Permissions Change
-
- Posts: 1
- Joined: Fri Sep 13, 2024 1:23 pm
Permissions Change
Hi,
Using Brave, and noticed a permissions change for NoScript came up:
Permissions
Access the page debugger backend
Read and change all your data on all websites ←
Why this change?
Thanks!
Using Brave, and noticed a permissions change for NoScript came up:
Permissions
Access the page debugger backend
Read and change all your data on all websites ←
Why this change?
Thanks!
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
- Giorgio Maone
- Site Admin
- Posts: 9476
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Permissions Change
Quoting the mandatory permission justification note I provided to the Chrome Store editors on submission:
Using the debugger API is the only way to reliably inject scripts into workers, especially service workers, on Chrome: https://github.com/hackademix/nscl/blob ... Workers.js
On Firefox browser.webRequest.filterResponseData() is used instead, but it's not available elsewhere.
A specific API proposal for MV3 has been made 7 months ago (https://github.com/w3c/webextensions/issues/538) but atm position is neutral for Safari and Firefox, none for Google.
Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
Re: Permissions Change
11.4.38rc2 from the Get it! link for Chromium based browsers unzips to a manifest with "version": "11.4.37.9002" A rose by any other name?
But it looks like debugging won't be possible because I'm guessing that the sequence of error messages when loading this in Dev Mode
relates to the problem in this thread.
But it looks like debugging won't be possible because I'm guessing that the sequence of error messages when loading this in Dev Mode
Code: Select all
Uncaught (in promise) Error: Cannot access contents of url "". Extension manifest must request permission to access this host.
[NoScript] Cannot collect noscript activity data Error: Could not establish connection. Receiving end does not exist. Could not establish connection. Receiving end does not exist. Error: Could not establish connection. Receiving end does not exist.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Re: Permissions Change
Apologies for missing info: this NS is running in Vivaldi latest stable.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Re: Permissions Change
@NSChromium: Could you please clarify how this relates to NoScript changing required permissions and what is your question?
Yes. Chromium doesn't support non-numeric versions, so this .900X internal version is how NoScript dev builds have their version compare "newer" than current stable release and "older" than the upcoming stable release version.NSChromium wrote: ↑Mon Sep 16, 2024 8:49 pm 11.4.38rc2 from the Get it! link for Chromium based browsers unzips to a manifest with "version": "11.4.37.9002" A rose by any other name?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0
Re: Permissions Change
Thanks for the numbering advice.
I'm clearly out of my depth trying to be a tester so I shall return to running the stable version.
Feel free to delete my post above.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Re: Permissions Change
The most worrisome part for me - since I already consider NoScript to be trustworthy and I'm not worried about the additional permissions - is that Vivaldi DISABLED NoScript WITHOUT NOTICE after the new version requested new permissions.
Is this what happens on other Chromium-based browsers when new permissions are requested?
Is this what happens on other Chromium-based browsers when new permissions are requested?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
-
- Posts: 2
- Joined: Sun Sep 29, 2024 8:26 am
Re: Permissions Change
HiGiorgio Maone wrote: ↑Fri Sep 13, 2024 2:29 pm Quoting the mandatory permission justification note I provided to the Chrome Store editors on submission:Using the debugger API is the only way to reliably inject scripts into workers, especially service workers, on Chrome: https://github.com/hackademix/nscl/blob ... Workers.js
On Firefox browser.webRequest.filterResponseData() is used instead, but it's not available elsewhere.
A specific API proposal for MV3 has been made 7 months ago (https://github.com/w3c/webextensions/issues/538) but atm position is neutral for Safari and Firefox, none for Google.
Unfortunately, I didn't understand a word of this. Could you please tell us in NORMAL words why the extensions needs access to EVERYTHING we do on a website? I want to know. I have been using the extension for years, but reading something like "Read and change all your data on all websites" really scares me.
How do I know you will not collect everything I do on a website including my password? I wish there would be information about this so I can trust this extension in the future.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Re: Permissions Change
If NoScript does not know about everything your browser tries to load for a website, it can't know about and block the stuff you want it to block.herdsfgdgf wrote: ↑Sun Sep 29, 2024 8:32 am Could you please tell us in NORMAL words why the extensions needs access to EVERYTHING we do on a website?
See also viewtopic.php?p=91670#p91670
1) See NoScript's privacy policy: https://addons.mozilla.org/firefox/addo ... t/privacy/herdsfgdgf wrote: ↑Sun Sep 29, 2024 8:32 am How do I know you will not collect everything I do on a website including my password?
2) Quoting from Giorgio's blog -
https://hackademix.net/2017/12/11/noscript-and-the-downloads-permission/ wrote:NoScript, a component of the Tor Browser (one of the most scrutinized software pieces on the planet by security experts all over the world),
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
- Giorgio Maone
- Site Admin
- Posts: 9476
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Permissions Change
NoScript does not "access" ANYTHING you do on a website, but in order to patch the execution environment and prevent the webpage (which most of the time WANTS DESPERATELY to spy on EVERYTHING you do on the site and beyond) from abusing the various powers accessible from JavaScript it needs to execute its own code on each and every webpage you load, and therefore could potentially abuse this power as well.herdsfgdgf wrote: ↑Sun Sep 29, 2024 8:32 am Could you please tell us in NORMAL words why the extensions needs access to EVERYTHING we do on a website?
It's always been this way for almost 20 years since NoScript 1.0, and the same for any privacy/security extension, but you've noticed it right now because Chrome's limitations (not having a powerful enough webRequest API) require NoScript to leverage the debug API in order to patch web workers, which are invisible scripts detached from the webpage which run in their own process and could be used to work around NoScript-provided protection.herdsfgdgf wrote: ↑Sun Sep 29, 2024 8:32 am I want to know. I have been using the extension for years, but reading something like "Read and change all your data on all websites" really scares me.
By the way,NoScript is currently the only security extension capable of protecting users against web workers abuse.
How? You canherdsfgdgf wrote: ↑Sun Sep 29, 2024 8:32 am How do I know you will not collect everything I do on a website including my password? I wish there would be information about this so I can trust this extension in the future.
- check the source code, or if you can't
- ask a friend you trust who can do it
- trust Mozilla and Google editors who read the code and approved the extension, whose privacy policy states "zero data collection"
- trust the Tor Project which has been shipping NoScript inside the Tor Browser for more than a decade now
Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
-
- Posts: 2
- Joined: Sun Sep 29, 2024 8:26 am
Re: Permissions Change
@Giorgio Maone
Thank you for clarifying! I'm glad you answered my questions.
Thank you for clarifying! I'm glad you answered my questions.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36