Update to NS 2.6.9.28rc2 deleted entries from my whitelist
NoScript 2.6.9.28rc2 completely removed the googleapis.com entry in my whitelist and did *not* give me ajax.googleapis.com. I have about:config > noscript.allowWhitelistUpdates set to false, and as such I did not expect any change to be made to my whitelist with this update. And even at that, the change I did get was a really unexpected one.
If that preference is going to be ignored when removing entries, including if the removal is the first step of a replacement, please make that pref not affect entry replacements at all either - i.e. replacements always allowed. I think that would be fine given that replacements are only one domain with another, and replacements are only used when a domain is moved, or (as in the case of googleapis) structurally changed and/or the whitelist becomes too broad for some reason.
Or, better, please split the functionality of noscript.allowWhitelistUpdates in two: have one pref that only toggles whether to make new additions that aren't replacements, and another that turns off NoScript's "automatic" updating the user's whitelist altogether. The reason I personally set that pref is for the former, not so much the latter.
Thanks
*Always* check the changelogs BEFORE updating that important software!
Re: Update to NS 2.6.9.28rc2 deleted entries from my whiteli
> NoScript 2.6.9.28rc2 completely removed the googleapis.com entry in my whitelist
> and did *not* give me ajax.googleapis.com
Looks that way.
Can't really say just what was in my whitelist, but I have neither of them (now).
[Looking back at a backup of 6-9-15, prefs.js did not contain googleapis.com at all.]
> I have about:config > noscript.allowWhitelistUpdates set to false
Set to its default, true, on my end.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
Re: Update to NS 2.6.9.28rc2 deleted entries from my whiteli
Bump because the functionality of allowWhitelistUpdates is currently nothing and there are entries being added to my whitelist with near zero notice - and entries I do not need or want at that and that could be taken over by a malicious extension (I'm referring to whitelisting Pocket). Not everyone wants to use Pocket and I think people should have to opt in to it.
Please consider to put that whitelist behind a prompt so that people have to opt in to get Pocket entries on the whitelist, and please do not whitelist Pocket for SeaMonkey users. Thanks.
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Update to NS 2.6.9.28rc2 deleted entries from my whiteli
barbaz wrote:
> Bump because the functionality of allowWhitelistUpdates is currently nothing and there are entries being added to my whitelist with near zero notice - and entries I do not need or want at that and that could be taken over by a malicious extension (I'm referring to whitelisting Pocket).
allowWhitelistUpdates, if set to false, should prevent new sites from being added to the whitelist but enforce removals (which are usually done for security reasons) nonetheless.
Unfortunately, as you noticed, it currently does nothing because of a bug which is being fixed, thanks.
barbaz wrote:
> Not everyone wants to use Pocket and I think people should have to opt in to it.
> Please consider to put that whitelist behind a prompt so that people have to opt in to get Pocket entries on the whitelist
I won't do it because
- Forbidding those entries doesn't prevent Pocket from running, since it's an add-on (privileged code with the same permissions as the browser front-end): if it wanted to do something nasty, it would do so despite NoScript.
- On the other hand, if those entries are not whitelisted, Pocket's UI (which to most users appears integral to the browser chrome) just breaks, with almost no clue for users on how to repair it (they get no indication of what to allow).
barbaz wrote:
> And please do not whitelist Pocket for SeaMonkey users. Thanks.
That's a bug as well, sorry if I didn't notice and thanks for the report. about: entries should never be added to a browser which doesn't support them.
BTW, in case you're wondering, about:pocket-xyz stuff is treated as a dependency of about:blank as a trick to ensure that it doesn't get added if user has been paranoid enough to remove about:blank from his whitelist.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Re: Update to NS 2.6.9.28rc2 deleted entries from my whiteli
Giorgio Maone wrote:
> allowWhitelistUpdates, if set to false, should prevent new sites from being added to the whitelist but enforce removals (which are usually done for security reasons) nonetheless.
Can there please be an option to allow replacements but not additions, or is this not possible because they're indistinguishable internally?
Giorgio Maone wrote:
> That's a bug as well, sorry if I didn't notice and thanks for the report. about: entries should never be added to a browser which doesn't support them.
Thank you for setting out to correct this.
- Giorgio Maone
Re: Update to NS 2.6.9.28rc2 deleted entries from my whiteli
barbaz wrote:
> Giorgio Maone wrote:
> > allowWhitelistUpdates, if set to false, should prevent new sites from being added to the whitelist but enforce removals (which are usually done for security reasons) nonetheless.
> Can there please be an option to allow replacements but not additions, or is this not possible because they're indistinguishable internally?
What's gonna happen is that the URL to be replaced actually gets just removed, which preserves both the security intent of the update and the will of not having new stuff added to the whitelist which is presumably the meaning of setting allowWhitelistUpdates to false.
BTW, googleapis.com being removed instead of replaced by ajax.googleapis.com was a bug too, being fixed as well.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
- Giorgio Maone
Re: Update to NS 2.6.9.28rc2 deleted entries from my whiteli
Please check latest development build 2.6.9.30rc5, thanks.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Re: Update to NS 2.6.9.28rc2 deleted entries from my whiteli
Thanks, fixes all but this:
Giorgio Maone wrote:
> BTW, googleapis.com being removed instead of replaced by ajax.googleapis.com was a bug too, being fixed as well.
Tested in SeaMonkey, upgrade NS from 2.6.9.26rc3 directly to 2.6.9.30rc5 in a clean profile - before updating: 1) whitelisted "about:pocket-signed" (which was removed, as expected) and another site (to make the whitelist non-default), and 2) set noscript.allowWhitelistUpdates to false.

- Giorgio Maone
Re: Update to NS 2.6.9.28rc2 deleted entries from my whiteli
barbaz wrote:
> Thanks, fixes all but this:
> Giorgio Maone wrote:
> > BTW, googleapis.com being removed instead of replaced
Do you mean that after upgrading you didn't have ajax.googleapis.com in your whitelist?!
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Re: Update to NS 2.6.9.28rc2 deleted entries from my whiteli
Profiles that 'had Pocket off' and then had 2.6.9.30rc4
(which added about:packet-save)
and then are updated to 2.6.9.30rc5
still have about:pocket-save
Profiles that 'had Pocket off' and had 2.6.9.30rc3 (or older)
and then were updated to 2.6.9.30rc5 (so 'never had 2.6.9.30rc4')
do not have about:pocket-save
All have
about:pocket-signup
I can remove the about:pocket-save and/or the about:pocket-signup
Giorgio, I don't think you need to try and fix this.
I am very grateful for all you do for us.
More details in
NoScript 2.6.9.30rc4 added wrong item to default whitelist
viewtopic.php?f=10&t=20994
DJ-Leith
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: Update to NS 2.6.9.28rc2 deleted entries from my whiteli
Giorgio Maone wrote:
> Do you mean that after upgrading you didn't have ajax.googleapis.com in your whitelist?!
With allowWhitelistUpdates set to false, yes; with it on I did get ajax.googleapis.com.
@DJ-Leith: are you sure this is the thread you intended to post that in?
Re: Update to NS 2.6.9.28rc2 deleted entries from my whiteli
@Giorgio: I've looked at the code again, and I think I can try to write a patch which adds a "noscript.disallowWhitelistAdditions" pref, which if set blocks additions to the whitelist which are not replacements, but still allows replacements (and, of course, removals)...
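The update semantics discussed in this thread, modelled as an added example (not NoScript's code and not posted by any participant): removals are always enforced, a replacement degrades to a plain removal when allowWhitelistUpdates is false, and about:pocket-* entries depend on about:blank. The function name, the operation objects, the rule that a replacement applies only when the old entry is present, and the way the proposed noscript.disallowWhitelistAdditions pref combines with allowWhitelistUpdates are assumptions made for illustration.

```javascript
// Added illustration, not NoScript source. applyWhitelistUpdate and the
// { type, ... } operation shapes are hypothetical.
function applyWhitelistUpdate(whitelist, ops, prefs = {}) {
  const allowUpdates = prefs.allowWhitelistUpdates !== false;        // default: true
  const blockAdditions = prefs.disallowWhitelistAdditions === true;  // pref proposed in the thread
  const sites = new Set(whitelist);
  const log = [];

  for (const op of ops) {
    if (op.type === "remove") {
      // Removals are enforced whatever the prefs say.
      if (sites.delete(op.site)) log.push(`removed ${op.site}`);
    } else if (op.type === "replace") {
      // Assumption: only users who still have the old entry are affected.
      if (!sites.has(op.from)) continue;
      sites.delete(op.from);
      if (allowUpdates) {
        sites.add(op.to);
        log.push(`replaced ${op.from} with ${op.to}`);
      } else {
        // The old entry goes away; nothing new is added.
        log.push(`removed ${op.from} (replacement ${op.to} suppressed)`);
      }
    } else if (op.type === "add") {
      if (!allowUpdates || blockAdditions) {
        log.push(`skipped ${op.site} (additions disabled)`);
      } else if (op.requires && !sites.has(op.requires)) {
        // Dependency trick: no about:blank, no dependent entry.
        log.push(`skipped ${op.site} (${op.requires} not whitelisted)`);
      } else {
        sites.add(op.site);
        log.push(`added ${op.site}`);
      }
    }
  }
  return { whitelist: [...sites].sort(), log };
}

// Constructed sample data, not taken from a real profile.
const sampleWhitelist = ["about:blank", "example.org", "googleapis.com"];
const sampleUpdate = [
  { type: "replace", from: "googleapis.com", to: "ajax.googleapis.com" },
  { type: "add", site: "about:pocket-signup", requires: "about:blank" },
];

for (const prefs of [{}, { allowWhitelistUpdates: false }, { disallowWhitelistAdditions: true }]) {
  console.log(JSON.stringify(prefs), applyWhitelistUpdate(sampleWhitelist, sampleUpdate, prefs).log);
}
```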