywhere replaces NoScript's HTTPS forcing feature. I only want to force HTTPS on a few selected sites that I specify. That's it. Not every site that supports HTTPS, and not based on some external ruleset.

NoScript Classic HTTPS forcing is perfect for this.

I see no way to do it in HTTPS Everywhere.

What do you suggest?
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Giorgio Maone
Site Admin
Posts: 8743
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Other NoScript features in 10?

Post by Giorgio Maone » Fri Feb 02, 2018 10:08 pm

barbaz wrote: I see no way to do it in HTTPS Everywhere.
HTTPS Everywhere icon > Add a rule for this site
Easy and flexible: by default just forces HTTPS for the current site (two clicks). If you click "Advanced", you can set up your own regular expression-based redirection rule.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Other NoScript features in 10?

Post by barbaz » Fri Feb 02, 2018 10:27 pm

Giorgio Maone wrote:HTTPS Everywhere icon > Add a rule for this site
I'm not seeing this option, either in its popup or options page. I also don't see the option to disable its built-in ruleset and use only custom rules.

Screenshot of the popup - [deleted]
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Giorgio Maone
Site Admin
Posts: 8743
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Other NoScript features in 10?

Post by Giorgio Maone » Fri Feb 02, 2018 10:53 pm

barbaz wrote:
Giorgio Maone wrote:HTTPS Everywhere icon > Add a rule for this site
I'm not seeing this option, either in its popup or options page. I also don't see the option to disable its built-in ruleset and use only custom rules.

Screenshot of the popup - https://drive.google.com/open?id=1nQzcL ... _wFmzBTasR
Image
I got it both on Firefox 52 and 58.
Might it be a Seamonkey-specific issue? I couldn't find how to open this popup in SM, BTW.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Other NoScript features in 10?

Post by barbaz » Fri Feb 02, 2018 11:01 pm

Giorgio Maone wrote:I got it both on Firefox 52 and 58.
Might it be a Seamonkey-specific issue? I couldn't find how to open this popup in SM, BTW.
I use Waterfox 56.0.4. But I see the same thing in Firefox 58.0.1, new profile, only HTTPS Everywhere installed. I don't have the "Add a rule for this site" option.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Giorgio Maone
Site Admin
Posts: 8743
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Other NoScript features in 10?

Post by Giorgio Maone » Sat Feb 03, 2018 12:21 am

barbaz wrote:
Giorgio Maone wrote:I got it both on Firefox 52 and 58.
Might it be a Seamonkey-specific issue? I couldn't find how to open this popup in SM, BTW.
I use Waterfox 56.0.4. But I see the same thing in Firefox 58.0.1, new profile, only HTTPS Everywhere installed. I don't have the "Add a rule for this site" option.
No idea of why. I've got the standard AMO version (same as yours, I guess). Do they have any support forum?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Other NoScript features in 10?

Post by barbaz » Sat Feb 03, 2018 5:11 am

I decided to dig through the HTTPS Everywhere code to see if I could find the answer. Apparently it's by design -

Code: Select all

    // Only show the "Add a rule" link if we're on an HTTPS page
    if (/^https:/.test(activeTab.url)) {
      show(e("add-rule-link"));
    }
I was trying to use it on the http version of a page that has both http and https. If I go to a https page, the link is there, and it works.

I guess that makes sense, since HTTPS Everywhere doesn't automatically "know" the HTTPS version exists, and it would be problematic to force HTTPS where there is no HTTPS. Still, this behavior really should be documented beyond a code comment IMO.

As for disabling all built-in rules and using only custom rules, I don't see any way to do this. There seems to be no "manage all rules" interface, or anything like that. I can't even find a "manage all custom rules" interface. In fact, the only way I see to manage rules at all is the popup. Which means you can only manage rules that apply to the current page.

For this reason, I find HTTPS Everywhere's UI inadequate for my case, so I won't be using it, sorry.

Thanks Giorgio for trying to help me, sorry it didn't work out.
*Always* check the changelogs BEFORE updating that important software!
-

adjfhnaileugfhdlkng
Posts: 5
Joined: Fri Feb 02, 2018 1:11 pm

Re: Other NoScript features in 10?

Post by adjfhnaileugfhdlkng » Sun Feb 04, 2018 7:49 pm

Thanks for the responses :)

As long as the sites work, forcing HTTPS on more sites than I specified is totally fine with me. I just had no use for HTTPS Everywhere yet, because NoScript did it's job already. It still doesn't seem to be a suitable replacement for me:

My usecase for forcing HTTPS is having rules which are a little broader than useful for most people, such as "*.wiki*.org" and using exceptions for the few non-working sites, or rules for sites which use a certificate only valid for a partner site.

