No script download permissions

Ask for help about NoScript, no registration needed to post
ltron

No script download permissions

Post by ltron »

Addons manager updated no script today and is telling me I need to give permission to no script to be able to download files and read and modify the browser's download history if I want to update. Why does no script require these permissions and is this legitimate?
Mozilla/5.0 (Linux; Android 7.0; SHIELD Tablet Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Safari/537.36
Guest

Re: No script download permissions

Post by Guest »

I wondered myself about this. But then I looked at release notes and all made sense. The download related permissions are needed for the new settings import/export feature.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: No script download permissions

Post by Giorgio Maone »

Guest wrote:The download related permissions are needed for the new settings import/export feature.
This :) WebExtensions cannot interact with the local filesystem, except for user driven uploads and downloads, and for the latter this permission is required.
Mozilla/5.0 (Android 7.1.1; Mobile; rv:58.0) Gecko/58.0 Firefox/58.0
tomsch
Posts: 6
Joined: Wed Nov 22, 2017 9:03 pm

Re: No script download permissions

Post by tomsch »

As far as i understand, WebExtensions now(?) use HTML to make their config pages. Wouldn't it be sufficient to include a "input type=file" for the import and a data-url for the export in the NoScript page?

The thing is, i am a bit unsure whether i want to grand the new rights to any webextension.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Myriadorn
Posts: 5
Joined: Sun Dec 10, 2017 8:07 pm

Re: No script download permissions

Post by Myriadorn »

tomsch wrote:As far as i understand, WebExtensions now(?) use HTML to make their config pages. Wouldn't it be sufficient to include a "input type=file" for the import and a data-url for the export in the NoScript page?

The thing is, i am a bit unsure whether i want to grand the new rights to any webextension.
I have to agree with you on this. Giving this permission to any web-extension is something I will not do. Guess I'll be staying at v10.1.5.6 for a while.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Guest

Re: No script download permissions

Post by Guest »

Can't trust NoScript with downloading files and erasing download history. Sorry.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Nielsen
Posts: 1
Joined: Sun Dec 10, 2017 8:57 pm

Re: No script download permissions

Post by Nielsen »

It's generally security-minded people who use noscript, so what everybody will read from the firefox permissions screen is "this addon will download stuff and hide it from you, yes/no?" So, yeah. Maybe find another way that doesn't require that permission?
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: No script download permissions

Post by Giorgio Maone »

You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Myriadorn
Posts: 5
Joined: Sun Dec 10, 2017 8:07 pm

Re: No script download permissions

Post by Myriadorn »

Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
Actually no. And had I known I'd not used it back then.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: No script download permissions

Post by Giorgio Maone »

Myriadorn wrote:
Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
Actually no. And had I known I'd not used it back then.
Any "legacy" add-on (not just NoScript, even the most stupid glorified bookmaklet) has the same powers as your browser.
It's just like installing another application.
Of course, it's up to you to judge what applications you trust and what you don't (consider NoScript 5 is built-in into the Tor Browser, though).
And the ability to monitor filter all your network traffic (which is required to any content-blocking WebExtension) is already pretty scary (much scarier than the ability to download files, IMHO).
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Myriadorn
Posts: 5
Joined: Sun Dec 10, 2017 8:07 pm

Re: No script download permissions

Post by Myriadorn »

Giorgio Maone wrote:
Myriadorn wrote:
Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
Actually no. And had I known I'd not used it back then.
Any "legacy" add-on has the same powers as your browser. It's just like installing another application. Of course, it's up to you to judge what applications you trust and what you don't (consider NoScript 5 is built-in into the Tor Browser, though).
Well, good thing FF 57 came along then some we can make sure we don't install web extensions that does this.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: No script download permissions

Post by barbaz »

Myriadorn wrote:Well, good thing FF 57 came along then some we can make sure we don't install web extensions that does this.
Says the person using Firefox 52 ESR.
*Always* check the changelogs BEFORE updating that important software!
-
Myriadorn
Posts: 5
Joined: Sun Dec 10, 2017 8:07 pm

Re: No script download permissions

Post by Myriadorn »

barbaz wrote:
Myriadorn wrote:Well, good thing FF 57 came along then some we can make sure we don't install web extensions that does this.
Says the person using Firefox 52 ESR.
Yes, that's the only browser available on this current computer.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: No script download permissions

Post by Giorgio Maone »

Myriadorn wrote: Well, good thing FF 57 came along then some we can make sure we don't install web extensions that does this.
So, let me check if I got this right: you find scarier the ability to download a file, after a mandatory prompt and in a location of your choice (or in the Downloads directory) than the ability of monitoring and filtering all your network traffic, which is required by any content-blocking WebExtension (including adblockers and, of course, NoScript)?
And you install only software more scrutinized than the Tor Browser (whose code is under the lens of practically all the security experts of all stripes all the time, including of course NoScript)?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: No script download permissions

Post by barbaz »

Myriadorn wrote:Yes, that's the only browser available on this current computer.
Perhaps you should be spending your time asking the admin of your current computer to change that, if this is such a big deal to you?
*Always* check the changelogs BEFORE updating that important software!
-
Locked