InformAction Forums

Hi

I am relatively new to NoScript. Is there something basic I am missing?
When I am using a website that draws scripts from 5 or 10 or more domains, how can I determine which domains I need to allow for specific functions to work?

Well, you can either examine the source code of the page and the scripts that it's trying to run, or you can use trial and error...unfortunately there's not much that NoScript can do about that.

However, by middle-clicking on the menu entries, you can get information about the sites from Web of Trust and similar services, so you can get an idea of how trustworthy they might be.

Thrawn wrote:Well, you can either examine the source code of the page and the scripts that it's trying to run, or you can use trial and error...unfortunately there's not much that NoScript can do about that.

But when I right-click on an element, for instance a 'send-button', and choose 'inspect element', then I get a half-screen-window, where I can see the HTML-element, but there is no information about which domain that contains the js-code for that element - the send-button...?

I'm afraid you'll have to find all of the <script> elements in the page, manually download each of them, and hunt for JavaScript that refers to your Send button (hopefully using its ID, which will be easy enough to find).

Sorry, but this is what happens when web pages are built using a language that is not only Turing-complete but also interpreted and both object-oriented and function-oriented.

Thrawn wrote:I'm afraid you'll have to find all of the <script> elements in the page, manually download each of them, and hunt for JavaScript that refers to your Send button (hopefully using its ID, which will be easy enough to find).

It would be great, if that was a function in Noscript! Instead of me having to do it manually.

The JSView addon used to do this quite well, but unfortunately it appears to be dead.

You can try using the built-in Developer Tools, or Firebug if you need something extra.

However, regardless of the tool, you're looking at a tremendous amount of work. Per website.

> JSView ... appears to be dead

Dead in what way?

Oh, they took it off AMO?

See if this works, 2.0.8-mod, http://xsidebar.mozdev.org/modifiedmisc.html#jsview.

@therube, that mod of JSView is buggy, especially on Mac OS X. Philip Chee's changes exposed a bad bug resulting from sloppy coding in the original.
Even so, it does work partially, and it should run just as well on Fx as on SeaMonkey. Haven't touched any recent Fx versions though...

> that mod of JSView is buggy, especially on Mac OS X

In what way?


Oh, & this too, http://forums.mozillazine.org/viewtopic ... #p12683267
Source: http://forums.mozillazine.org/viewtopic ... #p12682115

therube wrote:> that mod of JSView is buggy, especially on Mac OS X

In what way?

The worst bug is that almost *all* of the JS/CSS in the menu, when clicked, point you to http://undefined/ . (In Linux it's only about a third of them.)
I'd prefer not to continue hijacking this thread, so therube, if you want to talk about JSView more, send me a PM.

Hero wrote:When I am using a website that draws scripts from 5 or 10 or more domains, how can I determine which domains I need to allow for specific functions to work?

I think I have found the best possible solution to my problem:

I have installed Ghostery. These people have examined scripts from different domains and classified them accordingly. So I let Ghostery block scripts and I have disabled the whole script-blocking in NoScript. I have not fully deactivated NoScript, it still does things like XXS, ABE etc.

Hero wrote: I think I have found the best possible solution to my problem:

I have installed Ghostery. These people have examined scripts from different domains and classified them accordingly.

That depends on what you consider to be the problem.

I would definitely not recommend Ghostery for the job of keeping you safe on the internet. It is for protecting your privacy, not security. And it has a history of not playing nicely with others.

Blacklists work OK for privacy, because the corporations that will want to track you are generally big, and therefore known. If someone set up their own personal tracking domain that no-one else knows about, then they wouldn't be collecting enough information for it to be a concern. But when it comes to security, all sites are equally capable of attacking you. An attacker just has to register a new domain that isn't on the lists, and they can hit everyone who comes to that domain until they get found by the blacklist maintainers. Then they register another domain. Or another few thousand domains.

If you really want a blacklist-based approach to security, where you rely on someone else to keep track of every bad site on the whole internet, then at least do yourself a favor and use Adblock Plus with the Anti-Malware subscription. It is at least designed for the job, which Ghostery is not.

Thrawn wrote:

Hero wrote: I think I have found the best possible solution to my problem:

I have installed Ghostery. These people have examined scripts from different domains and classified them accordingly.

That depends on what you consider to be the problem.

I would definitely not recommend Ghostery for the job of keeping you safe on the internet. It is for protecting your privacy, not security. And it has a history of not playing nicely with others.

Blacklists work OK for privacy, because the corporations that will want to track you are generally big, and therefore known. If someone set up their own personal tracking domain that no-one else knows about, then they wouldn't be collecting enough information for it to be a concern. But when it comes to security, all sites are equally capable of attacking you. An attacker just has to register a new domain that isn't on the lists, and they can hit everyone who comes to that domain until they get found by the blacklist maintainers. Then they register another domain. Or another few thousand domains.

My experience is that important parts of lots of websites depend on JS, so I can't just block all JS.
NoScript doesn't give me a way of knowing which features on a website depend on which script(-domains), so it's not REALLY useful.

Thrawn wrote:If you really want a blacklist-based approach to security, where you rely on someone else to keep track of every bad site on the whole internet, then at least do yourself a favor and use Adblock Plus with the Anti-Malware subscription. It is at least designed for the job, which Ghostery is not.

I do have Adblock Plus installed - just using the EasyList-filter. But I can't find a filter called Anti-Malware. Can you tell me how to find that, please?

Hero wrote:I do have Adblock Plus installed - just using the EasyList-filter. But I can't find a filter called Anti-Malware. Can you tell me how to find that, please?

https://adblockplus.org/en/subscriptions
scroll all the way down to "Malware Domains"

barbaz wrote:

Hero wrote:I do have Adblock Plus installed - just using the EasyList-filter. But I can't find a filter called Anti-Malware. Can you tell me how to find that, please?

https://adblockplus.org/en/subscriptions
scroll all the way down to "Malware Domains"

Thank you very much!! Hereby installed.
So now Ghostery is disabled, NoScript only does XXS, ABE and such and 2 AdBlock filters does 'the rest'. It doesn't feel 100% optimal for both privacy and security, but it's hell manually trying to figure out which JS-domains I need on each website and which are just spying on/tracking me...!?