Firefox 57 and NoScript 10.1.2

[Pansa]

I don't care for this new default behavior of allowing scripts by default, so i did as someone said above and changed the default default behavior to allow nothing from a domain and i will add as i please. i do love noscript overall, but the new ui is taking me quite a bit of getting used to and figuring how to do some of the old stuff a new way. keep up the good work.
thanks;

That is actually NOT the default behaviour of "default".
Most people just messed up the "default" settings one way or another. One way was a bug during the short 10.1.1 deploayment which made changes made to custom translate 1:1 to "default".
The blank reinstall to a fresh FF is "default" blocking everything.

> you can simply set to custom, and then the lock option appears in the master list

I don't see how that is simpler. you can do it in the ui or the master list either way, in custom or trusted, just not in untrusted. Since you are switching back to untrusted either way afterwards, complicating the instruction by giving redundant options seemed pointless.

You can also directly manipulate the "debug" output if you prefer that. (good idea to look there once in a while to confirm that the settings actually are as you think they are )

[Guest]

i just really wish the user interface would go back to text labels, this is confusing. a lot of the issues ppl were having from the green/red lock come from this.

also red / green as a differentiating color is a very poor choice because of how common red/green colorblindness is (8% of men of northern european descent). and speaking of issues like that, icons in general are worse for blind people who use a screen reader.

i know the fad right now has been icons with no text, but, the human race moved away from hieroglyphs for a reason.

[Pansa]

i just really wish the user interface would go back to text labels, this is confusing. a lot of the issues ppl were having from the green/red lock come from this.

also red / green as a differentiating color is a very poor choice because of how common red/green colorblindness is (8% of men of northern european descent). and speaking of issues like that, icons in general are worse for blind people who use a screen reader.

i know the fad right now has been icons with no text, but, the human race moved away from hieroglyphs for a reason.

Well.. there is mouse over text, and the colours basically stem from adopting how FF shows HTTPS in the browser, too.

As for screen readers, I don't now if the old menu UI was barrier free either.

All in all, the biggest issue is that it is new, uses new features that people haven't thought about before at all, and many users didn't understand what NS did before either.
It's now a week old. Some repeating questions are to be expected with such a major rework.
The biggest issue with the lock is that many people don't really care or pay attention to Http or Https in the first place, and therefore quite frankly just made things up what "a lock" could mean without hovering the mouse over it. It'll pass, if only because the actual expected behaviour will be implemented (suggesting a http inclusive rule when only Http is used by a provider)

[LearningGuest]

I am very grateful for noscript in general, and very much appreciate what the addon does for security. I am very annoyed (at the least) that firefox had to screw this all up, causing trouble for the noscript team and confusion for end users like myself.

I've read thru many of the FF57 posts, and have spent the past few hours trying to familiarize myself with the 10.1.2. I fully understand that updates have bugs to work out and the new UI takes some getting used to- please bear with me as I try to work it out myself and hopefully give some clarification to some of the problems I've been having.

-Unable to install from noscript.net site itself. I am constantly hit with connection failure notification. This has been particularly frustrating. I have created the about:config xpinstall.enabled true setting creation (it was not listed before when I searched), I have removed noscript from addons, and attempted to re-download/install it from the site, disabled all other addons, given permission to https://noscript.net for addons in the ff options, all to no avail. I AM able to install it via the mozilla add-on options, or so I hope. I bring this up because perhaps I have somehow been given the 10.1.1 version which had the default issues, despite it being listed as 10.1.2 in the addon tab- this leads into the next issue I'm finding.

-Default is not Default blocked. I saw that Pansa had responded to a couple of these issues already, that it was the earlier version bug, but I am still having trouble with it. For example, sports.yahoo.com automatically allow all scripts (all sites are doing this for me)- I must manually go line item in the drop down to set it as Untrusted. Again, perhaps I have the earlier bug issue version somehow still (despite it being listed in the dropdown menu as 10.1.2). Must all tracker/domains be line item blocked from now on? (I saw barbaz mentioning the 4 step fix in the earlier part of this thread, but again, this seems like a severe headache to do each and every time) Compounding the issue- in the options menu, since the Default option is not working, it remembers the manual setting of Untrusted and keeps it for all the blocked domains, creating a long list of domain names to manage, whereas the earlier list only needed to remember trusted sites.

