Page 1 of 2
RFE: Prevent whitelisting of http:
Posted: Wed Sep 25, 2013 9:40 pm
by Thrawn
In light of situations like
this one, should NoScript prevent the user (or perhaps warn them) from whitelisting the whole http: protocol?
It makes sense to allow the whole chrome: or about: protocol, but whitelisting http: is almost certainly an accident (and a dangerous one).
Maybe there could be an 'allowWhitelistingAllHttp' setting in about:config that would act as a safety catch, so unless you've deliberately gone into about:config and toggled it, you can't whitelist
http:. Perhaps it could be a list of all protocols that are allowed to be globally whitelisted, defaulting to just the built-in ones (about, chrome, blob, resource). Maybe including data: as well, so you have the option to whitelist all data: if you want to.
This would probably apply to https: as well. There's slightly more sense in allowing all https: URLs, but I think it still makes sense to put a prompt or safety catch of some kind on it, because it's not normal.
Re: RFE: Prevent whitelisting of http:
Posted: Wed Sep 25, 2013 10:04 pm
by barbaz
+1, but wouldn't it make the most sense for NS to turn on "Allow Scripts Globally" when the user attempts to whitelist http: ? (I don't think that should happen when the user tries to whitelist https: .)
Re: RFE: Prevent whitelisting of http:
Posted: Fri Sep 27, 2013 10:48 pm
by dhouwn
wouldn't it make the most sense for NS to turn on "Allow Scripts Globally" when the user attempts to whitelist http: ?
So whitelist
https:, file: and maybe more as well just because the application tried to guess the user's intend? Please no, please nothing of the sort of such philosophy (something that might then be called something along the lines of "context-aware pervasive ambient intelligence computing"
)
Re: RFE: Prevent whitelisting of http:
Posted: Fri Sep 27, 2013 11:50 pm
by Thrawn
I wouldn't want to turn on Scripts Globally Allowed in this situation, because without clear intent by the user, I would assume that it was a mistake, and I wouldn't want to exacerbate it.
Re: RFE: Prevent whitelisting of http:
Posted: Sat Sep 28, 2013 3:10 am
by barbaz
Thrawn wrote:I wouldn't want to turn on Scripts Globally Allowed in this situation, because without clear intent by the user, I would assume that it was a mistake, and I wouldn't want to exacerbate it.
I would agree with you and dhouwn, but turning on Scripts Globally Allowed presents the user with a dialog where they could just click Cancel if they don't want that. As for users who don't understand the dialog, wouldn't they be more likely to click "Cancel" than "OK" in any case, thus saving them rather than exacerbating the situation?
(This forum doesn't allow posting from browsers that don't identify themselves as Gecko-based, even if they really are?)
Re: RFE: Prevent whitelisting of http:
Posted: Sat Sep 28, 2013 12:32 pm
by Thrawn
I would agree with you and dhouwn, but turning on Scripts Globally Allowed presents the user with a dialog
Oh, you meant with a confirmation dialog. Yeah, that could work, but it may as well have its own dialog rather than reusing that one.
(This forum doesn't allow posting from browsers that don't identify themselves as Gecko-based, even if they really are?)
I'm posting from the Symbian default browser right now.
Re: RFE: Prevent whitelisting of http:
Posted: Sat Sep 28, 2013 4:06 pm
by barbaz
Thrawn wrote:
I would agree with you and dhouwn, but turning on Scripts Globally Allowed presents the user with a dialog
Oh, you meant with a confirmation dialog. Yeah, that could work, but it may as well have its own dialog rather than reusing that one.
If whitelisting http:
wasn't a mistake, why would someone do that other than because they're frustrated with digging around in the NS menu repeatedly?
Thrawn wrote:
(This forum doesn't allow posting from browsers that don't identify themselves as Gecko-based, even if they really are?)
I'm posting from the Symbian default browser right now.
That browser has "Gecko" in its user-agent string. I was using an old Firefox with an Opera user-agent string. You're also a moderator while I'm a junior member.
This is getting complicated, so to keep this topic clean could you please split the discussion of allowed browsers to the Metaforum?
Re: RFE: Prevent whitelisting of http:
Posted: Sun Sep 29, 2013 9:32 pm
by Thrawn
barbaz wrote:
If whitelisting http: wasn't a mistake, why would someone do that other than because they're frustrated with digging around in the NS menu repeatedly?
Then they really ought to use the Allow Scripts Globally menu item, which is more convenient, more explicit, and gives more obvious feedback (like the changed icon).
Mind you, I'm OK with the idea of letting someone whitelist
http:, provided that they have made it clear that they really want to do it, they didn't just start typing and get distracted.
barbaz wrote:
This is getting complicated, so to keep this topic clean could you please split the discussion of allowed browsers to the Metaforum?
Actually, after a quick search, it's already been discussed
here.
Re: RFE: Prevent whitelisting of http:
Posted: Mon Sep 30, 2013 1:46 pm
by barbaz
I think there's something I'm not understanding about NS internals because I thought that saying "turn on Allow Scripts Globally when http: is whitelisted" was understood to mean "if the user tries to whitelist
http:, don't do that but instead act like they clicked the menu item." Also, with Scripts Globally Allowed it would be easier to block some sites from running active content by clicking "Mark site as untrusted". For users who don't want Scripts Globally Allowed, when would whitelisting http: be necessary and selectively allowing sites from Full Addresses wouldn't work?
