I give up

[Jivabill]

Well, I have been running Noscript for a month or so. It does take some keeping after it because it keeps making me OK sites that I use. I was not quick to mark them "allow" because I did not and still do not entirely understand what will run on an allowed site. So I took the "temporary" route and that takes fooling around. Not too bad, kind of annoying after awhile.

BUT

Tonight I reached the end of my rope. I tried to sign up and pay a fee at Ebid's ecommerce page, Netbanx. Every time I tried to send the transaction Noscript jumped in and called it a cross scripting attack. I marked it allowed, same thing. I put it on the whitelist as OK. Still same thing. Finally, to run the transaction I had to disable Noscript in my Firefox.

And that's where I will leave it. A very nice idea BUT the details of using it are stuff about scripting that I don't understand and I am not a neophyte, Sr. Systems Analyst and DP Manager for 25 years in Main Frames. Had an ecommerce operation on the web since 2000. Use both Winblows and Linux. However, I am not a geek-programmer. I passed by that level into management long years back. I hired programmers when I needed that service.

And, now I have no desire to spend a lot of time learning to understand all the language and technical programmer geek stuff about scripts, script attacks, click jacking, cross scripting etc etc. Just too complicated. I just want to get my work done.

So that's my report. A good product in that it does a good job. Just beyond my expertise to drive it. Kind of like putting me in an F1 Ferrari and expecting me to turn in a high end lap time without killing myself.

Thanks for reading.

[Grumpy Old Lady]

Sympathies, Jivabill.
If you'd ever like to reconsider using NS, this forum has some of the best power users in the Fx community volunteering to help, plus the developer checks in at least daily.

For your particular XSS case, would you like to have another shot at it? If the details of the login are sensitive, you can PM the developer, username is Giorgio Maone, with them.
I know he will help.

PS, I'm completely non-coder and non-geek and I've been running with Temporary Allow on-the-fly since I installed NS more than 3 years ago. The key combos CTRL SHFT S and CRTL SHFT backslash are a nice natural set to get used to.
And yes, I did a lot of reading and researching of sites for the first few months of using NS. It sort of goes with taking the extra security on. I can of course understand that a person decides that the benefits aren't worth the work needed :-)

[Giorgio Maone]

@jivabill:
please, if you're willing to go for a last NoScript ride and help us to improve it, could you show me the [NoScript XSS] line(s) appearing in Tools|Error Console when your issue happens?
Also, just clicking "Options" on the XSS warning and use "Unsafe reload" should suffice to work around a likely false positive like that.

[Alan Baxter]

Thank you for sharing your experience.

It does take some keeping after it because it keeps making me OK sites that I use. I was not quick to mark them "allow" because I did not and still do not entirely understand what will run on an allowed site. So I took the "temporary" route and that takes fooling around. Not too bad, kind of annoying after awhile.

Sounds like you'd be better off permanently Allowing any trusted sites you'll use more than once. NoScript is safe to use that way, by design. That's what I do.

[Jivabill]

Thanks for all the input folks. Some good suggestions there.

Giorgio about clicking an option to reload in the XSS Warning, I found that the XSS warning pop up across the top of the window only stayed up for about 3 seconds. Not long enough to do anything with it. And in the regular Options popup I don't see a reload.

What I found is that almost every ecommerce site (shopping cart) that I try to make a purchase on scripts get blocked secretly. No notification, things just don't work. For example, removing an item from a shopping cart won't work on Vitamin Shoppe because the item in question does not show (it is blocked). And on their site I could not edit my Billing Address as long as Noscript was enabled. And I never was able to complete a purchase with Noscript enabled.

So what is happening is that sometimes and XSS warning displays quickly and disappears. Other times various features on a site shopping cart or in the purchase and payment process are just blocked with no comment. EVEN if the site is marked Allow All and Allow the domain.

So where I have come to is on this machine, my main work machine, runs XP Pro (not because I wanted to, because it was easier at the moment) I don't enable Noscript. I have left it enabled on my Compaq Ubuntu machine and my HP Laptop running Ubuntu because they are just occasional use systems and Noscript's foibles are not as much of a problem.

thanks for reading

[Alan Baxter]

What I found is that almost every ecommerce site (shopping cart) that I try to make a purchase on scripts get blocked secretly. No notification, things just don't work. For example, removing an item from a shopping cart won't work on Vitamin Shoppe because the item in question does not show (it is blocked). And on their site I could not edit my Billing Address as long as Noscript was enabled. And I never was able to complete a purchase with Noscript enabled.

How frustrating that sounds! That's intolerable. I don't recall ever having a problem like that on any ecommerce site. I went to http://www.vitaminshoppe.com and did a shopping run after adding vitaminshoppe.com to the defaults. I'm able to add and remove items without getting any XSS warning. I did not try to create an account. Setup:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Default theme
NoScript 1.9.8, default settings and no other extensions

I don't know why you're having such problems, unless it's something like an extension conflict. Are you using any Firefox extensions besides NoScript when you have these problems?