
Automatically allow site if McAfee approves?

Posted: Thu Jun 11, 2015 5:15 pm
by nkennington
When a site is blocked, I always middle-click to run a security check on it, and if McAfee Site Advisor says the site is safe, I ALWAYS allow the site permanently. (This might not be wise, but this is what I do. However, it takes a lot of time to do this.) Is there any way to have NoScript automatically add a site to one's personal whitelist if a specified NoScript site security service indicates that it is safe? Thanks.

Re: Automatically allow site if McAfee approves?

Posted: Thu Jun 11, 2015 6:00 pm
by barbaz
This is not currently possible. However, if McAfee offers a NoScript whitelist subscription, you could use that...

I'd vote no to this as an RFE.
Every user has a different idea of what is "safe" or not, and McAfee's criteria for what constitutes "safe" may not match up with the NoScript user's. Assuming they check for malware type activity, that only covers a fraction of, say, the sites I wouldn't trust. Others probably also have a broader sense of "unsafe site" than just "malware".

Plus, domains change hands every so often... if a site is Allowed permanently just because McAfee said it was safe at one time, but the domain is later used by a malicious entity and McAfee says it's not safe anymore, it'll still be in your whitelist...

Also what if the service, and a site you visit, are both hacked? The hacker tells the service that their malicious domain is safe, and you visit the site with their malicious domain... NoScript as-is will protect you by not Allowing the hacker's site; with this feature added.. "oh, no :!: "

Re: Automatically allow site if McAfee approves?

Posted: Thu Jun 11, 2015 8:45 pm
by nkennington
Hi Barbaz,
Thank you for your suggestions.
The trouble is, I don't have enough time to become an expert on all these security issues, so I am going to have to trust some site security service. The only thing that making the site security check automatic would change is that it would save me a lot of time. I do not see any way that anyone could avoid all the dangers you warn of unless they just avoided every site that was not on the default NoScript whitelist. That would prevent me from using most of the sites I use.

Re: Automatically allow site if McAfee approves?

Posted: Thu Jun 11, 2015 9:07 pm
by barbaz
nkennington wrote:Hi Barbaz,
Thank you for your suggestions.
You're welcome, but my suggestions above were less than optimal for your case - apparently I missed part of what you were saying in your OP... :oops:

Re: Automatically allow site if McAfee approves?

Posted: Thu Jun 11, 2015 9:08 pm
by barbaz
nkennington wrote:The trouble is,
... that you're investigating way too many script sources to make NoScript reasonably usable for you?
Don't bother unless some site functionality you want to use is broken without JavaScript. That will dramatically reduce the number of domains in your whitelist and the number of domains you check with McAfee. The fewer sites in your whitelist, the less likely you are to hit the scenarios I'm talking about. Plus, why Allow scripts you have zero need or desire for?

Re: Automatically allow site if McAfee approves?

Posted: Thu Jun 11, 2015 10:36 pm
by Thrawn
I'm not sure why you're encountering new domains so often that this is eating up your time. As barbaz suggested, are you investigating and allowing sites even when the page is working? There's no need for that; if a particular script isn't needed, then you save time and bandwidth by just leaving it blocked.

If you really are going to so many new sites all the time that this is a burden, then perhaps it's all the more important to have NoScript protecting you, because you never know whether the next site will actually be malicious. (And I wouldn't necessarily trust McAfee to get it right; what if the attacker is new?)

Re: Automatically allow site if McAfee approves?

Posted: Thu Jun 11, 2015 11:34 pm
by nkennington
Hi Barbaz,

You suggested that perhaps I am "...investigating way too many script sources to make NoScript reasonably usable for you?". Do you mean to suggest that I could safely set some NoScript options differently so as to allow more pages to load without interruption? If so, could you suggest some options to investigate? Thanks.

Re: Automatically allow site if McAfee approves?

Posted: Fri Jun 12, 2015 1:10 am
by barbaz
@nkennington: What I am trying to tell you is that you don't have to Allow active content from every "safe" site you ever encounter on the Internet. Not every page requires JavaScript or other active content (in general, ignore what they say about whether active content is required and find out for yourself). Whether active content is required on a website depends on what you want to do on that website.

