help understanding changelog

Post by barbaz »

Just got 2.6.8.26rc1, and saw in the changelog:
http://noscript.net/getit#devel wrote:
+ noscript.cascadePermissions preliminary backend implementation
+ noscript.restrictSubdocScripting preliminary backend implementation
I see that both prefs by those names in about:config are set to false.
What are these features / what do they do?
What aspects of them are enabled by default or always enabled?
*Always* check the changelogs BEFORE updating that important software!

Re: help understanding changelog

Post by Giorgio Maone »

These are features being added by request of the TOR project, useful for TOR Browser users but possibly also for some regular NoScript users.

At this moment they are pretty much work in progress (the UI side, for instance, is still unaffected), but in the end they should amount to:
  1. "Block scripting in whitelisted subdocuments of non-whitelisted pages" (noscript.restrictSubdocScripting)
    • If /true/, frames and iframes whose parent document's URL is not whitelisted will be prevented from running and loading scripts, no matter whether they're themselves whitelisted.
    • If /false/, current behavior which bases scripting permissions for subdocuments only on their own origin, independently from their parent's, will be kept.
  2. "Cascade parent document's permissions to 3rd party scripts" (noscript.cascadePermissions)
    • If /true/, user will just need to allow/forbid the top-level document's origin or forbid it, to block/unblock all the scripts on the page (including those in subdocuments): also, in order to avoid confusion, when this mode is active the NoScript menu will show Forbid/Allow commands for the top-level origin only (currently in bold).
    • If /false/, current behavior which allows full granularity to forbid/allow scripts by their origin will be kept.
    • In either case, subdomain scripts from 'untrusted'/blacklisted sites will continue to be blocked, and if the user has selected to enable the "Untrusted" NoScript appearance option, these subdomain blacklist choices will still be displayed.
    • NoScript will provide an associated configuration UI control for this preference.
[Edit]
A requirement added and implemented later is that "[Temporarily] Allow all this page" commands affect the top-level document only when Cascade Permissions mode is enabled (i.e. no 3rd party scripts actually get whitelisted, they're just implicitly allowed as long as their top ancestor page's domain is whitelisted).

Re: help understanding changelog

Post by therube »

1. So that will do things like block a foreign hosted video from displaying in the current page, until the current page has been allowed, even if the foreign hosted video site had already been Allowed.

Allow youtube.com ytimg.com
Visit http://failblog.cheezburger.com/

The Youtube videos display & will play without allowing cheezburger.com.

Toggle the Pref.

The Youtube videos will not display or play until you have Allowed cheezburger.com.

Re: help understanding changelog

Post by barbaz »

Thank you for the explanations.
Giorgio Maone wrote:
  1. "Block scripting in whitelisted subdocuments of non-whitelisted pages" (noscript.restrictSubdocScripting)
    • If /true/, frames and iframes whose parent document's URL is not whitelisted will be prevented from running and loading scripts, no matter whether they're themselves whitelisted.
    • If /false/, current behavior which bases scripting permissions for subdocuments only on their own origin, independently from their parent's, will be kept.
I like this. Probably can eventually replace some of my ABE rules to do essentially that, so I'll be enabling this feature soon.
Is it planned to be possible to add exceptions to this behavior when enabled?
Giorgio Maone wrote:
  2. "Cascade parent document's permissions to 3rd party scripts" (noscript.cascadePermissions)
    • If /true/, user will just need to allow/forbid the top-level document's origin or forbid it, to block/unblock all the scripts on the page (including those in subdocuments): also, in order to avoid confusion, when this mode is active the NoScript menu will show Forbid/Allow commands for the top-level origin only (currently in bold).
    • If /false/, current behavior which allows full granularity to forbid/allow scripts by their origin will be kept.
    • In either case, subdomain scripts from 'untrusted'/blacklisted sites will continue to be blocked, and if the user has selected to enable the "Untrusted" NoScript appearance option, these subdomain blacklist choices will still be displayed.
    • NoScript will provide an associated configuration UI control for this preference.
Scary :shock: :o

Re: help understanding changelog

Post by Thrawn »

barbaz wrote: Scary :shock: :o
I agree - but often requested.

Should there at least be some kind of message telling the user which sites were whitelisted? Maybe a message bar like the one for XSS and ABE actions?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.

Re: help understanding changelog

Post by barbaz »

Thrawn wrote:Should there at least be some kind of message telling the user which sites were whitelisted? Maybe a message bar like the one for XSS and ABE actions?
I would guess that people who want cascading permissions wouldn't care too much what sites are getting Temp-Allowed via cascading.

Wouldn't it be enough if all sites (other than top level) allowed via cascading are displayed only as "Mark (site) as Untrusted" in the main menu, like currently seen with "Scripts Globally Allowed"?

EDIT Oh, and there's this too:
Giorgio Maone wrote:In either case, subdomain scripts from 'untrusted'/blacklisted sites will continue to be blocked, and if the user has selected to enable the "Untrusted" NoScript appearance option, these subdomain blacklist choices will still be displayed.

Re: help understanding changelog

Post by therube »

Isn't #1, when set to True, the way things were some time ago (maybe a long time ago)?

Re: help understanding changelog

Post by Hannibal »

Thanks for the explanations :)

To make sure I got it right: Is #2 (noscript.cascadePermissions) kinda similar to "allow all this page" except it works on a domain instead of just a page ?

Re: help understanding changelog

Post by Giorgio Maone »

Hannibal wrote:Thanks for the explanations :)

To make sure I got it right: Is #2 (noscript.cascadePermissions) kinda similar to "allow all this page" except it works on a domain instead of just a page ?
It works on any page, i.e. if the top-level document origin is whitelisted, all the scripts imported by it and by its subdocuments are allowed to run independently from their actual origins, which on the other hand don't get automatically whitelisted: if there's another tab with the same 3rd party scripts but whose top-level document origin is not whitelisted, its scripts won't run.
therube wrote: Isn't #1, when set to True, the way things were some time ago (maybe a long time ago)?
Nope, each frame used to have (and has) the same permissions on desktop NoScript, unless noscript.docShellBlocking is true (which is not the default and is deprecated anyway).
NSA at this moment uses a mechanism akin to noscript.docShellBlocking (but will change as soon as I find the time to put it back on its rails), therefore works more or less the way you say.
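
A simplified model of the two preferences as described in the posts above, added here as an illustration; it is not NoScript's code. Origins are reduced to plain domain strings, `decide` and the policy object are hypothetical names, and cascade taking precedence when both prefs are true is an assumption the thread does not cover.

```javascript
// Simplified model of the two prefs as described in this thread; not NoScript code.
// Origins are plain domain strings; `decide` and `policy` are hypothetical names.
function decide(policy, docChain, scriptOrigin) {
  const { whitelist, untrusted, prefs } = policy;
  const top = docChain[0];                    // top-level document
  const doc = docChain[docChain.length - 1];  // document loading the script
  // "In either case" untrusted/blacklisted origins stay blocked.
  if (untrusted.has(scriptOrigin) || untrusted.has(doc)) {
    return { allowed: false, reason: "untrusted origin" };
  }
  if (prefs.cascadePermissions) {
    // Whole page follows the top-level origin; third parties are implicitly
    // allowed and never added to the whitelist. Assumption: cascade wins
    // when both prefs are true (the thread does not cover that case).
    return whitelist.has(top)
      ? { allowed: true, reason: "cascaded from top-level" }
      : { allowed: false, reason: "top-level not whitelisted" };
  }
  if (prefs.restrictSubdocScripting && docChain.length > 1) {
    // A frame is judged by its immediate parent, as the thread words it.
    if (!whitelist.has(docChain[docChain.length - 2])) {
      return { allowed: false, reason: "parent not whitelisted" };
    }
  }
  // Both prefs false: document and script are each judged by their own origin.
  return whitelist.has(doc) && whitelist.has(scriptOrigin)
    ? { allowed: true, reason: "own origin whitelisted" }
    : { allowed: false, reason: "origin not whitelisted" };
}
// Constructed sample data, following therube's embedded-video scenario.
function demo() {
  const untrusted = new Set(["tracker.example"]);
  const videoOnly = new Set(["youtube.com", "ytimg.com"]);
  const topOnly = new Set(["cheezburger.com"]);
  const page = ["cheezburger.com", "youtube.com"]; // top-level page, then frame
  const ask = (whitelist, prefs, chain, script) =>
    decide({ whitelist, untrusted, prefs }, chain, script).allowed;
  const restrict = { restrictSubdocScripting: true };
  const cascade = { cascadePermissions: true };
  return {
    defaults: ask(videoOnly, {}, page, "ytimg.com"),
    restricted: ask(videoOnly, restrict, page, "ytimg.com"),
    parentAllowed: ask(new Set([...videoOnly, ...topOnly]), restrict, page, "ytimg.com"),
    cascaded: ask(topOnly, cascade, page, "ytimg.com"),
    otherTab: ask(topOnly, cascade, ["other.example"], "ytimg.com"),
    cascadedUntrusted: ask(topOnly, cascade, page, "tracker.example"),
  };
}
console.log(demo());
```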

Re: help understanding changelog

Post by Hannibal »

Loud and clear, thanks again !

Re: help understanding changelog

Post by Giorgio Maone »

Thrawn wrote:
barbaz wrote: Scary :shock: :o
I agree - but often requested.
By people who should be careful what they wish for, nevertheless (link courtesy of Grumpy Old Lady).
As I said, this feature has been asked for by the TOR project, but this doesn't mean I support it "ideologically" at all, and in fact it won't be enabled by default.

Re: help understanding changelog

Post by barbaz »

It's probably worth saying that restrictSubdocScripting won't do anything in Gecko < 28. I got quite a surprise in Pale Moon (based on Gecko 24) when frames were running scripts despite the pref set to true and the parent site not whitelisted.

Re: help understanding changelog

Post by Thrawn »

By the way, I can think of a sensible use case for cascading permissions: if you also use RequestPolicy.