-Red/Green lock- is this the default UI setup going forward? I understand green lock mechanism is for https vs http- and that some sites do both and leaving it red lock allows it to have both go thru and that green lock means ONLY https go thru, correct? I assume the duplicate domains that show up in the dropdown list are listing one https and one http- when I go to set both as untrusted manually, refresh, one maintains the untrusted icon, while the other reverts to "default" blocked, but as I've noted earlier, I'm unsure of what that means now and whether it actually IS blocked. Or is it just a matter of https vs http? For example, some sites I visit have 2 google.com domain listings, but if I untrust both, only one is listed as untrusted while the other returns to default. Then, I went to try and allow both, clicking and toggling the lock icon on one, and that one disappeared, and reloading the page didn't allow it to reappear. hopefully that isn't as confusing to read and understand as it was when it happened =D

-Overall domain script affecting other scripts on the page- perhaps related to the red/green lock question, and maybe it's just a matter of the website. Before, when blocking the initial overall address for a website, it affected many, if not all the other domain/scripts running on the page, blocking them from loading, but this version does not do that automatically for all sites (some do, some do not, and perhaps again, this is maybe a site to site difference? for instance, amazon.com will block everything else from loading if the address itself is listed as untrusted, but other websites that used to do the same no longer do so)

-The allow options checkboxes under each domain- is there an faq or a site for what each checkbox means? For instance, I realized that facebook.com will only work in full if all are checked and allowed. But perhaps this is a bit above my understanding if it involves even basic js coding and technical info. If that is the case, in the event of trying to make a site work, should all be checked by default then?

-The refresh button option- I am torn on this option- whereas the prior autorefresh for any changes made could be inconvenient since it reloaded ALL tabs and pages open where applicable, I do think this option also provides some level of beneficial fine tuning for users- not having to reload streaming videos, or not having to reenter text on forums or online forms seems like a positive. From what I could see, the change occurs across all the tabs open where it applies, but doesn't require a refresh of those other pages? Or am I incorrect? Will the autorefresh come back in some form?

Again, please bear with any confusing sentences =P I very much plan to keep using noscript and maybe this helps others like myself who are struggling with the transition as well. Thanks to any who can help and keep up the great work =)

[Ellen S]

This same bug happened to me in 5.1.x and now in 10.1.x. It is utterly impossible to allow any website at all. I allow the same site over and over and over and over, and it remains blocked no matter what I do. I can't even allow this site, which means most of the time I can't see the stupid captchas or post here.

I also hate the new UI with the giant icons and NO legible, English words. I can't comprehend anything whatsoever, except the mouse-over title "Trusted". I now have literally no clue whatsoever what the rest of it does, and I see that almost all options are no longer available, removing all customizability and site permissions options that ever existed.


I desperately need a rollback to before 5.1.x ASAP

[Ellen S]

I too have been extremely grateful for NoScript for years, which is why its so upsetting that it has now suddenly made the entire internet unuseable. I probably will have to uninstall it now because it blocks absolutely everything, and cannot be made to allow anything. Clicking the lock thing to change its color does nothing, it still never allows anything no matter what.

Does anyone know if this is a problem that is being worked on? Or if there is a way to roll back to before 5.1.x?

[Pansa]

-Default is not Default blocked. I saw that Pansa had responded to a couple of these issues already, that it was the earlier version bug, but I am still having trouble with it. For example, sports.yahoo.com automatically allow all scripts (all sites are doing this for me)- I must manually go line item in the drop down to set it as Untrusted. Again, perhaps I have the earlier bug issue version somehow still (despite it being listed in the dropdown menu as 10.1.2). Must all tracker/domains be line item blocked from now on? (I saw barbaz mentioning the 4 step fix in the earlier part of this thread, but again, this seems like a severe headache to do each and every time) Compounding the issue- in the options menu, since the Default option is not working, it remembers the manual setting of Untrusted and keeps it for all the blocked domains, creating a long list of domain names to manage, whereas the earlier list only needed to remember trusted sites.

default is a group setting.
Just remove all check-marks from any one default, it means that THE default rules have changed.
They shouldn't have been set in the first place, but just remove them.

The bug was that if you tried to create a custom rule -> changes to default. That is fixed.

-Red/Green lock- is this the default UI setup going forward? I understand green lock mechanism is for https vs http- and that some sites do both and leaving it red lock allows it to have both go thru and that green lock means ONLY https go thru, correct? I assume the duplicate domains that show up in the dropdown list are listing one https and one http- when I go to set both as untrusted manually, refresh, one maintains the untrusted icon, while the other reverts to "default" blocked, but as I've noted earlier, I'm unsure of what that means now and whether it actually IS blocked. Or is it just a matter of https vs http? For example, some sites I visit have 2 google.com domain listings, but if I untrust both, only one is listed as untrusted while the other returns to default. Then, I went to try and allow both, clicking and toggling the lock icon on one, and that one disappeared, and reloading the page didn't allow it to reappear. hopefully that isn't as confusing to read and understand as it was when it happened =D

green: https only ; red : both http AND https.

