NoScript More Aggressive?
NoScript More Aggressive?
FF vn 3.0.1.1
NS vn 1.9.9.3
Win XP sp2
I am not trying to start a fight. I use and value NoScript.
But since the last couple of updates, I am finding that NS has become quite aggressive, unless something else has happened to my setup. I do not _think_ that is the case.
Probably the most noticeable thing is that I use google advanced search as my home page. If I have NS in control of that, I lose info, and the cursor does not automatically show up in the search text box. NS off, and everything is fine. I think NS actually interfered with _this_ site until I turned it off. I have it temporary allow for this site right now.
I am finding myself having to temporarily allow (or for Google Search permanently) more and more pages to let me press buttons, enter text etc. It would seem strange to me that the Web has suddenly taken on a new form that has changed so many sites.
I am asking the question, but also asking if there is any setting on FF that may be interfering with NS.
Thanks for any help and advice
Nick
NS vn 1.9.9.3
Win XP sp2
I am not trying to start a fight. I use and value NoScript.
But since the last couple of updates, I am finding that NS has become quite aggressive, unless something else has happened to my setup. I do not _think_ that is the case.
Probably the most noticeable thing is that I use google advanced search as my home page. If I have NS in control of that, I lose info, and the cursor does not automatically show up in the search text box. NS off, and everything is fine. I think NS actually interfered with _this_ site until I turned it off. I have it temporary allow for this site right now.
I am finding myself having to temporarily allow (or for Google Search permanently) more and more pages to let me press buttons, enter text etc. It would seem strange to me that the Web has suddenly taken on a new form that has changed so many sites.
I am asking the question, but also asking if there is any setting on FF that may be interfering with NS.
Thanks for any help and advice
Nick
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Re: NoScript More Aggressive?
I'd try a #1 (a Reset), General troubleshooting: missing icons/menus, etc..
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090617 SeaMonkey/2.0b1pre
Re: NoScript More Aggressive?
That would be a typo, as the third decimal is still "3" or "4" or "5".OldNick wrote:FF vn 3.0.1.1
NS vn 1.9.9.3
It sounds as though you are running the previous stable release, 1.9.3.3.
It can't hurt to try the latest stable release, 1.9.5 (which includes other long-awaited enhancements; won't discuss here). There have been many bugs fixed since 1.9.3.3; please give the latest version a try and let us know if it helps. Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: NoScript More Aggressive?
OK. Thanks I have already tried that. I tried the other stuff up to rebuilding a profile, but not including. So far no luck.
Nick
Nick
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: NoScript More Aggressive?
do you mean "if google.com and google.co.uk are forbidden"?OldNick wrote: If I have NS in control of that
If they're not allowed, there's no wonder autofocus doesn't work, since it's a JavaScript function.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
Re: NoScript More Aggressive?
As far as I know they are not forbidden. I have now completely recreated the Mozilla profile to a new folder, and NoScript still stops Google search from working, unless I actually allow it. I find I am simply allowing just about every site.
And please do not "No wonder" me. It may not be a wonder to you, but the behaviour of NS has changed on the last short time.
Nick
And please do not "No wonder" me. It may not be a wonder to you, but the behaviour of NS has changed on the last short time.
Nick
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Re: NoScript More Aggressive?
URL of your home page?
>the cursor does not automatically show up in the search text box
Again that points to JavaScript being disabled.
>more and more pages to let me press buttons
URLs where this occurs? Again, these buttons may rely on JavaScript to operate.
You have done a Reset?
>NoScript still stops Google search from working
In what way? Only in positioning the cursor? Or are no results returned?
>the cursor does not automatically show up in the search text box
Again that points to JavaScript being disabled.
>more and more pages to let me press buttons
URLs where this occurs? Again, these buttons may rely on JavaScript to operate.
You have done a Reset?
>NoScript still stops Google search from working
In what way? Only in positioning the cursor? Or are no results returned?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090627 SeaMonkey/2.0b1pre
Re: NoScript More Aggressive?
Like the originator of this thread I, too, have noticed that NoScript is more intrusive and less accommodating than I remember it being in the past. I came to this forum for that very reason. I am using 1.9.5 as of yesterday. Prior to that I was using 1.9.3 as I recall. I have what I believe is the latest version of FireFox.
I will give two examples. I tried to get a printable version of an article at the Wall Street Journal. NoScript, of course, jumped into the fray. I selected Allow All Scripts on this Page. The screen refreshed but didn't give me the printable version. I had to click on Allow All Scripts three separate times to finally get the printable version to display.
