Chaining "Allow all this Page"

npcomplete
Posts: 7
Joined: Fri Dec 20, 2013 1:03 pm

Re: Chaining "Allow all this Page"

Post by npcomplete »

Hecuba's daughter wrote:
npcomplete wrote: but to be honest, it just breaks a lot of things for me. There are some sites that, after experimenting with allowing each single included site, still do not work correctly... but that's a separate issue from nested allows, I guess.
It'd be very helpful if you could give concrete examples where possible for this - or any - kind of problem.
That way, power users in the forum can possibly suggest workarounds and Giorgio may see something that may need his attention. Perhaps open a new topic with a concrete example of your problem?
I can't remember offhand, but I'll come back here if I come across it again. One of them was where I enabled all the sites one-by-one and I still could not get their comment system to work.
npcomplete wrote:Could this option be allowed for say, trusted sites, and/or https ?
For the breaking of payments due to unforeseen scripts being called, as explained above, making exceptions for any site (except those that Giorgio has vetted for the default install of NS) is breaking the security at the heart of NoScript...only those sites which the user gives trust to are able to run scripts. It doesn't matter whether a site serves https or is whitelisted, the user must hold that final decision whether to allow any other site to also be whitelisted.
Yes, but it would be nice if you can extend that idea to nested allows as well. That is, give the user the choice to make that decision of who to implicitly trust through nested allows.
npcomplete wrote: And one real danger is resubmitting or redoing something, after experimenting with "allows" that can lead to multiple transactions (e.g. two credit card charges).
I've hit the occasional third-party payment gateway site that breaks this way.
However, in my experience of using NS for many years, the risk of duplicating payments is not there if the gateway breaks; only when the gateway is able to run scripts will it process a transaction.
Thus I can be pretty confident, once I've found which site needs to be whitelisted (the "Recently blocked sites" menu item is very helpful here - if you don't want to configure Globally allow for that transaction) that only a single payment will be processed.
If you are in any way uncertain, you are always able to delay the next attempt at the transaction until you check with your account, or the retailer, to verify that a payment hasn't been processed when the transaction appears to have been broken.
I've just encountered another breakage. http://backerkit.com is used by crowdfunding folks on kickstarter.com and indiegogo.com to manage user perks, which can also include credit card info to buy additional items beyond the crowdfunded perk. So I've allowed that. Then in an https session, while submitting forms, one that deals with street addresses was taking a while after clicking next. After submitting the form for that step, it was just sitting there staying busy. It turns out the submission / clicking next then references http://smartystreets.com to verify addresses. Remember the problem is that you don't know this beforehand, as there is nothing more to allow before hitting next/submit.

Here's the problem I find with "experimenting": after I did allow smartystreets.com, it reloaded and the backerkit intermediate page in this secure session is just hung. Perhaps it thought it submitted info to smartystreets.com, but in reality it didn't, so it's just waiting for nothing. So my session not only became invalid, I think it somehow triggered a security measure, because when I tried to start over, I had to get my account reset.

Let me give you some more examples of when nested allows would be useful: Newegg.com uses credit card verification; again, you only know what sites to allow *after* you submit. BUT that verification page automatically loads another site to complete the verification process. So it results in two sites you didn't know you had to allow. It is the same with apmex.com. Previously it referenced in nested/auto-loading fashion three other sites to process your credit card and verify. Now it's down to just two. I've had similar issues with a site using stripe.com btw.

Problem with experimenting is that it can result in personal headaches like the backerkit.com example above. Two verification failures with Citibank and they lock your account for another example. Sometimes it's the merchants themselves. The Wacom.com store will temporarily lock your account for any credit card after *ONE* verification failure. Sometimes the breakage can even be dangerous. When you're dealing with cryptocurrencies like bitcoin, litecoin, etc. you don't get second chances. There's no third party bank to call and transactions occur right then and there and are irreversible.
Last edited by npcomplete on Mon Jan 13, 2014 1:14 am, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
barbaz
Senior Member
Posts: 11068
Joined: Sat Aug 03, 2013 5:45 pm

Re: Chaining "Allow all this Page"

Post by barbaz »

Given the above use case it seems like the people on this thread really want "Scripts Globally Allowed this tab only", *not* "(Temp-)Allow cascading scripts loads this page".

http://forums.informaction.com/viewtopi ... =10&t=9007
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26a1