InformAction Forums

I made a patch available on github that adds a floating window GUI to NoScript. It's available here:
https :// github.com /ludotronic/noscript

This is a hack / proof of concept. Note that you need to build the extension from the source, so I guess it is for developers or adventurous. But if you're willing to try it, I'm interested by your feedback.

PS: I'm new to this forum and a recent user of NoScript. Many thanks to the creators and maintainers of this amazing extension.

I haven't tested this yet, but it looks like a cool idea, thanks . Giorgio will decide whether he can easily incorporate it.

Here what I have in mind.

o) if there is a lot of interest and we want it to be incorporated. I can volunteer to do the work the way Giorgio wants it. I think github gives us the right tools in terms of code review, comments, code change, testing. This is a patch, there is definitely a lot of work to do. But why not.

o) if there is some interest by few persons. I can keep it the way it is and merge periodically the latest changes from the upstream avian2 (which I think is the official github repository ?) with my own changes.

o) if there is no interest, maybe I'm deluding myself to think this can be a cool addition.

To give more context.

IMO the NoScript UI design took the path of being out the way. This works very well because we usually have a ecosystem of sites we visit. So the extension has to be configured once and after that, we are at 1 to 3 click away of what's needed. This works transparently.

This patch tries to take the other approach of being always in the way (but not too much hopefully). Like a remote control, accessible and providing valuable information. More "educative" maybe.

Going a bit off topic with a next idea.
I particularly like the "Security and Privacy Info" feature of NoScript. It allows you to find out what a site is about, where it is registered, its Google and Alexa rating, its reputation, user reviews,.... This is a gold mine. Unfortunately I'm not using the feature very often because it is too disruptive in my workflow. It opens a new tab, with some links to follow. I'd like to have it more like a tooltip (yet an another floating window) that popups up on the current page to sum up the various information. Technically that's doable.

To sum up I'm not sure where I want to go with this patch but I'm interested to get some feedback.

Thanks Thrawn and keep me posted.

ludotronic wrote:maybe I'm deluding myself to think this can be a cool addition.

That's exactly what's happening given that patch as it is, regardless of how many people like the UI enhancement.
Looked at the diff & gave it a try, and immediately noticed a huge problem: your patch enables *webpages* to change NoScript permissions. (Took about 5 minutes to make a PoC of this.)
It's also theoretically possible to exploit the new UI with a clickjacking attack, and it makes webpage detecting NoScript much easier.

Not cool.

That's serious enough that I even asked whether this topic should be hidden until that's fixed and I would then send you a PM with more details than I've posted, however I never got an answer.
So instead I've broken the link. Feel free to unbreak the link once the patch doesn't compromise NoScript.

To fix the patch, you'll need to re-write it to not inject anything in the webpage, period. Keep everything in chrome context please.
Feel free to PM me for more info.

------------------------

That aside, my comments on the idea:

ludotronic wrote:This patch tries to take the other approach of being always in the way (but not too much hopefully). Like a remote control, accessible and providing valuable information. More "educative" maybe.

Unfortunately IMO this is reminiscent of those annoying popups you get on webpages that come up semi-randomly asking about "get free whatnot blah blah blah" (or sometimes survey).

If you want the NoScript menu to really stay put, you can do that without any patches: configure it to open on hover and be sticky, then click on the icon.

It seems that I crossed a red line with my patch / proof of concept.
If this is the case, I'm sorry this was not my intention.

Do not worry about making this topic hidden and there is no need to edit my post to break url links. I deleted my github repository so the link is now permanently invalid.

Sorry again, thanks for your feedback and keep up the good work.

ludotronic wrote:I deleted my github repository so the link is now permanently invalid.

Well, you don't need to go that far...the concept is still potentially valid. However, as barbaz mentioned, injecting code into the page opens you up to problems. You need to keep NoScript controls in places where web pages can never touch them.

If you can find a way to make this float without the page being able to tamper with it, then it may yet be useful.

Thrawn wrote:If you can find a way to make this float without the page being able to tamper with it, then it may yet be useful.

Agreed.
One possible way to do that could be to put the floating window inside a (semi-)transparent arrowpanel anchored to the NoScript icon... then it would look basically the same, most of your code is probably reusable, but the webpage can't access it and you *know* it's above the webpage (so not clickjackable).
Basically you inject the floating window in the arrowpanel instead of the webpage, open up the arrowpanel when you want to display the floating window (make sure it doesn't steal all clicks or close on a click outside of it), and you additionally close the arrowpanel with the 'X'.

Bear in mind that NoScript supports Firefox 3.0.9 and later so you would have to be careful to either only use code compatible with all those Gecko versions or be sure to disable the feature in browsers too old for the code you use.