A Toggle to Completely Disable All Protections

[ReporterX]

I have Adblock Plus, NoScript and Referer Control.
Sometimes a website gets broken and I need to find out which is the culprit.
I disable one by one, but NoScript is cunning and often deceives me.
There are several parts which could break the site, but there is no way to disable them in one click.

1. Untrusted sites - I expect those sites in untrusted list should be allowed when you select "allow scripts globally", but they still work which is confusing, so you have to remove the site one by one to find the culprit.
2. Secure Cookies Management
3. ABE

I would like to have a button to toggle NoScript on and off.

[barbaz]

Moving to NoScript Development because it's an RFE.

So why isn't "Tools > Add-ons Manager > NoScript > Disable > Yes, remove ALL protections" good enough here?

[Thrawn]

1. Untrusted sites - I expect those sites in untrusted list should be allowed when you select "allow scripts globally", but they still work which is confusing, so you have to remove the site one by one to find the culprit.

Actually it's a useful feature: it allows you to put NoScript into a default-allow mode, while still being able to block things that you're sure you don't want (like advertisers). Not that I use it myself, but it does mean that the competing YesScript addon is redundant.

NoScript already blocks things by default. Marking them as untrusted is signalling to NoScript, "I'm sure that I will never ever want to whitelist this site, so don't even bother showing me the option again" (although it still appears in a submenu). So keeping it blocked, even in global allow mode, makes sense. If you really want to disable absolutely everything that NoScript does - just disable the extension.

[ReporterX]

Moving to NoScript Development because it's an RFE.

So why isn't "Tools > Add-ons Manager > NoScript > Disable > Yes, remove ALL protections" good enough here?

I have to restart Firefox which sometimes I don't want to.
This is also some of my clients told me.
Since they have to restart every time they find a site gets broken by Noscript and they don't have time to troubleshoot at that moment, some finally decided to remove NoScript. How sad. NoScript needs to be more user-friendly.

[ReporterX]

1. Untrusted sites - I expect those sites in untrusted list should be allowed when you select "allow scripts globally", but they still work which is confusing, so you have to remove the site one by one to find the culprit.

Actually it's a useful feature: it allows you to put NoScript into a default-allow mode, while still being able to block things that you're sure you don't want (like advertisers). Not that I use it myself, but it does mean that the competing YesScript addon is redundant.

NoScript already blocks things by default. Marking them as untrusted is signalling to NoScript, "I'm sure that I will never ever want to whitelist this site, so don't even bother showing me the option again" (although it still appears in a submenu). So keeping it blocked, even in global allow mode, makes sense. If you really want to disable absolutely everything that NoScript does - just disable the extension.

Yep, but sometimes it turns out the site needs you to load the advertiser/tracker domain or the site (or some functions) will be broken.
Not that I want to trust them, but they force me to load them.

The wording is still kinda misleading to me, because it says "Allow scripts globally". I don't know this also excludes the untrusted list. I believe most people get it wrong too. In this case, changing it into "Allow scripts globally (except untrusted)" would be clearer.

That's also what I hear why some people abandon Noscript - too much hassle.
At one time I thought Firefox profile was corrupt because it complained a video couldn't be loaded, but I could load it in another browser.
And I searched on the Internet and tried different solutions in vain.
It wasted me several hours before I realized the untrusted site might be the culprit. I tried it and bingo!
If they are busy, they couldn't bother spending so much time to troubleshoot.

A fast way to toggle NoScript on and off is preferred.
It helps the average Joe to stay with NoScript.

[barbaz]

I have to restart Firefox which sometimes I don't want to.

I think that NoScript 3 will be restartless, but not sure.

Yep, but sometimes it turns out the site needs you to load the advertiser/tracker domain or the site (or some functions) will be broken.
Not that I want to trust them, but they force me to load them.

Then ask for a surrogate script. May or may not be reasonable to surrogate these things.. but usually it is.

That's also what I hear why some people abandon Noscript - too much hassle.
At one time I thought Firefox profile was corrupt because it complained a video couldn't be loaded, but I could load it in another browser.
And I searched on the Internet and tried different solutions in vain.
It wasted me several hours before I realized the untrusted site might be the culprit. I tried it and bingo!
If they are busy, they couldn't bother spending so much time to troubleshoot.

Yeah, NoScript isn't for everyone. But again, depending what the untrusted site is it might be surrogate-able.

A fast way to toggle NoScript on and off is preferred.
It helps the average Joe to stay with NoScript.

Curious, how many other security software has its own internal "on/off" switch like that?

[ReporterX]

Yep, but sometimes it turns out the site needs you to load the advertiser/tracker domain or the site (or some functions) will be broken.
Not that I want to trust them, but they force me to load them.

Then ask for a surrogate script. May or may not be reasonable to surrogate these things.. but usually it is.

Well, for example, 2mdn.net
I need to allow it to load in some news sites (e.g. news.now.com). I use ABE to restrict it though.
For others I simply tell them to whitelist it.

