noscript.confirmSiteInfo
noscript.confirmSiteInfo
Hey guys,
I've got a profile created some years ago under Firefox 2. It has been carefully maintained and updated for Fx 3, 3.5, 3.6 and then our recent 4+ builds, but I think it's time to make a new one. I'm currently checking NoScript about:config prefs to decide what I want in my new profile.
So I have noscript.confirmSiteInfo and it's absent from the new profile currently. Is it a deprecated pref that's not used anymore in the latest NoScript release ?
Or is it a hidden pref we're meant to create manually. In that case, what does it do ?
Thanks
I've got a profile created some years ago under Firefox 2. It has been carefully maintained and updated for Fx 3, 3.5, 3.6 and then our recent 4+ builds, but I think it's time to make a new one. I'm currently checking NoScript about:config prefs to decide what I want in my new profile.
So I have noscript.confirmSiteInfo and it's absent from the new profile currently. Is it a deprecated pref that's not used anymore in the latest NoScript release ?
Or is it a hidden pref we're meant to create manually. In that case, what does it do ?
Thanks
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Re: noscript.confirmSiteInfo
Some additional prefs that I forgot exactly what they do. Could you tell me ? I can't find their description on the web anymore.
Prefs set as default in the new profile:
noscript.consoleLog (probably logs into Firefox error console. Is there any performance impact ?)
noscript.docShellJSBlocking (old profile sets to 2)
noscript.forbidIFramesContext (old profile sets to 1. What do 1 and 2 mean ?)
noscript.untrustedGranularity
noscript.xss.trustExternal (old profile sets to false)
Finally, what's the difference between the noscript.filterXExceptions string and all the prefs under noscript.filterXExceptions.* ? Assuming I set the string to "", should I also set all following booleans to false ?
Thanks again
Prefs set as default in the new profile:
noscript.consoleLog (probably logs into Firefox error console. Is there any performance impact ?)
noscript.docShellJSBlocking (old profile sets to 2)
noscript.forbidIFramesContext (old profile sets to 1. What do 1 and 2 mean ?)
noscript.untrustedGranularity
noscript.xss.trustExternal (old profile sets to false)
Finally, what's the difference between the noscript.filterXExceptions string and all the prefs under noscript.filterXExceptions.* ? Assuming I set the string to "", should I also set all following booleans to false ?
Thanks again
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
What do these NoScript prefs do ?
So anyone knows what those prefs are for ? If you can only answer for one pref please do, that's better than nothing
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Re: noscript.confirmSiteInfo
> Or is it a hidden pref we're meant to create manually.
If it's not there, I would think it deprecated.
When it was there if it were in bold, then either you created or modified it from its default.
- consoleLog, I would think there would be performance impacts & only to be used when trying to diagnose something
You might pick up some references, hints, from NoScript CHANGELOG, otherwise ...?
If it's not there, I would think it deprecated.
When it was there if it were in bold, then either you created or modified it from its default.
- consoleLog, I would think there would be performance impacts & only to be used when trying to diagnose something
You might pick up some references, hints, from NoScript CHANGELOG, otherwise ...?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0 SeaMonkey/2.17a2
Re: noscript.confirmSiteInfo
Thanks, there are some answers in the changelog. Search engines didn't catch them for some reason...
Now it's better, but I would need a couple more answers if you have some.
2nd level domain is supposed to be informaction.com.
Giorgio must have a list of what all prefs do somewhere. Has he considered making it public ? He does (or did) explain what prefs do when he introduces them, but that info seems to vanish over time.
Now it's better, but I would need a couple more answers if you have some.
What's the difference between a site and a domain ? Like (but I doubt it), is domain actually top-level domain (.com), and site is third-level domain ? (forums.informaction.com)noscript.forbidIFramesContext:
controls if actually enforcing IFRAME blocking depending on the parent page:
0 -- block always
1 -- block if parent is in a different site (default)
2 -- block if parent is in a different domain
3 -- block if parent is in a different 2nd level domain
2nd level domain is supposed to be informaction.com.
