Is NS Icon Correct Here???

[al_9x]

No, I do not have that checked.

If you have "No placeholder for objects coming from sites marked as untrusted" checked, then untrusted sites should not produce blocked objects. If they still do then I would think that's a bug and you should post the url so it can be reproduced.

[GµårÐïåñ]

Forgive me, maybe I am having a piss poor day or something but I am not quite getting what you are going for with those two quotes. But I will give it a shot but promise to not shoot me if I get it wrong.

Are you saying that it shows that because I have not checked this, so the fact that there are objects is the reason? So if I did have that checked it would show gray and not like this? The placeholders are the reason?

TESTED: You are correct, it shows gray instead of mixed.

However, I still have an issue with it because if you have placeholders, you might want to selectively still allow temp to view but not globally, the placeholder gives you a visual accounting of options, no need for the icon to be partial. The fact that the parent is listed as untrusted should still not produce the containers in either case, the placeholders ARE the visual elements for selectively temp allow, why need to have the partial icon to demonstrate that?

I wish we had an emoticon for banging your head against the wall. It is very relevant to how I am feeling right now. <insert imagination>

[Giorgio Maone]

No, I do not have that checked.

If you have "No placeholder for objects coming from sites marked as untrusted" checked, then untrusted sites should not produce blocked objects. If they still do then I would think that's a bug and you should post the url so it can be reproduced.

I think he means that if infosniper.com is marked as untrusted and still is shown in the "Blocked objects" menu (as i does), it should be considered as a bug.
I'm not sure about it, since you may want to temporarily allow a blocked iframe from an untrusted site, while keeping scripts disabled for it and sparing yourself the encumbrance of visual placeholders from untrusted sites.

[al_9x]

I'm not sure about it, since you may want to temporarily allow a blocked iframe from an untrusted site, while keeping scripts disabled for it and sparing yourself the encumbrance of visual placeholders from untrusted sites.

I like the way it currently works, untrusted + No placeholder = silent suppression with no ui cues, as if the site is not even there. If you decide to alter it, please make it configurable so current behavior can be retained.

[GµårÐïåñ]

I think he means that if infosniper.com is marked as untrusted and still is shown in the "Blocked objects" menu (as i does), it should be considered as a bug.

As you can see on the menu, I have marked it as untrusted, I was actually testing something, and that's when I noticed it still shows the objects, even though it is marked as untrusted and shows a partial. So that would be considered a bug right? No partial allowed, I marked the parent as untrusted.

I'm not sure about it, since you may want to temporarily allow a blocked iframe from an untrusted site, while keeping scripts disabled for it and sparing yourself the encumbrance of visual placeholders from untrusted sites.

I leave placeholders there because I want a visual cue that there are objects, in case I want to temporarily view one of them but I figured if it is marked as untrusted the rest of the time, it should be treated as such, no? So far it seems having the placeholder showing/not is the difference between the icons, not sure if that's just a small logic comparison being missing (a bug) or intended behavior. I am sorry if it has been made clear but I am not getting it but following the logic explained so far, I am still thinking it shouldn't behave this way.

If I am wrong, I would welcome the discussion and apologize in advance but its my nature to try and understand everything with certainty before just going with it, thanks for bearing with me.

[Tom T.]

I went to your site and did not allow it. (No offense, of course, just testing. )
*Everything* is checked on the Embeddings page, including "No placeholder for objects .... untrusted". This is my default NS configuration.

(btw, agree with al-9x - your reputation is far too well established here for anyone to accuse you of posting a question merely to spam your site. Please don't ever give that another thought.)

Since I have never had contact with vimeo or infosniper, they are in what will be known in the future as "Unknown". Hence there is a green marker in NS menu, and pointing to it offers me the option to allow these objects. Also, their placeholders show, for quick convenience in allowing them.

