"Visit site" option

EdARoss
Posts: 3
Joined: Fri Mar 20, 2009 11:44 pm

Post by EdARoss » Fri Mar 20, 2009 11:50 pm

Quite often a site will use code coming from other domains. It would be useful to have a "Visit site" option next to the "Forbid"/"Allow" options on the NoScript menu, so that the user can more easily see if they want to block or allow that site.
Users now have to type in the domain they want to check out in the web browser address bar. It would be nice to be able to just click a button to test out the site.
Thanks for a great extension!
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

Giorgio Maone
Site Admin
Posts: 8700
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: "Visit site" option

Post by Giorgio Maone » Sat Mar 21, 2009 1:02 am

A similar feature is planned, but I'm still in doubt between 2 alternate implementations:
  1. An "Info about these sites" command in the menu, opening a page with useful information about all the listed sites (WHOIS data as the bare minimum)
  2. Opening the same info, but for single sites when you use middle-click on the menu entry
#1 is surely doable, but would add clutter to an already cluttered menu.
#2 can be technically challenging, due to menu limitations, and can be problematic for accessibility (not all users have a middle button, or even can use the mouse).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

EdARoss
Posts: 3
Joined: Fri Mar 20, 2009 11:44 pm

Re: "Visit site" option

Post by EdARoss » Sat Mar 21, 2009 1:34 am

Thanks for the reply. I was thinking just an option to open the site (in a new tab) could be good - after all, with scripting disabled on the site by default, it shouldn't be too much of an issue to visit it to see if it is ok (in most cases), right?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

Giorgio Maone
Site Admin
Posts: 8700
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: "Visit site" option

Post by Giorgio Maone » Sat Mar 21, 2009 2:12 am

EdARoss wrote: Thanks for the reply. I was thinking just an option to open the site (in a new tab) could be good

OK, but my doubt stands still: where do I put the command to open the site in an accessible and non-cluttering way?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: "Visit site" option

Post by Alan Baxter » Sat Mar 21, 2009 4:25 am

EdARoss wrote: Thanks for the reply. I was thinking just an option to open the site (in a new tab) could be good - after all, with scripting disabled on the site by default, it shouldn't be too much of an issue to visit it to see if it is ok (in most cases), right?

Or simply copy the site to the clipboard. Then I can choose to check it out in WOT or Site Advisor, or simply do a web search on it, for example. I rarely want to actually open a questionable site's home page -- certainly not if it's potentially malicious, even if it's not whitelisted.

Sometimes I'm paranoid about the social engineering danger associated with NoScript Support. How do I know that someone's post of "Please check out this site. I can't get it to work with NoScript" isn't an attempt to get me to load a malicious web page with NoScript disabled. I hope I haven't hijacked your topic too badly, Ed. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: "Visit site" option

Post by Nan M » Sat Mar 21, 2009 6:33 am

I'm not so sure that a visit to a site is going to be illuminating wrt what evil it may be doing with scripts on another page.
After all, that's what the web problems arise from mostly isn't it - - people believing what they see on a web page?
Alan Baxter's worry about social engineering is mine too; clicking is how the web sucks everybody in and if a feature linking out to a site is as easy as a click from the NS menu then I imagine a truckload of the curious will go visiting just because they can - and not for any trust reasons. Why make it easier for them - the social engineers and those who just seem to want to get hurt?

I'm inclined to the conservative side of NS usage, the way Giorgio began development with whitelisting as the driving idea. Like Alan Baxter, I find the web runs just fine with everything locked down and whitelisting only as necessary. The initial few days of slow browsing while a new user investigates their necessary scripting domains isn't going to be avoided by being able to link directly to scripting sites because a user has to then, once at the site, satisfy themselves about trust - surely a larger time-consumer than not having a direct link from NS.
With respect to incorporating tools for linking to whois and other research tools, if any pressure to expand the features of NS interfere with the efficient use of the genius menu (not exaggerating this, the menu is a marvel of usability) then it should be deprecated.
My logic for not seeing as integral to NS even a feature to link out to whois and other services for research into domains is that for most of the time a page will work fine with just the main guessed domain allowed - - and that's the page a user is already on anyway.
In the small number of cases where research is desired for usability it would of course be useful for the typingly and/or short-term memory challenged to be able to copy/paste into a search box or simply to the clipboard, but only if it doesn't detract from the efficiency of NS now. And who is to say that if a person is too busy to take that time, they don't really want to use NS in the first place?
Just some ideas.

