InformAction Forums

Hi!

With NoScript 2.6.9.11 or 2.6.9.12 installed, thumbnails for the newtab page are not generated anymore.

STR:
1. Use any of the mentioned versions.
2. Exit Firefox
3. Delete the thumbnail cache. On Mac, this is in /Users/<Username>/Library/Caches/Firefox/Profiles/<ProfileID>.default
4. Start Firefox
5. Open a new tab.

With NS activated, thumbnails do not appear for the newtag entries.
Without NS, they appear one by one after a few seconds automatically.

Cheers,
TheOne

For reference, the related parts of the changelog:

https://noscript.net/changelog#2.6.9.5 wrote:v 2.6.9.5rc2
=============================================================
[...]
x Fully disable background processed thumbnail generation
unless noscript.bgThumbs.allowed about:config preference
is set to true
x Control JavaScript enabled in background thumbail
generation through the noscript.bgThumbs.disableJS
about:config preference

v 2.6.9.5rc1
=============================================================
+ Forcing remote browsers used for thumbnail generation to
disable JavaScript (thanks vpoint for reporting)

Basically, the thumbnail generation is done in a separate process which means it bypasses all extensions and has JavaScript enabled, so NoScript can't apply all its security measures there. Leaving it alone would be giving you a false sense of security.

Confirmed.
Some sort of weird interaction going on.
I did get 1 or 2 thumbs to load (which may or may not have actually been one of the blocks in the new tab page).

Dropped back to noscript-2.6.9.1rc2.xpi & the thumbs did populate.


(And how stupid is that, IMO, that content would be loading for that reason, that it actually goes out to those pages, just because you've opened a "new tab".)

Hi barbaz,

thanks for the reply.

However, this doesn't make much sense to me. Your explanation contradicts to what the changelog says:

From reading the changelog, I'd say you could just set both noscript.bgThumbs.disableJS and noscript.bgThumbs.allowed to true. But your post says, the background process bypasses all add-ons. But if so, why having a pref to enable/disable JS in the background process in the first place?

It's just another safety catch. You can do that, if you really want thumbnails, but bear in mind that while a significant security exploit is unlikely there with JS disabled, those thumbnails have NO privacy protection, so any domains you think you've blocked requests to in the browser, could still be requested...

Ah, OK, that there was even a NoScript related Pref never registered with me.

So once I toggle noscript.bgThumbs.allowed to 'true', the thumbs do populate as expected.

And with that done, it looks to be working as expected.

@therube: viewtopic.php?f=22&t=20286

But, I believe that if you have NoScript enabled, but set it "Allow Scripts globally (dangerous)"
it shouldn't block the background processed thumbnail generation and its Javascript.
Nor shouldn't I have to modify
noscript.bgThumbs.allowed
and
noscript.bgThumbs.disableJS
in about:config in this case.



Because that's what currently happens:

Using NoScript 2.9.0.14 with FF 49.0.1 x64 (with e10s disabled/not yet enabled by default) in win 10 x64.

I use NoScript mostly set to "Allow Scripts globally (dangerous)" (and set specific domains as Untrusted).

To reproduce: (it happens every time)
- Launch FF with a fresh profile, install NoScript, click "Restart now".
- After FF relaunch set NoScript to allow "Allow Scripts globally|Ok.
- Open a new tab. It will be like this:

- Open e.g. https://twitter.com in one tab and https://www.youtube.com in another (wait both to completely load)
- Open another new tab: you'll see that two new (empty) placeholders named yotube.com and twitter.com were added.
but, no longer how long you'll wait or how many times you refresh these tab (F5),
no thumbnail will be generated:

rick wrote:But, I believe that if you have NoScript enabled, but set it "Allow Scripts globally (dangerous)"
it shouldn't block the background processed thumbnail generation and its Javascript.
Nor shouldn't I have to modify
noscript.bgThumbs.allowed
and
noscript.bgThumbs.disableJS
in about:config in this case.

No? You think NoScript is only a script blocker?

The reasoning behind disabling thumbnails entirely is not related to script blocking. It's related mostly to ABE. By default, ABE blocks webpages access to stuff on your local network, such as your router: With ABE not present in the thumbnails, all that had to happen to bypass ABE is loading a page as a thumbnail.

As for disabling Javascript in the thumbnails even when scripts globally allowed? Again, NoScript is more than just a script blocker. When you Allow Scripts Globally, you are keeping all these "extra" protections, including ABE, XSS filtering, MIME type enforcement, etc. Some of these protections, such as ClearClick, are only useful if you're actually interacting with the webpage, not so much in a thumbnail. But some of the protections are needed regardless.
In the new tab thumbnail context, you have *none* of these protections.

Why does this stuff matter here? Well, let's put it this way:

Imagine it's a cold winter evening and you're going outside. You're wearing jeans and a T-shirt. You think "Hey, I don't need a coat, I'm not going far from the door. And besides, I've done this before and been OK haven't I?" and you just walk out the door. As soon as you step away from the house, the neighbor's dog comes up to you, snatches your key and runs off with it, and you find yourself locked out and you get frostbite before you can get help.

Yep, on the Web, if you're not aware of and secured against potential problems, it's just a matter of time before a disaster happens.

So ask yourself whether you would rather have thumbnails or true security. The choice is there - take your pick.

Does this explanation help?

barbaz wrote:Does this explanation help?

Of course!
I didn't know it had to do with all that.
Thanks for the detailed reply!

You're welcome!

BTW, for anyone who is interested in a more complete list of the protections NoScript has, check NoScript Options > Embeddings, NoScript Options > Advanced, and viewtopic.php?f=10&t=5920

Today I had the following issue:

Today I had to restore my Firefox profile from yesterday's backup. (See the PS for the backup procedure).

So, in my first FF launch:
all tabs from yesterday were restored ok,
Noscript was in ""Allow Scripts globally (dangerous)" as before,
and theses two entries about:config were still modifed (true, and false, respectively), as before.
noscript.bgThumbs.allowed
noscript.bgThumbs.disableJS
But, no thumbnails are generated (but, they should: they were generated every time I restored my FF profile - well, that was, before I installed Noscript - ).

If I disable Noscript+restart FF then the thumbnails are created.

If then I re-enable Noscript + restart FF, then new tiles in most cases they don't get a thumbnail, ever.

Why is this happening? (I've tried this multiple times)
(the prefs remain always modified)
I'm afraid it's some kind of bug.


PS. The backup procedure:

I backup in a daily basis this folder
C:\Users\User\AppData\Roaming\Mozilla
into a ZIP file.

So, to restore the profile:
I delete the existing folders:
C:\Users\User\AppData\Roaming\Mozilla and
C:\Users\User\AppData\Local\Mozilla.
Then I unzip the backup file to it's initial path.

Just to check, are thumbnails likewise blocked if you start with a new, clean profile, installing NoScript, and manually setting:
1) Allow Scripts Globally
2) about:config > noscript.bgThumbs.allowed to true

If that does work, try another clean profile test with also setting noscript.bgThumbs.disableJS to false

Let us know, thanks.

In a new profile,
having either, only the 1st pref toggled, only the 2nd, or both,
the thumbnails are generated ok.