A fast way to toggle NoScript on and off is preferred.
It helps the average Joe to stay with NoScript.

Curious, how many other security software has its own internal "on/off" switch like that?

All others that I know - Greasemonkey, Stylish, Adblock Plus, Referrer Control
I can switch it on/off completely with one click.
For example, you middle click Adblock Plus to completely disable all filters.

Imagine you have several filters, but you need to switch it off one by one. There is no "Switch them all off" function. How annoying.
This is the case of NoScript.

[barbaz]

Well, for example, 2mdn.net
I need to allow it to load in some news sites (e.g. news.now.com).

If it doesn't require login, exact URL please, what exactly is broken, and what is the full list of sites you must Allow to get it working?

All others that I know - Greasemonkey, Stylish, Adblock Plus, Referrer Control
I can switch it on/off completely with one click.
For example, you middle click Adblock Plus to completely disable all filters.

None of those are security software - ABP is an annoyance removal tool (which can double as a convenient reference), Referer Control is privacy software, Stylish is a user style engine, and Greasemonkey is a user script engine.
Disabling any of those entirely does not affect the user's security.

I meant more generically than browser addons. For example, do you know of any antivirus software where you can disable its background protection features without exiting its processes or uninstalling it?

[Thrawn]

This is also some of my clients told me.
Since they have to restart every time they find a site gets broken by Noscript and they don't have time to troubleshoot at that moment, some finally decided to remove NoScript. How sad. NoScript needs to be more user-friendly.

Er...if they are *completely disabling* NoScript every time they encounter a site that doesn't "just work", then they are not using NoScript properly at all. And it sounds like they should probably be running in Scripts Globally Allowed mode all the time, because at least that way they're protected from XSS and clickjacking. Or perhaps the 'Cascade permissions' mode, which my wife uses. And they probably shouldn't bother with the Untrusted menu.

IMHO, NoScript is about as user-friendly as a security tool for controlling JavaScript permissions can be. If people are disabling it, then obviously they disagree, or else "a security tool for controlling JavaScript permissions" is not what they really want - but an easier way to disable it will not solve their real problem. Specific examples of sites that are broken, so we can fix them (eg with surrogates, or XSS filter improvements), are welcome.

[ReporterX]

Sorry for late reply.

Well, for example, 2mdn.net
I need to allow it to load in some news sites (e.g. news.now.com).

If it doesn't require login, exact URL please, what exactly is broken, and what is the full list of sites you must Allow to get it working?

Any news, for example http://news.now.com/home/local/player?newsId=135631

With 2mdn.net being untrusted


You can't play the video.
The list of news does not display.

All others that I know - Greasemonkey, Stylish, Adblock Plus, Referrer Control
I can switch it on/off completely with one click.
For example, you middle click Adblock Plus to completely disable all filters.

None of those are security software - ABP is an annoyance removal tool (which can double as a convenient reference), Referer Control is privacy software, Stylish is a user style engine, and Greasemonkey is a user script engine.
Disabling any of those entirely does not affect the user's security.

Well ABP can be used as part of a security tool, although it is not its main purpose.
There are filters specifically for this purpose.

Gresemonkey can be used for security purposes too. It depends on what your script does.

I meant more generically than browser addons. For example, do you know of any antivirus software where you can disable its background protection features without exiting its processes or uninstalling it?

Some of them do provide such feature. You can disable the background protection in one click, for example Avira and Comodo AntiVirus.

[ReporterX]

This is also some of my clients told me.
Since they have to restart every time they find a site gets broken by Noscript and they don't have time to troubleshoot at that moment, some finally decided to remove NoScript. How sad. NoScript needs to be more user-friendly.

Er...if they are *completely disabling* NoScript every time they encounter a site that doesn't "just work", then they are not using NoScript properly at all. And it sounds like they should probably be running in Scripts Globally Allowed mode all the time, because at least that way they're protected from XSS and clickjacking. Or perhaps the 'Cascade permissions' mode, which my wife uses. And they probably shouldn't bother with the Untrusted menu.

IMHO, NoScript is about as user-friendly as a security tool for controlling JavaScript permissions can be. If people are disabling it, then obviously they disagree, or else "a security tool for controlling JavaScript permissions" is not what they really want - but an easier way to disable it will not solve their real problem. Specific examples of sites that are broken, so we can fix them (eg with surrogates, or XSS filter improvements), are welcome.

Running in Scripts Globally Allowed mode does not help. As the above post said, it can still break the site.
Also the name does not make it clear that untrusted scripts are still blocked in this mode.
I hope there is a way to "really" allow all scripts.

You may say they don't know how to use it properly, but it does not help the situation.
Just like the conventional firewalls, there were too many popups in the past and the users simply allow everything.
Either you change your product design to fit the users needs, or you can keep blaming the users on not using the software properly.

[barbaz]

Any news, for example http://news.now.com/home/local/player?newsId=135631

With 2mdn.net being untrusted
Image

You can't play the video.
The list of news does not display.