Here are some guidelines that won't necessarily apply everywhere, but you can use as a starting point:
  • Usually if you just want to read a site, active content is not needed on that site, so you can leave the NoScript menu alone. The main exception is if some images are missing, and you want to see those images - they're probably set to "lazy load" (load only when they're first visible), and that requires JavaScript. Some pages lazy load text too, same story there as with images.
  • If you want to leave a comment, upload something, fill out and submit a survey, or otherwise submit content to a site - you probably need to enable JavaScript. There are several ways you can determine which sites are needed, but it sounds like you want to use the method "if McAfee says it's OK, then it's OK".
  • Any interactive feature of a site (where you click on something and it does something to that page) generally requires JavaScript or some plugin. Some interactive things where you just hover with the mouse may be CSS-only.
  • You will need to Allow _some_ type of active content to listen to audio and/or watch videos, but it may or may not include JavaScript. Some players are Flash-based whereas others use HTML5 <audio>/<video>. Check the Blocked Objects sub-menu in these cases for more information.
  • Your current method of Allowing everything McAfee thinks is safe, is generally appropriate only for "sensitive" sites, e.g. anything dealing with your money such as shopping sites and bank sites; in those cases having it "just work" while not opening yourself up to dangerous sites is very important.
  • Some sites are stupidly designed... so, well, if whatever you want to do doesn't work, you may need to try Allowing stuff even if there is no sane reason to require JavaScript. But don't necessarily expect those to work even with all active content sources Allowed. These sites may even do stuff that (rightfully) trips other security features of NoScript...
  • Try to use the "Temporarily allow" commands instead of the "Allow" commands if you don't think you'll return to the site in such a way that requires active content. The permanent whitelist is for sites you are sure you will visit again and that you are SURE you can trust. Remember, the fewer sites in your whitelist, the fewer sites that, if hacked, can run scripts to exploit you. I personally don't Allow anything unless I find myself Temporarily allowing it very frequently.
Hope that helps.

Re: Automatically allow site if McAfee approves?

Posted: Fri Jun 12, 2015 11:08 pm
by nkennington
Hi Barbaz,

Thank you very much for your very extensive suggestions!

I have not been clear previously that about half of the sites I visit are blocked from even an initial display of any kind by NoScript. I think I am doing fairly typical Internet surfing. I am not trying to do anything fancy, just not get hacked. (I think I am supposed to tell you that I am running NoScript 2.6.9.26.)

I have wondered whether NoScript might be blocking so many sites because I have set some NoScript options too conservatively. I have just used the "Reset" button on the "Options" page to (hopefully) reset the options to "factory default" values. (Before "resetting", I "exported" my whitelist and re-"Imported" it after "resetting".) I do notice that I had checked the following boxes under "Options", "Advanced", "Untrusted" that are not checked now that I have "reset" (because of advice I found elsewhere): "Forbid bookmarklets" and "Forbid META redirections inside <NOSCRIPT> elements". Otherwise, I think I have been running with "factory default" Options.

Thanks,

Ned

Re: Automatically allow site if McAfee approves?

Posted: Fri Jun 12, 2015 11:28 pm
by barbaz
nkennington wrote:I have not been clear previously that about half of the sites I visit are blocked from even an initial display of any kind by NoScript. I think I am doing fairly typical Internet surfing. I am not trying to do anything fancy, just not get hacked.
This is expected in default configuration; you were being perfectly clear.
NoScript should protect you when you are dealing with previously "unknown" (to you) sites - that is when you need NoScript's protection the most, because all it takes is one chance for an attacker to get in, and.. well, they are in and that's that.
Even "fairly typical Internet surfing" is enough to get hacked. On a computer without NoScript, I was doing "fairly typical Internet surfing", and it took only 5 hours of that before that computer was infected with malware. My computer is still malware-free despite going to those same sites repeatedly, and it's not coincidence or luck. ;)
nkennington wrote:I do notice that I had checked the following boxes under "Options", "Advanced", "Untrusted" that are not checked now that I have "reset" (because of advice I found elsewhere): "Forbid bookmarklets"
Who gave you that advice?
That option should generally be left alone...

Re: Automatically allow site if McAfee approves?

Posted: Fri Jun 12, 2015 11:38 pm
by nkennington
Hi Barbaz,

Sorry, I forget where I got the advice to check "Forbid bookmarklets" under "Options", "Advanced", "Untrusted".

Ned

Re: Automatically allow site if McAfee approves?

Posted: Sun Jun 14, 2015 11:14 pm
by Thrawn
Forbidding meta refresh makes more sense, because it's a technique often used to send you to a page saying, "You blocked our ads! Go away!"