No script download permissions
No script download permissions
Addons manager updated no script today and is telling me I need to give permission to no script to be able to download files and read and modify the browser's download history if I want to update. Why does no script require these permissions and is this legitimate?
Mozilla/5.0 (Linux; Android 7.0; SHIELD Tablet Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Safari/537.36
Re: No script download permissions
I wondered myself about this. But then I looked at release notes and all made sense. The download related permissions are needed for the new settings import/export feature.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: No script download permissions
This WebExtensions cannot interact with the local filesystem, except for user driven uploads and downloads, and for the latter this permission is required.Guest wrote:The download related permissions are needed for the new settings import/export feature.
Mozilla/5.0 (Android 7.1.1; Mobile; rv:58.0) Gecko/58.0 Firefox/58.0
Re: No script download permissions
As far as i understand, WebExtensions now(?) use HTML to make their config pages. Wouldn't it be sufficient to include a "input type=file" for the import and a data-url for the export in the NoScript page?
The thing is, i am a bit unsure whether i want to grand the new rights to any webextension.
The thing is, i am a bit unsure whether i want to grand the new rights to any webextension.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Re: No script download permissions
I have to agree with you on this. Giving this permission to any web-extension is something I will not do. Guess I'll be staying at v10.1.5.6 for a while.tomsch wrote:As far as i understand, WebExtensions now(?) use HTML to make their config pages. Wouldn't it be sufficient to include a "input type=file" for the import and a data-url for the export in the NoScript page?
The thing is, i am a bit unsure whether i want to grand the new rights to any webextension.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Re: No script download permissions
Can't trust NoScript with downloading files and erasing download history. Sorry.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Re: No script download permissions
It's generally security-minded people who use noscript, so what everybody will read from the firefox permissions screen is "this addon will download stuff and hide it from you, yes/no?" So, yeah. Maybe find another way that doesn't require that permission?
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: No script download permissions
You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Re: No script download permissions
Actually no. And had I known I'd not used it back then.Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: No script download permissions
Any "legacy" add-on (not just NoScript, even the most stupid glorified bookmaklet) has the same powers as your browser.Myriadorn wrote:Actually no. And had I known I'd not used it back then.Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
It's just like installing another application.
Of course, it's up to you to judge what applications you trust and what you don't (consider NoScript 5 is built-in into the Tor Browser, though).
And the ability to monitor filter all your network traffic (which is required to any content-blocking WebExtension) is already pretty scary (much scarier than the ability to download files, IMHO).
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Re: No script download permissions
Well, good thing FF 57 came along then some we can make sure we don't install web extensions that does this.Giorgio Maone wrote:Any "legacy" add-on has the same powers as your browser. It's just like installing another application. Of course, it's up to you to judge what applications you trust and what you don't (consider NoScript 5 is built-in into the Tor Browser, though).Myriadorn wrote:Actually no. And had I known I'd not used it back then.Giorgio Maone wrote:You realize that NoScript 5 can do this and a lot more, like for instance formatting your hard disk or uploading its entire encrypted content to a remote location, don't you?
And yes, "input type=file" works for the Import feature (that's the way it's actually implemented), but "regular" downloads (especially data: URLs) cannot be triggered from the background page (where the configuration lives) without using the browser.downloads API, which is what the permission is for.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Re: No script download permissions
Says the person using Firefox 52 ESR.Myriadorn wrote:Well, good thing FF 57 came along then some we can make sure we don't install web extensions that does this.
*Always* check the changelogs BEFORE updating that important software!
-
Re: No script download permissions
Yes, that's the only browser available on this current computer.barbaz wrote:Says the person using Firefox 52 ESR.Myriadorn wrote:Well, good thing FF 57 came along then some we can make sure we don't install web extensions that does this.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: No script download permissions
So, let me check if I got this right: you find scarier the ability to download a file, after a mandatory prompt and in a location of your choice (or in the Downloads directory) than the ability of monitoring and filtering all your network traffic, which is required by any content-blocking WebExtension (including adblockers and, of course, NoScript)?Myriadorn wrote: Well, good thing FF 57 came along then some we can make sure we don't install web extensions that does this.
And you install only software more scrutinized than the Tor Browser (whose code is under the lens of practically all the security experts of all stripes all the time, including of course NoScript)?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Re: No script download permissions
Perhaps you should be spending your time asking the admin of your current computer to change that, if this is such a big deal to you?Myriadorn wrote:Yes, that's the only browser available on this current computer.
*Always* check the changelogs BEFORE updating that important software!
-