InformAction Forums

Sorry to report that https://myepp.dhl.com/gw/premiumweb/public/Login.action is still not working with NS 10.1.3c3 / FF 57.0 (in Win10 and Linux).
Unfortunately this is a private login page — after logging in one has to enter an EPP Code and Post Code and click a button to retrieve customer data.
After that, the page now remains blank and nonfunctional although all scripts were already allowed (a previous setting, only dhl.com is listed). Even after setting
»Scripts Globally Allowed« in NoScript Options. Only after disabling NoScript in Extras|Addons the site is functional again.

The same goes for a private intranet web site using Web Sockets, but apparently only in Linux.

Plus, on my Linux machine, after opening NoScript Options quite often FF hangs and must be closed and restarted.

— Hans

[EDIT: 10.1.2 → 10.1.3c3]

Were you using NoScript 10.1.3rc2? If yes, see https://forums.informaction.com/viewtop ... =7&t=23902

AFAIK I went directly from 10.1.2 to 10.1.3c3 (no rc). But yes, that was it: clicking again on Trusted did show that nothing was allowed except scripts! (Re-)Enabled everything under Trusted — now it works again. Thank you!

BTW, what should sensibly be allowed for Default? For Untrusted, nothing should be allowed, I think, but Default?

IMHO these global things should be moved to the Settings page, not in the button's pop-up-menu — it's too easy to inadvertently change them, especially for laypersons.

— Thanks, Hans

Hansl wrote:AFAIK I went directly from 10.1.2 to 10.1.3c3 (no rc). But yes, that was it: clicking again on Trusted did show that nothing was allowed except scripts! (Re-)Enabled everything under Trusted — now it works again. Thank you!

BTW, what should sensibly be allowed for Default? For Untrusted, nothing should be allowed, I think, but Default?

IMHO these global things should be moved to the Settings page, not in the button's pop-up-menu — it's too easy to inadvertently change them, especially for laypersons.

— Thanks, Hans

Default behaviour is a matter of opinion and how you operate.

If you want to run a whitelist and a blacklist, you might want to have default be more relaxed than untrusted.
some users prefer to default allow frame and fetch for instance, and if the don't want a source to do that, they switch to untrusted.

If you are mainly a "whitelist" guy, untrusted is only there to specifically remind you that something is "no good" and not to change it, or to prevent "temp allow all" to also allow things you KNOW you don't want.
In this case default and untrusted have the same settings of "nothing allowed", because you basically trust nothing, and whitelist things you want/need.

That is basically why you configure the presets now. different users have slightly different expectations of what default untrusted and trusted truly means for them. (someone might still want trusted pages not to run media for instance without them making an active choice for instance)

Hmm… difficult to decide.  We will definitely need a guide with some recommendations and explanations what the dangers of these respective options are.

To clarify:  the settings under Default / Trusted / Untrusted are global settings, the same for all sites.
But what about custom?  Is it just a fourth global setting, or is this one site-specific?

Hansl wrote: the settings under Default / Trusted / Untrusted are global settings, the same for all sites.

Yes.

Hansl wrote: what about custom?  Is it just a fourth global setting, or is this one site-specific?

This one is site-specific.