Please, simple explanation of surrogate scripts

Posted: Wed Jan 23, 2013 12:39 pm
by Questioner
Despite reading various pages about surrogate scripts, I still do not understand them: I get that the purpose of surrogate scripts is to fool a website by pretending that its script is being run while in reality NoScript substitutes a replacement, or surrogate.

Which of the following statements is correct:

- A surrogate script for Site X will be run whenever you have ALLOWED Site X
- A surrogate script for Site X will NOT be run when you have ALLOWED Site X (but that site's scripts will be run)
- A surrogate script for Site X will be run when you have DISALLOWED Site X
- A surrogate script for Site X will NOT be run when you have DISALLOWED Site X (nor will that site's scripts be run)
- A surrogate script for Site X will be run the FIRST TIME you visit Site X BEFORE you allow or disallow Site X
- A surrogate script for Site X will NOT be run the FIRST TIME you visit Site X BEFORE you allow or disallow Site X

And if none of the above statements are correct or if surrogate scripts are used / not used based on more complex criteria, please let me know.

Re: Please, simple explanation of surrogate scripts

Posted: Wed Jan 23, 2013 8:29 pm
by Giorgio Maone
Questioner wrote: A surrogate script for Site X will be run whenever you have ALLOWED Site X
True for "@", "!@", "<", and ">" surrogates.
Questioner wrote: A surrogate script for Site X will NOT be run when you have ALLOWED Site X (but that site's scripts will be run)
True for "!" surrogates.
Questioner wrote: A surrogate script for Site X will be run when you have DISALLOWED Site X
True for "!", "!@" and "" surrogates.
Questioner wrote: A surrogate script for Site X will NOT be run when you have DISALLOWED Site X (nor will that site's scripts be run)
True for "@", "<" and ">" surrogates.
Questioner wrote: A surrogate script for Site X will be run the FIRST TIME you visit Site X BEFORE you allow or disallow Site X
A surrogate script for Site X will NOT be run the FIRST TIME you visit Site X BEFORE you allow or disallow Site X
Surrogates don't keep track of the times you visit a page. "@" and "!@" surrogates will run if scripts are enabled for the page, "!" surrogates if they aren't, whenever you visit it.

If the answers above left you more confused than before, I suggest reading the Script Surrogates Quick Reference slowly and carefully.

Re: Please, simple explanation of surrogate scripts

Posted: Thu Jan 24, 2013 4:53 am
by Guest
Thank you very much!
Quote: If the answers above left you more confused than before, I suggest reading the Script Surrogates Quick Reference slowly and carefully.
I've skimmed over it but you're right, I will need to read it a few more times.

Follow-up question about first-time visits: I remember when I used NoScript on my previous computer, everything (except for the sites on the short whitelist built into NS) would be DISALLOWED the first time and you had to allow explicitly an origin site for its script(s) to be run.

On this machine, initially I set NS to block (click to start) Java and Flash but to allow all scripts generally. Later I removed the checkmark for the "allow all scripts" setting. Now, when I visit a new site, its scripts will be ALLOWED automatically. However, when I click on the NS icon in my menu bar, the new site will be shown in bold italics while other sites that I had previously allowed explicitly are shown in non-bold, non-italic type. At the same time, scripts that this new site invokes from other websites are not allowed by NoScript (but can be allowed manually).

Is this a design change in NoScript behavior?

Re: Please, simple explanation of surrogate scripts

Posted: Thu Jan 24, 2013 8:25 am
by Giorgio Maone
Guest wrote: Is this a design change in NoScript behavior?
No, most likely you also checked NoScript Options|Temporarily allow top-level sites by default.

Re: Please, simple explanation of surrogate scripts

Posted: Thu Jan 24, 2013 9:53 am
by Guest
You're right! Many thanks for the swift reply :)

Re: Please, simple explanation of surrogate scripts

Posted: Thu Jan 24, 2013 10:34 am
by Guest
By the way, because I accidentally had "temporarily allow top-level sites by default" set, just last week I hit on a web page with Trojan:JS/BlacoleRef.T; however, Microsoft Security Essentials caught and quarantined it.

Better to have NoScript, too, protecting my computer. So now I've unchecked that checkbox.

Many thanks to Giorgio Maone and his team for keeping so many people safe!

Re: Please, simple explanation of surrogate scripts

Posted: Sat Jan 26, 2013 1:40 am
by Thrawn
Guest wrote: By the way, because I accidentally had "temporarily allow top-level sites by default" set, just last week I hit on a web page with Trojan:JS/BlacoleRef.T; however, Microsoft Security Essentials caught and quarantined it.

Better to have NoScript, too, protecting my computer. So now I've unchecked that checkbox.
If you're concerned about accidentally clicking on things, you might also want to go to Options-Appearance and remove items from the menu. I personally like to hide 'Scripts Globally Allowed', 'Allow All This Page', and 'Temporarily Allow All This Page'.
Guest wrote: Many thanks to Giorgio Maone and his team for keeping so many people safe!
Credit is mostly due to Giorgio (and I thoroughly agree) - but thanks!