Permissions Change

Ask for help about NoScript, no registration needed to post
TimeForChange
Posts: 1
Joined: Fri Sep 13, 2024 1:23 pm

Permissions Change

Post by TimeForChange »

Hi,

Using Brave, and noticed a permissions change for NoScript came up:

Permissions
Access the page debugger backend
Read and change all your data on all websites ←

Why this change?

Thanks!
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
User avatar
Giorgio Maone
Site Admin
Posts: 9476
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Permissions Change

Post by Giorgio Maone »

Quoting the mandatory permission justification note I provided to the Chrome Store editors on submission:
Using the debugger API is the only way to reliably inject scripts into workers, especially service workers, on Chrome: https://github.com/hackademix/nscl/blob ... Workers.js

On Firefox browser.webRequest.filterResponseData() is used instead, but it's not available elsewhere.

A specific API proposal for MV3 has been made 7 months ago (https://github.com/w3c/webextensions/issues/538) but atm position is neutral for Safari and Firefox, none for Google.
Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
NSChromium

Re: Permissions Change

Post by NSChromium »

11.4.38rc2 from the Get it! link for Chromium based browsers unzips to a manifest with "version": "11.4.37.9002" A rose by any other name?

But it looks like debugging won't be possible because I'm guessing that the sequence of error messages when loading this in Dev Mode

Code: Select all

Uncaught (in promise) Error: Cannot access contents of url "". Extension manifest must request permission to access this host.
[NoScript] Cannot collect noscript activity data Error: Could not establish connection. Receiving end does not exist. Could not establish connection. Receiving end does not exist. Error: Could not establish connection. Receiving end does not exist.
relates to the problem in this thread.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
NSChromium

Re: Permissions Change

Post by NSChromium »

Apologies for missing info: this NS is running in Vivaldi latest stable.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
barbaz
Senior Member
Posts: 10921
Joined: Sat Aug 03, 2013 5:45 pm

Re: Permissions Change

Post by barbaz »

@NSChromium: Could you please clarify how this relates to NoScript changing required permissions and what is your question?
NSChromium wrote: Mon Sep 16, 2024 8:49 pm 11.4.38rc2 from the Get it! link for Chromium based browsers unzips to a manifest with "version": "11.4.37.9002" A rose by any other name?
Yes. Chromium doesn't support non-numeric versions, so this .900X internal version is how NoScript dev builds have their version compare "newer" than current stable release and "older" than the upcoming stable release version.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0
NSChromium

Re: Permissions Change

Post by NSChromium »

barbaz wrote: Mon Sep 16, 2024 10:39 pm clarify how this relates to NoScript changing required permissions and what is your question?
Thanks for the numbering advice.
I'm clearly out of my depth trying to be a tester so I shall return to running the stable version.
Feel free to delete my post above.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
pjk
Junior Member
Posts: 20
Joined: Mon Jul 20, 2020 10:13 pm

Re: Permissions Change

Post by pjk »

The most worrisome part for me - since I already consider NoScript to be trustworthy and I'm not worried about the additional permissions - is that Vivaldi DISABLED NoScript WITHOUT NOTICE after the new version requested new permissions.

Is this what happens on other Chromium-based browsers when new permissions are requested?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
herdsfgdgf
Posts: 2
Joined: Sun Sep 29, 2024 8:26 am

Re: Permissions Change

Post by herdsfgdgf »

Giorgio Maone wrote: Fri Sep 13, 2024 2:29 pm Quoting the mandatory permission justification note I provided to the Chrome Store editors on submission:
Using the debugger API is the only way to reliably inject scripts into workers, especially service workers, on Chrome: https://github.com/hackademix/nscl/blob ... Workers.js

On Firefox browser.webRequest.filterResponseData() is used instead, but it's not available elsewhere.

A specific API proposal for MV3 has been made 7 months ago (https://github.com/w3c/webextensions/issues/538) but atm position is neutral for Safari and Firefox, none for Google.
Hi
Unfortunately, I didn't understand a word of this. Could you please tell us in NORMAL words why the extensions needs access to EVERYTHING we do on a website? I want to know. I have been using the extension for years, but reading something like "Read and change all your data on all websites" really scares me.
How do I know you will not collect everything I do on a website including my password? I wish there would be information about this so I can trust this extension in the future.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
barbaz
Senior Member
Posts: 10921
Joined: Sat Aug 03, 2013 5:45 pm

Re: Permissions Change

Post by barbaz »

herdsfgdgf wrote: Sun Sep 29, 2024 8:32 am Could you please tell us in NORMAL words why the extensions needs access to EVERYTHING we do on a website?
If NoScript does not know about everything your browser tries to load for a website, it can't know about and block the stuff you want it to block.

See also viewtopic.php?p=91670#p91670
herdsfgdgf wrote: Sun Sep 29, 2024 8:32 am How do I know you will not collect everything I do on a website including my password?
1) See NoScript's privacy policy: https://addons.mozilla.org/firefox/addo ... t/privacy/

2) Quoting from Giorgio's blog -
https://hackademix.net/2017/12/11/noscript-and-the-downloads-permission/ wrote:NoScript, a component of the Tor Browser (one of the most scrutinized software pieces on the planet by security experts all over the world),
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
User avatar
Giorgio Maone
Site Admin
Posts: 9476
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Permissions Change

Post by Giorgio Maone »

herdsfgdgf wrote: Sun Sep 29, 2024 8:32 am Could you please tell us in NORMAL words why the extensions needs access to EVERYTHING we do on a website?
NoScript does not "access" ANYTHING you do on a website, but in order to patch the execution environment and prevent the webpage (which most of the time WANTS DESPERATELY to spy on EVERYTHING you do on the site and beyond) from abusing the various powers accessible from JavaScript it needs to execute its own code on each and every webpage you load, and therefore could potentially abuse this power as well.
herdsfgdgf wrote: Sun Sep 29, 2024 8:32 am I want to know. I have been using the extension for years, but reading something like "Read and change all your data on all websites" really scares me.
It's always been this way for almost 20 years since NoScript 1.0, and the same for any privacy/security extension, but you've noticed it right now because Chrome's limitations (not having a powerful enough webRequest API) require NoScript to leverage the debug API in order to patch web workers, which are invisible scripts detached from the webpage which run in their own process and could be used to work around NoScript-provided protection.

By the way,NoScript is currently the only security extension capable of protecting users against web workers abuse.
herdsfgdgf wrote: Sun Sep 29, 2024 8:32 am How do I know you will not collect everything I do on a website including my password? I wish there would be information about this so I can trust this extension in the future.
How? You can
  • check the source code, or if you can't
  • ask a friend you trust who can do it
  • trust Mozilla and Google editors who read the code and approved the extension, whose privacy policy states "zero data collection"
  • trust the Tor Project which has been shipping NoScript inside the Tor Browser for more than a decade now
... or just uninstall it and trust all the random web pages you'll surf naked.
Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
herdsfgdgf
Posts: 2
Joined: Sun Sep 29, 2024 8:26 am

Re: Permissions Change

Post by herdsfgdgf »

@Giorgio Maone
Thank you for clarifying! I'm glad you answered my questions.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Post Reply