What's docShell JS and why is that pref set to 1 even when I have "Forbid Frames" and "Apply these restrictions to trusted sites" checkboxes ticked in NoScript's UI ?noscript.docShellJSBlocking:
0 - no docShell JS blocking
1 - (default) docShell JS blocking for untrusted sites (enables
effective blacklists for defalut-deny modes)
2 - docShell JS blocking for every non-whitelisted site (enables
cross-frame inheritance of JS blocking)
But it doesn't say what the different values are for.noscript.untrustedGranularity:
+ Whitelisting sites from NoScript Options|Whitelist obeys to the
noscript.untrustedGranularity preference
Giorgio must have a list of what all prefs do somewhere. Has he considered making it public ? He does (or did) explain what prefs do when he introduces them, but that info seems to vanish over time.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Re: noscript.confirmSiteInfo
I believe http://forums.informaction.com would be a site, forums.informaction.com would be a domain, and informaction.com would be a 2nd-level domain.Nanosaur wrote: What's the difference between a site and a domain ? Like (but I doubt it), is domain actually top-level domain (.com), and site is third-level domain ? (forums.informaction.com)
2nd level domain is supposed to be informaction.com.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Re: noscript.confirmSiteInfo
That could be it, but Wikipedia says otherwise. Giorgio is very technical-literate so he probably use the terms correctly, but your suggestion makes more sense that what I would think is "correct"... >_<
http://forums.informaction.com is a full domain name I believe. Seems faire to say it's the "site" from the quote.
forums.informaction.com is a third-level domain name.
informaction.com is a second-level domain name.
.com is the top level domain name.
But if you're a moderator you probably know Giorgio and might be used to how he uses these terms, so I'm torn. :p
I'll go with what you say for now and set the pref to 2. (today's default isn't 1 anymore, it's 3)
Okay, remain 2 questions if someone walks by!
http://forums.informaction.com is a full domain name I believe. Seems faire to say it's the "site" from the quote.
forums.informaction.com is a third-level domain name.
informaction.com is a second-level domain name.
.com is the top level domain name.
But if you're a moderator you probably know Giorgio and might be used to how he uses these terms, so I'm torn. :p
I'll go with what you say for now and set the pref to 2. (today's default isn't 1 anymore, it's 3)
Okay, remain 2 questions if someone walks by!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Re: noscript.confirmSiteInfo
Per NS Options > Appearance,
http://www.noscript.net is a "Full Address", because it includes a protocol for addressing and replying. (HTTP, HTTPS, FTP, gopher, socks, etc.)
It does seem to be called "Site" in that config option.
www.noscript.net is a "Full Domain", containing the total domain name less the protocol.
You are correct that .com, .net, .org, etc. are Top-Level Domains.
Hence noscript.net is indeed a Second-Level Domain.
news.yahoo.com is a Third-Level Domain.
(This is useful because I use Yahoo Mail, and therefore must allow mail.yahoo.com. but prefer to forbid www dot yahoo.com)
There are fourth- and fifth-level domains -- every new term to the *left* of the previous left-most dot -- but I can't think of any offhand. You can probably find some.
@ Giorgio: RFE: A new page in noscript,net, something like noscript.net/aboutconfigprefs, where all such configurable prefs, and a simple explanation of the meaning of each possible value, are listed, preferably in alphabetical order. I realize this may take quite a bit of time, but surely it would be a valued resource to many.
http://www.noscript.net is a "Full Address", because it includes a protocol for addressing and replying. (HTTP, HTTPS, FTP, gopher, socks, etc.)
It does seem to be called "Site" in that config option.
www.noscript.net is a "Full Domain", containing the total domain name less the protocol.
You are correct that .com, .net, .org, etc. are Top-Level Domains.
Hence noscript.net is indeed a Second-Level Domain.
news.yahoo.com is a Third-Level Domain.
(This is useful because I use Yahoo Mail, and therefore must allow mail.yahoo.com. but prefer to forbid www dot yahoo.com)
There are fourth- and fifth-level domains -- every new term to the *left* of the previous left-most dot -- but I can't think of any offhand. You can probably find some.
What it is would probably only complicate the discussion more, but why it defaults to 1 instead of 2 is a very good question. If I don't whitelist a site, certainly I don't want to whitelist JS in frames from or to it. I'll ask Giorgio, but in the meantime, I'm going to set mine to 2 and see if anything breaks.noscript.docShellJSBlocking:
0 - no docShell JS blocking
1 - (default) docShell JS blocking for untrusted sites (enables
effective blacklists for defalut-deny modes)
2 - docShell JS blocking for every non-whitelisted site (enables
cross-frame inheritance of JS blocking)
What's docShell JS and why is that pref set to 1 even when I have "Forbid Frames" and "Apply these restrictions to trusted sites" checkboxes ticked in NoScript's UI ?