Next, I mark vimeo and infosniper as "Untrusted", and reload the page. Their placeholders disappear, and they disappear from the "Blocked Objects" sub-menu.
I concur that this is a good system. If I think something is missing, I can always point to "Untrusted" and examine the untrusted/blocked objects.

Next, I uncheck "No placeholder for objects coming from sites marked as untrusted", and reload the page. The vimeo and infosniper placeholders reappear, and the objects reappear in the "Blocked Objects" sub-menu. This is exactly the behavior I would expect.

Next, I go back to 100%-lockdown, reload, then uncheck "Block every object coming from a site marked as untrusted", and reload the page.
I've never toyed with this checkbox before. No placeholders appear, as that is still checked. *Nothing appears to change at all.* No Blocked Objects in the Blocked Objects sub-menu, only the original cholce in "Untrusted" menu to allow vimeo or infosniper.

Additionally unchecking " No placeholder for objects coming from sites marked as untrusted" and reloading brings back the placeholders, but still no untrusted objects listed in "Blocked Objects" sub-menu. This checkbox seems somewhat redundant to me so far if all "Block Plugin" boxes are checked. If I uncheck "Forbid IFrame", then the infosniper IFrame appears even with "No placeholder" AND "Block every object from sites marked Untrusted".

I think "this* might be an issue. The "Block every object coming from a site marked as untrusted" seems to serve no purpose. Infosniper is Untrusted, yet allowing IFrames allows Iframe from infosniper, despite the "Block every...".

The other suggestion: Note the frequent mention of "Reload the page..." . I would think that changing permissions for objects is a page permission change significant enough to warrant an automatic reload. (Yes, I have always had "Automatically reload affected pages when permissions change" checked.) I would suggest that this convenience feature be added.

Finally: I think the logo color and shading changes have gotten far beyond the average user's comprehension. There is no FAQ, only the Features page explanation, a page probably less read (you would have the hit stats, Giorgio), and less intuitively checked by a user with a question. FAQ is the natural choice.

But in any event, it seems three are simple enough:

Solid blue: Everything on this page is allowed (or the page does not use executable content, although there aren't many of those left anymore.)
Part red: Some things are allowed and one or more are blocked. Open the menu to see.
Solid red: Everything on this page is blocked. Open the menu if you wish to allow some.

You have to open the menu anyway, so the additional, non-intuitive markings and shadings add little value, IMHO.

The fourth, the red exclamation point for "Global Allow" is valid as an alert, but perhaps should be accompanied by a more emphatic message than just another menu choice "Forbid scripts globally (advised). Perhaps when the ! is clicked, a pop-up, "You have allowed all scripts in the universe to run. This is dangerous and contrary to the purpose of NoScript. Please see FAQ X.x for further information about why this is dangerous." Of course, users may still choose to ignore the exclamation point, as several posters to this forum have indicated is their practice.

This simplification would eliminate what Guardian perceives as a bug and what I perceive as trying to be too fine-grained in a 16x16 logo. Let the fine-graining improve in the controls, and let the logo be analogous to the green/yellow/red stop-light or WOT scheme with which people are familiar: Three choices.

I'm not recommending actually *changing* to green/yellow/red, because people would misinterpret it as "approval/caution/danger", which isn't the case. Just saying that three logos (blue; blue/red; red) plus the exclamation are enough visual cue to advise when further investigation is needed.

My two cents worth. IMHO. YMMV.

[al_9x]

I think "this* might be an issue. The "Block every object coming from a site marked as untrusted" seems to serve no purpose. Infosniper is Untrusted, yet allowing IFrames allows Iframe from infosniper, despite the "Block every...".

Confirming, this is a major bug. Probably deserves its own thread.

[GµårÐïåñ]

I went to your site and did not allow it. (No offense, of course, just testing. )
*Everything* is checked on the Embeddings page, including "No placeholder for objects .... untrusted". This is my default NS configuration.

