Change Request: NoScript Audio Alert

[Stardance]

During the past three or four years, especially during the past two, I have more and more often discovered websites which have "chains" of JavaScript installs when a page loads:

(1) The browser fetches a page and NoScript alerts me that it has JavaScript which is not permitted to run. So I look at the list and, ordinarily, temporarily allow all.

(2) The browser reloads the page, but NoScript does not alert me that the page now has additional JavaScript which is not permitted to run. What happened, of course, is that an enabled JavaScript routine fetched yet more JavaScript from a server(s), after I permitted it to run and the page reloaded. Sometimes a page must be reloaded three or even four times before all of the JavaScript has been installed and allowed to run.

On the one hand, if I do not look at the NoScript list after each and every reload, some or all of the website features might not work, because all JavaScript has not been allowed to run. On the other hand, if all of the JavaScript has been allowed to run, then looking at the NoScript list again to confirm that nothing remains disabled wastes my time and effort.

What I want: NoScript to look at the page after each reload and issue the alert if any JavaScript is present that is not permitted to run.

For what it is worth, I don't kow a way to use NoScript to lessen the annoyance of routines that fetch other routines when a page reloads. Of course, if JavaScript is permitted (NoScript is not installed to prevent it), then the multiple fetches and the respective ensuing executions are all effected during the normal rendering of the page.

[Thrawn]

What I want: NoScript to look at the page after each reload and issue the alert if any JavaScript is present that is not permitted to run.

Thank you for not requesting that NoScript automatically allow all the scripts, like most people seem to think it should .

I didn't realise that the audio doesn't fire on reloads (I never use it). Good spot. NoScript ought to give you the yellow notification bar, though?

For what it is worth, I don't kow a way to use NoScript to lessen the annoyance of routines that fetch other routines when a page reloads. Of course, if JavaScript is permitted (NoScript is not installed to prevent it), then the multiple fetches and the respective ensuing executions are all effected during the normal rendering of the page.

All I can suggest is to work out what your usual sites need, and which sites are typically used as libraries (jquery, googleapis, etc), and choose to permanently allow some of them that you trust.

Good luck!

[Stardance]

.... Thank you for not requesting that NoScript automatically allow all the scripts, like most people seem to think it should .

I didn't realise that the audio doesn't fire on reloads (I never use it). Good spot. NoScript ought to give you the yellow notification bar, though?

You're welcome. I have not used the visual alert in years. I probably tried it with the audio alert when they were added to NoScript, and decided that the audio alert was enough. Now I have enabled it to show in the re-named "Add-on Bar" at the bottom of the screen. If there is no visual alert on reloads that have JavaScript that is not permitted to run, then I will post on this topic again to let you know.

Certainly, I have mixed feelings about enabling the JavaScript placed by many common third-parties to run by default. For a long time, it was possible to use NoScript to stop third parties from tracking me, just by enabling JavaScript to run only for the web site domain. But the big advertisers and data miners found out that people could use the websites where they placed their fleas without getting flea-bitten. So they leaned on the web site owners and operators to disallow visitors use of the site unless and until all JavaScript was enabled.

Since Google has made an "Advertising Cookie" opt-out available and has released a Google Analytics opt-out -- both of are Firefox extensions -- I decided to permanently allow Google in those two resepects. Aside from that, it is probably safe to enable JavaScript for most websites and most third-party JavaScript on those web sites. Since I must enable them to use the site, I will almost always (temporarily) permit them anyway. So it is reasonable to grant them permanent permission, although that is implemented as blanket permission across all web sites regardless of domain.

It may be reasonable, but I still don't do it. ............

[Thrawn]

I can sympathise with having to deal with lots of scripts - and layers of scripts - to get sites to work.

If it's privacy you're after, however, then you're better off using another addon such as RequestPolicy or Adblock Plus.

NoScript's only concern is whether a site is safe, ie whether it will attack you. If it is safe anywhere, then it is safe everywhere.

If you want to block >90% of advertising and tracking (maybe more like 99%), then Adblock Plus does a great job. If you want full control over cross-site requests, and are happy to let sites break until you work out what they need, then RequestPolicy will do that. NoScript does help with privacy, but is not specialised for this.

[Stardance]

.... If it's privacy you're after, however, then you're better off using another addon such as RequestPolicy or Adblock Plus.

NoScript's only concern is whether a site is safe, ie whether it will attack you. If it is safe anywhere, then it is safe everywhere."

That is a good point. I've been concerned first with safety, but also with privacy. It has been a long while since I used AdBlockPlus, and I stopped using it because I spent too much time configuring it and resolving various problems that it caused. It is probably a much better product today than it was then. I am not familiar with Request Policy.

For safety I use NoScript, Perspectives, and LastPass. But my primary defenses are HOSTS, Sandboxie, Windows 7 Firewall, and a Cisco Linksys E2500 NAT Router.

For privacy: the Google extensions Advertising Cookie Opt-Out and Google Analytics Opt-Out Brower Add-on; Better Privacy (obtain from Mozilla); Do Not Track Me; Permit Cookies; View Cookies; Self-Destructing Cookies; and last, but not least, User Agent Switcher.

Okay, I know I am paranoid, but am I paranoid enough?

[Thrawn]

Okay, I know I am paranoid, but am I paranoid enough?

Probably . But if you are paranoid, then at least give RP a try. It's very powerful; it really does close the few holes that NoScript leaves behind (eg the BREACH TLS attack).

[Stardance]

Probably . But if you are paranoid, then at least give RP a try. It's very powerful; it really does close the few holes that NoScript leaves behind (eg the BREACH TLS attack).

Okay, I will take another look. I am not familiar with the BREACH TLS attack but it doesn't have a nice name, does it?

UPDATE ON TOPIC:

The NoScript alert bar: As long as a page has JavaScript that is not permitted to run, the bar is displayed. It remains in place after a reload if more JavaScript has been fetched that is not permitted to run. However, if I use the option to "hide" the bar, then it will disappear after the number of seconds set to display it pass. As far as I can recall, before I deselected the "hide" option, the bar never re-appeared after the time expired (i.e., until a different page was loaded).

The NoScript button: This has brought to my attention that the button (which I have placed on the Firefox "Bookmarks Toolbar") has a mark on it continuously while the page has JavaScript that is not permitted to run. Hovering the mouse cursor over it displays a short message which says that. The button still has the mark after a reload if the page still contains JavaScript that is not permitted to run.

Regardless, I want the audio alert to sound again after a page is reloaded if it still has JavaScript that is not allowed to run. I am so accustomed -- "conditioned" might be a more appropriate term, at least to a psychologist -- to responding to the audio alert that I rarely look at the button on the bar. Instead I habitually click the mouse on an open area of the page that has been loaded to open the context menu, then select the NoScript entry and look at its list.

Maybe I should pay more attention to the toolbar button, and start using it to access the list of JavaScript that is not permitted to run (yet). But old habits die hard. Believe me, I am old enough to have learned that whether I've learned anything else.