Contrast this to whitelisting
https:, where someone may want to temporarily do that to complete a financial or other sensitive transaction without allowing insecure active content to run but not potentially messing up the payment/whatever by blocking the wrong thing at the wrong time.
Speaking of which, if we're going with confirmation dialog for whitelisting
https:, how about offering three options: Cancel, Temp-allow, and Allow? Thoughts?
Thrawn wrote:Actually, after a quick search, it's already been discussed
here.
Thanks, that makes sense.
Re: RFE: Prevent whitelisting of http:
Posted: Mon Sep 30, 2013 10:34 pm
by Thrawn
barbaz wrote:I think there's something I'm not understanding about NS internals because I thought that saying "turn on Allow Scripts Globally when http: is whitelisted" was understood to mean "if the user tries to whitelist
http:, don't do that but instead act like they clicked the menu item."
Yes, that's what I assumed you meant. I don't like it. If they want to click on the menu item, they should click on the menu item.
Also, with Scripts Globally Allowed it would be easier to block some sites from running active content by clicking "Mark site as untrusted". For users who don't want Scripts Globally Allowed, when would whitelisting http: be necessary and selectively allowing sites from Full Addresses wouldn't work?
I agree that there is not much of a use case for whitelisting
http:, which is why I think it's (almost always) a case of user error, hence this RFE.
Contrast this to whitelisting
https:, where someone may want to temporarily do that to complete a financial or other sensitive transaction without allowing insecure active content to run but not potentially messing up the payment/whatever by blocking the wrong thing at the wrong time.
Thus I'm open to the idea of allowing users to override the protection if they really want to. But I think that https: should still have a restriction of some kind.
Speaking of which, if we're going with confirmation dialog for whitelisting
https:, how about offering three options: Cancel, Temp-allow, and Allow? Thoughts?
Maybe, but I'm assuming that the user probably didn't really mean to do this, and there's almost no good reason why they might want to, so it's not necessary to give them extra options. It's just a safety catch.
Re: RFE: Prevent whitelisting of http:
Posted: Mon Sep 30, 2013 11:50 pm
by barbaz
Thrawn wrote:It's just a safety catch.
Oh, I didn't realize this wasn't about use cases. In that case, I think it would be best to go with a boolean about:config preference like you suggested for http: and a simple confirmation dialog for https: (being less dangerous, it doesn't need as big a safety catch).
Update: @Thrawn & Giorgio: Just for fun, I've made a working PoC of the above and it turns out that it's enough to insert
Code: Select all
if ((site == "https:" && !noscriptUtil.prompter.confirm(window, "NoScript", "Do you really want to whitelist the entire HTTPS protocol?")) || (site == "http:" && !ns.prefs.getBoolPref("allowWhitelistingAllHttp"))) return;
at line 370 of noscriptOptions.js. That being said there are obvious UI / localization issues with this, but it doesn't look like they're hard to resolve.
Re: RFE: Prevent whitelisting of http:
Posted: Tue Oct 01, 2013 11:25 pm
by Thrawn
Huh.
http://forums.informaction.com/viewtopi ... =7&t=17205
Who'd have thunk?
I like the PoC, although I wouldn't have seen it unless I came back to add the above link, because editing your post doesn't make it show up in my Unread Posts...
What do you think about the earlier suggestion of having an about:config preference that would list all the protocols you're allowed to whitelist?
Re: RFE: Prevent whitelisting of http:
Posted: Wed Oct 02, 2013 12:53 am
by barbaz
My reaction too. Despite what I was saying earlier, I'd never have thought of
that use case.
Even so, that just shows why it's a good idea to keep the safety catch on https: as simple as possible.
Thrawn wrote:I like the PoC, although I wouldn't have seen it unless I came back to add the above link, because editing your post doesn't make it show up in my Unread Posts...
Even though you're a Moderator who needs to be notified of potential spamming? Another discussion for the Metaforum, I suppose...
Thrawn wrote:What do you think about the earlier suggestion of having an about:config preference that would list all the protocols you're allowed to whitelist?
For a feature intended to protect only a couple of protocols, that seems a bit much. If we're going with an about:config pref that's listing protocols, better to list the ones you
shouldn't be allowed to whitelist by default (ignoring the ones in noscript.mandatory, of course).
Re: RFE: Prevent whitelisting of http:
Posted: Thu Jun 26, 2014 5:19 am
by barbaz
Bump
I could provide a more complete (meaning everything other than localization) patch for this as applied on top of the latest NoScript dev build, if that would be helpful.
Re: RFE: Prevent whitelisting of http:
Posted: Sat Mar 14, 2015 2:36 am
by barbaz
Bump
With the new Allow HTTPS scripts globally on HTTPS documents feature introduced in NS 2.6.8.37rc2, now it's probably best to instead prompt about setting that mode when attempting to whitelist all HTTPS
@Giorgio, do you think this is a good idea?
Let me know & if you like this idea I'll attempt to update the patch