Unstable And Confusing White/Black-listing Feature

[TrulyHuman]

I am really confused as to how this version of NoScript works. In the past, you'd have a drop-down menu with a list of websites being called from, you'd click on one to allow or disallow, and you're done. Here, it works differently.

Not only do you have to set the site to trusted, you have to be sure if you need to set the lock. The lock controls the privileges of HTTP - if it's red, both HTTPS and HTTP are allowed; if it's green, only HTTPS is allowed. This feature is what really tripped me up. The way I see it, the color green means go; that should mean both HTTP and HTTPS links provided by the listed URL in question should be safe. Not all websites work this way. Tumblr uses BOTH HTTP and HTTPS, as well as sites that provided enhanced web application scripts like AJAX and jQuery. I have a Tumblr site where I use jQuery, and every time I enable the features and click on the lock (because "green means go"), the scripts that rely on jQuery fail to load. The only way I can view my Tumblr pages that rely on jQuery is if I disable the add-on complete.

You need to change the way how to white/blacklist a website. I liked the old way where I first do a global allow, then block scripts from the top down so that I can see which sites are required for those pages to load. I like that kind of control, and this version takes that away from me. The first time I used this new NoScript, the global allow checkmark found in the add-on's Options page feels more like a "Temporary Allow All Websites For This Session Only" command than it does "Global Allow (Dangerous)" in the old versions.

I have a suggestion on how to clear up the visuals. I can see it like this:

You have a lock with a hinge as the icon for security. Whichever side is not closed/covered (left or right hole) defines which HTTP is allowed.

If the left side is covered but the right side isn't, then only HTTP is allowed.

If the right side is covered but the left side isn't, then only HTTPS is allowed.

If both sides are locked, then the site is trustworthy and both HTTP and HTTPS are allowed.

A change in the icon would really help me to figuring out which sites are safe or not.

[bo elam]

Not only do you have to set the site to trusted, you have to be sure if you need to set the lock. The lock controls the privileges of HTTP - if it's red, both HTTPS and HTTP are allowed; if it's green, only HTTPS is allowed. This feature is what really tripped me up. The way I see it, the color green means go; that should mean both HTTP and HTTPS links provided by the listed URL in question should be safe. Not all websites work this way. Tumblr uses BOTH HTTP and HTTPS, as well as sites that provided enhanced web application scripts like AJAX and jQuery. I have a Tumblr site where I use jQuery, and every time I enable the features and click on the lock (because "green means go"), the scripts that rely on jQuery fail to load. The only way I can view my Tumblr pages that rely on jQuery is if I disable the add-on complete.

I think you are worrying too much about the red and green. This are some examples of how I am handling the lock. If the domain is colored in black in the menu and I need to allow it/trust it for a website I visit often, I white list it (green lock). If a domain is red colored and is required by a site I visit often, bookmarked site, I allow it/trust it (red lock). If the domain is already in my white list with the green lock and I visit a site at random and the the domain appears as red colored in the menu, I temporarily allow it/temp trust it (red lock). Thats pretty much how I am handling that. The colors work themselves up pretty much automatically and the NoScript menu tells you if the domain is http pr https.

I liked the old way where I first do a global allow, then block scripts from the top down so that I can see which sites are required for those pages to load. I like that kind of control, and this version takes that away from me. The first time I used this new NoScript, the global allow checkmark found in the add-on's Options page feels more like a "Temporary Allow All Websites For This Session Only" command than it does "Global Allow (Dangerous)" in the old versions.

The scripts globally allowed setting is not working right now as it did in version 5. Hopefully it will sometime in the future.

Bo

[Pansa]

This feature is what really tripped me up. The way I see it, the color green means go; that should mean both HTTP and HTTPS links provided by the listed URL in question should be safe.

It is following the colour scheme of the green HTTPS lock in the browser.
If you are visiting an HTTPS site, the browser displays a green lock in front of the URL in the address bar to tell the user that they are "safe".

That's why Noscript shows a green lock, too, to refer to HTTPS only rules.

[FranL]

The scripts globally allowed setting is not working right now as it did in version 5. Hopefully it will sometime in the future.

Can you elaborate on how Scripts Globally Allowed works differently in 10.x compared to 5.x? Thanks in advance!

[barbaz]

Can you elaborate on how Scripts Globally Allowed works differently in 10.x compared to 5.x? Thanks in advance!

https://forums.informaction.com/viewtop ... 10&t=23875

[bo elam]

Can you elaborate on how Scripts Globally Allowed works differently in 10.x compared to 5.x? Thanks in advance!

You read the link posted by barbaz but basically the difference is that scripts from Untrusted domains run when you enable the setting. And thats not supposed to happen. The setting should work regarding Untrusted domains as when you click to Temporarily allow all this page (scripts from Default and Trusted domains run, but not the ones in your black list).

Bo