Scripts globally allowed

[bo elam]

Hi, I found something not working as in version 5 when allowing scripts globally. I dont know if is a bug or the feature has not yet been fully implemented or perhaps this feature is not going to works as it used to in version 5, but when I allow scripts globally, even domains set as Untrusted are allowed to run scripts. This is working differently than how it was in version 5 were Untrusted domains were not allowed to run scripts when scripts were globally allowed. Is this feature going to work in version 10 as it was in version 5, or not?

i get same behavior in 2 different computers and also tested using a new Firefox profile. The map in the picture below should not appear when scripts are forbidden to run. That picture was taken during a test using a new profile. I get same result in every site with every untrusted domain.

https://i.imgur.com/hnO0r4E.jpg

https://www.windy.com/?100m,12.078,-86.284,12

Bo

[barbaz]

I can confirm the behavior.

That is not right. Untrusted should mean forbidden. Period. No matter what.

The fact it doesn't behave this way is a serious bug, IMO.

[bo elam]

Thanks, barbaz. Appreciate the response.

Bo

[vitesse]

I want to use NoScript with a blacklist instead of a whitelist by leaving it on "Scripts Globally Allowed" and setting sites I want to block scripts on to Untrusted. I know it's much safer to have it block everything by default, but I don't have the time to tinker with every website I visit and I'm not the only one who uses my computer.

However, using Firefox 57 with NoScript v10.1.3c3, while having "Scripts Globally Allowed" on, setting sites to Untrusted doesn't block anything on those sites. I tested this using Javascript tester, for example.

There aren't many options in v10 so I don't know what else I could to do make this work like I need it to. Any suggestions?

Thanks in advance.

[barbaz]

Threads merged.

[barbaz]

There aren't many options in v10 so I don't know what else I could to do make this work like I need it to. Any suggestions?

The following steps seem to work around the bug -

1) Turn off Scripts Globally Allowed, if enabled

2) Set a site to Default

3) Mouse over the "Default" label and click the gear that shows up. You should now see a list of chekboxes.

4) Check all the checkboxes (this would make it match Trusted). If you want Trusted to still be more permissive, make sure that Default has at least "script", "font", "fetch", and "other" all checked.

5) Test that the resulting NoScript behavior is what you want.

[bo elam]

Barbaz, I tested your workaround a few times, thinking that maybe I was doing something wrong but I don't think it works, to replace the behavior of Untrusted domains when Scripts globally allowed is ticked. Anyway, I dont use the setting often but is nice than when you do, Untrusted domains cant run nothing.I been testing the setting with every version 10 that has been released, it hasn't work as intended in any. The Anti-XSS is not working either with this setting checked/enabled.

Bo

[barbaz]

You need to un-tick Scripts Globally Allowed to use the workaround.

[bo elam]

You need to un-tick Scripts Globally Allowed to use the workaround.

That is an ....aha moment.

Good workaround, it works. Untrusted domains dont load.

Bo

[Pansa]

You need to un-tick Scripts Globally Allowed to use the workaround.

That is an ....aha moment.

Good workaround, it works. Untrusted domains dont load.

Bo

Basically "globally allowed" means GLOBAL. (basically to shut down NS function without disabling the addon)

What you were looking for was to change what Noscript does to sites you haven't made a rule about (default behaviour), which is why it works when you change the default behaviour.
It is not as such an actual workaround, as it is a change in terms from ns5.
The new behaviour is actually more in line with the words than the old one.

[bo elam]

It is not as such an actual workaround, as it is a change in terms from ns5.

Thats what I was thinking yesterday. For my case use, this probably wouldn't work as a workaround if I needed the Scripts globally allowed feature as we knew it in version 5. Let me give you an example of how I was using this feature at the end of life of version 5.

Look at this picture from this site (game is live right now).
http://goatdee.net/index2.html

https://i.imgur.com/KW8bg7X.jpg

I watch a lot of games at that site, at the end of life of version 5, I couldn't watch games using NoScript as we normally use it. The games would not play, the site blocked the games. But I found that I could watch games by allowing scripts globally via the setting. Look at the domains that that site loads, they are nasty. After allowing scripts globally, only Default (twitter and Facebook) and Trusted domains loaded scripts. Untrusted were forbidden. The experience watching games was basically the same, no difference, with NoScript working at full capacity or with scripts globally allowed.

A big plus in version 10 for me. Once again, I can watch games in that site with NoScript working at full capacity. Thats a fix for me (Thank you, Giorgio). But I doubt the workaround would work if in the future the site blocks games again when it detects NoScript working at full capacity. I think the site allowed me to watch the games when it felt NoScript was sort of disabled. With this workaround, the site would still detect NoScript at full capacity.

To me personally, this is a useful feature that can come handy sometimes. Remember, I use the black list. I used this feature as Giorgio probably had in mind when he developed it. I got the juice out of it .

Bo

[barbaz]

Quoting Giorgio from another thread -

Globally allowing scripts seems to just turn NoScript off completely, unlike previous versions where globally allowing scripts would allow all scripts except for those on your blocklist. Is this a general problem with NoScript 10 or am I doing something wrong?

It is by design.
Now that you can customize the DEFAULT preset to be as permissive as you want, you can obtain the "old" behavior by just enabling all its capabilities.
On the other hand, "Allow Script Globally" now it's more literal, disabling content blocking outright, mostly for debugging purpose when everything else fails to make a site work