If you try to make a green lock rule and come back to default, make it a redlock rule and you are fine.
It's pretty basic: you create a rule, and when you reload it checks whether there IS a rule. If you made a https rule for a http script, it doesn't find a rule for http -> default.

-Overall domain script affecting other scripts on the page- perhaps related to the red/green lock question, and maybe it's just a matter of the website. Before, when blocking the initial overall address for a website, it affected many, if not all the other domain/scripts running on the page, blocking them from loading, but this version does not do that automatically for all sites (some do, some do not, and perhaps again, this is maybe a site to site difference? for instance, amazon.com will block everything else from loading if the address itself is listed as untrusted, but other websites that used to do the same no longer do so)

That is an interesting way of putting it..
But that is still mostly the case (except for the lack of sub domains at the moment)
It still is the case that if you allow the mainpage and reload, tons of new domains pop in asking for further rules, basically because the first level script loads MORE scripts, and if you don't run the first level it doesn't even get to know that there IS a second level.
You may start with 2 addresses, allow one, and then there are 10. Was that way, is that way.
Look at the age of of the "why must I press temp allow all" sticky thread. That is exactly about having to temp allow, and then again temp allow to load second level, and again for third.
Yes, it's site depended, because it is a matter of nested loading of scripts.

-The allow options checkboxes under each domain- is there an faq or a site for what each checkbox means? For instance, I realized that facebook.com will only work in full if all are checked and allowed. But perhaps this is a bit above my understanding if it involves even basic js coding and technical info. If that is the case, in the event of trying to make a site work, should all be checked by default then?

Those are all new. If you go by basic "what was there before" logic, there is basically only "all" and "none"
But be careful with the phrasing, because NO you don't want to allow them in the "default" group. you want the default behaviour for sites without rules to be "load nothing" (see first part above)
When in doubt the same logic back from NS5 applies. "when in doubt, NO" until you miss something, in which case, why not make a "custom" rule for that domain alone and incrementally set the checkmarks.
How did you figure out in the old NS which scripts you need and which you don't? you try to go by name and try and error. Think you are missing a "window" or a video? probably "frame" and "media". Fetch is about sending data back.

But that is all "bonus potential" compared with NS5.

-The refresh button option- I am torn on this option- whereas the prior autorefresh for any changes made could be inconvenient since it reloaded ALL tabs and pages open where applicable, I do think this option also provides some level of beneficial fine tuning for users- not having to reload streaming videos, or not having to reenter text on forums or online forms seems like a positive. From what I could see, the change occurs across all the tabs open where it applies, but doesn't require a refresh of those other pages? Or am I incorrect? Will the autorefresh come back in some form?

Probably yes. It was in 10.1.1, and it still works for the "temp allow all" button.
Don't know why it doesn't work currently, but it's been a week, and there are more important bugs still in there.
The issue of not understanding that a page is http and a https-only rule doesn't trigger will go away when the addon checks whether "https only" even makes sense.
And a lot of other issues will be fixed as well.
just for the moment, if you are still confused, just scroll through the debug log in the options menu.
If graphic interfaces are not your thing, the log contains the same (editable) full rule set in text form.

And it bears repeating: Even if the "default" is "block all"... If you move a page to untrusted, the same "greenlock/redlock" system applies, even though it should not. There is no locks to toggle in "untrusted" because you should never block JUST https. And blocking JUST http is achieved by allowing https alone. But currently if you JUST "untrust" it only creates a "block https only" rule. Switch to "trusted" or "custom", set the red lock, and THEN untrust. this way a "block both" rule is enforced.

[Ellen S]

As for screen readers, I don't now if the old menu UI was barrier free either.

Then why can't there be a user option to use the UI that has the fewest barriers? I will probably have to uninstall NoScript now because the blurry icons are utterly illegible, meaningless, and incomprehensible to me.

Why, for that matter, have absolutely every option the addon used to have now been removed?

I depended on NoScript and Adblockers to remove the barrier of ads, which give me sensory overload and literally hurt my eyes and brain. Now that I have to uninstall it I may actually have to stop using the internet alltogether.

[Pansa]

As for screen readers, I don't now if the old menu UI was barrier free either.

Then why can't there be a user option to use the UI that has the fewest barriers?

Barrier free is a specific term to be invalid friendly (and blind reader accessible).
My point was "I don't think the old menu style was either".

