Buttons
-
cloudfire
Buttons
I looked thru the FAQs but I do not see how to make buttons such as Search or Find Job or even Help available without making the whole page available. At sites such as CareerBuilder or GDIT the button does not give a code to enable so its either give the whole page temporary permission or it will not work. If there is any XSS on the page then I am toast, but I would be extremely angry that I had to grant the whole page permission causing my system to be compromised instead of having only the Search/Find Job/Go/Help button with permission. NoScript even prevents your web page from displaying properly and I have to give your whole page temp permission.
Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120909 Firefox/15.0.1 SeaMonkey/2.12.1
Re: Buttons
Please do not post 142-character random strings, which I deleted. I very nearly deleted this post as spam.
If you have a legitimate question, please specify the site(s) where this occurs, and the steps for us to reproduce your error.
Else the entire post will indeed be deleted.
If you have a legitimate question, please specify the site(s) where this occurs, and the steps for us to reproduce your error.
Else the entire post will indeed be deleted.
Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1
-
cloudfire
Re: Buttons
Firstly Mr. T0m - Don't blame me for the character string, blame NoScript for not displaying your web page properly. Common sense would have ensured that YOUR products work with YOUR web page.
Secondly, I did tell you what was wrong. Did you even read this?
" At sites such as CareerBuilder or GDIT the button does not give a code to enable so its either give the whole page temporary permission or it will not work. If there is any XSS on the page then I am toast, but I would be extremely angry that I had to grant the whole page permission causing my system to be compromised instead of having only the Search/Find Job/Go/Help button with permission. NoScript even prevents your web page from displaying properly and I have to give your whole page temp permission."
**Sites where this occurs are www.pny.com, www.careerbuilder.com, www.dice.com, www.clearedjobs.com/net, www.microsoft.com, www.yahoo.com, www.hotmail.com, and any site with a Search button or Help button, or directional arrows. There is not code specifically for the buttons or arrows to allow with NoScript; the entire page has to be granted temporary permissions. How do I enable these features in NoScript without granting the whole page temporary permissions?
Have a good Sunday.
Secondly, I did tell you what was wrong. Did you even read this?
" At sites such as CareerBuilder or GDIT the button does not give a code to enable so its either give the whole page temporary permission or it will not work. If there is any XSS on the page then I am toast, but I would be extremely angry that I had to grant the whole page permission causing my system to be compromised instead of having only the Search/Find Job/Go/Help button with permission. NoScript even prevents your web page from displaying properly and I have to give your whole page temp permission."
**Sites where this occurs are www.pny.com, www.careerbuilder.com, www.dice.com, www.clearedjobs.com/net, www.microsoft.com, www.yahoo.com, www.hotmail.com, and any site with a Search button or Help button, or directional arrows. There is not code specifically for the buttons or arrows to allow with NoScript; the entire page has to be granted temporary permissions. How do I enable these features in NoScript without granting the whole page temporary permissions?
Have a good Sunday.
Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120909 Firefox/15.0.1 SeaMonkey/2.12.1
Re: Buttons
The forums work OK with scripting disabled. I don't see the trouble...cloudfire wrote:Common sense would have ensured that YOUR products work with YOUR web page.
I'm afraid that allowing individual scripts is not possible, partly because of the limitations of the underlying CAPS engine, but mostly because it would not be practical. At all. Consider how many script *files* can be included in a page (sometimes hundreds), and then imagine trying to decide whether to allow/deny each JavaScript function. No way. You might as well do all of your browsing via telnet.There is not code specifically for the buttons or arrows to allow with NoScript; the entire page has to be granted temporary permissions. How do I enable these features in NoScript without granting the whole page temporary permissions?
On the bright side of things, NoScript will still protect you from XSS on trusted sites.
Btw, it's not polite, politic, or in any way accurate to suggest that the moderators of this forum have no common sense. They have a great deal of it, and although they're here to help (for free), they block dozens of spam posts and accounts every day, and I'm sure they could add yours to the list without a qualm if you insult them again. Just sayin'.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Re: Buttons
Firstly Mr. Cloudfire, as Thrawn said, it is a *requirement* of Forum Rules to remain civil at all times.
You will note that I used the word "please" twice, once in each of my requests to you.
I have viewed thousands of posts, and never seen a random string like that before. Either you put it there (did you not see it when you viewed your published post?), or malware on your machine put it there, or you have an extension conflict, although that would be a rather strange symptom of one.
