what browser prefs are involved?

[Nine]

Hi, I'm assuming that NoScript works this way: Firefox has the builtin ability to block connections to a list of URLs. NoScript provides the front end to manipulate that list.

If true, what are the Firefox prefs used? Thanks. (I just want to understand how it all works.)

[therube]

whitelist based pre-emptive script blocking

[Nine]

Thanks, but that link only goes to the home page, which does not contain the answer nor have any links which seem to go to the answer (including the faq, which I'd already looked through). The site is all about how to use it, not about how it works.

[barbaz]

Its not pref controlled, it's all done by code hooking/implementing internal Gecko interfaces.

If you're really curious, you can disassemble NoScript as follows:
1) Download the xpi (right-click > Save Link As)
2) Change the .xpi to .zip
3) unzip it
4) There is an inner .jar file. Also change that extension to .zip and unzip that.

If you need help understanding the code, https://developer.mozilla.org/ is a really good resource.

Hope that helps.

[Thrawn]

It used to be controllable by CAPS, which was indeed based on preferences. Although manually controlling them would be a whole lot of work.

CAPS is dead now; there's no preference-based system.

[Nine]

Thanks for both replies. So then it's done using XPCOM and XUL. Way more involved than I'd figured. (btw, saw FlashIdiocy.js

But if NoScript hooks into Gecko, then it should be possible to also prevent inline scripts by rewriting the main source HTML, right? Yet I think I'd read somewhere that NoScript can't (or at least 'doesn't') do that.

[barbaz]

it should be possible to also prevent inline scripts by rewriting the main source HTML, right? Yet I think I'd read somewhere that NoScript can't (or at least 'doesn't') do that.

It doesn't, why would it need to do that? I mean, it can, but that's way too complicated compared to the current approach.

[Nine]

Why? I use NoScript for privacy as well as for security (and also to cut down on page-loading times -- which makes a big difference, e.g., on newspaper sites).

By preventing javascript, you prevent browser fingerprinting.

[edit: Come to think of it, that would seem to provide better security, too.]

[barbaz]

???
Of course NoScript blocks in line scripts, if it didn't then it wouldn't be a security tool now would it?

I meant it doesn't block them by removing them from the DOM, it uses internal Gecko APIs to instruct Gecko not to run JS on the site, that is a much simpler approach than yanking out the <script> elements as they come (and leaving the <script> elements alone makes it easier to examine a page's source anyway).

[Thrawn]

that is a much simpler approach than yanking out the <script> elements as they come

And much more reliable, too. Browsers are very forgiving when they parse a page, as Giorgio (who maintains an XSS filter) is well aware.