Is this (mainly exceptions, regexp seem to be supposed to work and I guess invalid cert doesn't matter) possible with HTTPS Everywhere or a similiar addon?
Is it possible to import the list from NoScript (converting with a regexp or womething is fine ofcourse) and export the custom rules in case I'd need to switch again? My list of rules is long enough that I had to optimize it in the past because it was emptied due to being to long :D

Also, I haven't found a way to edit custom rules in HTTPS Everywhere. Now I don't know whether my wildcard testing rule did actually save, but it doesn't work and I can't edit it...
Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0

adjfhnaileugfhdlkng
Posts: 5
Joined: Fri Feb 02, 2018 1:11 pm

Re: Other NoScript features in 10?

Post by adjfhnaileugfhdlkng » Fri Mar 16, 2018 12:54 pm

I've done some more research regarding HTTPSEverywhere by now and found that apparently there is no way (that still works after Firefox 57) to sanely use custom rules at all, aside from the hidden debug textbox which says "Warning: This should only be used for debugging rulesets. This feature is not guaranteed to work reliably for regular usage."

So, Giorgio, where is this "greater flexibility" of HTTPS Everywhere?
Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Other NoScript features in 10?

Post by barbaz » Fri Mar 16, 2018 2:22 pm

@adjfhnaileugfhdlkng You might want to take a look at Redirector.
*Always* check the changelogs BEFORE updating that important software!
-

adjfhnaileugfhdlkng
Posts: 5
Joined: Fri Feb 02, 2018 1:11 pm

Re: Other NoScript features in 10?

Post by adjfhnaileugfhdlkng » Wed Mar 21, 2018 11:42 am

Thanks, it's good enough to finally update from Firefox 56. Here's a short how-to for converting the NoScript list, in case anyone's interested: https://pastebin.com/WU10a9pM (it's on pastebin.com because the spam filter here felt triggered.)
Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

adjfhnaileugfhdlkng
Posts: 5
Joined: Fri Feb 02, 2018 1:11 pm

Re: Other NoScript features in 10?

Post by adjfhnaileugfhdlkng » Wed Mar 21, 2018 3:37 pm

Code: Select all

First, sort out rules which only match a certain subdomain (only five in my case, so I'm adding them manually). For the others, convert the list to "include patterns" for Redirector:
 sed -i -r -e 's/\./\\\\\./g' -e 's/\*/\(\.\*\)/g' -e 's/^\\\\\./http\:\/\/\(\.\*\\\\\.\)\?/g' -e 's/$/\(\/\.\*\)\?\$/' noscript-https-converting-for-redirector.txt
Now the difficult part: Generating the "redirect URL". Entries without TLD will need to be added manually.
 sed -i -r -e 's/^http\:\/\/\(\.\*\\\\\.\)\?(.*)\\\\\.([a-z]{2,8})\(\/\.\*\)\?\$$/\0\nhttps\:\/\/\$1\1\.\2\$2/g' noscript-https-converting-for-redirector.txt
On entries with wildcards, you now need to replace "(.*)\" by "$2" and adjust the "$2" on the end of the line to "$3". (Done manually)
Almost done, just place the JSON skeleton around this list:
 sed -i -r -e 's/^http\:.*$/\{\n  \"includePattern\"\: \"\0\"\,/g' -e 's/^https\:.*/  \"redirectUrl\"\: \"\0\"\,\n  \"patternType\"\: \"R\"\,\n  \"appliesTo\"\:\[\"main_frame\"\,\"sub_frame\"\,\"stylesheet\"\,\"script\"\,\"image\"\,\"object\"\,\"xmlhttprequest\"\,\"other\"\]\n\},/g' noscript-https-converting-for-redirector.txt
And as the last step, complete the JSON by adding
 { "redirects": [
as the first line to the file, remove the comma in the last line and add "]}" instead. Congratulations, you should now have a file importable to the addon Redirector.

For the exclusion rules, I'm adding them manually to the redirects they belong to. Since the list is searchable (I used to copy the old NoScript list into a text editor if I was searching for an entry) this is quite easy, and I can take this opportunity to check whether the sites are actually still unavailable over HTTPS.
-

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Other NoScript features in 10?

Post by barbaz » Wed Mar 21, 2018 3:40 pm

adjfhnaileugfhdlkng wrote:the spam filter here felt triggered.)
I was able to post it for you. Let us know if you would like it reformatted.
*Always* check the changelogs BEFORE updating that important software!
-

Post Reply