Request for additional surrogates

[access2godzilla]

Since Noscript already has surrogates, can we have more surrogates added to the list from this custom list (mostly compiled by me from various sources).

http://pastebin.com/g8pjvDxi

Please note:
1. I actually grepped for "js" and "analytics" from a much bigger list of all ad servers, social buttons, trackers etc. that I maintain for personal use, to block them, so all of them might not be (tracking) scripts, but most should be. Also, the list only specifies patterns for detecting/blocking such scripts.
Some rules are there like Outbrain,analytics,widgets\\.outbrain\\.com\\/,,,, which might not look like they block scripts, but actually it blocks http://widgets.outbrain.com/OutbrainRater.js.
Hence, some testing is needed before the scripts can be actually detected (I should actually have maintained a list of the scripts, but unfortunately...).

2. Some of them are already in Noscript, like ga.js. Please ignore those.

I'd be glad to see those surrogates in Noscript, and want to thank all who coded the extension.

Regards,

[Thrawn]

Thanks for compiling that list. It's up to Giorgio, of course, but I think the key question is whether these scripts will break sites when blocked. Can you give real-world examples of that happening? If so, I expect Giorgio would be keen to include your surrogates .

[Tom T.]

Thanks for compiling that list. It's up to Giorgio, of course, but I think the key question is whether these scripts will break sites when blocked. Can you give real-world examples of that happening? If so, I expect Giorgio would be keen to include your surrogates .

Speaking officially for the forum, what Thrawn said is correct: Surrogates are needed only when pages break when you block them.

For example, Yahoo has a data-miner, analytics.yahoo.com. But blocking it has never broken anything for me, and I use Yahoo webmail.
They'll always be blocked by NoScript's "default-deny" policy, unless you whitelist the or temp-allow them. (but why would you?)

Mark them as Untrusted if you like, to keep them out of the main menu.
Or read ABE FAQ and add ABE rules like:

Code: Select all

Site: .analytics.yahoo.com
Deny

and want to thank all who coded the extension.

Those all would be Giorgio Maone, sole developer.
(Perhaps a little behind-the-scenes help from a couple of associates here and there, but he is solely responsible for what's in the code.)

Also, all who translated it into other languages are seen by opening NS Menu > About NoScript.

As this has become a full-time project for Giorgio, please feel free to donate what you can to enable its continued enhancement.
(Everyone else is a volunteer. But we appreciate the kind words. )

[access2godzilla]

Thanks for compiling that list. It's up to Giorgio, of course, but I think the key question is whether these scripts will break sites when blocked. Can you give real-world examples of that happening? If so, I expect Giorgio would be keen to include your surrogates .

Since my list had been actually meant for blocking, and since it is based on sources, giving examples are a bit difficult, I can say. You can search first for the widgets (those are the ones that usually break first, like discussion threads (Disqus), social buttons (Facebook, Twitter, Addtoany, Feedburner), "related links"(Outbrain), and then for the analytics and tracker parts.

Surf a few sites, with such filters (though I do not know of any addon that filters using regexp) and you can create a nice list that way.

[Thrawn]

Thanks for compiling that list. It's up to Giorgio, of course, but I think the key question is whether these scripts will break sites when blocked. Can you give real-world examples of that happening? If so, I expect Giorgio would be keen to include your surrogates .

Since my list had been actually meant for blocking, and since it is based on sources, giving examples are a bit difficult, I can say. You can search first for the widgets (those are the ones that usually break first, like discussion threads (Disqus), social buttons (Facebook, Twitter, Addtoany, Feedburner), "related links"(Outbrain), and then for the analytics and tracker parts.

As Tom T mentioned, NoScript blocks all active content by default, so all trackers are automatically blocked. And most sites will still work normally without them, but on those occasions when a site has (unwisely) tied itself to the tracking code such that it breaks without it, then surrogates can step in and fix things.

I haven't seen sites that break without eg their social buttons...but if I do, then I'll certainly come back to comment here and ask for the inclusion of one of your surrogates. But if you - or anyone - wants to add those surrogates to your personal copy of NoScript, then by all means, you can do it, and be confident that you're unlikely to need many (or any) extra surrogates in the future.

Surf a few sites, with such filters (though I do not know of any addon that filters using regexp) and you can create a nice list that way.

NoScript's ABE module can .

[access2godzilla]

Not all users surf without "scripts allowed globally", since too many things break without them.

Some examples that I mentioned in my former post are some examples of things that break (it's not that the pages don't break, but the social buttons hardly work any more and so on.)

