What's the right way to use Blocked Objects sub-menus?

FunctionForm

Post by FunctionForm »

Hi,

Typically, a Blocked Objects sub-menu presents five choices--one above a line and the other four below the line. What is the right way to use a Blocked Objects sub-menu? How should one choose a Blocked Objects sub-menu item?

Mark
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: What's the right way to use Blocked Objects sub-menus?

Post by Tom T. »

First, avoid those from third-party ad sites or data-miners, such as those listed here.

Then look for the one that corresponds to the specific function you want. E. g., "Temporarily allow shockwave-flash@http:/somesite.com", if you are trying to play a Flash video. Similarly for Java or other plug-ins. If the description/URL are too long to show in the menu, hovering the mouse pointer over the line should show the full URL of the line. Or you can click to allow it, then observe the full description in the Confirmation box. To ensure the confirmation box appears, go to NoScript Options > Embeddings and check "Ask for confirmation before temporarily unblocking an object" > OK. This lets you examine the full description before allowing it, or to click "Cancel" if it's not the one you want.

Try to avoid generic permissions such as *@http:/somesite.com. This would allow *all* objects from that site. Also, there is rarely a reason to allow Font@somesite.com, and font downloads have been used maliciously at times.

If you have a specific site or sites to use for examples, and give us the steps to reproduce the Blocked Objects menu, that would be very helpful.
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: What's the right way to use Blocked Objects sub-menus?

Post by Thrawn »

I can sympathise with the OP's question; it can easily be confusing.

Just AFAICT from looking at the actual menu entries:
  • The item above the separator refers to the exact object being blocked. This is a good default choice.
  • The first item below the separator refers to every object coming from the same site as the one being blocked. I wouldn't usually use this.
  • The second item below the separator refers to every object coming from the same site as the one being blocked, but also makes reference to the current site, so possibly it means that those objects are allowed only on the current site? Not a bad option, but again, I wouldn't normally use it.
  • The third item below the separator refers to the specific object being blocked, and also the current site, which possibly means that the object is allowed only on the current site? If so, this would be the most specific and restrictive option, ideal for Tom T.
  • The last item appears to be the same as the one above the separator.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Tom T.

Re: What's the right way to use Blocked Objects sub-menus?

Post by Tom T. »

Thrawn wrote:...The third item below the separator refers to the specific object being blocked, and also the current site, which possibly means that the object is allowed only on the current site? If so, this would be the most specific and restrictive option,...
IDK from memory that the third entry always does this, and it may vary -- would like to see an actual example, as requested.
But if any entry specifies both the desired object and the specific recipient (the site you are on), then yes, this is best.
Thrawn wrote: ideal for Tom T.
And just what was THAT supposed to mean? :P :P :P


Seriously, if you mean "who always strives for maximum safety", I'll take the compliment, thanks. Users who have a lower bar, or find max security too inconvenient (being compromised is *really* inconvenient), are welcome to choose their own level, of course... btw, didn't you do an ultra-paranoid sticky post yourself? :D


@ FunctionForm: My good friend Thrawn and I kid around a lot. :)
Apply both of our responses to your actual situation, and again, an example site or two would really let us nail this down for you.
FunctionForm

Re: What's the right way to use Blocked Objects sub-menus?

Post by FunctionForm »

Hi,

Thank you, both, very much for all your help!

I'll post some good, illustrative pictures within the next couple of days. They'll help with the rest of my question, which is about the various Blocked Objects sub-menu icons.

If I understand correctly, it should be best to use the topmost ("confirmation") item when there aren't many blocked objects. Otherwise, it should be best to use the next-to-the-lowest item (assuming, of course, that only good websites are being used) because it's the most restrictive item (other than the topmost item).

I'll be back soon!

Thanks much,
Mark
Tom T.

Re: What's the right way to use Blocked Objects sub-menus?

Post by Tom T. »

Actually, just the URL and the steps to reproduce the Blocked Objects menu (i. e., which scripts you allowed) would let us see the BO menu for ourselves. Pics are always nice, but seeing it in our own browsers is useful, and less trouble for you. Then you can do the pics at your leisure. :)

(Attn: Thrawn also)
I should have added that I have seen as many as four completely different Blocked Objects in the BO sub-menu, each of which may have the five lines mentioned.
That is why my first priority was to make sure that you are choosing the right object first, before determining which of the choices for that object should be clicked.

For example, a Flash object is sometimes merely a third-party advertiser trying to run an animated ad. So if you want a Flash video to load, and you have several entries for Flash objects, be sure it's the one you want, not the advertisements or data-miners.

Same if you have multiple types of objects -- Flash, Java, Font, <IFRAME>, Silverlight, etc. -- some care and selectivity is required.
IFRAME can be tricky. Some versions of Yahoo Mail require an IFRAME to upload or download attachments, while other IFRAMEs are just advertisements. Hence, reading the source of the frame is prudent.
FunctionForm wrote: assuming, of course, that only good websites are being used
Good web sites do not necessarily have any control over the advertisers to whom they sell space on their site. A privacy-invasive, or even a malicious, ad could be loaded via these objects, without the good site's knowledge. Unfortunately, in today's Internet, eternal vigilance is the price of security. :cry:
Thrawn

Re: What's the right way to use Blocked Objects sub-menus?

Post by Thrawn »

Interesting...I was a little off, perhaps because the object I used as a sample was a Font object, which apparently doesn't have an actual path. Flash is a better sample.

It looks like the item above the line is the exact object, but all of the ones below the line refer to object types. So the first two menu items refer to 'all objects from this site', but the third and fourth refer to 'all objects of the same type as the one being blocked', eg 'all Flash from this site'. For Font objects, this looked the same as the above-the-line menu item.

I guess that means there is no option for 'this specific object at this specific site'...at least until NS3. Oh, well.

@Tom: On a side note, which one do you think is safer, 'Allow all Flash at this site', or 'Allow this specific Flash object on any trusted site'? I'm guessing the former, because non-trusted top-level sites would still be restricted in any case, whereas the other Flash objects from a site are likely junk.
Tom T. wrote:Seriously, if you mean "who always strives for maximum safety", I'll take the compliment, thanks.
Please do :). I was referring to the fact that you make no compromises.
Tom T.

Re: What's the right way to use Blocked Objects sub-menus?

Post by Tom T. »

[Image: screenshot of a Blocked Objects sub-menu]

This one has *two* above the line, and the usual four below.
It might look like the top one is best, because it grants Flash permission specific to that (magnificent) artist. However, clicking on one of the song titles still gives a Flash placeholder to click. So we don't need to allow that one, and therefore, we don't. ;)

It turns out that the third one below the line is best, because as we can see from the tooltip (of the highlighted blue one), it does indeed provide source of the object (Soundclick) and the recipient of the object. In this case, that is also Soundclick, but at other sites, e. g., attachments at Yahoo Mail, the IFRAME source is a different domain name from the mail page itself.

As said, sites vary -- such as the two above the line, each of which were both unnecessary and insufficient.
So it's a case-by-case basis. But if the third below the line (or any other) defines both sides of the equation, and is the most restrictive, and is sufficient, bingo. :)

btw, to test this, I had to reset about:config
noscript.allowedMimeRegExp
back to the default (none). This wonderful enhancement eliminated the need for these permissions at trusted sites, and the addition of the non-MIME-types FRAME and IFRAME in NS 2.9 took care of those pesky Yahoo Mail attachment objects. Thanks again to Giorgio! :D


EDIT what I forgot to answer :?
Thrawn wrote: @Tom: On a side note, which one do you think is safer, 'Allow all Flash at this site', or 'Allow this specific Flash object on any trusted site'? I'm guessing the former, because non-trusted top-level sites would still be restricted in any case, whereas the other Flash objects from a site are likely junk.
The safest, which does give you your site-specific permission without NS 3 :), is to not use Blocked Objects menu at all; configure NS to show placeholders for blocked objects; and to ask for confirmation before temp-unblocking. Then the confirmation box gives you something like this:

Code:

Temporarily allow http://s.ytimg.com/yts/swfbin/watch_as3-vflry7sRc.swf#!flashvars#video_id=e7-QBw862zk
(application/x-shockwave-flash <EMBED> / http://www.youtube.com)
.... which is in fact unique to that particular video, and does *not* allow all (or any other) Flash at YouTube.
Less convenient than the BO menu if you're going to view multiple videos, but completely restrictive to a single video.
Otherwise, I agree with your assessment.

Convenience >< Safety = always a trade-off. 8-)

FunctionForm wrote:They'll help with the rest of my question, which is about the various Blocked Objects sub-menu icons.
The curvy F appears to be specific to Shockwave and Flash (they're actually two different products), whereas the blue S, which is the NoScript logo, appears to be for generic permission (*@http:/site.com).

The rather indistinct coffee cup is a reflection of Java's icon in your system tray (bottom bar of the display itself, not the browser).

I don't use MS Silverlight.

The one for (I)FRAME is similar to the Windows logo for a generic file of unknown type. To see this, create a new text file, then remove the extension from it. This doesn't work if you have automatic extensions enabled. Uncheck it, or go to C:\WINDOWS\system32\drivers\etc and observe the HOSTS file, which has no extension.
That path includes hidden and system folders, so it might be easier just to do a Search for HOSTS, and in Advanced Options, include subfolders and hidden and system folders.
FunctionForm

Re: What's the right way to use Blocked Objects sub-menus?

Post by FunctionForm »

Hi,

Thank you very much for your help, Tom T. and Thrawn.

Actually, when I wrote "assuming, of course, that only good websites are being used", I meant that EVERY website involved, including the advertisers' websites (if any) were good (trustworthy). I don't deliberately unblock advertisements, anyway.

As I've certainly used NoBlock a lot, I'm very aware of which Blocked Objects to unblock and which Blocked Objects to not unblock (assuming or presuming that I can trust a number of "things", including NoScript. The safest way to use a computer is to not use it. I do enjoy using computers! Unfortunately!)

Regarding NoScript's Blocked Objects sub-menus, there are Blocked Objects sub-menus that have two or more--many more, sometimes--items/choices above the horizontal line/rule. (Check out, for just one example, Yahoo!'s OMG!. Wouldn't you just KNOW it?! As soon as I want to find a good example, I can't find one to save my life! I'll post as soon as I find one!)

Tom T., at least in a lot of cases, wouldn't the item/choice above the line (assuming that it's the item (video, for example) that you want to unblock) be more restrictive than the next-to-bottom item/choice (below the horizontal line/rule)? YouTube.com is a good example.

NoScript's basic instructions (how-to guide) should have a "how to use Blocked Objects" section (assuming that it doesn't). (I think that it does not.) :(

Mark
Tom T.

Re: What's the right way to use Blocked Objects sub-menus?

Post by Tom T. »

FunctionForm wrote: Actually, when I wrote "assuming, of course, that only good websites are being used", I meant that EVERY website involved, including the advertisers' websites (if any) were good (trustworthy).
I don't trust any advertisers. Most are not satisfied with merely showing you an ad. They want to place a tracking cookie, a web bug, a Flash PIE (tracking device placed in subfolders of C:\Documents and Settings\USERNAME\Application Data\Macromedia\Flash Player (or whatever path on other OS, or later versions of Windows)), etc. Data-mining is part of advertising these days.
FunctionForm wrote: As I've certainly used NoBlock a lot,
Not familiar with that one. (or is it a typo?)
FunctionForm wrote: Regarding NoScript's Blocked Objects sub-menus, there are Blocked Objects sub-menus that have two or more--many more, sometimes--items/choices above the horizontal line/rule.
The pic I posted has two above the line.
FunctionForm wrote: Tom T., at least in a lot of cases, wouldn't the item/choice above the line (assuming that it's the item (video, for example) that you want to unblock) be more restrictive than the next-to-bottom item/choice (below the horizontal line/rule)? YouTube.com is a good example.
Please see my screenshot and the comments below it.
Tom T. wrote:This one has *two* above the line, and the usual four below.
It might look like the top one is best, because it grants Flash permission specific to that (magnificent) artist. However, clicking on one of the song titles still gives a Flash placeholder to click. So we don't need to allow that one, and therefore, we don't. ;)

It turns out that the third one below the line is best, because as we can see from the tooltip (of the highlighted blue one), it does indeed provide source of the object (Soundclick) and the recipient of the object. In this case, that is also Soundclick, but at other sites, e. g., attachments at Yahoo Mail, the IFRAME source is a different domain name from the mail page itself.
You are correct that at YouTube, the top one is video-specific, and therefore preferable. But at Soundclick, the top ones are not only non-specific, they're useless.
I don't know what percentage of all sites follow the YT model, but these two reinforce that you have to go case-by-case.
FunctionForm wrote: NoScript's basic instructions (how-to guide) should have a "how to use Blocked Objects" section
The entire FAQ needs an overhaul, but everything will change dramatically with NoScript 3.x for the desktop, which will simplify a lot of the things that people ask about (or complain about). It was hoped to be released by the end of 2011. The "rapid release" policy of Mozilla has broken many things in NoScript (check the changelog); new web threats emerge; so when not dealing with those, Giorgio (who is the sole coder/developer of NS and Flashgot) is making the release of NS 3 the highest priority. Yes, that's a bit harder on users for now, but it gives us volunteer support people something to do, keeping us off the streets and out of trouble. :D

btw, why the purple color? It's much harder to read, and this job involves enough reading already. ;) The forum automatically changes b/g color of each successive post, which is good enough for visual distinction. Thanks.
FunctionForm

Re: What's the right way to use Blocked Objects sub-menus?

Post by FunctionForm »

Hi,

It should have been obvious from the context that "NoBlock" is/was a typo.

In general, I had been choosing the (correct) item above the line. If there were more than a few (desired) objects to unblock, I chose the bottom-most item. From now on (tentatively, and on a case-by-case basis), I'll choose the next-to-the-bottom (third) item.

Mark
Thrawn

Re: What's the right way to use Blocked Objects sub-menus?

Post by Thrawn »

Tom T. wrote: The safest, which does give you your site-specific permission without NS 3 :), is to not use Blocked Objects menu at all; configure NS to show placeholders for blocked objects; and to ask for confirmation before temp-unblocking. Then the confirmation box gives you something like this:

Code:

Temporarily allow http://s.ytimg.com/yts/swfbin/watch_as3-vflry7sRc.swf#!flashvars#video_id=e7-QBw862zk
(application/x-shockwave-flash <EMBED> / http://www.youtube.com)
.... which is in fact unique to that particular video, and does *not* allow all (or any other) Flash at YouTube.
I use placeholders too. But is that unique to the embedding site? Or could other sites embed that same video, and it would already be (temp) allowed?
Tom T. wrote: Less convenient than the BO menu if you're going to view multiple videos, but completely restrictive to a single video.
Otherwise, I agree with your assessment.

Convenience >< Safety = always a trade-off. 8-)
For me, the real issue with using placeholders is that, depending on what they are and how embedded, they sometimes don't show up, or are too small to easily spot+click.
Tom T.

Re: What's the right way to use Blocked Objects sub-menus?

Post by Tom T. »

Thrawn wrote:
Tom T. wrote: The safest, which does give you your site-specific permission without NS 3 :), is to not use Blocked Objects menu at all; configure NS to show placeholders for blocked objects; and to ask for confirmation before temp-unblocking. Then the confirmation box gives you something like this:

Code:

Temporarily allow http://s.ytimg.com/yts/swfbin/watch_as3-vflry7sRc.swf#!flashvars#video_id=e7-QBw862zk
(application/x-shockwave-flash <EMBED> / http://www.youtube.com)
.... which is in fact unique to that particular video, and does *not* allow all (or any other) Flash at YouTube.
I use placeholders too. But is that unique to the embedding site? Or could other sites embed that same video, and it would already be (temp) allowed?
IIUC, you're going to YT, watching a video that is stored there, then going somewhere else, concerned that another site might have that same video embedded?
If they import it directly from YT or another site you trust, and it has the same ID# as it did at YT, it doesn't seem that they could tamper with it, at least without affecting the confirmation dialog.

But note that the confirmation above specifically limits the permission to

Code:

<EMBED> / http://www.youtube.com)
Wouldn't that render this temp permission invalid at any other site on the planet?
Thrawn wrote: For me, the real issue with using placeholders is that, depending on what they are and how embedded, they sometimes don't show up, or are too small to easily spot+click.
Examples? (URL + STR)

I can't remember having this problem so long as NS was properly configured to work in this manner, but it may have happened. An example would be excellent.
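
The scoping discussed across the posts above, as an added example that is not part of any post and is not NoScript's own code: it splits the quoted confirmation text into object, type and embedding site, and ranks menu labels from narrowest to broadest following Tom T.'s advice. All function names are hypothetical, `coveredBy` models Tom T.'s reading of the dialog (which the thread leaves unconfirmed), and the exact-object label in `LABELS` is constructed.

```javascript
// Added example: a model of the scoping discussed in this thread, not NoScript code.
// Strings marked "from the thread" are quoted from the posts; others are constructed.

// Split the two-line confirmation text into object URL, MIME type, tag and embedding page.
function parseConfirmation(text) {
  const m = /^Temporarily allow (\S+)\s+\((\S+) <(\w+)> \/ (\S+)\)$/.exec(text.trim());
  if (!m) return null;
  const [, objectUrl, mimeType, tag, embedder] = m;
  return {
    objectUrl, mimeType, tag, embedder,
    // true when the object is served from a different host than the page embedding it
    crossHost: new URL(objectUrl).hostname !== new URL(embedder).hostname,
  };
}

// Rank a menu label by how much it would unblock:
// 1 = one object URL, 2 = one object type from a site, 3 = everything from a site.
function classifyEntry(label) {
  const body = label.trim().replace(/^Temporarily allow\s+/, '');
  if (/^https?:\/\//.test(body)) return { breadth: 1, type: null, site: body, warn: [] };
  const m = /^([^@\s]+)@(\S+)$/.exec(body);
  if (!m) return null; // unrecognised label
  const [, type, site] = m;
  const warn = [];
  if (type === '*') warn.push('generic: allows all objects from ' + site);
  if (/^font$/i.test(type)) warn.push('font objects rarely need to be allowed');
  return { breadth: type === '*' ? 3 : 2, type, site, warn };
}

// Order labels narrowest first; unrecognised labels are dropped.
function narrowestFirst(labels) {
  return labels
    .map((label) => ({ label, ...classifyEntry(label) }))
    .filter((e) => e.breadth)
    .sort((a, b) => a.breadth - b.breadth);
}

// Tom T.'s reading of the dialog (not confirmed in the thread): the temporary permission
// applies only when object URL, MIME type and embedding site all match.
function coveredBy(conf, req) {
  return req.objectUrl === conf.objectUrl &&
    req.mimeType === conf.mimeType &&
    new URL(req.embedder).origin === new URL(conf.embedder).origin;
}

// From the thread: the confirmation text Tom T. quoted.
const CONFIRMATION =
  'Temporarily allow http://s.ytimg.com/yts/swfbin/watch_as3-vflry7sRc.swf#!flashvars#video_id=e7-QBw862zk\n' +
  '(application/x-shockwave-flash <EMBED> / http://www.youtube.com)';
// First three labels are from the thread; the last is a constructed exact-object label.
const LABELS = [
  '*@http:/somesite.com',
  'Font@somesite.com',
  'Temporarily allow shockwave-flash@http:/somesite.com',
  'Temporarily allow http://somesite.com/player.swf',
];

console.log(parseConfirmation(CONFIRMATION));
for (const e of narrowestFirst(LABELS)) console.log(e.breadth, e.label, e.warn.join('; '));
```

The ranking only orders the choices by breadth; whether the narrowest one is sufficient for the page still has to be checked case by case, as the Soundclick example shows.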