There is no possible mechanism of which I am aware that would cause NoScript to add such a string to a user's post. Unless you have strong, substantial evidence that it did, and a mechanism of how it did so, please retract that rather serious accusation.
The only things lost by not allowing scripting here, AFAIK, are the toolbars at the top of the Compose box, the smileys, and some of the automatic functions that take you to a given page when appropriate. But it *displays* fine. Please feel free to disable scripting here, but also please see Paragraph 5 of FAQ 1.5.
You do not necessarily need to allow an entire page to make a site work.
For example, I use Yahoo webmail, so I must allow its scripts (which as Thrawn hinted at, are somewhere between 90 and 125 in number at any given moment).
But I do not allow the entire page. My whitelist has only:
mail.yahoo.com
mail.yimg.com
This is enough for most mail functions, without allowing all of yahoo.com. (I do not allow www.yahoo.com)
To edit Contacts or Account Options, which isn't very often, I TA (temporarily allow) yahooapis.com.
Help may indeed need an additional script allowed, but as I've used the service for years, Help is rarely needed.
If you apply this philosophy of allowing the scripts that are required *only for the functions you want* - yes, it may take a few minutes, but then you have a permanent whitelist and never need to mess with that site again.
I may try one or two of your sites and see if I can reduce likewise, without allowing the whole page.
I had a great Sunday. Thank you for your kind wishes.
You will note that I used the word "please" twice, once in each of my requests to you.
I have viewed thousands of posts, and never seen a random string like that before. Either you put it there (did you not see it when you viewed your published post?), or malware on your machine put it there, or you have an extension conflict, although that would be a rather strange symptom of one.
There is no possible mechanism of which I am aware that would cause NoScript to add such a string to a user's post. Unless you have strong, substantial evidence that it did, and a mechanism of how it did so, please retract that rather serious accusation.
The only things lost by not allowing scripting here, AFAIK, are the toolbars at the top of the Compose box, the smileys, and some of the automatic functions that take you to a given page when appropriate. But it *displays* fine. Please feel free to disable scripting here, but also please see Paragraph 5 of FAQ 1.5.
You do not necessarily need to allow an entire page to make a site work.
For example, I use Yahoo webmail, so I must allow its scripts (which as Thrawn hinted at, are somewhere between 90 and 125 in number at any given moment).
But I do not allow the entire page. My whitelist has only:
mail.yahoo.com
mail.yimg.com
This is enough for most mail functions, without allowing all of yahoo.com. (I do not allow www.yahoo.com)
To edit Contacts or Account Options, which isn't very often, I TA (temporarily allow) yahooapis.com.
Help may indeed need an additional script allowed, but as I've used the service for years, Help is rarely needed.
If you apply this philosophy of allowing the scripts that are required *only for the functions you want* - yes, it may take a few minutes, but then you have a permanent whitelist and never need to mess with that site again.
I may try one or two of your sites and see if I can reduce likewise, without allowing the whole page.
I had a great Sunday. Thank you for your kind wishes.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1
Re: Buttons
At Microsoft and Yahoo, allow only what you need. For example, to search for Windows Updates or KB articles, you may need technet.microsoft, but not social-whatever.MS, and certainly not the entire MS domain. Be choosy per function needed.
Same with Yahoo. For example. at finance.yahoo.com, the page displays correctly with *no* scripting allowed, and I can look up a stock for its current or closing price, see the day's chart, etc. If I want to view "custom charts" (month, year, 5 yrs, etc.), then I need to TA:
finance.yahoo.com
l.yimg.com
and no more. Custom interactive chart works fine.
Do you see the advantage in using third-level, or sub-domains (mail.yahoo.com; finance.yahoo.com)
instead of second-level, or "base" domains? (yahoo.com)
If these are not shown in the menu, open NoScript Options > Appearance. Undoubtedly Base 2nd level Domains is checked. Choose also either Full Domains or Full Addresses. I like the latter, because it shows the protocol, allowing you to allow https/somesite.com but not http/somesite.com, which is valuable for security at sensitive sites.
At careerbuilder, the report card for the site to function successfully was this:
+http://www.careerbuilder.com
+http://cdn.optimizely.com
+icbdr.com
Plus sign indicates (temp) Allowed
-http://log3.optimizely.com
-optimizely.com
Minus sign indicates left in default-deny mode; hence, not allowed.
!quantserve.com
!scorecardresearch.com
Exclamation point indicates that these are on my Untrusted list, the reason being here.
The frequent need to allow .cdn, .static, or .img script sites was described in NoScript Quick Start Guide, which might be helpful reading.
