InformAction Forums

hi noscript, thanks for the most important firefox add-on, i've been using it for many years

i've recently had some confusion using it in conjunction with 'https-everywhere' and 'ghostery' as follows

over time i wondered why when some sites are listed as blocked by noscript, can appear accessed in either 'https-everywhere' or 'ghostery' and appear in a simple network trace so i did a small test, chose a site that has lots of scripts/trackers and was wondering what your thoughts are and if you could help explain some things:

apparatus:

firefox 19 portable
noscript 2.6.5.7 - temporarily allow base 2nd level domains
ghostery 2.8.4
https everywhere 3.1.3

method:

noscript ACTIVE;
https everywhere ACTIVE;
ghostery ACTIVE;

start firefox with blank page
wait for sync and other phone-home dns requests to finish
start wireshark, filter for dns, check that all other dns requests have ceased/slowed
access forbes.com and eventually arrive at forbes.com/home_usa
wait 1 min
stop capture

Results:

98 dns requests
see also screen grabs below

Notes:

noscript only allows:

forbes.com
forbesimg.com

*nothing else is in whitelist*

dns query responses

1.
where does gravatar come from?
noscript and ghostery make no mention of gravatar nor edgecast?
or is it something like a CDN such as amazon or akamai?
or is this non js?

www.gravatar.com: type A, class IN
www.gravatar.com: type CNAME, class IN, cname cs91.wac.edgecastcdn.net
cs91.wac.edgecastcdn.net: type A, class IN, addr 68.232.44.121

2.
where does wikinvest come from? noscript blocked the script.
is this non js?

www.wikinvest.com: type A, class IN
www.wikinvest.com: type CNAME, class IN, cname wikinvest.com
wikinvest.com: type A, class IN, addr 66.81.238.4
wikinvest.com: type A, class IN, addr 66.81.238.6

3.
how is a query to embed.newsinc.com allowed to receive a response if noscript blocked newsinc.com?
or is it something like a CDN such as amazon or akamai?
or is this non js?

embed.newsinc.com: type A, class IN
embed.newsinc.com: type CNAME, class IN, cname NDN-LB-PS2-741778336.us-east-1.elb.amazonaws.com
NDN-LB-PS2-741778336.us-east-1.elb.amazonaws.com: type A, class IN, addr 23.21.228.118
NDN-LB-PS2-741778336.us-east-1.elb.amazonaws.com: type A, class IN, addr 54.243.116.97
NDN-LB-PS2-741778336.us-east-1.elb.amazonaws.com: type A, class IN, addr 23.21.78.170
NDN-LB-PS2-741778336.us-east-1.elb.amazonaws.com: type A, class IN, addr 23.21.167.194
NDN-LB-PS2-741778336.us-east-1.elb.amazonaws.com: type A, class IN, addr 107.22.216.41
NDN-LB-PS2-741778336.us-east-1.elb.amazonaws.com: type A, class IN, addr 54.243.65.92
NDN-LB-PS2-741778336.us-east-1.elb.amazonaws.com: type A, class IN, addr 54.243.110.60
NDN-LB-PS2-741778336.us-east-1.elb.amazonaws.com: type A, class IN, addr 23.21.170.135

4.
same for assets.newsinc.com?

assets.newsinc.com: type A, class IN
assets.newsinc.com: type CNAME, class IN, cname assets.newsinc.com.edgesuite.net
assets.newsinc.com.edgesuite.net: type CNAME, class IN, cname a1683.g.akamai.net
a1683.g.akamai.net: type A, class IN, addr 124.40.52.72
a1683.g.akamai.net: type A, class IN, addr 124.40.52.74


Conclusions:

the only explanation i can think of is that either forbes.com and/or forbesimg.com are forwarding all of these requests to other domains?
i'm also not sure if these 3 add-ons are interfering with eachother, which i hope not.

The short answer is that NoScript will only block active content: JavaScript, Java, Flash, Silverlight, etc.

For the complete list of which types you're currently blocking, look in Options - Embeddings and see which boxes are checked in the top section. NoScript does not (usually) care about images, stylesheets, frames (by default), links (which may trigger DNS prefetching), or any other non-active content. It is first and foremost a security tool, with privacy being a side benefit, so those non-active requests are generally ignored. The exception is if you configure the ABE module, which can control all requests (even those originating from the browser's internal chrome, if I'm not mistaken; use with care!).

Ghostery is a privacy tool, dealing with trackers including web bugs, so it will catch some images that NoScript will ignore. Personally I prefer RequestPolicy, but that's not for the faint-hearted. HTTPS Everywhere deals with all requests, so it should report everything, active or not.

As to the specific sites:
- Gravatar: provides avatar icons that are intended to follow you across different sites. Usually a site just loads an image from gravatar, so this won't get blocked by NoScript, and it wouldn't be registered as a tracker, so it would get ignored by Ghostery.
- Wikinvest: sounds like some kind of investment portfolio manager. Web of Trust doesn't seem to mind it, but it's probably an advertiser. Your opinion of advertising is up to you.
- embed.newsinc.com and assets.newsinc.com are probably embedding non-active content like stylesheets and images, which NoScript will allow. However, they're likely to be embedding JavaScript as well, which will be blocked, which is why they show up in NoScript's menu.