The old system is gone, because Mozilla decreed it. This isn't a "choice", it's an enforcement by Firefox.
Gorgio basically stomped this one out in a VERY short time, because the explicit rules what flies and what not were sprung on addon developers last minute.

I will probably have to uninstall NoScript now because the blurry icons are utterly illegible, meaningless, and incomprehensible to me.

Why, for that matter, have absolutely every option the addon used to have now been removed?

I depended on NoScript and Adblockers to remove the barrier of ads, which give me sensory overload and literally hurt my eyes and brain. Now that I have to uninstall it I may actually have to stop using the internet alltogether.

Could you be more overdramatic?

If you really need text, go to options and edit the debug settings. That's a nice proper table, text only.

Actually there are a lot of MORE options that weren't there before, and to learn this one I don't find any more problematic than learning the old one in the first place way back when.
And a lot of things that ARE gone for the time are
a) Not yet supported by the Firefox API, this CAN'T be implemented at the moment (like ABE). No script always used "what Firefox provides as options", and Firefox just removed a lot of them in the move to switch to webextensions
b) have not been implemented in THE WEEK AN A HALF by the ONE developer of this addon.
c) were partially in a buggy version and removed because more mess then help. (I guess subdomain filtering falls here)

All in all, it's not that hard.
You have three presets "default, trusted and untrusted" applying to all it's members, and a custom setting applying to THAT domain only.
Rules now either apply to "https only" or "https and http" paying consideration that not being read as plaintext by every intermediary on the lines may be acceptable.

That is basically the core reworking of just clicking on scripts in the old menu.

You are acting like NS was noobfriendly in the old version, and anyone just read things and understood exactly what was going on.
Which decidely is not the case. There was a STEEP learning curve to messing with the core innards of webpages while still keeping them functional.
And if you look beyond page 6 of this forum, you can see the cries for "all I ever did was temp allow all" (which was absent from 10.1.1).
Yes this is new, yes it takes some getting used to. but reading the old menu wasn't "obvious and crystal clear" until one got used to over years of try and error either.

[Guest]

Thank u for the replies =D

-Default is not Default blocked. I saw that Pansa had responded to a couple of these issues already, that it was the earlier version bug, but I am still having trouble with it. For example, sports.yahoo.com automatically allow all scripts (all sites are doing this for me)- I must manually go line item in the drop down to set it as Untrusted. Again, perhaps I have the earlier bug issue version somehow still (despite it being listed in the dropdown menu as 10.1.2). Must all tracker/domains be line item blocked from now on? (I saw barbaz mentioning the 4 step fix in the earlier part of this thread, but again, this seems like a severe headache to do each and every time) Compounding the issue- in the options menu, since the Default option is not working, it remembers the manual setting of Untrusted and keeps it for all the blocked domains, creating a long list of domain names to manage, whereas the earlier list only needed to remember trusted sites.

default is a group setting.
Just remove all check-marks from any one default, it means that THE default rules have changed.
They shouldn't have been set in the first place, but just remove them.

The bug was that if you tried to create a custom rule -> changes to default. That is fixed.

I am still confused by this- does this mean if I remove all the checkmarks from any one particular domain I wish to block, noscript will revert back to a setting of automatically blocking all scripts? That is what I assumed is meant by default- blocking all scripts automatically. I didn't alter anything in particular once I installed this newest version addon, it just seemed to port my past rules, but now allows all sites- is it because of THAT the addon is allowing all scripts now? Namely, because I had some trusted sites that had went with the old simple forbid/allow rule rather than the check box options now, it caused the whole addon to adopt that as default?

[Ellen S.]

Firefox banned text and the English language on addons?

Could you be more overdramatic?

When I explain that I have a disability and this random UI change has created a severe barrier, dismissing my concern is not helpful. Just because this is easy and barrier-free to you does not mean that my difficulty with it is "overdramatic" or hyperreacting. Instead of accusing me of exaggeration or making things up, would you please have the respect to believe that I am telling the truth about having a real, actual disability? This is why I don't disclose online very often.


Can you please explain, POLITELY, what a debug setting is? Or where to find it? I have no idea. I opened a thing with a wrench which has a whitelist and blacklist under it. There is a small white box with the word debug next to it. I do not see any settings next to the word "debug".

Rules now either apply to "https only" or "https and http" paying consideration that not being read as plaintext by every intermediary on the lines may be acceptable.

I do not understand this at all starting with the word "paying"

[Ellen S.]

And by the way, calling disabled people "invalids" is a nasty slur. I am not bedridden nor braindead. Please do not use that word again.

