Blacklist manager

[J.L.]

Just like the whitelist manager in NoScript options, I think there should be one for our blacklisted (untrusted) items. I'd much prefer it if I can add/remove items without visiting the potentially malicious domain.

Please consider this feature in future releases, or provide me an easy way to do such things (i.e. not via about:config or prefs.js).

[Tom T.]

Without directly addressing the request, I'd just like to note that my own Untrusted list built itself naturally over the years, mostly as third-party scripts tried to run at legit and trusted sites I was visiting. They'd show in the NS menu, typically ad agencies, data-miners, trackers, etc.

I think this has come up before, and the general feeling was that because NS, by default, blocks *all* scripting, unless you specifically whitelist it or Temp-Allow it, there's not that much need to "manage" the blacklist. It's only there so that those same undesired parties don't keep showing up in the Menu. If they do, "mark as Untrusted".

I'm having a hard time picturing a scenario in which you want to blacklist badsite.com without actually visiting it. If it tries to run script at the sites you visit, a couple of clicks get rid of it forever. If it doesn't, then it's not an issue. Can you provide a specific such scenario?

Not arguing against (or for) this feature; just not really perceiving the need. Specifics might help.

[J.L.]

I'm actually running in blacklist mode for conveniences sake. Otherwise, I would've stayed off NoScript, being too annoying to use.

Therefore, a blacklist manager would be great. Also removing blacklists and editing them will be much easier as well.

Then, there's the safety issue. I'm running a security fortress (virtualization, whitelists, restrictions, behaviour analyzing, network filtering, blacklists, imaging, etc.), so that's not an issue for me. As for other users who visits the site with a malicious script running, that's problematic.

I like looking at online resources for which javascript websites to block as well.

[Tom T.]

I'm actually running in blacklist mode for conveniences sake.

Do you mean, with scripting allowed globally, except for your blacklist?

Then, there's the safety issue. I'm running a security fortress (virtualization, whitelists, restrictions, behaviour analyzing, network filtering, blacklists, imaging, etc.),

All of that, and yet,

Otherwise, I would've stayed off NoScript, being too annoying to use.

Huh?

If you are doing all that, the minimal configuration of whitelisting your most-visited and trusted sites, one-time blacklisting of others as they show, and allowing NS to default-deny others, temp-allowing if needed once in a while, seems a rather minor inconvenience compared to the other laudable efforts.

I too have additional safety measures beyond NS. For someone to be tech-savvy enough to do all that you said, running NS should be almost automatic and effortless.

I still don't see a reason to support this. Of course, opinions from other users are welcome.

Edit: Corrected unintended "whitelist" to "blacklist"".

[J.L.]

Yes, and the "whitelist" have embedding restrictions.

I visit far more websites than install programs. My security in place is more static, with all-encompassing whitelists. With NoScript, allowing every website and their necessary third-party elements is a nuisance. It's basically like 10 seconds vs 5 minutes a day.

I see more than enough reason, adding/removing/editing untrusted items should not be harder than trusting them. Merging it with the whitelist tab is fine as well..

[Boot]

In regard to blacklisting , it is what got me here as i was actually searching for a way to block specific scripts / messages i am getting ( they are reoccurring and i don't know the origin for certain ) other than i am using Facebook and playing one of the online games when they occur ( i do use some bookmarks to help run the game , from outside sources ) , windows xp gives the option to manually stop the script when it appears and they appear when the cpu is bogged down by them and stops responding, so it would seem highly beneficial to copy & paste these scripts to a block list because not knowing the exact origin for certain, but if they are generated from Facebook or the game owners website then blocking that site or sites will cause the game not to run and it may be that it is not a malicious script but a problematic few scripts that once stopped the game will run normal, also similarly if it has to do with the independent bookmarks i am using then that can be determined by stopping them individually , now that web site offers over 30 bookmarks, 6 of which i use , but by blocking the site i will block access to all bookmarks by the sounds of it. Hope this explains it and hope you have some insight on this . As we speak i installed "No Script" but now the game won't run , i allowed Facebook & Zynga ( Game owner ) as far as i can tell unless they go by multiple names not matching their main names and not clearly indicated as associated with Facebook or Zynga, but the game won't work so i may have to uninstall if i can't manage the settings , but if i could enter only the specific scripts based on the messages it seems to be exactly what i needed to stop specific scripts interfering with the game and cpu, thanks for offering feedback

[Tom T.]

