NS protection modules not surfaced in the GUI

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

NS protection modules not surfaced in the GUI

Post by al_9x »

  1. noscript.STS.enabled - strict transport security
  2. noscript.doNotTrack.enabled - do not track header
  3. noscript.frameOptions.enabled - X-Frame-Options
  4. noscript.liveConnectInterception - java liveconnect blocking
  5. noscript.inclusionTypeChecking - cross site script mime type enforcing
  6. noscript.nosniff - more mime enforcement
  7. noscript.injectionCheck - xss checking from whitelisted origins
  8. noscript.forbidBGRefresh - blocking background tab refresh (tabnapping protection)
  9. noscript.surrogate.enabled - injection of scripts into content: 1, 2, 3, 4
  10. noscript.toStaticHTML - surrogate based window.toStaticHTML implementation
  11. noscript.clearClick.rapidFireCheck - double-clickjacking protection
  12. noscript.xss.checkInclusions - blocking of cross site scripts whose URLs are passed to the including page as URL parameters
  13. noscript.removeSMILKeySniffer - Protection against scriptless keylogging using SMIL animation elements that are triggered by keystrokes. [Removed in NoScript 2.9.5rc21 - viewtopic.php?f=8&t=25577]
  14. noscript.dropXssProtection - blocking the drag and drop of javascript: and data: URLs
  15. noscript.sanitizePaste - Additional HTML cleanup when pasting formatted text into content-editable elements.
Anything else?

Ideally they would all be in the UI, listed side by side, with their enabled state visible, and their additional options available upon selection.
Last edited by al_9x on Mon Nov 28, 2011 9:19 am, edited 8 times in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: NS protection modules not surfaced in the GUI

Post by tlu »

I agree. Another candidate would be noscript.injectionCheck, although explained on http://noscript.net/features#xss
Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110301 Firefox/4.0b13pre
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: NS protection modules not surfaced in the GUI

Post by dhouwn »

noscript.forbidBGRefresh
http://noscript.net/changelog#1.9.9.81 wrote: Experimental blocking of page refreshes happening inside untrusted unfocused tabs, should provide protection against Aviv Raff's scriptless "tabnapping" variant. Enabled by default, can be controlled through the noscript.forbidBGRefresh about:config integer preference:
  0 - no blocking
  1 - block refreshes on untrusted unfocused tabs
  2 - block refreshes on trusted unfocused tabs
  3 - block refreshes on both trusted and untrusted unfocused tabs
Address patterns matching pages which shouldn't be affected can be listed in the noscript.forbidBGRefresh.exceptions preference
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b12) Gecko/20100101 Firefox/4.0b12
tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: NS protection modules not surfaced in the GUI

Post by tlu »

There are many others, like the ones mentioned on http://noscript.net/features#options

After rethinking the issue I came to the conclusion that it doesn't really make sense to include all those settings in the GUI as it would become completely cluttered. I trust that Giorgio has set the most appropriate values as the defaults in about:config. Anything else is for advanced users - they will occupy themselves with http://noscript.net/features and http://noscript.net/faq anyhow. But I agree that 1-6 in the first posting should definitely be added to the documentation and not only be discussed on hackademix.net and in the forum. Probably a good idea would be a structured summary of all those "hidden" settings.
Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110301 Firefox/4.0b13pre
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: NS protection modules not surfaced in the GUI

Post by al_9x »

The purpose is not to enumerate every hidden option, but to identify the hidden modules of NS functionality addressing specific threats/vulnerabilities beyond the well known ones already covered by the gui.

So not every hidden option needs to be exposed, but when a new protection is added for a new threat, an option that toggles it, should be surfaced, I think. An advanced user would likely want to know what NS does in general and also be able to tell at a glance which of the full repertoire of protections are currently active. This is useful for troubleshooting, discovery.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NS protection modules not surfaced in the GUI

Post by Tom T. »

tlu wrote:There are many others, like the ones mentioned on http://noscript.net/features#options
Which is a good place for both novice and advanced users to learn more about NS, at their own pace.
tlu wrote:After rethinking the issue I came to the conclusion that it doesn't really make sense to include all those settings in the GUI as it would become completely cluttered.
And that novice or average home users, with whom most power-users can't empathize, are already confused and intimidated enough. Search for the hundreds or thousands of posts: "I use NS, but my spouse/parent/child/grandma/significant other doesn't want anything to do with it".

Like this one. (note the P.S.)
tlu wrote:I trust that Giorgio has set the most appropriate values as the defaults in about:config. Anything else is for advanced users - they will occupy themselves with http://noscript.net/features and http://noscript.net/faq anyhow.
Agree 100%.
tlu wrote:But I agree that 1-6 in the first posting should definitely be added to the documentation and not only be discussed on hackademix.net and in the forum. Probably a good idea would be a structured summary of all those "hidden" settings.
Ideally, I'd like to see each feature and setting have its own FAQ. I long ago discussed with Giorgio the idea of a compiled html help file, and a NS menu entry for it. (Even now, adding a "Help" item to NS Menu that merely links to NoScript FAQ would encourage more users to read the FAQ). But with releasing NS 3 for Mobile, trying to get the NS 3 Desktop version out...

Perhaps you'd care to draft such a structured summary, and perhaps Giorgio would add it to the features and/or FAQ?
al_9x wrote:So not every hidden option needs to be exposed, but when a new protection is added for a new threat, an option that toggles it, should be surfaced, I think.
As has been said, the power-users who are most likely to want to learn about the new protection, or configure the new setting, are most likely to accept the automatic redirect to the changelog, or at least, to visit it at their convenience.
al_9x wrote:An advanced user would likely want to know what NS does in general ...
Agree. Ideally, all capabilities would be listed in the NoScript "Features" Page, even if that were to require expandable titles for the sake of not cluttering the page, or lists of features/settings which link to another page within the site. The idea being to make the features page all-inclusive, but neither cluttered nor intimidating to new users. Along those lines, I'd suggest listing them, not alphabetically, but grouped by user-level: Basic (script and object permissions, etc.), Intermediate (ABE? XSS exceptions?) and Advanced (the kind of stuff listed in the OP, that only real techies are going to look at -- or understand.)
al_9x wrote:... and also be able to tell at a glance which of the full repertoire of protections are currently active. This is useful for troubleshooting, discovery.
Also a nice feature, but to avoid GUI clutter, perhaps a single button or tab in the Advanced page, something like "Show status of advanced configuration settings", which would merely call to about:config and reprint the pertinent items in a simple text box -- but listed one line each, with a scroller if necessary, rather than the line-wrap format of, say, the HTTPS listings?

Very thoughtful thread here.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
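
Added example, not part of any post in this thread and not NoScript code: a Node.js script that produces the one-line-per-setting status listing discussed above from the text of a profile's prefs.js. The preference names come from the first post and the forbidBGRefresh meanings from the quoted changelog; the function names and the sample input are constructed for illustration, and values are assumed to be JSON-compatible literals.

```javascript
// Preference names as listed in the first post of this thread.
const MODULES = [
  "noscript.STS.enabled", "noscript.doNotTrack.enabled",
  "noscript.frameOptions.enabled", "noscript.liveConnectInterception",
  "noscript.inclusionTypeChecking", "noscript.nosniff",
  "noscript.injectionCheck", "noscript.forbidBGRefresh",
  "noscript.surrogate.enabled", "noscript.toStaticHTML",
  "noscript.clearClick.rapidFireCheck", "noscript.xss.checkInclusions",
  "noscript.removeSMILKeySniffer", "noscript.dropXssProtection",
  "noscript.sanitizePaste",
];

// noscript.forbidBGRefresh values, as given in the changelog quoted above.
const BG_REFRESH = [
  "no blocking",
  "block refreshes on untrusted unfocused tabs",
  "block refreshes on trusted unfocused tabs",
  "block refreshes on both trusted and untrusted unfocused tabs",
];

// Parse user_pref("name", value); lines from prefs.js text. Assumes values
// are JSON-compatible literals (true/false, numbers, double-quoted strings).
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\("([^"\\]+)",\s*(.*)\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything else
    try { prefs.set(m[1], JSON.parse(m[2])); } catch (e) { /* skip malformed */ }
  }
  return prefs;
}

// One line per module. prefs.js stores only values changed from the default,
// so an absent preference is reported as unmodified, not as on or off.
function statusReport(text) {
  const prefs = parsePrefs(text);
  return MODULES.map((name) => {
    if (!prefs.has(name)) return `${name}: default (not in prefs.js)`;
    const v = prefs.get(name);
    const meaning = name === "noscript.forbidBGRefresh"
      ? ` (${BG_REFRESH[v] || "unrecognised value"})` : "";
    return `${name}: modified = ${JSON.stringify(v)}${meaning}`;
  });
}

// Constructed sample input, not taken from a real profile.
const SAMPLE = [
  "// Mozilla User Preferences",
  'user_pref("browser.startup.page", 3);',
  'user_pref("noscript.STS.enabled", false);',
  'user_pref("noscript.forbidBGRefresh", 3);',
].join("\n");
console.log(statusReport(SAMPLE).join("\n"));
```

A preference reported as "default" still needs its default value looked up in about:config, since prefs.js does not record it.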
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: NS protection modules not surfaced in the GUI

Post by Identities Infinite »

I think this is a good start. I am in favour of the compiled HTML file. If ever it happens I think it should be laid out as name, type [boolean, integer, string], value as default, verbose description, caveats if any. This would help me as an advanced user because there are a plethora of unexplained options that I could possibly modify to enhance security. For now I am stuck with the change log, options and features pages.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120227 Firefox/12.0a2 Firefox/12.0a2
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: NS protection modules not surfaced in the GUI

Post by Identities Infinite »

junyiguoji, your post confused me. I had to infer from memory and if correct you are listing the values of the BG preference [can not recall the whole name at the moment]. If you are trying to explain what it does it would be helpful to everybody if you put the name before the values. If not I have no idea what your point is.

What really confuses me is the link that has something to do with the acquisition of gold. If that is a signature of some kind this forum does not insert a separator between people's posts and signatures which gives me the impression it is all included in the post.

Edit: The post is now gone. Not sure if I was seeing things haha.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120227 Firefox/12.0a2 Firefox/12.0a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NS protection modules not surfaced in the GUI

Post by Tom T. »

Identities Infinite wrote:... I am in favour of the compiled HTML file. If ever it happens I think it should be laid out as name, type [boolean, integer, string], value as default, verbose description, caveats if any.
But it shouldn't consist *only* of about:config settings. The GUI itself, each tab, each choice on that tab, should be in such a Help file. Low-tech users will look at the GUI first, and want explanations for those. They may not be comfortable with about:config, especially after MZ (Mozilla, standard abbreviation; is that OK, or am I exceeding your abbreviation capacity? -- and is there any way to edit JAWS to enter new abbreviations and their expansions?) added the dire warning the first time a user opens about:config, something like, "This may void your warranty!" (Like Firefox, or any other freeware, has a warranty, ha ha) Then you have to check a box, "I'll be careful, I promise". And check "Don't show this warning again", if I remember correctly. That will scare off low-tech users from about:config, which is probably just as well. Just as Windows hides system folders by default, to prevent accidental foobars by those who shouldn't be messing with them.

As for the jumbled username and acquisition of gold, that is just one of thousands of spams that are removed by your diligent Moderators. Profiles with spam-link signatures are banned, as is any user who posts a spam link, whether in the message body or the signature. Pay no attention to such things.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: NS protection modules not surfaced in the GUI

Post by Identities Infinite »

I always thought the GUI is so straightforward. In that case the entire add-on should be documented which would make it a full-fledged no-holds-barred help system. I think it would be fascinating if F1 activated compiled HTML documents in add-ons like it does Password Safe for example. I never heard of MZ as an abbreviation for Mozilla but you can use it because I now know what it is. Since those are not official I would have to enter those in JAWS's pronunciation dictionary and after that I would not know the difference between one spelling it in full and one abbreviating it. When I noticed that message it said something about dragons. I did not know at that time it was not to be taken seriously thereby causing confusion. I unchecked the box, pressed the button and never encountered it since. Does the about:robots follow in the same vein? I never understood that page either alongside about:mozilla.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120227 Firefox/12.0a2 Firefox/12.0a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NS protection modules not surfaced in the GUI

Post by Tom T. »

Identities Infinite wrote:I always thought the GUI is so straightforward.
Well, you yourself asked about the meaning of collapsing a blocked object....
Many readers might be unfamiliar with META redirections, <a ping>, and other elements of the GUI. They can research them on the Web, but sometimes such articles are very technical. A brief explanation might help in knowing the consequences of allowing or denying them, thus helping the decision.
Identities Infinite wrote:In that case the entire add-on should be documented which would make it a full-fledged no-holds-barred help system.
That would be ideal. If someone would donate enough money, we could hire someone to work full-time on that. (Maybe me -- KIDDING!)
Identities Infinite wrote:I think it would be fascinating if F1 activated compiled HTML documents in add-ons like it does Password Safe for example.
When I suggested the CHM to Giorgio, of course I also suggested such a hook, but it would have to be inside the GUI. Right now, F1 opens Firefox Help.
Other add-ons would have to add such special hooks also, to avoid the conflict with Firefox Help.
Identities Infinite wrote:When I noticed that message it said something about dragons. I did not know at that time it was not to be taken seriously thereby causing confusion. I unchecked the box, pressed the button and never encountered it since.
I don't know what box you unchecked and what button you pressed.
Identities Infinite wrote:Does the about:robots follow in the same vein? I never understood that page either alongside about:mozilla.
I had never heard of either. They appear to be jokes created by bored programmers. Such hidden jokes are colloquially called "Easter Eggs", in the sense of hunting for them. In one version of Windows, a certain key combination produced a picture of the Microsoft campus (building and grounds).

Whilst messing about with Open Office, I discovered a video game hidden inside. I complained at their forum. They shrugged it off as taking up very little space, relatively, and that "everybody does it". Exactly. If every programmer on every project adds her/his pet code or comment, the total space wasted accumulates. This is why my Windows folder is only 178 MB, and my entire hard drive usage is about 900 MB. I got rid of the unnecessary.

Also, the Open Office, which seems to have a number of German programmers, included a comment or remark, hidden in the code of a single code file, that was insulting to Americans. ... and to think that we saved their butts in World War 2, laugh out loud.

By the way, since about:config is difficult to navigate, you can use Firefox Help Menu, Troubleshooting Information, and the third table that displays lists "Modified Preferences", with only name and value. This is much smaller and easier to navigate than about:config, but of course you want to know about the unmodified ones, too. Just passing along a tip, for all reading this.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NS protection modules not surfaced in the GUI

Post by therube »

Hey if it's good enough for Boris Zbarsky (though I would digress) ;-).

The cost of adding preferences exposed in the UI
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a2) Gecko/20120227 Firefox/12.0a2 SeaMonkey/2.9a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NS protection modules not surfaced in the GUI

Post by Tom T. »

Very interesting and informative link, thanks.
Will save for explaining in some RFEs why every GUI RFE can't be implemented.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NS protection modules not surfaced in the GUI

Post by Tom T. »

(There was a conversation between Identities Infinite and me that became quite O/T, regarding removing unneeded components from OS. Split to new topic here.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: NS protection modules not surfaced in the GUI

Post by Identities Infinite »

For what is RFE an abbreviation? I read it countless times in the change log and still do not understand.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120228 Firefox/12.0a2 Firefox/12.0a2
Locked