Where is "Untrusted Menu"?

[FoamHead]

I recently started using NoScript again and I'm unable to find any list of blocked/untrusted sites. According to FAQ Question 3.10:

Just reopen the Untrusted menu (on the same page as before) and you'll find the Allow good-site.com command there.

In the NoScript Options panel (the only panel AFAIK), I only see General, Whitelist, Plugins, Appearance, Notifications, and Advanced tabs. There is no "Blacklist" or "Untrusted list" and all of the tabs I see don't have anything close to a list of blocked sites. I seem to remember NoScript having such a list like the FAQ mentions, but I cannot find it. Am I missing it or is this a NoScript problem?

Using NoScript version 1.9.1.91 with FireFox 3.0.8.

Thanks,
-Foam

[therube]

That Untrusted menu is the context menu (right or left click) on the NoScript icon.
In order for the Untrusted menu to appear, the current web page (it's domain) must not be Allowed.
Only the current pages domain will show on the Untrusted menu.

So say ...
You are on google.com, & mark that as Untrusted
While still on google.com, if you revist the Untrusted (l/r-click context menu), you will be able to (re)Allow google.com

Now if ...
You load another page, say yahoo.com
At that point the Untrusted menu (& assuming yahoo.com is not allowed) would only show (give the option) to mark yahoo.com as untrusted. You would not see the previously marked google.com on the Untrusted menu until you revisited google.com

(Confusing if you ask me.)

Otherwise ...
You could go into about:config & examine the Preference item, noscript.untrusted
Or NoScript | Options -> Whitelist => Export
The exported file would contain a section Tag, [UNTRUSTED] with the untrusted domains listed there.

[FoamHead]

So the NoScript Options panel does not display nor allow you to manage your untrusted sites? Hrmph. That's a little disappointing and hopefully something they will improve in the future...

Thanks for the quick reply .
-Foam

[Tom T.]

So the NoScript Options panel does not display nor allow you to manage your untrusted sites? Hrmph. That's a little disappointing and hopefully something they will improve in the future...

Thanks for the quick reply .
-Foam

First, please note that NoScript denies the entire planet by default. "Everything" is blocked unless and until you specifically allow it.

There is also a configuration choice which will cause any site that you forbid to be added to "untrusted".
In Firefox address bar, type about:config
In the Filter bar, type forbidIm (that's a capital "i", not a little "L") You can type the entire variable that you're about to see, but that's enough letters to bring it up. This brings up noscript.forbidImpliesUntrust The default value is "false". Double-click it to toggle to "true", then close the about:config window.

You can get even fancier and edit your Firefox profile folder file, prefs.js, but why bother? (and risk breaking something) It is easy to add sites to Untrusted merely by opening the menu from the top toolbar arrow or from the lower (status bar) icon, then point to "Untrusted", and click those sites you wish to add to your list. You can later remove any site from the Untrusted list by going to the site where it was displayed (or any site that tries to run it, in the case of third-party scripts), opening the NS menu as above, pointing to Untrusted, then either "temporarily allow" (for this session only) or "permanently allow" (remove from Untrusted and add to Whitelist).

This seems like pretty thorough management to me, and even easier than having to open the NoScript Options user interface. If there is something else you would like to do to your list, let us know, but I think this covers about everything. Cheers.

[FoamHead]

My use case for NoScript has sites broken down into three basic groups: good, bad, and unknown. In the good and bad cases, I want NoScript to show/disable scripts but don't bother telling me since I *know* they are good/bad already. For unknown, it should tell me what was blocked so I can evaluate if I want to add it to good or bad.

My good category matches the trusted list and my unknown category matches what NoScript does with unknown scripts. While my bad category is supported by NoScript's untrusted list, support for the untrusted list is a little weak; viz-a-viz no clear user interface to view/manage them. So if I read about a tracker site in some forum post and I *know* I want to disable them, I don't have a clean way to add it to NoScript's untrusted list. If they didn't give an example URL I can go to, my only options are to either edit prefs or about:config. Even tho I'm comfortable editing those things (and we know others aren't), it's so easy to make a mistake or miss a variation (e.g. doing http://foo.com but forgetting https://foo.com).

Taking this to the nth degree, I can imagine a community site that keeps a list of "known tracker, advertising, and otherwise annoying" sites. It'd be nice if I could just visit that list, see what's changed, and easily update NoScript to silently block those sites.

Now I agree, this isn't a high traffic use case for NoScript. The only thing adding to the Untrusted list buys you is silencing the notification. But since all of the interface is already there for the Whitelist, it should be very simple to add a new "Blacklist" tab. And besides, don't you think people would get a small cool factor from seeing the list of sites they've blocked?

