2.6.8.39 has stopped allowing top-level sites by default
NoScript 2.6.8.39 has stopped allowing top-level sites by default. I was using 2.6.8.36, and when I updated to 2.6.8.39 I noticed the issue. Reverted back to 2.6.8.36 and it was okay again. It does it on XP and Vista with Firefox 31.
I tried resetting the Options and configuring again but it didn't help.
Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: 2.6.8.39 has stopped allowing top-level sites by default
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Re: 2.6.8.39 has stopped allowing top-level sites by default
Okay, I tried the developmental build on a clean profile and here's what happens. For example, if I open the main forum page, viewforum.php?f=3, the first time it loads NoScript doesn't allow it. If I refresh the page, then it does. Once I've refreshed the page, then all subsequent links opened from that page are allowed. I suppose because informaction.com is now temporarily allowed. Something about refreshing the page makes it work.
I tried 3.6.8.39 on my normal profile and it behaves the same way. Refreshing activates "temporarily allow." It doesn't matter if I open a page from a bookmark or enter it directly, it does the same thing.
Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0
Re: 2.6.8.39 has stopped allowing top-level sites by default
WaltR wrote: For example, if I open the main forum page, viewforum.php?f=3, the first time it loads NoScript doesn't allow it
This may not make any difference, but are you loading it directly or via the redirect at http://noscript.net/forum?
Does it show up in NoScript Options -> Whitelist before you reload the page?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 SeaMonkey/2.28
Re: 2.6.8.39 has stopped allowing top-level sites by default
I found what's causing it. It's "Cascade top document's permissions to 3rd party scripts." If it's checked, the top-level sites aren't temporarily allowed by default. I normally have it enabled and it's never caused a problem before now. If I uncheck it, top-level sites are again allowed. I tried it several times and every time it did the same thing.
If I add a site manually to the whitelist and allow it, then "Cascade top document's permissions" works fine.
Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0
- Giorgio Maone
- Site Admin
Re: 2.6.8.39 has stopped allowing top-level sites by default
WaltR wrote: I found what's causing it. It's "Cascade top document's permissions to 3rd party scripts." If it's checked, the top-level sites aren't temporarily allowed by default. I normally have it enabled and it's never caused a problem before now. If I uncheck it, top-level sites are again allowed. I tried it several times and every time it did the same thing.
Ah, that makes sense.
It's mostly accidental, but probably for the good: in fact, these settings combined are almost equivalent to "Allow scripts globally", but with far fewer warning hints in the UI.
What I should actually do is make it self-evident in the Options window that the two are incompatible.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Re: 2.6.8.39 has stopped allowing top-level sites by default
Does it have to be either or?
The way it was previously was safe and not like allow globally. With "cascade" enabled it didn't cascade the temporarily allowed ones, just the whitelisted ones. I only have a few whitelisted ones that are allowed globally while the rest are partially blocked.
Mozilla/5.0 (Windows NT 6.0; rv:31.0) Gecko/20100101 Firefox/31.0
Re: 2.6.8.39 has stopped allowing top-level sites by default
Wait, I take it back. It does cascade even the temporarily allowed ones so it's basically like allowing globally. Sorry to waste everyone's time.
A feature so it only cascades the whitelisted ones you enter manually and allow would be a good idea, no?

Mozilla/5.0 (Windows NT 6.0; rv:31.0) Gecko/20100101 Firefox/31.0
Re: 2.6.8.39 has stopped allowing top-level sites by default
WaltR wrote: A feature so it only cascades the whitelisted ones you enter manually and allow would be a good idea, no?
The thing is, when you enable 'Temporarily allow top-level sites by default', those sites are treated exactly as if you *had* allowed them manually. They're added to your temporary whitelist, and once there, they don't look any different.
Theoretically I guess it would be possible to cascade only permanent permissions, not temporary ones? But there isn't normally such a significant difference between the behavior of the two, and I don't like the idea that you set up temporary permissions for a site, find that it works, set 'Make Page Permissions Permanent' - and suddenly a whole raft of extra sites are cascaded.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0
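An added example, not part of the original thread and not NoScript's code: a simplified model of the interaction described in the posts above, showing why "Temporarily allow top-level sites by default" combined with cascading lets every script on every visited page run, and what the "cascade only permanent permissions" idea does after "Make Page Permissions Permanent". The option names (`autoAllowTopLevel`, `cascade`, `cascadePermanentOnly`) and the `*.example` sites are assumptions made for illustration.

```javascript
// Simplified model of the options discussed in this thread (not NoScript's code).
// Option names and the *.example sites are constructed for illustration.
function makePolicy(opts, permanent = []) {
  const perm = new Set(permanent);   // permanent whitelist
  const temp = new Set();            // temporary whitelist
  const trusted = (site) => perm.has(site) || temp.has(site);
  return {
    // Models "Make Page Permissions Permanent": temporary entries become permanent.
    makePermanent() { temp.forEach((s) => perm.add(s)); temp.clear(); },
    // Returns the script origins that would be allowed to run on this page load.
    load(topSite, scriptSites) {
      // Auto-allow puts the visited site on the temporary whitelist,
      // where it looks the same as a manual temporary allow.
      if (opts.autoAllowTopLevel && !trusted(topSite)) temp.add(topSite);
      // Cascading: a trusted top-level document passes its permission
      // to every script it includes, whatever the script's origin.
      const cascades = Boolean(opts.cascade) &&
        (opts.cascadePermanentOnly ? perm.has(topSite) : trusted(topSite));
      return scriptSites.filter((s) => cascades || trusted(s));
    },
  };
}

// Constructed page: first-party script plus two third-party origins.
const PAGE = ["news.example", "cdn.example", "tracker.example"];

function runScenarios() {
  const out = {};
  out.autoOnly = makePolicy({ autoAllowTopLevel: true }).load("news.example", PAGE);
  out.cascadeOnly = makePolicy({ cascade: true }, ["bank.example"]).load("news.example", PAGE);
  // Both options on: every visited site is trusted, so everything cascades.
  out.both = makePolicy({ autoAllowTopLevel: true, cascade: true }).load("news.example", PAGE);
  // Hypothetical "cascade permanent permissions only" variant.
  const p = makePolicy({ autoAllowTopLevel: true, cascade: true, cascadePermanentOnly: true });
  out.permOnlyBefore = p.load("news.example", PAGE);
  p.makePermanent();                 // third parties start cascading from here
  out.permOnlyAfter = p.load("news.example", PAGE);
  return out;
}

console.log(runScenarios());
```
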
Re: 2.6.8.39 has stopped allowing top-level sites by default
I was thinking along the lines of an additional option that would allow a person to cascade permanent permissions if they wanted to. If it was enabled it would cascade permanent permissions only. It could be enabled or disabled however the user wanted. I've got a few sites permanently whitelisted, and some of them need 3rd-party scripts to work. These are sites I trust (as far as any site can be trusted these days), so cascading is a lot easier than trial and error and guessing what scripts need to be allowed.
Or another way to go might be to make cascading possible on a per site basis. For example, I've got sites X, Y, and Z permanently whitelisted, and I only want to cascade X and Z. There could be an option in the whitelist dialog where you could select a site then enable cascading on it.
I love NoScript just like it is, I was just thinking an additional option would be good, if it's not a big hassle to do.
Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0
Re: 2.6.8.39 has stopped allowing top-level sites by default
That sounds like it would be really confusing, and the people who use cascading permissions are generally less knowledgeable about the dangers of the Internet than those who don't.
WaltR wrote: cascade permanent permissions only. It could be enabled or disabled however the user wanted. I've got a few sites permanently whitelisted, and some of them need 3rd-party scripts to work. These are sites I trust (as far as any site can be trusted these days), so
So do you trust those 3rd parties no matter who they are and even if the list of those 3rd parties changes without notice to you?
Why not whitelist only those 3rd parties you choose to trust on the site, then use ABE to emulate per-site permissions? That would be much safer; the advantages include that unknown 3rd-parties couldn't run scripts without you vetting them first, and if the site you trust got hacked, 3rd-party scripts from malicious sites would be blocked.
IOW what you're suggesting would mean when you add a site to your permanent whitelist, you can't ever be 100% sure of what you're allowing, in such a way that you would have a false sense of security. And that is exactly what NoScript should NEVER do, because on the Internet, a false sense of security is more dangerous than no sense of security at all.
WaltR wrote: Or another way to go might be to make cascading possible on a per site basis. For example, I've got sites X,Y, and Z permanently whitelisted, and I only want to cascade X and Z.
You can already do that. For each site called by Y, do
NoScript menu -> Untrusted -> Mark (site that Y calls) as Untrusted
WaltR wrote: There could be an option in the whitelist dialog where you could select a site then enable cascading on it.
See above why that's a bad idea.
I audit my config from time to time, and I wouldn't want to have to scroll through every single whitelist entry to make sure cascading (and thus the dangers described above) is completely disabled. Please let's keep it to one checkbox/pref.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 SeaMonkey/2.28
Re: 2.6.8.39 has stopped allowing top-level sites by default
ABE is way more complicated than I care to get involved with.
When you talk about trusting or not trusting 3rd party scripts, who knows whether you can trust any of them or not anyway? When you look at the list of scripts that are being blocked, you could spend the rest of your life trying to figure out what they are, and then try to figure out if you can trust it or not. When there's a site I depend on to work and the only way to make it work is either allow globally or cascade, I'm gonna do it. The only other option is to uninstall NoScript or quit the internet altogether.
Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0
Re: 2.6.8.39 has stopped allowing top-level sites by default
WaltR wrote: When you talk about trusting or not trusting 3rd party scripts, who knows whether you can trust any of them or not anyway?
If you don't know, you can middle-click the site's entry in the NS menu, and that will give you a page which links to information that might help you decide.
WaltR wrote: When there's a site I depend on to work and the only way to make it work is either allow globally or cascade, I'm gonna do it.
A somewhat safer, but still not too time-consuming, option would be to click "Temporarily allow all this page" repeatedly until you've allowed all the cascading scripts; then click "Make page permissions permanent" if you want to add those permissions to your whitelist. If you run into a situation where that doesn't work, but Allow Scripts Globally and/or cascading permissions does, please report it here because you would most likely have found a bug in NoScript.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 SeaMonkey/2.28
Re: 2.6.8.39 has stopped allowing top-level sites by default
WaltR wrote: When there's a site I depend on to work and the only way to make it work is either allow globally or cascade, I'm gonna do it.
Not to put too fine a point on it, but it doesn't sound like you're paranoid enough to need per-site cascading. If you don't have the patience to check each site, then why not just cascade them all?
======
Thrawn
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0