The green lock icon

[pwabrahams]

What is the significance of the green and red lock/unlock icons that appear for every listed site?

[barbaz]

Green lock = permission applies only over HTTPS

Red unlock = permission applies over plain HTTP

[Ralph]

The behavior of NoScript v10.1.2. is now better than in v10.1.1., but there is a problem with setting a site to Trusted and the Green-Lock icon: When i click on the Trusted icon (regardless whether temporary or not), the site is set to trusted with HTTPS-only-match (Green lock). But when the site address doesn't have https: in it, the site still is set to DEFAULT instead of TRUSTED. So you have to click on TRUSTED, and the switching the Green-Lock icon back to the Red-Unlock icon, so that the site is set to trusted really (with http in the address).

You can see this for example with the site http://users.teilar.gr/~g1951d/: When you set it to trusted, it isn't trusted, because only HTTPS:// would be trusted (green-lock activated per default). So you need to click the green-lock icon also.

This behavior should be changed, so that after setting a site to Trusted, the red-Lock icon is the default setting, so both (https and http) will be trusted, and the user don't have to click to this icon in most cases.

When i use the new "Temporarily allow all this page", all sites are allowed with this Green-lock activated, so when the site doesn't have https in the address, i must click the Green-Lock on all these temporarily allowed sites, which is very annoying.

[barbaz]

Or just don't allow clicking the red unlock in the popup if there are no https scripts served from that site?

[Ralph]

This also would be ok. But the base setting for the Green-/Red-Lock icon should be the red state, so that http and https are being matched both.

[NoScriptian]

This also would be ok. But the base setting for the Green-/Red-Lock icon should be the red state, so that http and https are being matched both.

I guess the rationale behind this from a NS point of view is quite reasonable: Don't enter unsecure websites unless you specifically allow it. The thing is, you need to know and understand NS's behavior when this happens. I too was puzzled the first time.

[Ralph]

Probably this was the intention. But most users will see it as an error, when they are visiting a site (which is block by the default setting), manually setting it to Trusted, and the the site is still blocked, because it is a http-site (without https) and NoScript only blocks the https-address (which doesn't exists). It's not intuitive, and many users will complain about that.

[lancelot]

To me this just seems wrong. For a mixed content site, some sources can be using http and some https. So I have to guess whether or not I should click the green lock. While NoScript knows which protocol the source is using, so why doesn't it offer me the correct default (red lock when I click Trusted for an http source)?