Please, simple explanation of surrogate scripts

Questioner · Post by **Questioner** » Wed Jan 23, 2013 12:39 pm

Despite reading various pages about surrogate scripts, I still do not understand them: i get that the purpose of surrogate scripts is to fool a website by pretending that its script is being run while in reality NoScript substitutes a replacement, or surrogate.

Which of the following statements is correct:

[*]A surrogate script for Site X will be run whenever you have ALLOWED Site X
[*]A surrogate script for Site X will NOT be run when you have ALLOWED Site X (but that site's scripts will be run)
[*]A surrogate script for Site X will be run when you have DISALLOWED Site X
[*]A surrogate script for Site X will NOT be run when you have DISALLOWED Site X (nor will that site's scripts be run)
[*]A surrogate script for Site X will be run the FIRST TIME you visit Site X BEFORE you allow or disallow Site X
[*]A surrogate script for Site X will NOT be run the FIRST TIME you visit Site X BEFORE you allow or disallow Site X

And if none of the above statements are correct or if surrogate scripts are used / not used based on more complex criteria, please let me know.

Post by **Giorgio Maone** » Wed Jan 23, 2013 8:29 pm

Questioner wrote: [*]A surrogate script for Site X will be run whenever you have ALLOWED Site X

True for "@", "!@", "<", and ">" surrogates.

Questioner wrote: [*]A surrogate script for Site X will NOT be run when you have ALLOWED Site X (but that site's scripts will be run)

True for "!" surrogates.

Questioner wrote: [*]A surrogate script for Site X will be run when you have DISALLOWED Site X

True for "!", "!@" and "" surrogates.

Questioner wrote: [*]A surrogate script for Site X will NOT be run when you have DISALLOWED Site X (nor will that site's scripts be run)

True for "@", "<" and ">" surrogates.

Questioner wrote: [*]A surrogate script for Site X will be run the FIRST TIME you visit Site X BEFORE you allow or disallow Site X
[*]A surrogate script for Site X will NOT be run the FIRST TIME you visit Site X BEFORE you allow or disallow Site X

Surrogates don't keep track of the times you visit a page. "@" and "!@" surrogates will run if scripts are enabled for the page, "!" surrogates if they aren't, whenever you visit it.

If the answers above left you more confused than before, I suggest to read slowly and carefully the Script Surrogates Quick Reference

Guest · Post by **Guest** » Thu Jan 24, 2013 4:53 am

Thank you very much!

If the answers above left you more confused than before, I suggest to read slowly and carefully the Script Surrogates Quick Reference

I've skimmed over it but you're right, I will need to read it a few more times.

Follow-up question about first-time visits: I remember when I used NoScript on my previous computer, everything (except for the sites on the short whitelist built into NS) would be DISALLOWED the first time and you had to allow explicitly an origin site for its script(s) to be run.

On this machine, initially I set NS to block (click to start) Java and Flash but to allow all scripts generally. Later I removed the checkmark for the "allow all scripts" setting. Now, when I visit a new site, its scripts will be ALLOWED automatically. However, when I click on the NS icon in my menu bar, the new site will be shown in bold italics while other sites that I had previously allowed explicitly are shown in non-bold, non-italic type. At the same time, scripts that this new site invokes from other websites are not allowed by NoScript (but can be allowed manually).

Is this a design change in NoScript behavior?

Post by **Giorgio Maone** » Thu Jan 24, 2013 8:25 am

Guest wrote: Is this a design change in NoScript behavior?

No, most likely you also checked NoScript Options|Temporarily allow top-level sites by default.

Guest · Post by **Guest** » Thu Jan 24, 2013 9:53 am

You're right! Many thanks for the swift reply

Guest · Post by **Guest** » Thu Jan 24, 2013 10:34 am

By the way, because I accidentally had "temporarily allow top-level sites by default" set, just last week I hit on a web page with Trojan:JS/BlacoleRef.T, however, Microsoft Security Essentials caught and quarantined it.

Better to have NoScript, too, protecting my computer. So now I've unchecked that checkbox.

Many thanks to Giorgio Maone and his team for keeping so many people safe!

Post by **Thrawn** » Sat Jan 26, 2013 1:40 am

Guest wrote:By the way, because I accidentally had "temporarily allow top-level sites by default" set, just last week I hit on a web page with Trojan:JS/BlacoleRef.T, however, Microsoft Security Essentials caught and quarantined it.

Better to have NoScript, too, protecting my computer. So now I've unchecked that checkbox.

If you're concerned about accidentally clicking on things, you might also want to go to Options-Appearance and remove items from the menu. I personally like to hide 'Scripts Globally Allowed', 'Allow All This Page', and 'Temporarily Allow All This Page'.

Many thanks to Giorgio Maone and his team for keeping so many people safe!

Credit is mostly due to Giorgio (and I thoroughly agree) - but thanks!

InformAction Forums

Please, simple explanation of surrogate scripts

Please, simple explanation of surrogate scripts

Re: Please, simple explanation of surrogate scripts

Re: Please, simple explanation of surrogate scripts

Re: Please, simple explanation of surrogate scripts

Re: Please, simple explanation of surrogate scripts

Re: Please, simple explanation of surrogate scripts

Re: Please, simple explanation of surrogate scripts