The one side note of this is you can clean up the fact that the Whitelist tab's Import/Export also includes the untrusted list. Instead of adding a Blacklist tab (which would further confuse the Import/Export), you could change Whitelist to "Manage Sites" or "Manage Lists" or something. Then you'd have one sub-tab for Whitelist and one for Blacklist. By putting the Import/Export under "Manage Sites", it'd be clearer that it imported/exported both trusted and untrusted sites.

Another nice reply from the NoScript community. Thanks, guys .
-Foam

[Alan Baxter]

Taking this to the nth degree, I can imagine a community site that keeps a list of "known tracker, advertising, and otherwise annoying" sites. It'd be nice if I could just visit that list, see what's changed, and easily update NoScript to silently block those sites.

I don't bother to use the Untrusted menu much. I rarely allow more than the top-level site, and then only when necessary. Necessary third-party sites I frequently use are added to my whitelist, e.g. ytimg.com. But, when I get tired of seeing the same unnecessary third-party site appearing in my NoScript menu over and over, I sometimes mark it untrusted. I use the EasyList and EasyPrivacy lists for ideas on what sites might be moved to the Untrusted category safely. http://adblockplus.org/en/subscriptions. Your mileage may vary.

Also, 1300 sites are listed here that drop tracking cookies. http://www.ca.com/us/securityadvisor/pe ... ing+cookie

[FoamHead]

Also, 1300 sites are listed here that drop tracking cookies. http://www.ca.com/us/securityadvisor/pe ... ing+cookie

Wow. That's more than I expected. Following the road I started on, the best case would be for NoScript to have some configurable options that would allow for automatically adding all tracking script sites to the untrusted list. This would require a NoScript to have lots of "update me" functionality and configuration in addition to a ton of space to hold this large of a list. That's quite a lot of work just to suppress the notification of the "noise"...

I think I need to look at using NoScript a little differently. Either:

1) I just ignore the noise of uncategorized stuff. The only down side to this is I'll quickly stop noticing the blocked scripts (because they'll be practically everywhere) and I'll get to a web page that doesn't work right and wonder why. Stupid, yes, but months from now when my nephew comes to visit, I'll spend 10 minutes wondering why disney.com doesn't work right.

2) Keep using the "scripts blocked" notification as something I need to look at, but find a better way to evaluate which are trusted/untrusted. Since I won't be visiting sites that have all 1,300 tracking scripts, all I need is a quick and reliable way to determine which sites are worth marking untrusted when I encounter them. I'll try the links you provided, but perhaps a list of these would be worthwhile in the FAQ or as a forum sticky? Regardless, the dream case for this would be a way to ask NoScript to look up the info when requested so I can eliminate the known bad ones with two clicks.

I'd still like to do #2, but I get the feeling most NoScript users do #1 and ignore all notifications while leaving the untrusted list empty. However, the fact that "Temporarily allow all on page" does not allow untrusted scripts to run tells me that NoScript is, at some level, meant to operate per option #2. Perhaps the question this thread should be asking is should NoScript do more to support option #2?

Thanks again for the continued info .
-Foam

[Tom T.]

Also, 1300 sites are listed here that drop tracking cookies. http://www.ca.com/us/securityadvisor/pe ... ing+cookie

Forgive me, Alan, but NS is not a cookie manager. There are plenty of tools to do that, although I find Fx's built-in cookie management quite adequate.

Since I won't be visiting sites that have all 1,300 tracking scripts,

A tracking script is not the same as a tracking cookie. NS is intended to block scripts and other executables, which a cookie isn't, although undoubtedly a lot of cookies get blocked along with the scripting. I'm with you in using Mode #2.

all I need is a quick and reliable way to determine which sites are worth marking untrusted

There isn't one. If there were, it would be obsolete the minute it was published. Also, one person's trusted meat is another's poison.
IMHPO (personal, not necessarily representing the forum or developer), I use the "Occam's Razor" test: Only those scripts, cookies, plug-ins, etc. that are absolutely required for the function I want are possibly allowed, even if the rest of the page is broken, regardless of how trustworthy the other scripts might be. Cuts the decision universe enormously. Those that survive that first cut are then triaged by trustworthiness. As for the others, unless I can foresee needing them some day, they go immediately to "untrusted" as soon as I forbid them, using the Fx config described a few posts above. Of course, they can always be retrieved, if needed, by pointing to "Untrusted" and temp-allowng.

