InformAction Forums

Icon Meaning Clarification

- this means that scripts and plugin contents are blocked for the current site and its subframes. Even if some of the 3rd party script sources imported by the page may be in your whitelist, no code could run because the hosting documents are not enabled.

http://noscript.net/features

Could you clarify that.

I go to http://slashdot.org/, nothing Allowed.

All scripts are blocked.

I Allow fsdn.com.
Even though I have, scripts from fsdn.com still will not execute because slashdot.org has not been Allowed?
So for instance, http://c.fsdn.com/sd/all-minified.js will not run.

Is that the idea?

Yes it is. When the main document is not in your whitelist, scripts imported with <SCRIPT src="some-other-domain.js"></SCRIPT> are not loaded at all, and even if they were loaded, couldn't execute anyway because their hosting "docshell" has JavaScript disabled.
That's why I slightly changed the icon behavior to reflect this thing, which was not very clear to many users: if the top level is disabled and you've got no active subframe, you get (totally forbidden) rather than (partially forbidden) like previously. The latter icon now is shown only if the top-level is allowed but some 3rd party resources are blocked.

However, if a subframe with a trusted source is loaded, it can execute scripts even if the top document is not allowed. In this case you get the new (subcontent allowed inside a forbidden document).

So more simply perhaps ...

For whatever reason, I have whitelisted (Allowed) badsite1.com & badsite2.com & badsite3.com.

Now I go & visit disney.com. I have NOT Allowed disney. Disney is harboring scripts from badsite1 & badsite2 & badsite3.

Since I have NOT allowed disney, I am not affected by any of those badsites.

Is that still correct?

Now once I allow disney, I am had.


And in that vein, it would seem not too smart (even less smart) for anyone to run with the setting, Temporarily allow top-level sites by default, enabled.

therube wrote:So more simply perhaps ...

For whatever reason, I have whitelisted (Allowed) badsite1.com & badsite2.com & badsite3.com.

Now I go & visit disney.com. I have NOT Allowed disney. Disney is harboring scripts from badsite1 & badsite2 & badsite3.

Since I have NOT allowed disney, I am not affected by any of those badsites.

Is that still correct?

Now once I allow disney, I am had.

And in that vein, it would seem not too smart (even less smart) for anyone to run with the setting, Temporarily allow top-level sites by default, enabled.

It's all correct, but why "even less smart"?
You've not been smart in first place when you allowed badsite1.com, badsite2.com & badsite3.com. If you didn't, when you allowed disney nothin bad would have happened.

Thanks.

I'm just thinking that some run with Temporarily allow top-level sites by default enabled, which in itself already lessens security. Now if they already happened (for whatever reason) to have some badsite Allowed (if by accident if nothing else), then they would be that much more less protected (so even less smart).

(Heh. <more less> now what kind of sense does that make .)

I'm still wishing for the opposite: I have every site at Yahoo Classic Mail either w/l or untrusted, but the blocked sub-objects for attachments and downloading of attachments still do not show in the solid-blue icon. I know this now, of course, but it has to be confusing some less-knowledgeable users when their attachments won't attach despite the all-blue logo. Yes, they should click the menu and see it, but they might not think to do so, since the logo is solid blue. TIA.

It does show the solid blue S if you're using Fx 3, but not in Fx 2. See my reply at http://forums.informaction.com/viewtopi ... 5692#p5692.

Edit: I stated this wrong. I meant to say It does not show the solid blue S if there's a blocked object when you're using Fx 3, but it still does in Fx 2.

Alan Baxter wrote:It does show the solid blue S if you're using Fx 3, but not in Fx 2. See my reply at http://forums.informaction.com/viewtopi ... 5692#p5692.

Saw it and replied there; thanks.