Questions about new 'noscript' option

Ask for help about NoScript, no registration needed to post
guest

Questions about new 'noscript' option

Post by guest » Tue Feb 16, 2021 3:26 pm

Thanks for the new version 11.2.1!

Usually I have scripts disabled on websites which work fine without it. Now I need to enable the new 'noscript' option on some of them to make them work (or set the site to trusted).

What's the use of this? Shouldn't the default preset have this option enabled by default? Why does the trusted preset have this option, too?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0

User avatar
Giorgio Maone
Site Admin
Posts: 9131
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Questions about new 'noscript' option

Post by Giorgio Maone » Tue Feb 16, 2021 3:40 pm

The "noscript" pseudo-capability should, indeed, be enabled by default in the DEFAULT preset.
In facts, that's the case if you install from scratch, and it was supposed to be the case if you upgraded from any version < 1.2.1rc4.
Unfortunately a little typo bug sneaked in, and the latter does not actually apply.
I'm trying to rush a quick minor update to limit the "damage", thanks.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0

Quest

Re: Questions about new 'noscript' option

Post by Quest » Tue Feb 16, 2021 5:01 pm

And what's the purpose of this option?
What differences there are if allowed or not?
And should it be allowed and what if not?
Mozilla/5.0 (Windows NT 6.1; rv:85.0) Gecko/20100101 Firefox/85.0

User avatar
Giorgio Maone
Site Admin
Posts: 9131
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Questions about new 'noscript' option

Post by Giorgio Maone » Tue Feb 16, 2021 6:44 pm

Quest wrote:
Tue Feb 16, 2021 5:01 pm
And what's the purpose of this option?
What differences there are if allowed or not?
It controls whether the <noscript> element is rendered or not (included emulating meta refreshes inside the element).
It's your choice, depending on the site. It has been requested by users who perceived some fallback content/behavior as an annoyance.
Personally I think it's better for the element to be rendered (NoScript emulates it on purpose, indeed, since CSP script blocking wouldn't render it per-se), and in facts the DEFAULT preset is meant to have it checked (even though, unfortunately, it didn't happen for upgrades from 11.2 because of the aforementioned bug).

It controls whether the <noscript> element is rendered or not (included emulating meta refreshes inside the element).
It's your choice, depending on the site. It has been requested by users who perceived some substitution content/behavior as an annoyance.
Quest wrote:
Tue Feb 16, 2021 5:01 pm
And should it be allowed and what if not?
Personally I think it's better to render <noscript> elements because it often contains useful fallbacks. NoScript emulates it on purpose, indeed, since CSP script blocking wouldn't render it per-se.
Because of this, the DEFAULT preset is meant to have it checked (even though, unfortunately, it didn't happen for upgrades from 11.2 because of the aforementioned bug).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0

barbaz
Master Bug Buster
Posts: 9986
Joined: Sat Aug 03, 2013 5:45 pm

Re: Questions about new 'noscript' option

Post by barbaz » Wed Feb 17, 2021 3:13 am

guest wrote:
Tue Feb 16, 2021 3:26 pm
Why does the trusted preset have this option, too?
Sorry if I missed it, but I wonder the same but don't see the answer above? What does "noscript" capability do when enabled for a site that has scripts allowed?

And shouldn't this be enabled by default for Untrusted preset too?
Temporarily off forum staff at my own request
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Giorgio Maone
Site Admin
Posts: 9131
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Questions about new 'noscript' option

Post by Giorgio Maone » Wed Feb 17, 2021 6:33 am

barbaz wrote:
Wed Feb 17, 2021 3:13 am
guest wrote:
Tue Feb 16, 2021 3:26 pm
Why does the trusted preset have this option, too?
Sorry if I missed it, but I wonder the same but don't see the answer above? What does "noscript" capability do when enabled for a site that has scripts allowed?
It has it to avoid surprise when cascading restrictions.
barbaz wrote:
Wed Feb 17, 2021 3:13 am
And shouldn't this be enabled by default for Untrusted preset too?
My reasoning is that if you mark a site as UNTRUSTED you probably don't care (or even want to avoid) possibly annoying and/or tracking replacement content.
It's configurable, anyway.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0

