Clarifications about noscript configuration

arroy_0208

Post by arroy_0208 »

In view of the fact that many sites use javascript for full functionality, which poses a security threat, I would like to get some clarifications regarding how to configure noscript optimally.

I often visit one blogsite where at the end of each discussion there is a link for comments which I notice appears only if I allow js-kit.com in noscript temporarily. The purpose of the website is to let the reader write his/her comments in the window which opens if the "comments" link is clicked. In case I do not allow it in noscript, the link for "comments" doesn't even appear on the website (there is a blank there in that case). If I move the mouse over the "comments" link, I see the remark: "javascript:void(0)" at the bottom of firefox. I have allowed js-kit.com after getting a hint from reliable sites like mcafee, which says they have not found any malicious object in that website. Please tell me if I have taken the right decision by allowing js-kit.com temporarily. If not, please suggest what I should do instead.

Second, when I open that page, at the bottom of firefox, I get this information: scripts partially allowed, 7/26 (gstatic.com, google-analytics.com, google.com, youtube.com, ytimg.com, js-lit.com, motls.blogspot.com):SCRIPT<326>:OBJECT<2>. Can anybody please explain what is implied here? It appears noscript is allowing 7 out of 26 scripts but then what does script<326> mean? What about the object? How can I use this information?
Last edited by Tom T. on Thu Sep 15, 2011 9:58 am, edited 1 time in total.
Reason: Questions weren't answered; didn't appear to be fully resolved
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.22) Gecko/20110905 Ubuntu/10.04 (lucid) Firefox/3.6.22
therube

Re: Clarifications about noscript configuration

Post by therube »

Based on what you said, if you want to reply, then you need to allow js-kit.com.
If you have concerns, then you do not allow js-kit.com, & don't reply.
You really have no other choices.

URL where this happens?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20110910 Firefox/7.0 SeaMonkey/2.4
arroy_0208

Re: Clarifications about noscript configuration

Post by arroy_0208 »

Thanks for your reply. The concerned website is: http://motls.blogspot.com/ Notice that, at the end of each discussion there, there are links like: Posted by Motl at ... PM | slow feedback (0) | Comments (12) | Links to this post |. Now the "Comments" link works only if js-kit.com is allowed by noscript.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.22) Gecko/20110905 Ubuntu/10.04 (lucid) Firefox/3.6.22
Tom T.

Re: Clarifications about noscript configuration

Post by Tom T. »

arroy_0208 wrote:
|snip> Second, when I open that page, at the bottom of firefox, I get this information: scripts partially allowed, 7/26 (gstatic.com, google-analytics.com, google.com, youtube.com, ytimg.com, js-lit.com, motls.blogspot.com):SCRIPT<326>:OBJECT<2>. Can anybody please explain what is implied here?

The Google and YouTube scripts (including ytimg.com) were added to the default whitelist because many low-tech users found that their favorite sites didn't work after they installed NoScript, didn't want to be bothered with configuration, and uninstalled it, or else posted here for help (it's in the FAQ). Anyone can delete these from the whitelist, and enable them on a temporary basis if needed. By default, NoScript will send surrogate scripts to google-analytics and many other data-miners, which contain no personal information but make the page happy that you ran it, if required. I prefer to keep the data-miners and ad scripts untrusted unless needed, though I do visit YouTube and hence leave the two required scripts in the whitelist. You still have to allow an individual video per session, if you keep Flash default-denied, as it should be for highest safety. (Options > Embeddings).

If you would like to see the list of surrogate scripts provided by NoScript as "safe" replacements for various data-mining companies, type about:config in the address bar, then type "surrogate" in the Filter Bar.

arroy_0208 wrote:
It appears noscript is allowing 7 out of 26 scripts but then what does script<326> mean? What about the object? How can I use this information?

It's allowing 7 out of 26 domains, but one domain - especially the site you are on - may run many, many scripts.

That is one ugly website. I saw only 153 scripts running (mostly from that site) but often, when you allow some, others are called, in "cascading" fashion. That definitely breaks my personal experience record of seeing 122 scripts running while using Yahoo! Mail, even though all 3rd-party scripts are blocked. Sites just get more and more complex.

If you want to see the complete list of individual scripts running, or even read the text of the scripts, the JSView add-on is great.

If you are concerned about having to allow scripting from sites you don't really know - which we all should be, really -- you may wish to consider using a "virtualizing" or "sandboxing" tool so that nothing from the web site can write to your hard drive, or otherwise affect things outside the browser's sandbox. It isn't perfect, but it's a great addition to your "defense in depth", and a couple of Mods here do this. We get asked to go to some pretty hinky places. ;)

I *personally* have been happy with Sandboxie, but please keep in mind that that is a personal opinion only; this forum and its developer cannot be responsible for third-party products. If you search the forum for "Sandboxie", I've written about it in a few different places. There are many similar products out there - review each carefully before deciding.

I hope this helps.

Edit: Not sure why this was marked "Resolved", when the OP's questions had not all been answered. Unresolving it for now. (removing the Resolved tag).
Last edited by Tom T. on Thu Sep 15, 2011 10:05 am, edited 3 times in total.
Reason: isn't resolved yet
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.21
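
Added example (not part of any post above, and not NoScript's own code): it illustrates the distinction in the last reply between the number of script sources allowed and the number of individual scripts running, by grouping a page's scripts by site and checking each site against a whitelist. The script paths, example.net, the whitelist contents and the two-label grouping rule with a one-entry suffix list are constructed assumptions.

```javascript
// Added example: constructed data and a simplified grouping rule, not NoScript's implementation.
// Assumption: a tiny stand-in for the Public Suffix List, enough for this sample.
const MULTI_TENANT_SUFFIXES = new Set(["blogspot.com"]);

// Reduce a hostname to the site name a whitelist entry would carry.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_TENANT_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// scripts: absolute or relative src URLs; null stands for an inline <script>.
function summarizeScripts(pageUrl, scripts, whitelist) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const perSite = new Map();
  for (const src of scripts) {
    // Inline scripts belong to the page itself, so count them under its site.
    const site = src === null ? pageSite : siteOf(new URL(src, pageUrl).hostname);
    perSite.set(site, (perSite.get(site) || 0) + 1);
  }
  const sites = [...perSite.keys()].sort();
  return {
    allowedSites: sites.filter((s) => whitelist.has(s)),
    blockedSites: sites.filter((s) => !whitelist.has(s)),
    totalSites: sites.length,
    totalScripts: scripts.length,
    perSite: Object.fromEntries(perSite),
  };
}

// Constructed sample: three inline scripts plus six external ones.
const sampleScripts = [
  null, null, null,
  "/constructed/local.js",
  "http://www.google-analytics.com/constructed-a.js",
  "http://js-kit.com/constructed-b.js",
  "http://js-kit.com/constructed-c.js",
  "http://s.ytimg.com/constructed-d.js",
  "http://ads.example.net/constructed-e.js",
];
const sampleWhitelist = new Set(["motls.blogspot.com", "js-kit.com", "ytimg.com"]);
const report = summarizeScripts("http://motls.blogspot.com/", sampleScripts, sampleWhitelist);
console.log(`${report.allowedSites.length}/${report.totalSites} sites allowed, ` +
  `${report.totalScripts} scripts in total`, report.perSite);
```

The blockedSites list is the part to review before allowing anything: each entry is one whitelist decision, however many scripts sit behind it.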