None taken, that's why I have 3, two of which are on less than "trusted" sites so I can gauge the gui effect on the user. I do the same myself

(btw, agree with al-9x - your reputation is far too well established here for anyone to accuse you of posting a question merely to spam your site. Please don't ever give that another thought.)

I would think that too and if I wanted to spam something, I certainly wouldn't be using that site. But we are mods, expected to lead by example and didn't want it to appear like we were showing double standards. I know my motives, but others don't and the honorable thing was to leave it off. But thank you for everyone's show of support and respect, thank you.

Since I have never had contact with vimeo or infosniper, they are in what will be known in the future as "Unknown". Hence there is a green marker in NS menu, and pointing to it offers me the option to allow these objects. Also, their placeholders show, for quick convenience in allowing them.

Infosniper is on that ONE only, again to gauge the interaction with gmodules and such. Not a bad service, but not something I normally use but this was simple enough for testing purposes. Now vimeo was something that happened to be a service used by another to whom I was linking, so not a choice but rather a compromise yes they are considered the unknown, by my current definition too

Next, I mark vimeo and infosniper as "Untrusted", and reload the page. Their placeholders disappear, and they disappear from the "Blocked Objects" sub-menu.
I concur that this is a good system. If I think something is missing, I can always point to "Untrusted" and examine the untrusted/blocked objects.

Ok, so far. If no placeholder, then yeah, but with placeholder the partial suggests something got missed when a decision was actually made. I have come across other sites with untrusted status who have media in them and they do not come up partial like that, they just show untrusted. I guess that was my expectation to all, even with the place holder active.

Next, I uncheck "No placeholder for objects coming from sites marked as untrusted", and reload the page. The vimeo and infosniper placeholders reappear, and the objects reappear in the "Blocked Objects" sub-menu. This is exactly the behavior I would expect.

So far yeah, same here, my concern is mostly with the display icon as a guide.

Next, I go back to 100%-lockdown, reload, then uncheck "Block every object coming from a site marked as untrusted", and reload the page.
I've never toyed with this checkbox before. No placeholders appear, as that is still checked. *Nothing appears to change at all.* No Blocked Objects in the Blocked Objects sub-menu, only the original cholce in "Untrusted" menu to allow vimeo or infosniper.

Well I guess my confusion is that regardless of the block every or show placeholders or not, if they are marked untrusted, they are untrusted right? Until otherwise, what is the whole pending so we show partial that is driving me crazy here.

Additionally unchecking " No placeholder for objects coming from sites marked as untrusted" and reloading brings back the placeholders, but still no untrusted objects listed in "Blocked Objects" sub-menu. This checkbox seems somewhat redundant to me so far if all "Block Plugin" boxes are checked. If I uncheck "Forbid IFrame", then the infosniper IFrame appears even with "No placeholder" AND "Block every object from sites marked Untrusted".

Exactly, if I say untrusted, and have checked with objects should be untrusted, then it is a done deal no? Why consider them different and give different weight to it based on whether or not I have the redundant block every object checked or the placeholder? As a security conscious person, I want the placeholders to know where and what WITHOUT allowing it to find out, but that doesn't mean they are anything more than untrusted to me when I come across them. I feel my ability to use language to explain is failing me

I think "this* might be an issue. The "Block every object coming from a site marked as untrusted" seems to serve no purpose. Infosniper is Untrusted, yet allowing IFrames allows Iframe from infosniper, despite the "Block every...".

Whole other can of worms which I do not mind continuing as part of my original concern and will leave to Giorgio to address that for us. I am CERTAIN there is some logic for it, Giorgio is very good at not cluttering GUI unless absolutely necessary.

The other suggestion: Note the frequent mention of "Reload the page..." . I would think that changing permissions for objects is a page permission change significant enough to warrant an automatic reload. (Yes, I have always had "Automatically reload affected pages when permissions change" checked.) I would suggest that this convenience feature be added.