Another example, I voted on a movie at IMDB. After doing so the screen refreshed with almost no content. I selected Allow All Scripts This Page and the screen refreshed but with only a tiny bit more information. After several iterations I gave up and just searched for another title.
I seem to recall that when I clicked on Allow All Scripts This Page in the past, it did exactly that. I have been recommending NoScript to novice users but I can no longer do so because they would be completely confused by this behavior. I hope this is a temporary aberration.
I will give two examples. I tried to get a printable version of an article at the Wall Street Journal. NoScript, of course, jumped into the fray. I selected Allow All Scripts on this Page. The screen refreshed but didn't give me the printable version. I had to click on Allow All Scripts three separate times to finally get the printable version to display.
Another example, I voted on a movie at IMDB. After doing so the screen refreshed with almost no content. I selected Allow All Scripts This Page and the screen refreshed but with only a tiny bit more information. After several iterations I gave up and just searched for another title.
I seem to recall that when I clicked on Allow All Scripts This Page in the past, it did exactly that. I have been recommending NoScript to novice users but I can no longer do so because they would be completely confused by this behavior. I hope this is a temporary aberration.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: NoScript More Aggressive?
What you're describing is not NoScript becoming more aggressive, but those sites becoming more obtrusive with scripts including other scripts including other scripts ad libitum.Cambot wrote: I had to click on Allow All Scripts three separate times to finally get the printable version to display. [...]
I selected Allow All Scripts This Page and the screen refreshed but with only a tiny bit more information. [...]
I seem to recall that when I clicked on Allow All Scripts This Page in the past, it did exactly that.
"Allow all script in this page" has this contract: NoScript will allow all the scripts currently visible in the page, i.e. those shown in the menu.
If other scripts are not currently present but will be included by the scripts you're going to execute, there's no way for NoScript to "foresee" them (until you execute the first batch of scripts).
On the other hand, changing NoScript's behavior to "Allow all the scripts, present and future, included by this page" would be stupid from a security point of view, since a very common form of infection nowadays comes from "legitimate" sites which are injected with 3rd party malicious scripts, usually coming from Chinese or Russian domains. While "Allow all scripts" keeps behaving like it does today, you've got a chance to catch "suspect" domains in the list before allowing them, at the (comparatively small) price of reiterating the allow action on particularly moronic sites with mindless matrioska-like script nesting schemes.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: NoScript More Aggressive?
I was about to express that myself but Giorgio very eloquently already beat me to it. The fact is that NoScript is a security tool, not a convenience tool and as is often the case with ANY security tool, it requires a bit of proactive and intentional action and interaction on the part of the user. Any security solution that you set and forget will inevitably fail you and make you regret you weren't more involved because it makes assumptions and decisions on your behalf that can undoubtedly be defeated since the human decision making element is removed. The behavior you are describing might as well be "Allow Scripts Globally" if there is no need to ACTUALLY know what you are allowing.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Re: NoScript More Aggressive?
I completely understand your point and agree that it this the more responsible and more secure way to go, but IMHO you are missing the key point: Temporarily allow all this page is a user's way of saying "I give up on being secure, just make this page display properly." When you define Temporarily allow all this page this way, all of the recent posts about Temporarily allow all this page not working 100% and requiring multiple uses to work make sense.Giorgio Maone wrote: "Allow all script in this page" has this contract: NoScript will allow all the scripts currently visible in the page, i.e. those shown in the menu.
If other scripts are not currently present but will be included by the scripts you're going to execute, there's no way for NoScript to "foresee" them (until you execute the first batch of scripts).
On the other hand, changing NoScript's behavior to "Allow all the scripts, present and future, included by this page" would be stupid from a security point of view, since a very common form of infection nowadays comes from "legitimate" sites which are injected with 3rd party malicious scripts, usually coming from Chinese or Russian domains.
From a use case point of view, I can't see any reason why you'd want to allow the current scripts and, upon a reload that revealed more scripts, would also *not* want to load those. And even if there was a reason to load some "waves" of scripts but not others, how would I know when to stop loading?
As I said, I agree that the current implementation is more secure. And I can't speak about the prevalence of the attacks you mentioned. However, because users are using Temporarily allow all this page as a "give up" and I don't see any viable use case for the current implementation, IMHO, Temporarily allow all this page should be changed to "Allow all the scripts, present and future, included by this page". If you think there is a meaningful amount of risk in making this change, add "(dangerous)" after Temporarily allow all this page like you have done with Allow Scripts Globally.
-Foam
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
Re: NoScript More Aggressive?