I'll give some examples (I got them after a lot of looking around here and there):

Code: Select all

http: //b.scorecardresearch.com/beacon.js
https: //sb.scorecardresearch.com/beacon.js
http: //assets.newsinc.com/ndn.2.js
http:/ /d.yimg.com/mi/ywa.js
http: //o.aolcdn.com/os/omniture/prod/om ... tal_min.js
http: //munchkin.marketo.net     [full path of script unknown]
http: //w.sharethis.com/button/sharethis.js
addthis_widget.js
http: //connect.facebook.net/      [full path of script unknown]
http: //widgets.outbrain.com/OutbrainRater.js
http: //widgets.outbrain.com/outbrainWidget.js

[Tom T.]

Please see this post.

[Thrawn]

Not all users surf without "scripts allowed globally", since too many things break without them.

Some examples that I mentioned in my former post are some examples of things that break (it's not that the pages don't break, but the social buttons hardly work any more and so on.)

Oh, you meant sites to blacklist (in NoScript parlance, 'Mark as Untrusted'). Sorry about the confusion; it was your mention of surrogate scripts that threw me off. Quite a different topic.

NB Surrogates do not prevent scripts from running. Surrogates run only when the sites are already blocked by NoScript, and are used to prevent poorly-designed sites from breaking due to the scripts being blocked. If a site is on your whitelist, or if you run in Scripts Globally Allowed mode, then the real script will run, not the surrogate.

[Tom T.]

Some examples that I mentioned in my former post are some examples of things that break (it's not that the pages don't break, but the social buttons hardly work any more and so on.)

Sorry, but if you want the (script-powered) social button to work, you probably have to allow the script that powers it. Or do without the button.
Yes, those button-sites are undoubtedly gathering information on you. That's why those sites are free, yet Mark Zuckerberg is worth about $8 billion.

Note that a few of them (google plus one, etc.) do have surrogates. Not being a button-pusher myself, IDK if they do let the button run, or merely stop the page from breaking. Try leaving googleplusone default-denied, and see if the button still works.

[access2godzilla]

if you run in Scripts Globally Allowed mode, then the real script will run, not the surrogate.

If that is the case, could I request to have a feature whereby the script will be run even if scripts are globally allowed? It could enhance the privacy of users who choose to let the scripts run.

That's why those sites are free, yet Mark Zuckerberg is worth about $8 billion. Note that a few of them (google plus one, etc.) do have surrogates. Not being a button-pusher myself, IDK if they do let the button run, or merely stop the page from breaking.

Neither do I press the buttons (I already have them blocked with ad-blocking subscriptions, and I don't give a s*** about what Zuckerberg earns), but many people sure like to, and having to type http ://www.facebook.com/sharer.php?url=http: //example.com/example in the address bar is a big PITA.

[Thrawn]

if you run in Scripts Globally Allowed mode, then the real script will run, not the surrogate.

If that is the case, could I request to have a feature whereby the script will be run even if scripts are globally allowed? It could enhance the privacy of users who choose to let the scripts run.

Well, if you're running in Scripts Globally Allowed mode, you can still 'Mark as Untrusted' to stop a particular site from running. But if you really insist on running in Scripts Globally Allowed mode, may I suggest Adblock Plus? Keep NoScript, because it still gives some limited protections even in that mode, but clearly it doesn't fit your use case. Used with its default settings, NoScript happens to be an excellent ad-blocker (simply because most ads are active content), but that's not its purpose, so if it doesn't make a good ad-blocker in Scripts Globally Allowed mode (which switches off most of your protections), then that's not really an issue.

But as I mentioned, you can still mark sites as untrusted. You can even export your whitelist to a file, add the list of untrusted sites to the right place, and re-import it to quickly populate your blacklist. The page that Tom T pointed you to has more details.

[Tom T.]

if you run in Scripts Globally Allowed mode, then the real script will run, not the surrogate.

If that is the case, could I request to have a feature whereby the script will be run even if scripts are globally allowed? It could enhance the privacy of users who choose to let the scripts run.

Sorry that I'm not making this clear enough. If your friends want enhanced privacy, even in Globally Allowed mode, have them mark as Untrusted those particular scripts. But it may well cost them the ability to push the buttons. As said, IDK, so tell them to try it and see. Generally, though, in life you can't have your cake and eat it, too.

That's why those sites are free, yet Mark Zuckerberg is worth about $8 billion. Note that a few of them (google plus one, etc.) do have surrogates. Not being a button-pusher myself, IDK if they do let the button run, or merely stop the page from breaking.

Neither do I press the buttons (I already have them blocked with ad-blocking subscriptions,

More bad news: Many ad-blocking tools don't prevent the item from being loaded; they only prevent it from being displayed. This reduces distraction and annoyance, but depending on the particular tool and the particular situation, may do nothing to protect your privacy. (Thrawn, copy that?)