Focus in UIs is a problem that the graphical windows-style UI has always been saddled with, so it's not going to be simple I'm guessing.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009030422 Ubuntu/8.10 (intrepid) Firefox/3.0.7

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: "Visit site" option

Post by Tom T. » Sat Mar 21, 2009 6:37 am

Giorgio Maone wrote: (not all users have a middle button, or even can use the mouse).

Laptops often don't have a middle button on the touchpad.
Giorgio Maone wrote: Opening the same info, but for single sites when you use middle-click on the menu entry.

At the moment, right-clicking on a blocked item or forbidden script ("Allow scriptsite.com") in the menu doesn't do anything for me. Is it supposed to? If not, this could be the no-clutter way to achieve the goal, if the goal is desired.
Alan Baxter wrote: Or simply copy the site to the clipboard. Then I can choose to check it out in WOT or Site Advisor, or simply do a web search on it, for example. I rarely want to actually open a questionable site's home page -- certainly not if it's potentially malicious, even if it's not whitelisted.

Sometimes I'm paranoid about the social engineering danger associated with NoScript Support. How do I know that someone's post of "Please check out this site. I can't get it to work with NoScript" isn't an attempt to get me to load a malicious web page with NoScript disabled. I hope I haven't hijacked your topic too badly, Ed.
At the risk of sounding like a broken record, I've visited such sites in a sandboxed browser, separate from the one running the main site. Shouldn't be able to do too much damage. Also, if you use the Hosts file from http://www.mvps.org/winhelp2002/hosts.htm, you'll be automatically blocked from visiting badscriptingsite.com, which is a pretty good clue not to allow it.

@ Nan M.: I see new scripts on NoScript.Net and I get curious who they are :) And I just type, as you said - don't really think the right- or middle-click is necessary.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: "Visit site" option

Post by Alan Baxter » Sat Mar 21, 2009 7:01 am

Tom T. wrote: Also, if you use the Hosts file from http://www.mvps.org/winhelp2002/hosts.htm, you'll be automatically blocked from visiting badscriptingsite.com, which is a pretty good clue not to allow it.

But not being in that hosts file is no evidence that the site is safe. (Enumerating Badness is "Dumb Idea" #2.) Or maybe I don't know what you're getting at. Surely most users aren't using Sandboxie while deciding what scripts to allow.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: "Visit site" option

Post by Tom T. » Sat Mar 21, 2009 7:48 am

Alan Baxter wrote:
Tom T. wrote: Also, if you use the Hosts file from http://www.mvps.org/winhelp2002/hosts.htm, you'll be automatically blocked from visiting badscriptingsite.com, which is a pretty good clue not to allow it.

But not being in that hosts file is no evidence that the site is safe. (Enumerating Badness is "Dumb Idea" #2.) Or maybe I don't know what you're getting at. Surely most users aren't using Sandboxie while deciding what scripts to allow.


Sorry, it's getting late and my reply was rushed.

1) Defense in depth. Not being in Hosts is no proof of benignity (now there's a cool word!) 8-), but if it *is* there, end of story.

2) Defense in depth. I guess I'm not most users. Actually, I'm not most people. (I might not be people at all.) But I recently raised my percentage of browsing sandboxed from 80-90% to 100%, when I ran out of reasons not to. (Just finished tweaking Sandboxie.ini to allow NS allow/deny permission changes to penetrate through to prefs.js. The actual site scripts still stay in the sandbox, of course.)

3) Defense in depth. Recently I saw that a certain sw developer had added several new scripts to his site, and while I'm familiar with most of the Net ad agencies, this one was new to me. I wanted to visit and see what their model was, what their sales pitch to site owners was, etc. So I opened a new sandboxed browser and visited, not that I was going to allow it anyway.