I've had this happen to me. Upon allowing one script, when the page reloads, *the color change in the icon* alerts you that the new page is trying to load more scripts that weren't in the first one. This *gives you a chance to vet these new scripts* before allow.Foam Head wrote:I completely understand your point and agree that it this the more responsible and more secure way to go, but IMHO you are missing the key point: Temporarily allow all this page is a user's way of saying "I give up on being secure, just make this page display properly." When you define Temporarily allow all this page this way, all of the recent posts about Temporarily allow all this page not working 100% and requiring multiple uses to work make sense.Giorgio Maone wrote: "Allow all script in this page" has this contract: NoScript will allow all the scripts currently visible in the page, i.e. those shown in the menu.
If other scripts are not currently present but will be included by the scripts you're going to execute, there's no way for NoScript to "foresee" them (until you execute the first batch of scripts).
On the other hand, changing NoScript's behavior to "Allow all the scripts, present and future, included by this page" would be stupid from a security point of view, since a very common form of infection nowadays comes from "legitimate" sites which are injected with 3rd party malicious scripts, usually coming from Chinese or Russian domains.
From a use case point of view, I can't see any reason why you'd want to allow the current scripts and, upon a reload that revealed more scripts, would also *not* want to load those. And even if there was a reason to load some "waves" of scripts but not others, how would I know when to stop loading?
<snip>
-Foam
Some users may regard TAATP as a "give up". To me, and maybe to others, it means, "I've seen all the domains trying to load scripts on this page, and they're all acceptable to me". When the situation changes, I appreciate the opportunity to re-assess.
"Security is the opposite of convenience". If everyone were honest, you wouldn't go around with that key chain (or whatever) in your pocket. There would be no need for locks on your house, car, bicycle, etc. It would be much more convenient (plus you wouldn't forget where you left your keys, like hare-brain here ). Unfortunately, there are dishonest people in the world; hence the locks and keys, and hence the "locks" on your browswer, and the "keys" of w/l, allow, TA, etc. (My, we're in a metaphorical mood today! ) NS is for security. Giorgio cites a real-world threat. I don't know the "percent" of occurrence -- no one has exact figures. Conficker: 2 million? 12 million? ... but random surveys/audits have shown 80-90 % of home PCs have *some* form of malware.
Preventing the possibility of a legitimate site infected with a 3rd-party malicious script bot-netting your machine, etc., is worth a few extra clicks - else why run NS?
You stop loading when the function you want is working properly, and you stop loading when you see scripts from domains that you don't trust -- or even that you don't need. This gets into "what is a trusted site?", but you're way above that level, Foam..... how would I know when to stop loading?
I wish sites wouldn't do this multi-layer loading, but they do; the web keeps getting more and more complex, usually for no good purpose; and Giorgio responded appropriately. The ire should be directed at the attacker (overly-complex and unsecurely-coded sites), not at the defender.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: NoScript More Aggressive?
I don't necessarily notice the icon, but I do realize whether the page works as expected or not.when the page reloads, *the color change in the icon* alerts you that the new page is trying to load more scripts that weren't in the first one. This *gives you a chance to vet these new scripts* before allow.
Agreed. The first go-around, at least I have acknowledged what was on the list. Might not have any clue what it means, but I've seen it, & decided to go ahead in any case. Now after that, if another 12 domains would pop in & those too would automatically be allowed, no way that I would want that."I've seen all the domains trying to load scripts on this page, and they're all acceptable to me". When the situation changes, I appreciate the opportunity to re-assess.
Yep, I've run into a case or two that had me reaching for that Give UP! button.give up
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090705 SeaMonkey/2.0b1pre
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: NoScript More Aggressive?
I don't use it that way. I use it the same way Tom T. and therube do. I do not want it to be changed.Foam Head wrote:However, because users are using Temporarily allow all this page as a "give up" and I don't see any viable use case for the current implementation
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
-
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: NoScript More Aggressive?
It's a pile on, but here's my 2c for the record
Quoth therube
Edit: removing suggestion of personal details.
Quoth therube
Same here, and if a page then wants to pull another babushka doll out of that one, I give up on the service, or whomever and take my eyes and/or my business somewhere else - and mostly this decision is not for security (since I could always research it, couldn't I) but for the time-waste these webmasters create for people with even half a brain.I don't necessarily notice the icon, but I do realize whether the page works as expected or not. [...]Agreed. The first go-around, at least I have acknowledged what was on the list. Might not have any clue what it means, but I've seen it, & decided to go ahead in any case.
Edit: removing suggestion of personal details.
Last edited by Grumpy Old Lady on Tue Oct 20, 2009 8:13 am, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1) Gecko/20090624 Firefox/3.5