I have that set as well and I think that would certainly warrant it too. however, I have noticed that reloads executed by NS do not always end well, I have to often click in the URL box and hit enter to force another to make it work right.

Finally: I think the logo color and shading changes have gotten far beyond the average user's comprehension. There is no FAQ, only the Features page explanation, a page probably less read (you would have the hit stats, Giorgio), and less intuitively checked by a user with a question. FAQ is the natural choice.

Well I check it and sure you do as many else, but you are right, it is not as IN FACE your face as most of the FAQs and I resigned myself to the fact that Giorgio is busy, it is not pressingly urgent and that in the end those who care enough to notice it, will also know where to look for the information. Just thinking out loud, Giorgio did say that the documentation needs to be reworked, so I am thinking when it comes to fruition, it will be dealt with accordingly. I have offered my assistance to Giorgio but respect his methodology to go it alone. I want to renew that offer in case it was forgotten.

But in any event, it seems three are simple enough:

Solid blue: Everything on this page is allowed (or the page does not use executable content, although there aren't many of those left anymore.)
Part red: Some things are allowed and one or more are blocked. Open the menu to see.
Solid red: Everything on this page is blocked. Open the menu if you wish to allow some.

For me to this date, it has been very straightforward and a none issue. White with blue all allowed. White with gray, no script. Big red one, script but all blocked. half shaded, some allowed, some not. White with blue and little red circle (our current condition) I took as being a site with partial allowed with something pending a decision but never thought it would be a situation like this where all decisions made still give the same icon. ???

You have to open the menu anyway, so the additional, non-intuitive markings and shadings add little value, IMHO.

Correct for someone as anal as myself, the icon is NOT my only indicator but it helps for quick cursory evaluation, plus its pretty cleverly done.

The fourth, the red exclamation point for "Global Allow" is valid as an alert, but perhaps should be accompanied by a more emphatic message than just another menu choice "Forbid scripts globally (advised). Perhaps when the ! is clicked, a pop-up, "You have allowed all scripts in the universe to run. This is dangerous and contrary to the purpose of NoScript. Please see FAQ X.x for further information about why this is dangerous." Of course, users may still choose to ignore the exclamation point, as several posters to this forum have indicated is their practice.

Well thank god its not up to me, as I would have icons that are FAR more gradient (meaning different for different reasons with the smallest variations) but that's the anal part I was referring to. I think Giorgio has masterfully kept it manageable, I just wanted it to work as expected, or learn why my expectations may be wrong.

This simplification would eliminate what Guardian perceives as a bug and what I perceive as trying to be too fine-grained in a 16x16 logo. Let the fine-graining improve in the controls, and let the logo be analogous to the green/yellow/red stop-light or WOT scheme with which people are familiar: Three choices.

I must clear that unless Giorgio states otherwise, this is YES my perception of a bug, it may not be. If it is, then I am glad I was able to help detect it but if not then I am fully willing to apologize, learn and move on

I'm not recommending actually *changing* to green/yellow/red, because people would misinterpret it as "approval/caution/danger", which isn't the case. Just saying that three logos (blue; blue/red; red) plus the exclamation are enough visual cue to advise when further investigation is needed.

My two cents worth. IMHO. YMMV.

The WOT system is ok but it matches their purpose, not ours here so much. Although I see what you are saying about the universal symbolic representation of color designations.

[Tom T.]

I think "this* might be an issue. The "Block every object coming from a site marked as untrusted" seems to serve no purpose. Infosniper is Untrusted, yet allowing IFrames allows Iframe from infosniper, despite the "Block every...".

Confirming, this is a major bug. Probably deserves its own thread.

Agree. Will open a bug report in NS Development shortly. Thanks for reproducing.

I have that set as well and I think that would certainly warrant it too. however, I have noticed that reloads executed by NS do not always end well, I have to often click in the URL box and hit enter to force another to make it work right.