4) Finally: defense in depth. Why count on one wall when you can have two, in case there's a crack in one? Several times at the old forum I suggested Sandboxie (pretty much got ignored; hey, I don't get anything if you use it, so no sweat here). Have suggested to MA1 that he look into SB and verify or refute the developer's claims; if true, it seems the NS/SB combination is a virtually bulletproof way to browse. No offense intended to Maone 1.0, or that NS isn't the greatest browse tool in the world. It is, and I would never be without it. But to my surprise, once or twice a year there's a Flash video at YouTube that I actually want to watch, and I don't trust either Flash or YouTube farther than I could throw Hillary Clinton sitting on Rush Limbaugh's shoulders. So after allowing YouTube and ytimg, just click the NS block logo *for only the video I want to watch*, keeping all others disallowed. But in case that one video happens to be evil or have been injected, I still have it in the sandbox.

And *one* of these days, maybe RSnake or Sirdarckat is going to succeed in XSSing one of Giorgio's sites. :o Sirdarckat tells us that he's hacked NS several times over the years, but always reported privately to Giorgio, and praised Giorgio's prompt response, to wit: ""hours", (or minutes in some cases)". I'd just like a backup for those few minutes, amazing though Giorgio be (I mean that truly, and he knows it).

Yes, I wear two condoms when I have sex, even with myself. I don't know where that hand's been. :lol: :lol: G'night!

Edit: (AB:) "Sometimes I'm paranoid about the social engineering danger associated with NoScript Support. How do I know that someone's post of "Please check out this site. I can't get it to work with NoScript" isn't an attempt to get me to load a malicious web page with NoScript disabled."
Perfect time to use Sandboxie.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Lundholm
Junior Member
Posts: 28
Joined: Fri Mar 20, 2009 8:58 am
Location: Denmark

Re: "Visit site" option

Post by Lundholm » Sat Mar 21, 2009 8:08 am

Giorgio Maone wrote: OK, but my doubt stands still: where do I put the command to open the site in an accessible and non-cluttering way?


Similar discussions have come up previously, and I think the real issue here is having too many features in a single menu. This scares away new users, and even confuses experienced users.

I still think that you need to create a new "site manager" window, which could contain "trusted", "untrusted" and "unclassified" tabs. Right-clicking an unclassified site could either "allow", "forbid" or "visit" the site (personally, I would prefer a Siteadvisor report).

The site manager could be combined with the existing menu functions by just replacing the "untrusted" sub-menu by a "site manager" item. You may want to add a toolbar launch-button, as well. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090320 Shiretoko/3.5b4pre

EdARoss
Posts: 3
Joined: Fri Mar 20, 2009 11:44 pm

Re: "Visit site" option

Post by EdARoss » Sat Mar 21, 2009 10:41 am

I'm glad to have stimulated such well-reasoned discussion. I have to say, I think the arguments against my original suggestion are influencing me.
Perhaps adding a NoScript menu under the Tools menu, which would have options to run a whois for the sites with scripts running on the viewed page could be a better idea?
That way the main bar would remain uncluttered, but users that wanted to run a whois could still do so.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: "Visit site" option

Post by Tom T. » Sat Mar 21, 2009 11:44 pm

Can't you run a whois by opening a new tab (one click on the + icon), going to your whois bookmark (couple more clicks), and typing in the info (OMG!)?
IMHO, NS is a safety tool, not a convenience tool to do that for you which you can easily do yourself *without any special knowledge*, but yes, you certainly stimulated interesting discussion, so good post.

IMHO, if you *don't* know who it is, don't allow it. Only exception was as a NS n00b, when I didn't know who these "Akamai" people were, and that's in the FAQ, as per the link. My other personal rule is: if you don't need it, don't allow it. In other words, if the site is doing for you what you want it to do, why allow any more? Sometimes the page is littered with NS (worm) block-logos, but who cares, if I get what I want from it? BTW, I just discovered while playing around that one of my banks seems to work while disallowing their script. So it's in the "forbid" list until I find a function that doesn't work (like, "Transfer money to EdARoss"), whereupon it will be temp. allowed for that session only.

Aside from any safety issues, it speeds up browsing, saves bandwidth and resources, including my laptop battery, etc. Just a personal opinion. YMMV. Cheers!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