NoScript completely blocks the script that both serves the ad and tries to grab your data. It isn't intended to be an ad-blocker, but as Thrawn noted, since almost all ads are served by scripting and other active content, it ends up being a de facto ad blocker, a nice lagniappe.

May I suggest that you have a look at RequestPolicy, to prevent these cross-site image requests in the first place? Its ability to block non-executable content dovetails nicely with NoScript's focus on executable content. The developers of each wholeheartedly endorse using the combination of the two.

and I don't give a s*** about what Zuckerberg earns),

The reason I mentioned it was as evidence that these social media garner valuable data from you. Apparently, a *lot* of data, and *very* valuable. (hence Mark Z's fortune.) Something to keep in mind when deciding whether to use one.

but many people sure like to, and having to type http ://www.facebook.com/sharer.php?url=http: //example.com/example in the address bar is a big PITA.

If I think something is that valuable, I'd copy the address or use Copy Link Location, and just e-mail it to those to whom I thought it might be interesting.
Takes a few more seconds, but keeps my privacy. IMHO. YMMV.

p. s. Using NS's script-blocking is not so hard as it may seem at first. Please read NoScript Quick Start Guide, then perhaps peruse the NoScript FAQ. All of your favorite sites need to be configured only *once* (unless big changes are made to them), then you won't even notice NS working for you there. With a bit of experience, checking out a new site becomes second nature. And you can check the scripts at that site against the (non-exclusive) list in SOME SITES YOU MIGHT NOT WANT TO ALLOW, as mentioned at the post to which I linked earlier. (I believe Thrawn had confounded that one with the one about mass-blacklisting, but it would be easy to find that one, too.)

[access2godzilla]

NB Surrogates do not prevent scripts from running. Surrogates run only when the sites are already blocked by NoScript, and are used to prevent poorly-designed sites from breaking due to the scripts being blocked. If a site is on your whitelist, or if you run in Scripts Globally Allowed mode, then the real script will run, not the surrogate.

I had initially assumed seeing "noscript.surrogates.*" in about:config that Noscript provided the surrogates, regardless of whether sites are blocked, but I was mistaken at that (as per your quote).

so if it doesn't make a good ad-blocker in Scripts Globally Allowed mode (which switches off most of your protections), then that's not really an issue.

What I was requesting (and had already mentioned in my earlier post but was completely ignored, hence I repeat) was to extend the surrogate functionality of Noscript so that the surrogates may regardless of whether scripts are globally allowed and sites are blacklisted: that would also make Noscript an extension that gave provided some privacy to its users. I never wanted Noscript to work as an ad blocker, that is the job of other extensions.

May I suggest that you have a look at RequestPolicy, <snip> Using NS's script-blocking is not so hard as it may seem at first.

I am really not interested in using Noscript with scripts forbidden, it breaks too many things, and please do not mention what happens to unknown websites. And as for Requestpolicy, I cannot stare at imageless websites with Times New Roman text on them.

[Giorgio Maone]

I've looked at your pastebin but I couldn't see any surrogate there.

What I could rather see is a list of regular expressions, presumably of resources to be blocked (3rd column of a CSV file containing other data too).

I believe what you're looking for, rather than surrogates, is turning those regular expression into a giant ABE rule to block them (and possibly having surrogates run for them if they break something):

http://pastebin.com/eqMw08er

If you're interested in how to do keep it up-to-date by yourself, here's a bookmarklet you can use on a pastebin like your original one:

Code: Select all

javascript:Site%20%5E.*(%3F%3A%22%20%2B(document.getElementById(%22paste_code%22).value.split(%22%0A%22).filter(function(l)%20%7B%20return%20l.indexOf(%22%2C%22)%20%3E%200%20%7D).map(function(l)%20%7B%20return%20l.split(%22%2C%22)%5B2%5D.replace(%2F%5C%5C%2Fg%2C%20%22%5C%22)%20%7D).join(%22%7C%22))%20%2B%22)%0ADeny%20INC%22

[Tom T.]

....What I was requesting (and had already mentioned in my earlier post but was completely ignored, hence I repeat) was to extend the surrogate functionality of Noscript so that the surrogates may regardless of whether scripts are globally allowed and sites are blacklisted...

Nothing was ignored. Surrogates do run when sites are blacklisted, even in Globally Allowed mode, as you were told.
There is no need to run a surrogate for a blacklisted site if blocking the script doesn't break the page.
You can do the giant ABE rule, as Giorgio said, but why not just mark these sites as Untrusted, and be done with it?

Here is a convenient way to mass-blacklist your list of unwanted sites.