InformAction Forums

Hi,

Using Brave, and noticed a permissions change for NoScript came up:

Permissions
Access the page debugger backend
Read and change all your data on all websites ←

Why this change?

Thanks!

Quoting the mandatory permission justification note I provided to the Chrome Store editors on submission:

Using the debugger API is the only way to reliably inject scripts into workers, especially service workers, on Chrome: https://github.com/hackademix/nscl/blob ... Workers.js

On Firefox browser.webRequest.filterResponseData() is used instead, but it's not available elsewhere.

A specific API proposal for MV3 has been made 7 months ago (https://github.com/w3c/webextensions/issues/538) but atm position is neutral for Safari and Firefox, none for Google.

11.4.38rc2 from the Get it! link for Chromium based browsers unzips to a manifest with "version": "11.4.37.9002" A rose by any other name?

But it looks like debugging won't be possible because I'm guessing that the sequence of error messages when loading this in Dev Mode
relates to the problem in this thread.

Apologies for missing info: this NS is running in Vivaldi latest stable.

@NSChromium: Could you please clarify how this relates to NoScript changing required permissions and what is your question?

NSChromium wrote: ↑Mon Sep 16, 2024 8:49 pm 11.4.38rc2 from the Get it! link for Chromium based browsers unzips to a manifest with "version": "11.4.37.9002" A rose by any other name?

Yes. Chromium doesn't support non-numeric versions, so this .900X internal version is how NoScript dev builds have their version compare "newer" than current stable release and "older" than the upcoming stable release version.

barbaz wrote: ↑Mon Sep 16, 2024 10:39 pm clarify how this relates to NoScript changing required permissions and what is your question?

Thanks for the numbering advice.
I'm clearly out of my depth trying to be a tester so I shall return to running the stable version.
Feel free to delete my post above.

The most worrisome part for me - since I already consider NoScript to be trustworthy and I'm not worried about the additional permissions - is that Vivaldi DISABLED NoScript WITHOUT NOTICE after the new version requested new permissions.

Is this what happens on other Chromium-based browsers when new permissions are requested?

Giorgio Maone wrote: ↑Fri Sep 13, 2024 2:29 pm Quoting the mandatory permission justification note I provided to the Chrome Store editors on submission:

Using the debugger API is the only way to reliably inject scripts into workers, especially service workers, on Chrome: https://github.com/hackademix/nscl/blob ... Workers.js

On Firefox browser.webRequest.filterResponseData() is used instead, but it's not available elsewhere.

A specific API proposal for MV3 has been made 7 months ago (https://github.com/w3c/webextensions/issues/538) but atm position is neutral for Safari and Firefox, none for Google.

Hi
Unfortunately, I didn't understand a word of this. Could you please tell us in NORMAL words why the extensions needs access to EVERYTHING we do on a website? I want to know. I have been using the extension for years, but reading something like "Read and change all your data on all websites" really scares me.
How do I know you will not collect everything I do on a website including my password? I wish there would be information about this so I can trust this extension in the future.

herdsfgdgf wrote: ↑Sun Sep 29, 2024 8:32 am Could you please tell us in NORMAL words why the extensions needs access to EVERYTHING we do on a website?

If NoScript does not know about everything your browser tries to load for a website, it can't know about and block the stuff you want it to block.

See also viewtopic.php?p=91670#p91670

herdsfgdgf wrote: ↑Sun Sep 29, 2024 8:32 am How do I know you will not collect everything I do on a website including my password?

1) See NoScript's privacy policy: https://addons.mozilla.org/firefox/addo ... t/privacy/

2) Quoting from Giorgio's blog -

https://hackademix.net/2017/12/11/noscript-and-the-downloads-permission/ wrote:NoScript, a component of the Tor Browser (one of the most scrutinized software pieces on the planet by security experts all over the world),

herdsfgdgf wrote: ↑Sun Sep 29, 2024 8:32 am Could you please tell us in NORMAL words why the extensions needs access to EVERYTHING we do on a website?

NoScript does not "access" ANYTHING you do on a website, but in order to patch the execution environment and prevent the webpage (which most of the time WANTS DESPERATELY to spy on EVERYTHING you do on the site and beyond) from abusing the various powers accessible from JavaScript it needs to execute its own code on each and every webpage you load, and therefore could potentially abuse this power as well.

herdsfgdgf wrote: ↑Sun Sep 29, 2024 8:32 am I want to know. I have been using the extension for years, but reading something like "Read and change all your data on all websites" really scares me.

It's always been this way for almost 20 years since NoScript 1.0, and the same for any privacy/security extension, but you've noticed it right now because Chrome's limitations (not having a powerful enough webRequest API) require NoScript to leverage the debug API in order to patch web workers, which are invisible scripts detached from the webpage which run in their own process and could be used to work around NoScript-provided protection.

By the way,NoScript is currently the only security extension capable of protecting users against web workers abuse.

herdsfgdgf wrote: ↑Sun Sep 29, 2024 8:32 am How do I know you will not collect everything I do on a website including my password? I wish there would be information about this so I can trust this extension in the future.

How? You can

• check the source code, or if you can't
• ask a friend you trust who can do it
• trust Mozilla and Google editors who read the code and approved the extension, whose privacy policy states "zero data collection"
• trust the Tor Project which has been shipping NoScript inside the Tor Browser for more than a decade now

... or just uninstall it and trust all the random web pages you'll surf naked.

@Giorgio Maone
Thank you for clarifying! I'm glad you answered my questions.