OK, and what is the full list of sites you must Allow for it to work? 2mdn is one, and the main site is presumably another... what else (if anything) have you got Allowed?

Well ABP can be used as part of a security tool,

Not for its request blocking it can't: https://issues.adblockplus.org/ticket/549
You can't protect yourself with software that whether it works or not is a lottery.

You can disable the background protection in one click, for example Avira and Comodo AntiVirus.

Interesting. This might be worth doing then.

If this will be implemented I'd vote for an about:config-only toggle of "disable everything but ABE", with a warning when it's used - then:
- your clients won't do that willy-nilly, but you can recommend them to do it if they are in a hurry and want to troubleshoot more later
- if the user toggles that and it doesn't work, they know to look in the Browser Console (Ctrl-Shift-J) and if they don't know what to do next, they know to ask for ABE help; and OTOH, they still have _some_ protection left
- user can then just un-check NoScript Options > Advanced > ABE > Enable ABE to fully disable everything. The toggle should remind to enable ABE again if ABE is disabled at the time this toggle is used to turn NoScript on.

Running in Scripts Globally Allowed mode does not help. As the above post said, it can still break the site.
Also the name does not make it clear that untrusted scripts are still blocked in this mode.
I hope there is a way to "really" allow all scripts.

You may say they don't know how to use it properly, but it does not help the situation.
Just like the conventional firewalls, there were too many popups in the past and the users simply allow everything.
Either you change your product design to fit the users needs, or you can keep blaming the users on not using the software properly.

People don't browse in Safe Mode every time a website doesn't work in Firefox, do they?

Again, the one example you provided, you also can provide enough information to try to come up with a surrogate.

But again, if this "master toggle" is hidden in about:config and used only for diagnostics, it could be worth doing.

[therube]

The video at http://news.now.com/home/local/player?newsId=135631 does not look to work at all, in Mozilla, regardless of any extensions?

Code: Select all

Error: Error: Bootstrap requires jQuery
Source File: http://widgets.compargo.com/assets/js/bootstrap.js
Line: 9

Code: Select all

Error: ReferenceError: jQuery is not defined
Source File: http://widgets.compargo.com/assets/js/jquery.metadata.js
Line: 122

(It does play in some old version of Chrome.)

[ReporterX]

Any news, for example http://news.now.com/home/local/player?newsId=135631

With 2mdn.net being untrusted
Image

You can't play the video.
The list of news does not display.

OK, and what is the full list of sites you must Allow for it to work? 2mdn is one, and the main site is presumably another... what else (if anything) have you got Allowed?

Only the main site and 2mdn.

Well ABP can be used as part of a security tool,

Not for its request blocking it can't: https://issues.adblockplus.org/ticket/549
You can't protect yourself with software that whether it works or not is a lottery.

I see. According to the description, it states ABP aims to improve privacy and security and the way you view the web. Security is one of the goals aimed by the developer.

You can disable the background protection in one click, for example Avira and Comodo AntiVirus.

Interesting. This might be worth doing then.

If this will be implemented I'd vote for an about:config-only toggle of "disable everything but ABE", with a warning when it's used - then:
- your clients won't do that willy-nilly, but you can recommend them to do it if they are in a hurry and want to troubleshoot more later
- if the user toggles that and it doesn't work, they know to look in the Browser Console (Ctrl-Shift-J) and if they don't know what to do next, they know to ask for ABE help; and OTOH, they still have _some_ protection left
- user can then just un-check NoScript Options > Advanced > ABE > Enable ABE to fully disable everything. The toggle should remind to enable ABE again if ABE is disabled at the time this toggle is used to turn NoScript on.

That sounds great.

Alternatively I think it can be set as a session-only toggle. That means the "disable everything but ABE" will be unchecked again once you restart Firefox (another session starts). In this way, we may put this option in GUI.

[barbaz]

Only the main site and 2mdn.

Thank you I will look into this later today or sometime tomorrow.

Well ABP can be used as part of a security tool,

Not for its request blocking it can't: https://issues.adblockplus.org/ticket/549
You can't protect yourself with software that whether it works or not is a lottery.

I see. According to the description, it states ABP aims to improve privacy and security and the way you view the web. Security is one of the goals aimed by the developer.

Yeah it used to be that way but the change causing that issue got released in ABP 2.6 - so ABP 2.5.1 is the last release that can be depended on for any security/privacy purposes.

These days ABP is just an annoyance removal tool with the goal of making the online advertising more Web-surfer-friendly; it can also function as a convenient store for blacklists for use with other tools (like NoScript).

Alternatively I think it can be set as a session-only toggle. That means the "disable everything but ABE" will be unchecked again once you restart Firefox (another session starts). In this way, we may put this option in GUI.

Good idea, this mode is probably useful only within a single session anyway, and a restart of the browser is a good emergency exit for those users who don't know what they did.
Where in the GUI do you think this should go?