It's "probably" whether to match Untrusted by 2nd level domain, 3rd, full, etc. as discussed above, because you may configure Appearance to show only Base 2nd Leve Domains, yet blacklist a third-level domain, either manually or when Appearance was set differently. But I don't like "probably", so I'll ask Giorgio to clarify that also, and what the numbers mean.noscript.untrustedGranularity:
+ Whitelisting sites from NoScript Options|Whitelist obeys to the
noscript.untrustedGranularity preference
But it doesn't say what the different values are for.
I did, because I don't use those sites. Two seem to have escaped: ebay and medicare, perhaps added since I last went through about:config. I toggled those to false, also.Finally, what's the difference between the noscript.filterXExceptions string and all the prefs under noscript.filterXExceptions.* ? Assuming I set the string to "", should I also set all following booleans to false ?
There was a fairly extensive list in this topic, but yours don't seem to have been included. (Else your search would have found them.) Excellent idea.Giorgio must have a list of what all prefs do somewhere. Has he considered making it public ? He does (or did) explain what prefs do when he introduces them, but that info seems to vanish over time.
@ Giorgio: RFE: A new page in noscript,net, something like noscript.net/aboutconfigprefs, where all such configurable prefs, and a simple explanation of the meaning of each possible value, are listed, preferably in alphabetical order. I realize this may take quite a bit of time, but surely it would be a valued resource to many.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1
Re: noscript.confirmSiteInfo
noscript.confirmSiteInfo is for when you middle-click on a site in the NoScript menu. It controls whether the confirmation prompt appears. It gets set to true or false depending on whether you check or clear the 'Always ask for confirmation' checkbox.
Mozilla/5.0 (X11; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
Re: noscript.confirmSiteInfo
Thanks for adding that, as my post was already rather long.mjh563 wrote:noscript.confirmSiteInfo is for when you middle-click on a site in the NoScript menu. It controls whether the confirmation prompt appears. It gets set to true or false depending on whether you check or clear the 'Always ask for confirmation' checkbox.
To be more specific, if set to "True", then whenever you use the Site Info feature, you get this prompt first:
It seems kind of intuitive to me that you are asking NoScript to do something for you, so I set it to False. Some might like to know exactly where the query goes: It goes to noscript.net, until you click any of the links shown in the reply, which are no longer under NoScript's control. Thanks again.You're about to ask for information about the "news.yahoo.com" site
by submitting a query to http://noscript.net.
Do you want to continue?
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1
Re: noscript.confirmSiteInfo
It looks like the default for noscript.forbidIFramesContext is tough. It's unusual that I customize NS to make it more lenient (I set it from full address to only domain, which might isolate third-level domains as well as domain; at least that's the behavior I want)
I'll keep confirmSiteInfo as default and wait to hear back if you get news for the 2 other prefs. (For now untrustedGranularity is on default and docShellJSBlocking is 2)
I'm undecided on filterXExceptions because, while I used to know exactly what it means, it's become rather blurry what it translates to concretely on the battle field. Guess I'll need to refresh this knowledge some time later...
Anyway thank you both for the replies!
I'll keep confirmSiteInfo as default and wait to hear back if you get news for the 2 other prefs. (For now untrustedGranularity is on default and docShellJSBlocking is 2)
I'm undecided on filterXExceptions because, while I used to know exactly what it means, it's become rather blurry what it translates to concretely on the battle field. Guess I'll need to refresh this knowledge some time later...
Anyway thank you both for the replies!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Re: noscript.confirmSiteInfo
Those are automatic, default exceptions to the XSS filter. They were put there for the same reason as most of the default whitelist entries: to make NS easier for novices to use "right out of the box", with the most popular sites allowed in whitelist. Presumably the XSS list is because those sites, also quite popular, seem to generate false positive XSS messages.Nanosaur wrote:I'm undecided on filterXExceptions because, while I used to know exactly what it means, it's become rather blurry what it translates to concretely on the battle field. Guess I'll need to refresh this knowledge some time later...
No harm in making them all False, especially sites you don't use, and see whether indeed the others do generate XSS messages. Perhaps some have cleaned up their code a bit. If it's too annoying, and, in Giorgio's words (XSS FAQ), "you're very confident the target web page is immune to XSS vulnerabilities", you can always toggle back that particular site to True.
I've been to email, banking, and some other sites, and so far docshellJSblocking on 2 hasn't broken anything. Will let you know if it does.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1