How to determine necessary permissions?

wsmith84
Posts: 3
Joined: Tue Sep 17, 2024 6:22 pm

How to determine necessary permissions?

Post by wsmith84 »

How can I determine exactly which permissions the tab I'm currently looking at is using? I specifically said tab here, and not page, because the permissions can change and/or stack up across multiple redirections as part of a single user action.

The overall goal here is to be able to optimize NoScript's security by avoiding the need to grant extra, wide permissions because it's too difficult or time-consuming to ferret out exactly what's specifically necessary by hand. I'm using the latest version of Firefox, in case that matters.

It's becoming increasingly common that I'll be on a site where things aren't working (for example, the account registration process on this very site) and the only way I can proceed is to completely disable NoScript for the current tab...since all the highlighted permissions in the drop-down are already granted. I have a couple of ideas on how this could be solved:

1. Does NoScript keep a log anywhere of which permissions are being triggered? Something with output like this (the specific format isn't relevant, just something with these contents and reasonably machine-parseable would be ideal):

Site                    | Remote site         | Permission | Action
----------------------- | ------------------- | ---------- | ------
forums.informaction.com | www.google.com      | script     | allow-temp
www.example.com         |                     | media      | deny
www.example.com         | content.example.com | font       | allow

I'm aware -- at least, I think this is how it works -- that the permissions that show up with red backgrounds in the drop-down are the ones being used by the current page, but that's not always enough. For example, when a site redirects through several pages, the contents of that drop-down change dynamically as it goes between transitions, and even if you can see the changes (which is by no means guaranteed) you certainly don't have time to click on anything.

It'd be awesome to have a real-time log like this directly in the tab's UI, so you don't have to worry about whether you're seeing activity in a global log that's being generated by other tabs. You'd think it'd be obvious, but for example Google is in so many pages now because of its CAPTCHA stuff, not to mention sites like CloudFlare, jQuery, jsdelivr...you get the idea. :)

2. Does NoScript have a "learning mode", where it automatically grants any permission that's triggered, and then goes back to normal when you switch back to "enforcing" mode (the normal behaviour)? Better yet, if it had an option to make any "learned" permissions as temporary, which would be good for stuff like this forum's account registration where you have to allow third-party requests to Google for its CAPTCHA stuff but you don't want those permissions set permanently. Also better yet if it displayed a report with a list of added permissions when you switch back to normal mode.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0
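
The log format sketched in the post above is easy to consume mechanically. The following is an added example, not part of the original post and not NoScript code: NoScript emits no such log, the function names are hypothetical, and the sample input is constructed (the first three rows are the post's own, the last two are made up). It parses the table and reports, per top-level site, the narrowest set of grants still missing.

```javascript
// Constructed sample in the table format sketched in the post (NoScript emits no such log).
const SAMPLE_LOG = `
Site                    | Remote site         | Permission | Action
----------------------- | ------------------- | ---------- | ------
forums.informaction.com | www.google.com      | script     | allow-temp
www.example.com         |                     | media      | deny
www.example.com         | content.example.com | font       | allow
www.example.com         | content.example.com | script     | deny
www.example.com         | content.example.com | script     | deny
`;

// Parse the pipe-delimited table into records; skips header and separator rows.
function parseLog(text) {
  const rows = [];
  for (const line of text.split("\n")) {
    const cells = line.split("|").map((c) => c.trim());
    if (cells.length !== 4) continue; // blank or malformed line
    if (cells[0] === "Site" || /^-+$/.test(cells[0])) continue;
    const [site, remote, permission, action] = cells;
    // An empty "Remote site" cell is treated as a first-party request.
    rows.push({ site, remote: remote || site, permission, action });
  }
  return rows;
}

// Per top-level site: the (host, capability) pairs that were denied,
// de-duplicated across repeated page loads and redirections.
function missingGrants(rows) {
  const out = {};
  for (const { site, remote, permission, action } of rows) {
    if (action !== "deny") continue;
    out[site] = out[site] || {};
    const perms = new Set(out[site][remote] || []);
    perms.add(permission);
    out[site][remote] = [...perms].sort();
  }
  return out;
}

// Temporary grants, listed so they can be reviewed before being made permanent.
function temporaryGrants(rows) {
  return rows
    .filter((r) => r.action === "allow-temp")
    .map((r) => `${r.site} -> ${r.remote}: ${r.permission}`);
}

console.log(JSON.stringify(missingGrants(parseLog(SAMPLE_LOG)), null, 2));
console.log(temporaryGrants(parseLog(SAMPLE_LOG)));
```
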
barbaz
Senior Member
Posts: 10916
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to determine necessary permissions?

Post by barbaz »

wsmith84 wrote: Tue Sep 17, 2024 6:56 pm It's becoming increasingly common that I'll be on a site where things aren't working (for example, the account registration process on this very site) and the only way I can proceed is to completely disable NoScript for the current tab...since all the highlighted permissions in the drop-down are already granted.
What do you mean "all the highlighted permissions in the drop-down"?

How have you configured your TRUSTED preset?
Do your permissions for these sites involve site-specific permissions (i.e. set to CUSTOM, and the "Enable these capabilities when top page matches" drop-down has entries other than "ANY SITE")?
wsmith84 wrote: Tue Sep 17, 2024 6:56 pm 1. Does NoScript keep a log anywhere of which permissions are being triggered?
No, but it has been requested - viewtopic.php?t=26249
wsmith84 wrote: Tue Sep 17, 2024 6:56 pm 2. Does NoScript have a "learning mode", where it automatically grants any permission that's triggered, and then goes back to normal when you switch back to "enforcing" mode (the normal behaviour)? Better yet, if it had an option to make any "learned" permissions as temporary, [...] Also better yet if it displayed a report with a list of added permissions when you switch back to normal mode.
NoScript doesn't currently have such a feature. It would be an interesting way to deal with sites that require payment or similar: enable "learning" permissions that were DEFAULT, then make your payment/order/etc, then review the added temporary permissions after the fact and set needed ones permanent - resulting in better security than always using "Disable restrictions for this tab".

However, in basically any other scenario this would be dangerous: a malicious script only needs one chance to do damage, and it would automatically be allowed when this learning mode were enabled. But then again, the existing "Disable restrictions for this tab" option has the same caveat
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0
wsmith84
Posts: 3
Joined: Tue Sep 17, 2024 6:22 pm

Re: How to determine necessary permissions?

Post by wsmith84 »

barbaz wrote: Tue Sep 17, 2024 8:43 pm What do you mean "all the highlighted permissions in the drop-down"?
I mean, like, when you open the NoScript menu from the toolbar icon to assign permissions, click Custom, and some of the permissions checkboxes have a red background. Not just the checkbox itself that's red when you check it, but the entire background color of the <div> the permission selector is in. Like there's a big red bubble behind the whole "script" area.

Sorry, should have clarified I was talking about the "Custom" part; just realized most people probably don't even use that. :lol:
barbaz wrote: Tue Sep 17, 2024 8:43 pm How have you configured your TRUSTED preset?
Do your permissions for these sites involve site-specific permissions (i.e. set to CUSTOM, and the "Enable these capabilities when top page matches" drop-down has entries other than "ANY SITE")?
I don't use "TRUSTED" at all. When I install NoScript in a new browser, the first thing I do is pull up the "Per-site Permissions" and delete everything. I only assign permissions via the "CUSTOM" pane, for that specific host name (including for the site itself); I never use "ANY SITE". It's a holdover from the old days when I used to use RequestPolicy alongside NoScript. :)

EDIT: Actually, I take that back...I caved a bit and turned on "noscript" to DEFAULT and TRUSTED 'cause even I had to admit to myself that not having that seemed a bit silly. But other than that, they're empty. UNTRUSTED is of course empty.
barbaz wrote: Tue Sep 17, 2024 8:43 pm No, but it has been requested - viewtopic.php?t=26249
I knew it! I did try a search, I promise. :) I'll check that topic out and see if I feel like I can add anything. I see you're a "Senior Member"; is there a preferred way to add a "me too" to a topic, like a vote or something, without cluttering up the replies with a literal "me too" comment?
barbaz wrote: Tue Sep 17, 2024 8:43 pm NoScript doesn't currently have such a feature. It would be an interesting way to deal with sites that require payment or similar: enable "learning" permissions that were DEFAULT, then make your payment/order/etc, then review the added temporary permissions after the fact and set needed ones permanent - resulting in better security than always using "Disable restrictions for this tab".
Yes! That's exactly the kind of workflow I'd love to see.
barbaz wrote: Tue Sep 17, 2024 8:43 pm However, in basically any other scenario this would be dangerous: a malicious script only needs one chance to do damage, and it would automatically be allowed when this learning mode were enabled. But then again, the existing "Disable restrictions for this tab" option has the same caveat
Agree on both counts. It's a power tool that needs to be used carefully to be effective...but that's also true of NoScript itself. Everyone's entitled to their own opinion, of course, but I'm always of the opinion that when a decision has to be made, the default should be to empower the users who are invested enough in the software to want to dive in and really push it to its limits.

To rephrase what you just said: when it comes to potentially letting the fox into the henhouse from a single lapse, "Temporarily disable NoScript for this tab" and "Enter Learning Mode for this tab" both open the same attack surface while they're active. The only difference is that at least with "learning mode", you have a chance to close the door after the first time, 'cause with the former option you're just gonna always disable everything whenever you visit.

Another option, since you seem to have the stomach for reading multiple paragraphs at a time ( ;) ) would be to have the learning mode just present a list of triggered permissions after each page load, and let the user decide what to enable. If any changes are made, the page reloads just like it normally does when you change something, and the process repeats. I guess that's more of a "guided setup" mode than a "learning mode" per se, but it does close that "race condition" window. I'd probably use it myself on most sites, to keep from having one pass that reaches out to 37 ad affiliate partner sites on every page load if you don't block them. heh
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0
wsmith84
Posts: 3
Joined: Tue Sep 17, 2024 6:22 pm

Re: How to determine necessary permissions?

Post by wsmith84 »

Just as another data point, I experienced this "issue" again while logging in to Discord today. It prompted me for a CAPTCHA, and even though:
  1. The CAPTCHA wasn't showing on the page
  2. NoScript's toolbar icon had a red "(1)" badge showing that it had blocked at least one element
...every permission shown as necessary was already granted. I'm assuming this is because of either a redirection or a navigation-less AJAX request of some kind; either way it's invisible to the user and the only way I can think of to bypass it is simply to disable NoScript entirely for the tab.

EDIT: Also encountering these symptoms trying to log in to my doctor's online portal. Again, not to belabor the point but this is not a complaint against NoScript; it's doing its job just fine. It just would be super nice if there were some kind of logging or something to make fine-tuning the ruleset easier (eliminate the trial-and-error parts, etc.).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0