In regard to blacklisting , it is what got me here as i was actually searching for a way to block specific scripts / messages

"Messages" are different from "scripts". What messages?
Can you provide a list of messages, and from where?
Screenshots of the screen with these messages, and with NoScript menu open (showing scripts allowed and blocked)?

( they are reoccurring and i don't know the origin for certain )

If they are scripts or other types of code and objects default-blocked by NoScript, opening the NoScript menu (click the top down-arrow, or the bottom logo, or merely hover the mouse pointer over either logo, if you have that option enabled) will show the origins of all such things. You may have to point to "Recently blocked sites/objects" or to "Untrusted". This should give you the information you're seeking.

windows xp gives the option to manually stop the script when it appears and they appear when the cpu is bogged down by them and stops responding, so it would seem highly beneficial to copy & paste these scripts to a block list because not knowing the exact origin for certain,

See above. Find the origin of the items. If you don't want them, you can ignore them, and they'll be default-blocked. To add to permanent Untrusted list, point to "Untrusted", and click on "Mark badsite.com as Untrusted". No need to copy/paste anything.

but if they are generated from Facebook or the game owners website then blocking that site or sites will cause the game not to run and it may be that it is not a malicious script but a problematic few scripts that once stopped the game will run normal,

Not knowing the game, I can't say. If you want to see the individual script code, get the JSView add-on.
If your CPU is maxing out, then perhaps you don't have a machine powerful enough for online gaming, which is very resource-intensive? CPU speed? RAM?
Else, tons of junk script and objects could do that, or a poorly-written script. This is trial-and-error to a degree, but once you find which ones are required and which are not, you're set for life -- until they change it, of course.

If it's possible for one of us to visit the site and see it in action without an account, or by using bugmenot.com, that would help, too. Site address (URL)?

[Guest]

Apologies, to be clear there are "messages" from Firefox or windows that indicate specific "scripts" have stopped responding. The game runs normal till these events, so they appear directly related, and the cpu slows noticeably, you can even hear it struggling to process and page loading slows to minutes or won't load at all. I will copy some of the scripts that are indicated in the messages and post in the next post.
Here may be an additional issue within this situation. Facebook has many advertisers when signed in, and they can't be turned off, and additionally they are always changing / refreshing or in random rotation,,, and it appears that the no script program is constantly finding them or scripts running within them as each new ad appears ( site ),so they become incredibly numerous in the blocked site lists. Thing is even if you are on the game page the facebook side bars are always there, thus the ads are always there and always changing, so the "No Script" program doing it's job finds every script on the "page" and probly does not distinguish game page from facebook page ( i am guessing ). So the scripts become numerous and can't distinguish the ones that are running the game as even visiting the blocked site usually does not indicate the sites service or purpose. In the end i spent over an hour blocking or unblocking individual sites but could not get the game to run properly.
You could easily check this out for yourself by making a facebook account and joining an online game , i use "Mafia Wars" , but Zynga has probly over 100 online games , it's big business and millions of players so if you can solve this problem you may tap into a whole nother resource of people that would benefit from the "No Script" add on and potential donations from happy users .
It would seem that a "Blacklist" ( especially if the aforementioned scenarios are occurring ) would be a useful option as Firefox or windows is identifying the malicious/ poorly written or otherwise unresponsive scripts after the fact that they have caused an undesirable result , and in these instances could be a user friendly option without any draw backs, Thanks for your input and i will start a list of the non responsive scripts i encountered.

[Tom T.]

Apologies that I have time for only a brief response now.

Non-responding scripts may not be malicious or poorly written. As you said, CPU might max out, Windows or Firefox may become busy, etc.
Weeding out the unneeded third-party scripts and marking them as "Untrusted" should reduce the load considerably.

so the "No Script" program doing it's job finds every script on the "page" and probly does not distinguish game page from facebook page ( i am guessing ).

