NoScript Tooth-Grinders - SOLVED

[runbei]

Complaining this morning:

1. I find it horrible that NoScript blocks Google Fonts out of the box (via Embeddings > Forbid @ font-face). This forces me as a web dev to NOT USE GOOGLE FONTS because I refuse to uglify the site for the preponderance of visitors who'll have NS installed in their browser.

2. Similarly, it's absolutely nuts that NoScript now blocks YouTube video play by default, with no simple way to fix this - requires research.

Really, what were they thinking. Seems like "we know better than our users" decision-making. I suspect that replies to this post will take the "It's for your own security" road. Well, just bleh.

[barbaz]

This forces me as a web dev to NOT USE GOOGLE FONTS

Which is a privacy bonus for *all* your visitors. Cool!

2. Similarly, it's absolutely nuts that NoScript now blocks YouTube video play by default, with no simple way to fix this - requires research.

It shouldn't be that way. That just might be considered a bug... please tell us what you had to do to get it working again.

Really, what were they thinking. Seems like "we know better than our users" decision-making.

No, it's "let the users explicitly tell NoScript what's safe and what's not, rather than make assumptions about what users as a whole are OK with" decision-making.

I suspect that replies to this post will take the "It's for your own security" road. Well, just bleh.

How about a reply that half kinda takes that route and half agrees with you?

[runbei]

Okay, thanks, i get it. Temporary loss of my sense of humor. Still, I do resent that I cannot use any of the wonderful Google fonts because 99.9 percent of readers will NOT know to un-check the appropriate NoScript setting. So, instead of seeing the stunningly refined Lora, they'll get bloody Arial. This is web design murder, yuck.

Still haven't solved the YouTube problem. For now, I'm just disabling NoScript.

[barbaz]

99.9 percent of readers will NOT turn know to un-check the appropriate NoScript setting.

Or know to look at the Blocked Objects submenu and click the entry above the menu separator, if they trust both you and Google and want to see the font?

Still haven't solved the YouTube problem.

Are you getting a placeholder for something @https://[...].googlevideo.com that doesn't go away when you click it? (if not, the rest of this post probably won't apply)

If so, and if you aren't deliberately doing anything that would force YouTube to serve you HTML5, 'googlevideo.com' needs to be added to the default whitelist. Since "other features" of YouTube are deliberately unblocked by default, it makes no sense at all to block video playback by default.

Does whitelisting googlevideo.com get video playback working (assuming you did *not* check "Apply these restrictions to whitelisted sites too" in NoScript Options > Embeddings)?
If you *did* check "Apply these restrictions to whitelisted sites too", does adding entry in about:config -> noscript.allowedMimeRegExp for googlevideo.com get it working?

[runbei]

Many thanks for the helpful reply.

With YouTube videos and NoScript default settings I see a black screen with a message: "An error occurred, please try again later. Learn More"

Very helpful. The link takes you to a long Google page with a tiresome list of things to try. Much easier to disable NS.

Whitelisting googlevideo.com doesn't work for me - still see the error message.

SUCCESS. Un-checking "Apply these restrictions to whitelisted sites too" under NoScript Options > Embeddings solved the problem.

I'll mark this solved. Will fast and pray until NoScript devs decide to allow their users to view Google fonts by default. Amen.

[barbaz]

Thank you for reporting back. Based on this thread I've requested adding googlevideo.com to the default whitelist: viewtopic.php?f=10&t=20513

[Thrawn]

Still, I do resent that I cannot use any of the wonderful Google fonts because 99.9 percent of readers will NOT know to un-check the appropriate NoScript setting. So, instead of seeing the stunningly refined Lora, they'll get Arial.

Well, you could use an appropriate <noscript> tag to give them directions...or if you host the content yourself, instead of loading it from Google, then it will be allowed when your site is allowed.

Unfortunately fonts can be a vulnerability, so NoScript will block them on untrusted sites.

[barbaz]

Thank you for reporting back. Based on this thread I've requested adding googlevideo.com to the default whitelist: viewtopic.php?f=10&t=20513

Update: This has been done in NoScript 2.6.9.19rc1.
(and 2.6.9.19 is now stable release)