InformAction Forums

When i try to log in in a site, i can' t because the site requires javascript.
So how could i get this?
Allowing the site temporanley i am exposed to java, xxs and other attaks like these?
And what are ''object''? Why they are blocked?
Basically noscript must be disabled if you want to log in a site for example. So when you temporanley disable it, are you vulnerable for this attaks?

finas wrote:When i try to log in in a site, i can' t because the site requires javascript.
So how could i get this?

Try allow or temporarily allow the site's Javascript (plus whatever other sites are required, if any) via the NS menu. Does it then work to log in?

finas wrote:Allowing the site temporanley i am exposed to java, xxs and other attaks like these?

What's a 'java' type of attack?

You are not so vulnerable to XSS as you seem to think - NoScript sanitises requests that look like XSS, and it's stricter in doing so from a non-allowed site to an allowed site.

What other attacks?

finas wrote:And what are ''object''? Why they are blocked?

Object, to NoScript, is anything listed in NoScript Options > Embeddings
It's blocked because it's not necessarily safe, and should only be allowed from trusted origins.

finas wrote:Basically noscript must be disabled if you want to log in a site for example.

No. That is a ludicrous concept - seeing that NoScript requires browser restart to be disabled/enabled, if this were required just to do something as basic and universal as log into a site, NoScript would seriously suck in terms of usability, and certainly wouldn't be a top add-on in AMO (currently it's #4).

What feature specifically is getting in your way? If you can be more specific maybe we can help you find an actual solution.

finas wrote: So when you temporanley disable it, are you vulnerable for this attaks?

Yes.

Thank you for the reply. I wanted only log in to a site, without temporanley disable noscript.
For example in the noscript menu i see ''allowgoogle.api'', ''allow x'' and maybe allowing only some of these scripts shown in the drop down menu, i colud be able to log in without temporanley enable all the scritp that is boring.
Also noscript protect against WRTC? I saw in firefox one option in about:config to disable it ("media.peerconnection.enabled", false). If i run noscript should i have to disable webrtc also in the about:config?
The same thing with ''webgl.disabled'' In about:config there is an option to disable it. But i red that noscript protect against webgl. So should it be disabled in about:config too or running noscript is already sufficient to disble it?

finas wrote:Thank you for the reply. I wanted only log in to a site, without temporanley disable noscript.
For example in the noscript menu i see ''allowgoogle.api'', ''allow x'' and maybe allowing only some of these scripts shown in the drop down menu, i colud be able to log in without temporanley enable all the scritp that is boring.

googleapis is likely required for the login. I'd start with enabling just that and the site, see if works...

If you want more information than that, please provide a link to this site.

Oh, and in case I didn't make it clear before, allowing all scripts is *not* equivalent to disabling NoScript.

finas wrote:Also noscript protect against WRTC? I saw in firefox one option in about:config to disable it ("media.peerconnection.enabled", false). If i run noscript should i have to disable webrtc also in the about:config?

NoScript doesn't do anything re: WebRTC, so yes it's needed to disable it in about:config.

finas wrote:The same thing with ''webgl.disabled'' In about:config there is an option to disable it. But i red that noscript protect against webgl. So should it be disabled in about:config too or running noscript is already sufficient to disble it?

NoScript can protect against WebGL, but IIRC that feature is not enabled by default. You probably need to go to NoScript Options > Embeddings and turn it on.
If you entirely disable WebGL in about:config then NoScript will have no way to allow WebGL when you ask it to, so leave WebGL enabled in about:config if you want NoScript to manage it.

i try to log in in a site

URL?

barbaz wrote:NoScript can protect against WebGL, but IIRC that feature is not enabled by default. You probably need to go to NoScript Options > Embeddings and turn it on.

Yes and no. WebGL requires JavaScript. So it's automatically blocked on sites that aren't trusted. You can choose to disable it on trusted sites as well, if you want, like other embeddings.