NoScript will always tell you the origin of any script when you open the NoScript menu as indicated.
For example, right now I see

Code: Select all

"Forbid http://forums.informaction.com"

This tells me the source of the script: forums.informaction.com (You could go to informaction.com and see that it's the website of the company of the developer of NoScript.) The fact that it offers me the choice to Forbid it means that I have allowed it. Forbid = add to Untrusted list.

Yes, the list of scripts at some sites can become quite numerous, sometimes requiring scrolling of the menu. Eliminating as above helps here, too.

One picture is worth a thousand words. Can you take some screenshots of, say, the NoScript open menu with its listings? Many sites will host pics for you, and if you need help on making screenshots, I'm sure many here will be happy to help if they get here before me.

I'm sorry that I'm not a member of the sites you mention, and prefer not to be. Perhaps another Moderator who is can help here. We also have many members of this forum who are quite knowledgeable and who may be members there, so they can see for themselves what you're describing.

One last thought: Have you considered installing some ad-blocking software?

[J.L.]

So, any updates?

I've decided to use default whitelist mode for my weak netbook.

[Tom T.]

So, any updates?

I've decided to use default whitelist mode for my weak netbook.

Sorry, I guess it got side-tracked by the discussion with Boot (= Guest also, apparently).

There has been an extensive thread on this in the meantime, but the bottom line is that NoScript for Mobile was released a week ago, and developer Giorgio Maone is working hard to port its many new features into NoScript 3.x for the desktop, hoping to do so before the end of the year. It's worth reading that linked article at his blog. One feature is running in Blacklist mode, exactly as you describe. So your wish will come, but please be patient.

In the meantime, there are easy work-arounds, though admittedly not quite as fast as GUI editing.

1) Open about:config, and in the Filter bar, type
noscript.un
(that's enough to bring up noscript.untrusted.) Double-click it. Add or remove as many entries as you like, being sure to leave exactly one white space between each entry.

2) Open prefs.js file in a text editor, locate:
user_pref("noscript.untrusted",
and edit as above. Here, be sure to observe the syntax, including the quote marks and the ending semi-colon.

Unlike about:config, prefs.js can be edited only when there are no instances of Firefox running, as per the warning at the top of the file:

* If you make changes to this file while the application is running,
* the changes will be overwritten when the application exits.

Hopefully, this is good enough until 3.x arrives?

[J.L.]

I'll wait. Already tried those methods, but it's tedious work.

[Tom T.]

I'll wait. Already tried those methods, but it's tedious work.

I understand. One last try, which took me 48 seconds, then shortened to 30 seconds, and I'm not the world's fastest typist.

Click your bookmark for about:config. (Any tech user should have one!)
Type noscript.u.
Double-click.
r-click on the blue text, "copy"
Paste to the text doc you already have open (Wordpad is my choice.)
(make changes; the time here will be about the same as the time it would take to make the same changes in a GUI)
Copy the whole string from your text doc.
r-click again on the blue, "paste" > OK.
48 seconds.

I cut a few seconds by creating a hotstring to auto-type "noscript.untrusted" (no quotes, of course) in a freeware tool called "Texter". Not endorsing it, of course, as there are many other similar products out there, and we can't endorse or support them. Choose the tool you like best.

I used "bk" for my hotstring -- easy mnemonic for "blacklist", and a key combo not likely to be typed in normal writing.

Along with the practice from the first try, the time from clicking about:config to clicking OK was now 30 seconds.
OK, that's 25 seconds or so more than Options > Whitelist, but they're still neatly alphabetized, although http and https are in with the "h"'s instead of being in a separate group below all the "abouts".

The editing itself shouldn't be hard. Even if the list is large, you have the search function and the find/replace function.

Actually, it's faster than GUI whitelist additions, with a single entry > Allow > next entry > Allow, etc., or
find > highlight > remove, find next > highlight > remove.
Or find > highlight > find > Ctrl+click > find > Ctrl+click, etc. > remove.

I don't see this as so tedious even if you have hundreds of entries to search or to add. Otherwise, we'll look forward to NS 3.

Cheers,
Tom