If NS reloads don't reload properly under any given circumstance, then that is a bug. Please post the URL and steps necessary to reproduce the failed reload, so that Giorgio can fix it.

With regard to the icon, everyone's taste will differ. The important thing is to get the functions right first; maybe that will fix the icon.

Well thank god its not up to me, as I would have icons that are FAR more gradient

I understood "gradient". Brother, please remember that you are a thousand times more knowledgeable than the average user, which is a market that desperately needs NS. We get complaints of "It's too complicated". We need to KISS (I'm sure you know that one), and then the power-users can always dig inside the UI, inside about:config, etc.

The WOT system is ok but it matches their purpose, not ours here so much. Although I see what you are saying about the universal symbolic representation of color designations.

I'm afraid I wasn't clear. What is universal is the NUMBER, 3, having three choices. "Yes, No, Maybe" "Agree, Disagree, Don't Know". Stop, Caution, Go. etc. I DON"T recommend using the stop-light colors; I was only recommending simplifying the icon down to three stages: All allowed; some allowed; all blocked. But that's Giorgio's decision.

[Tom T.]

@ al_9x Now, I'm having trouble reproducing it (the "Block all objects from Untrusted" bug). When you get a chance, could you please post the exact steps you took to reproduce the issue? Thanks.

[al_9x]

@ al_9x Now, I'm having trouble reproducing it (the "Block all objects from Untrusted" bug). When you get a chance, could you please post the exact steps you took to reproduce the issue? Thanks.

Starting with a new profile and default NS settings, Fx 3.5.5, NS 1.9.9.18

1) go to http://michaelx1974.blogspot.com/, the infosniper.net iframe will load
2) mark infosniper.net untrusted, reload, the infosniper.net iframe still loads, block every object from untrusted is on (default), block iframes is off (default)

For a moment I thought iframes are deliberately not covered by that setting, but Giorgio did state that they are.

I think that setting should be expanded to include all resources. Is there any reason to load anything from an untrusted site?

[Tom T.]

@ al_9x Now, I'm having trouble reproducing it (the "Block all objects from Untrusted" bug). When you get a chance, could you please post the exact steps you took to reproduce the issue? Thanks.

Starting with a new profile and default NS settings, Fx 3.5.5, NS 1.9.9.18

1) go to http://michaelx1974.blogspot.com/, the infosniper.net iframe will load
2) mark infosniper.net untrusted, reload, the infosniper.net iframe still loads, block every object from untrusted is on (default), block iframes is off (default)

ATM, it's not loading even in step 1)
This is with infosniper.net allowed. (Image-width restrictions here might be cutting off the main NS menu).


Even though IFrames are allowed and infosniper is allowed, there is still only a placeholder for the infosniper object. I must click the placeholder or allow in Blocked Objects for it to load.

I wonder what I could have changed since the time I first produced the issue and you reproduced it? Whitelisted the whole site in Adblock. Any suggestions where else to look? ... I see you're using F2.20, so I did also, although I think the results were the same in Fx 3.5.5. (will double-check after logging off here.)

With infosniper forbidden, the placeholder properly disappears.


I don't know why I can't reproduce this now, but will explore. Any suggestions are welcome. Thanks.

[Tom T.]

Disregard the above regarding Fx 2.20. I don't know why I couldn't reproduce, but it's an obsolete version anyway.

Successfully reproduced on Fx 3.5.5, NS 1.9.9.18, had to tell RequestPolicy to allow requests to infosniper.

As I found before and al_9x confirmed, with infosniper allowed, IFrames allowed but all other Embeddings checked, the infosniper object loads and displays.

With infosniper forbidden and the page reloaded, the infosniper object remains displayed. I agree that "Block all from untrusted site" should remove this object on reload, as Giorgio says it should. Will post as a new bug report. Sorry for the delay.

Edit: Bug report: http://forums.informaction.com/viewtopi ... 303#p13830.