With these choices, I saw the jobs listed, clicked on one, clicked to Apply, and was presented with the application form.
Perhaps other scripts may show up along the way, as at the Application page, or using other features of the site, but I hope you get the idea.
Please try it, and let us know if it helps with your complaint.
By the way, the easy way to report menu displays is to right-click in some blank area of the opened NS menu, typically "About NoScript vX.X.x".
This copies the menu display to the system clipboard for easy pasting into your post.
And yes, you are very welcome for this Moderator suggesting that this feature be added, which it was in changelog v2.2.9.
Same with Yahoo. For example. at finance.yahoo.com, the page displays correctly with *no* scripting allowed, and I can look up a stock for its current or closing price, see the day's chart, etc. If I want to view "custom charts" (month, year, 5 yrs, etc.), then I need to TA:
finance.yahoo.com
l.yimg.com
and no more. Custom interactive chart works fine.
Do you see the advantage in using third-level, or sub-domains (mail.yahoo.com; finance.yahoo.com)
instead of second-level, or "base" domains? (yahoo.com)
If these are not shown in the menu, open NoScript Options > Appearance. Undoubtedly Base 2nd level Domains is checked. Choose also either Full Domains or Full Addresses. I like the latter, because it shows the protocol, allowing you to allow https/somesite.com but not http/somesite.com, which is valuable for security at sensitive sites.
At careerbuilder, the report card for the site to function successfully was this:
+http://www.careerbuilder.com
+http://cdn.optimizely.com
+icbdr.com
Plus sign indicates (temp) Allowed
-http://log3.optimizely.com
-optimizely.com
Minus sign indicates left in default-deny mode; hence, not allowed.
!quantserve.com
!scorecardresearch.com
Exclamation point indicates that these are on my Untrusted list, the reason being here.
The frequent need to allow .cdn, .static, or .img script sites was described in NoScript Quick Start Guide, which might be helpful reading.
With these choices, I saw the jobs listed, clicked on one, clicked to Apply, and was presented with the application form.
Perhaps other scripts may show up along the way, as at the Application page, or using other features of the site, but I hope you get the idea.
Please try it, and let us know if it helps with your complaint.
By the way, the easy way to report menu displays is to right-click in some blank area of the opened NS menu, typically "About NoScript vX.X.x".
This copies the menu display to the system clipboard for easy pasting into your post.
And yes, you are very welcome for this Moderator suggesting that this feature be added, which it was in changelog v2.2.9.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1
-
cloudfire
Re: Buttons
Mr. Thrawn - Thank you for your post. Unfortunately for me I had not disabled NoScript and the code Captcha gave, the long string, was to be typed into the box below and there was only one box below, the dialogue box. After I granted the page temporary permission, the Captcha worked normally and the posts displayed normally. It was definitely a lesson learned but also emphasizes my concern about NoScript.
Mr. Tom - Thank you for your posts, although we disagree on the first post you gave. Yes you did use the word please twice but the tone of your post could be misconstrued as something other than civil. Thank you again for your time and research.
You can mark this thread as closed. I hope you both have a great week.
Mr. Tom - Thank you for your posts, although we disagree on the first post you gave. Yes you did use the word please twice but the tone of your post could be misconstrued as something other than civil. Thank you again for your time and research.
You can mark this thread as closed. I hope you both have a great week.
Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120909 Firefox/15.0.1 SeaMonkey/2.12.1
Re: Buttons
Oh, the Captcha, right. It doesn't apply once you have an account, and I didn't notice that you were posting anonymously, so I forgot about it. I thought it could still work without JavaScript, though...cloudfire wrote:Mr. Thrawn - Thank you for your post. Unfortunately for me I had not disabled NoScript and the code Captcha gave, the long string, was to be typed into the box below and there was only one box below, the dialogue box. After I granted the page temporary permission, the Captcha worked normally and the posts displayed normally. It was definitely a lesson learned but also emphasizes my concern about NoScript.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Re: Buttons
I just tried it myself. If NS is enabled, you have to allow recaptcha.net, and click the placeholder of the flash object that appears. Then there is the box to paste the code as well as the box to create your post.
We spend hours a day deleting spam. All you had to do in the first place was to say that the string was the recaptcha code, and that it was an accident, and all would have been well, including tone of voice.
Cheers,
We spend hours a day deleting spam. All you had to do in the first place was to say that the string was the recaptcha code, and that it was an accident, and all would have been well, including tone of voice.
Cheers,
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1