[RESOLVED] "blacklist mode" stopped working?

[Ken]

Suddenly the javascript redirect from https://news.google.com to http://news.google.com is executing even though the former is present in my noscript.untrusted . It didn't before, though it may have been a while since I tried it with Scripts Globally Allowed, a.k.a. "blacklist mode". So did "blacklist mode" stop working, or did I exceed a limit for the length of the noscript.untrusted value string, or something else? Mine has 1250 characters.

[Tom T.]

Suddenly the javascript redirect from https://news.google.com to http://news.google.com is executing even though the former is present in my noscript.untrusted . It didn't before, though it may have been a while since I tried it with Scripts Globally Allowed, a.k.a. "blacklist mode". So did "blacklist mode" stop working, or did I exceed a limit for the length of the noscript.untrusted value string, or something else? Mine has 1250 characters.

Mine is 1916 characters. ... so we're OK there.

Here is a related thread.
I would have expected that blacklisting the http site as well, and unchecking NoScript Options > Advanced > Untrusted > "Attempt to fix Javascript links", would have fixed this, but it didn't.

However, to save time, here's a cool workaround:
NS Options > Advanced > HTTPS > Behavior tab, and enter in the box
news.google.com

Even when I was at the insecure, HTTP site, adding this entry > OK > Reloading the page caused it to return to the HTTPS page, and to stay there.

(You may see a message that "NoScript blocked a META redirection inside a <NOSCRIPT> element: http:/news.google.com etc." This should have prevented the original redirection also, but my guess is that the page *really* lives at http: etc., so that's what is called when you enter the https address. Therefore, perhaps NS doesn't block it because it's to the original page, not a true redirect from one page to another. I could well be mistaken, but since the workaround works... ... but I'll ask Giorgio to give us the full story.)

OR:
You could get your news from a better-behaved site.

You could get out of globally-allowed mode (blacklist mode), and use NS as intended. It's not as painful as one might think.
Learning to drive a car took a little while at first, but now it's automatic, right?

Cheers.


ETA @ Giorgio: If it helps any, I *think* this is the relevant code:

Code: Select all

<noscript><style type="text/css">.yesscript {display: none;}</style></noscript><script type="text/javascript">
        window.location.href = "http://news.google.com/news?pz\x3d1\x26cf\x3dall\x26ned\x3dus\x26hl\x3den\x26q"
      </script>

[Giorgio Maone]

The relevant code on https://news.google.com/ is

Code: Select all

<noscript><meta http-equiv="refresh" content="0;url=http://news.google.com/news?pz=1&cf=all&ned=it&hl=it&q&js=0"></noscript>

and as you can see it's not JavaScript-based (the blacklist is working as expected).

If you don't want this kind of meta-refresh inside <noscript> element redirection to work, just tick
NoScript Options|Advanced|Untrusted|Forbid META redirections inside <NOSCRIPT> elements.

[Ken]

Oho, my mistake! When I looked at the source my eyes glazed over before identifying the offending bit, so I thought it safe to assume since turning off javascript stopped it. Thank you gentlemen, sorry for the trouble.

Good to hear the noscript.untrusted has at least 1900 characters, gives me some room to grow!

I'd consider other news sources, but I can't imagine how anyone could beat Google's combination of comprehensiveness and lack of *innate* bias. Suggestions welcome, of course.

I do often surf in whitelist mode, but for some sessions I find it more painful than blacklist, and switching back and forth (with a toolbar-mounted javascript toggle) least painful.

Cheers.

[Ken]

Oops, spoke too soon, "Forbid META redirections inside <NOSCRIPT> elements" was already ticked. I also tried resetting and reinstalling NoScript, but it's still redirecting. What next?

[Tom T.]

If you don't want this kind of meta-refresh inside <noscript> element redirection to work, just tick
NoScript Options|Advanced|Untrusted|Forbid META redirections inside <NOSCRIPT> elements.

I had that set already, but as said, it didn't work.

You may see a message that "NoScript blocked a META redirection inside a <NOSCRIPT> element: http:/news.google.com etc." This should have prevented the original redirection also,... (but didn't)

Oops, spoke too soon, "Forbid META redirections inside <NOSCRIPT> elements" was already ticked. ...

So, we both reproduced the failure of META redirect blocking, as per my PM to you...

[Giorgio Maone]

Looks like a 3.6.x specific issue, then. Investigating.

[Giorgio Maone]

Please chek latest development build 2.3.9rc3, thanks.

[Tom T.]

Confirmed that with Fx 3.6.28 and NS 2.3.9rc3, in Globally Allow mode, with the Google sites blacklisted, the META redirect is blocked, and the appropriate message is displayed, thanks.

Also confirmed that on Fx 11.0, this symptom doesn't occur under the same circumstances, even before the fix. (2.3.9rc1).

To enhance my knowledge base, if you have time, could you please explain what structural difference(s) between F3 and F11 caused the META block to fail on the former, but not the latter?

OP states that this problem didn't occur at some earlier time, "though it may have been a while since I tried it with Scripts Globally Allowed".
Do you have any idea when or how the regression crept in?
If the explanation is too lengthy or there isn't time, no worries.

Tangential, but relevant: I'm getting feedback from some who dislike the F4+ branch enough to continue on 3.6.28, even though aware of the risks.
Will NS updates maintain back-compatibility for 3.6.x at all after 24 April?
If so, do you know for how long, or through what version of Fx?
(It's a good sign that you took time to fix a glitch for a browser that ends support in three days. Very generous, thanks.)

Thanks again for all.

[Giorgio Maone]

Will NS updates maintain back-compatibility for 3.6.x at all after 24 April?
If so, do you know for how long, or through what version of Fx?

NoScript users on Firefox versions < 4 are about 10% at this moment.
I plan to support them down to 5%, which I really hope happens as soon as possible, because the under-the-hood changes from 3.x to 4 are such that legacy support is seriously hampering future developments (for instance, all the NSA code is incompatible with 3.6).

[Tom T.]

Will NS updates maintain back-compatibility for 3.6.x at all after 24 April?
If so, do you know for how long, or through what version of Fx?

NoScript users on Firefox versions < 4 are about 10% at this moment.
I plan to support them down to 5%, which I really hope happens as soon as possible, because the under-the-hood changes from 3.x to 4 are such that legacy support is seriously hampering future developments (for instance, all the NSA code is incompatible with 3.6).

Thank you for the reply. I understand the difficulty in providing legacy support. It's unfortunate that some of the changes in 4+ caused such dissatisfaction.

Example: The removal of the Status Bar, where disappearing icons have brought the number of views of the thread on that topic to almost 17,000 ATM. (And one can no longer have NS icons on both top and bottom).

Example: Replacing the clean, text-based Tools > Add-ons box, with its simple buttons labeled "Find Updates" and "Restart Firefox", with a full page with many other items (plugins, etc.) , but the "Check for Updates" is invisibly hidden behind a nondescript, unlabeled gear icon, and the Restart prompt is in green-on-grey text, in several different places, but none in a box of its own as in F3.

<snip> I agree with the comment about the non-descript gear icon. I would have never had a clue to look there. <snip>

If Firefox were to return to a GUI that is more friendly to computer novices and/or new Fx users switching from, say, IE, perhaps there would be less resistance to the change.
Perhaps MZ might respect your opinion on these matters, were you to present it. (They ignored mine.)

All not just IMHO, but representing the opinions of other users, mostly average home users. All of my relatives and most of my RL friends are non-tech (so guess whom they call ), whereas it seems most techies pretty much associate with other techies, and may not be in touch with the vast majority.

Thank you for letting me voice these O/T issues.