barbaz
Master Bug Buster
Posts: 9986
Joined: Sat Aug 03, 2013 5:45 pm

Re: Questions about new 'noscript' option

Post by barbaz » Wed Feb 17, 2021 6:17 pm

Giorgio Maone wrote:
Wed Feb 17, 2021 6:33 am
barbaz wrote:
Wed Feb 17, 2021 3:13 am
guest wrote:
Tue Feb 16, 2021 3:26 pm
Why does the trusted preset have this option, too?
Sorry if I missed it, but I wonder the same but don't see the answer above? What does "noscript" capability do when enabled for a site that has scripts allowed?
It has it to avoid surprise when cascading restrictions.
Thanks. Just to make sure I have it right:
  • on actually script-allowed sites, it does nothing;
  • when "Cascade top documents restrictions..." is enabled, it controls:
    • whether <noscript> elements are shown in nominally-script-allowed subdocuments of script-blocked pages;
    • whether <noscript> elements are shown in script-blocked subdocuments of script-allowed pages.
Is this correct and complete?
Temporarily off forum staff at my own request
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Giorgio Maone
Site Admin
Posts: 9131
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Questions about new 'noscript' option

Post by Giorgio Maone » Wed Feb 17, 2021 8:25 pm

barbaz wrote:
Wed Feb 17, 2021 6:17 pm
Giorgio Maone wrote:
Wed Feb 17, 2021 6:33 am
barbaz wrote:
Wed Feb 17, 2021 3:13 am
What does "noscript" capability do when enabled for a site that has scripts allowed?
It has it to avoid surprise when cascading restrictions.
Thanks. Just to make sure I have it right:
  • on actually script-allowed sites, it does nothing;
  • when "Cascade top documents restrictions..." is enabled, it controls:
    • whether <noscript> elements are shown in nominally-script-allowed subdocuments of script-blocked pages;
    • whether <noscript> elements are shown in script-blocked subdocuments of script-allowed pages.
Is this correct and complete?
Yes, it is (pending bugs ;) )
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0

barbaz
Master Bug Buster
Posts: 9986
Joined: Sat Aug 03, 2013 5:45 pm

Re: Questions about new 'noscript' option

Post by barbaz » Wed Feb 17, 2021 8:28 pm

Thanks Giorgio :) I updated viewtopic.php?p=93552#p93552 with this information.
Temporarily off forum staff at my own request
*Always* check the changelogs BEFORE updating that important software!
-

noni

Re: Questions about new 'noscript' option

Post by noni » Mon Mar 15, 2021 7:00 pm

i couldn't understand what's the purpose of this new "noscript" checkbox.

in Default and Untrusted i have nothing checked and i like it that way,i have no issues with it.
and in Trusted everything is checked apart from ping and "noscript".
for my use case;does checking "noscript" decrease the level of security i look for?

or could some one please provide a simpler explanation of this new checkbox?

Thanks.
Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0

barbaz
Master Bug Buster
Posts: 9986
Joined: Sat Aug 03, 2013 5:45 pm

Re: Questions about new 'noscript' option

Post by barbaz » Mon Mar 15, 2021 7:21 pm

noni wrote:
Mon Mar 15, 2021 7:00 pm
i couldn't understand what's the purpose of this new "noscript" checkbox.

in Default and Untrusted i have nothing checked and i like it that way,i have no issues with it.
and in Trusted everything is checked apart from ping and "noscript".
for my use case;does checking "noscript" decrease the level of security i look for?

or could some one please provide a simpler explanation of this new checkbox?

Thanks.
As said above -
Giorgio Maone wrote:
Tue Feb 16, 2021 6:44 pm
It controls whether the <noscript> element is rendered or not (included emulating meta refreshes inside the element).
It's your choice, depending on the site. It has been requested by users who perceived some substitution content/behavior as an annoyance.
A "<noscript> element" contains content that should only be shown when scripts are disabled. For technical reasons, the browser does not show these with NoScript's method of blocking scripts, so NoScript must emulate the correct behavior. When this checkbox is unchecked, NoScript does not emulate the <noscript> element on script-disabled pages, resulting in <noscript> elements not being shown at all.

For security it doesn't matter whether it's checked or not.
Temporarily off forum staff at my own request
*Always* check the changelogs BEFORE updating that important software!
-

noni

Re: Questions about new 'noscript' option

Post by noni » Mon Mar 15, 2021 9:11 pm

i think i understand.
I'll keep it unchecked.
Thanks @barbaz
Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0

Post Reply