[LearningGuest]

Thank u for the replies =D

-Default is not Default blocked. I saw that Pansa had responded to a couple of these issues already, that it was the earlier version bug, but I am still having trouble with it. For example, sports.yahoo.com automatically allow all scripts (all sites are doing this for me)- I must manually go line item in the drop down to set it as Untrusted. Again, perhaps I have the earlier bug issue version somehow still (despite it being listed in the dropdown menu as 10.1.2). Must all tracker/domains be line item blocked from now on? (I saw barbaz mentioning the 4 step fix in the earlier part of this thread, but again, this seems like a severe headache to do each and every time) Compounding the issue- in the options menu, since the Default option is not working, it remembers the manual setting of Untrusted and keeps it for all the blocked domains, creating a long list of domain names to manage, whereas the earlier list only needed to remember trusted sites.

default is a group setting.
Just remove all check-marks from any one default, it means that THE default rules have changed.
They shouldn't have been set in the first place, but just remove them.

The bug was that if you tried to create a custom rule -> changes to default. That is fixed.

I am still confused by this- does this mean if I remove all the checkmarks from any one particular domain I wish to block, noscript will revert back to a setting of automatically blocking all scripts? That is what I assumed is meant by default- blocking all scripts automatically. I didn't alter anything in particular once I installed this newest version addon, it just seemed to port my past rules, but now allows all sites- is it because of THAT the addon is allowing all scripts now? Namely, because I had some trusted sites that had went with the old simple forbid/allow rule rather than the check box options now, it caused the whole addon to adopt that as default?

HUZZAH! I THINK ok, I THINK, I figured this out- and hopefully this clarifies for other folks like me having trouble with it!

For whatever reason, the Default got set to allowing all- I don't know if it was because I was confused by the new setup initially and did something to the default settings or because the rules ported over and caused it. I DID figure out how to do it tho:

-----As u said, going into the dropdown or options, choose the Default option, and UNcheck ALL boxes. Refresh, and that sets it back to the familiar noscript behavior of autoblocking. -----

Incidentally, this alleviates one of the earlier points of confusion I listed- why I had accumulated such a long blocklist- I had become confused with why Default allowed all and manually untrusted a bunch of normally blocked sites, and that was recorded in the options list. I am now able to set those back to the fixed default and not have such a long list =)

[Pansa]

Thank u for the replies =D

-Default is not Default blocked. I saw that Pansa had responded to a couple of these issues already, that it was the earlier version bug, but I am still having trouble with it. For example, sports.yahoo.com automatically allow all scripts (all sites are doing this for me)- I must manually go line item in the drop down to set it as Untrusted. Again, perhaps I have the earlier bug issue version somehow still (despite it being listed in the dropdown menu as 10.1.2). Must all tracker/domains be line item blocked from now on? (I saw barbaz mentioning the 4 step fix in the earlier part of this thread, but again, this seems like a severe headache to do each and every time) Compounding the issue- in the options menu, since the Default option is not working, it remembers the manual setting of Untrusted and keeps it for all the blocked domains, creating a long list of domain names to manage, whereas the earlier list only needed to remember trusted sites.

default is a group setting.
Just remove all check-marks from any one default, it means that THE default rules have changed.
They shouldn't have been set in the first place, but just remove them.

The bug was that if you tried to create a custom rule -> changes to default. That is fixed.

I am still confused by this- does this mean if I remove all the checkmarks from any one particular domain I wish to block, noscript will revert back to a setting of automatically blocking all scripts? That is what I assumed is meant by default- blocking all scripts automatically. I didn't alter anything in particular once I installed this newest version addon, it just seemed to port my past rules, but now allows all sites- is it because of THAT the addon is allowing all scripts now? Namely, because I had some trusted sites that had went with the old simple forbid/allow rule rather than the check box options now, it caused the whole addon to adopt that as default?

just TRY it. click on "default" (the leftest of the four settings), remove the checkmarks, reload and then start clicking through all the other "default" buttons.
If you set !THE DEFAULT! to allow scripts, scripts get run for every page that you don't explicitly distrust. That is what "default" means.

Or just look into the debug log.

[Pansa]

And by the way, calling disabled people "invalids" is a nasty slur. I am not bedridden nor braindead. Please do not use that word again.

I didn't call you anything.

the term BARRIER FREE is a SET TERM, for having SPECIFIC RULES that ACTUALLY INVALID PEOPLE have access to content.
Which means !norms! for how appliances like braille readers or text to voice applications work, and websites support them.
Colour shemes to obey, how system settings for specific handicaps work..

You just kept abusing the term "barrier" to mean "I don't like it". which I took issue with.

I don't think the icons are the issue. Text doesn't seem to work much better.....