I rather like the idea of renaming the "Whitelist" tab the "Whitelist/Blacklist" tab, including both -- might be less work for Giorgio than adding a second tab for "Blacklist", but if he'd rather add the tab, cool. But the combo tab would consist of nothing more than the W/L from prefs.js and the B/L from the same file, with some *********************** type lines in between to separate them. Then, as you say, you could manually make or remove entries to either without either going to the site or digging into about:config or prefs.js.

Thanks for stimulating the thinking process. Anyone else have any thoughts on this possible feature request?

[Alan Baxter]

Also, 1300 sites are listed here that drop tracking cookies. http://www.ca.com/us/securityadvisor/pe ... ing+cookie

Forgive me, Alan, but NS is not a cookie manager. There are plenty of tools to do that, although I find Fx's built-in cookie management quite adequate.

You're forgiven. You can't seriously think I was recommending NS as a cookie manager. The OP asked for a list of sites which shouldn't be allowed to run scripts. I gave him three good ones. IMO, sites that drop tracking cookies, no matter what the mechanism, probably shouldn't be allowed to run scripts either. Implicit in my recommendations is the futility of a community blacklist, which is utterly opposed to the NoScript security mechanism.

[GµårÐïåñ]

My two cents, I think having a visual dedicated tab for untrusted (or blacklist) would be nice to have along side the whitelist. If for nothing else than batch management like we do with the whitelist. For me its not a huge deal but I can see how it would be a feature that is nice to have and I don't think from a developer's perspective a difficult thing to do. Most of the features would be a reverse-duplicate of the whitelist (Allow -> Block, Remove the Revoke Temporary Permissions button) and the rest is exactly the same.

[Tom T.]

IMO, sites that drop tracking cookies, no matter what the mechanism, probably shouldn't be allowed to run scripts either.

You mean like Google?

I agree with Guardian on the usefulness of the proposed feature. I have no idea what work that entails, but if Giorgio can do it, the more I think about it, the more I like it.

[Nan M]

+1 with Alan Baxter.
At least while there is a single NS version for all classes of user; the interface has enough pressure from necessary security options already.

[GµårÐïåñ]

+1 with Alan Baxter.
At least while there is a single NS version for all classes of user; the interface has enough pressure from necessary security options already.

The interface brings no more stress than already exists by the function of NS managing untrusted items. Parsing and maintaining the permission will cost overhead and already it does, the interface is a simple display of what is already going on, nothing more and bears no more stress at all.

[Nan M]

+1 with Alan Baxter.
At least while there is a single NS version for all classes of user; the interface has enough pressure from necessary security options already.

The interface brings no more stress than already exists by the function of NS managing untrusted items. Parsing and maintaining the permission will cost overhead and already it does, the interface is a simple display of what is already going on, nothing more and bears no more stress at all.

Howdy Guardian,

I repeat, from the plain users' point of view, the interface itself has enough pressure - I didn't mention stress anywhere; it's getting full of detail that needs to be read, comprehended and filtered by the user.
To support my assertion, look at the numbers of times users have asked in this forum where they may configure basic things.
My point has nothing to do with anything going on under the hood, which I have every trust in the developer to manage, and besides which, most users understand that functions may be selectively toggled to reduce stress on the workings of most apps.
Although, now that you've introduced this angle, I wonder how long it would take before those with large imported blacklists, once the UI made the configuration a mouse click handy, would come to complain that "NS is teh slowdown"?
Your needs, as a security professional are of course a lot different to our plain users' ones, and I fancy your desire for finest possible control doesn't reflect our plain users' needs at times
Which is why I wondered in my first post about a development of separate interfaces for different kinds of users.

I mean, that's all this thread is about isn't it? Adding another tab to the UI and another paragraph to the FAQs and another paragraph to the Features? For what? Convenience for power users.

[GµårÐïåñ]

I agree with you in spirit but the fact is that the people who have brought up this request past and present have always been dominated by the non-power users. In fact I stated that for me it makes no differences as I know where they are and how to tweak them, for me its a nice to have, not a need to have. I am sorry that I confused your statement about overhead as an under the hood issue but since you translated it over to the large list GUI slowdown, it is no different than having a large whitelist and the timing should be no worse for the wear. As for the "clutter" factor and the users' inability to understand where everything is, you can't expect a solution to dumb itself down because users who use a solution get confused, they need to understand how to use it or settle for the default options provided by the author of the addon. Either way, I am neither pushing for it, nor am I not pushing for it, for me its a nice to have that if implemented I would be pleased to have it and if not, I will lose no sleep.