InformAction Forums

I have used NoScript for years (without ever trying to program anything) and I am very grateful for the work that is done to keep it up-to-date and useful. I have a few ideas for what may be improvements.

I use NoScript by selecting scripts I want to allow, and managing the list of allowed and not allowed scripts. That is as deep as I go. A difficulty I have is that I do not see how to revoke a permission for a given script. (The option exists to "revoke all temporary permissions" but not "revoke permissions" nor "revoke permission for ________ ".) This comes up, for example, when, if I go to a Google web service, and I need to give permission to Google.com, I navigate away and I want to revoke the permission.

When I look at Google on the list of scripts, the only option I am given is to "Forbid Google.com" Well, I do not want to forbid Google, I just want to restore the default status of "not allowed", which gives me the option to later grant permission or temporary permission. I would like to right-click and get a context menu option to "revoke permission for google.com". A more useful label for the permitted Google script might be "Google.com now has temporary permission" or "permanent permission", as the case may be; then I would right click on it to change the permission status. This would be very helpful in management of the scripts that I want to use or not use. (I just noticed the options of "Blocked objects", "Recently blocked sites" and "Untrusted"; this will be helpful; I hope you consider putting these options into a context menu.)

The context menu could also be used to list the various options which now occupy multiple lines in the management drop-down box, such as "Allow [script]" and "Temporarily allow [script]".

My other ideas relate to investigation of script owners. The biggest challenge is to decide which are safe to allow and which are not. To answer this question, I find it interesting to use the domain name of the script to investigate the owner of the script. Currently I am cutting and pasting the url. (Some of them go to an accessible web site and some of them do not.) Making the link hot would make this sort of investigation easier.

Then, what if I could right-click the domain name and get a selection that includes "Go to [url]", "Read comments for this script from other users", or "make a comment about this script". I would be able to share my impression of the owner of the script, and read impressions from others. Presumably these impressions would be entries in a devoted forum topic. They would help people to decide whether to permit a script based on their personal reasons for allowing or not allowing a script. (My reasons relate to not feeding the great consumer-data-base. Other people might be more concerned about avoiding computer malware.)

To summarize, I am suggesting a context menu for individual scripts, which would include: "Allow [script]", "Temporarily allow [script]", "Revoke permission of [script]", "Go to native domain website for script", "Go to comments for domain", and "make a comment about domain".

Perhaps in the future we would learn enough about domains which do not associate with a website to further investigate them and stream line their investigation. The one I recently encountered was actually a sub-domain of another domain which did have a web site.

All your RFE's already exist.

"Forbid ..." actually does mean "Revoke permission for ..." i.e. "return to default not allowed state", unless you explicity went to about:config and configured it to mean "Mark ... as Untrusted" (noscript.forbidImpliesUntrust).
You can also go into NoScript Options > Whitelist and remove individual permissions, both temporary (shown in italic type) or permanent (shown in normal type).

You can get the site evaluation thing that you want by middle-clicking (or shift+clicking) on the entry in the NoScript menu. If the default landing page isn't quite what you're looking for, you can set a different landing page by editing
about:config > noscript.siteInfoProvider

barbaz wrote:"Forbid ..." actually does mean "Revoke permission for ..." i.e. "return to default not allowed state"

Yep. I think the reason for the difference is to avoid confusion with the 'Revoke Temporary Permissions' option.

unless you explicitly went to about:config and configured it to mean "Mark ... as Untrusted" (noscript.forbidImpliesUntrust).

Or if you were in Global Allow mode, which sounds like it's not the case here.

Thrawn wrote:Or if you were in Global Allow mode, which sounds like it's not the case here.

If you've got Scripts Globally Allowed, the menu items say "Mark ... as Untrusted", not "Forbid ...".

Thank you for checking out my ideas.

From your responses, I don't feel understood. You have focused on the things that can already be done, and why would I ask for things that are already provided? But there are three things I am asking for which are not available. If you don't like these ideas, think they'd be too much work, whatever, I'm ok with that, you're doing the work, and you get to decide. I thank you for all that you have already done, and continue to do.

The first is in essence just consolidation. To bring operations together into one right-click menu. I am asking for simplified management (already provided less directly) and investigation (#2, not provided yet), and giving users a simple, easy way to document the scripts and script domains and what they do(#3, not provided yet). I realize it would be a lot of work for you as the coders (which I am not), and if you want to say it's too much work, I would completely respect that. I am not undertaking to do the coding myself.

The second idea is simply a hot link which would take me directly to the domain source of the script.

The third thing I do not see is a streamlined access to a devoted forum for cataloging the source domains. I am sure I could start cataloging my investigations into a forum post, but doing so would be very lonely. Creating a catalog would be useful only as a team effort, which my private efforts would not equal. I you don't already have that data base, it could prove very useful. Anyway, I would like to have a place to write what I have learned and read what others have learned. The point of building a devoted link and streamlined access is to make it a user function, something we can all do as users, to help each other.

All of this aside, I really appreciate NoScript and you its team, and what it does to help me maintain a sense of control over who gets into my computer. I'd be happier if you took my idea in the way I intended it, and accept or reject it on its own terms, but I am grateful for the work already done and I will certainly continue to tell my friends and others about how useful it is. Thank you.

mysticalatheist wrote:The first is in essence just consolidation. To bring operations together into one right-click menu. I am asking for simplified management (already provided less directly)

I still don't understand what you're asking. Could you please clarify this one?

mysticalatheist wrote:The second idea is simply a hot link which would take me directly to the domain source of the script.

That can be *really* dangerous and in general you should not do that when investigating a site!
-1 to that RFE.

A MUCH safer option, if you want to go that kind of route, would be to grab JSView, go to View > Page Info > Scripts, and look at the actual scripts that would run. They will be displayed as plain text in the browser so you can be sure that what you see is exactly what there is.

mysticalatheist wrote:The third thing I do not see is a streamlined access to a devoted forum for cataloging the source domains. I am sure I could start cataloging my investigations into a forum post, but doing so would be very lonely. Creating a catalog would be useful only as a team effort, which my private efforts would not equal. I you don't already have that data base, it could prove very useful. Anyway, I would like to have a place to write what I have learned and read what others have learned. The point of building a devoted link and streamlined access is to make it a user function, something we can all do as users, to help each other.

Right. My point is that if such a database/forum already exists somewhere, you can set about:config > noscript.siteInfoProvider to point to that site instead. It would be appreciated if you could also post that site here in case someone else wants the same.
It just might be possible that Giorgio will add a link to this site in the default Page Info page.

barbaz wrote:

mysticalatheist wrote:The second idea is simply a hot link which would take me directly to the domain source of the script.

That can be *really* dangerous and in general you should not do that when investigating a site!

Unless the OP meant going to the full URL of the script to view its source? I think you're assuming s/he meant the domain root.

Thrawn wrote:I think you're assuming s/he meant the domain root.

Yep, that's what it sounded like to me. That idea feels like a comparably good idea to one of us Moderators seeing if some account here belongs to a spammer by clicking the link they put in their website (not copy+paste.. click, so that referer info is sent), without any prior knowledge of the domain.