InformAction Forums

Is it possible to simultaneously do the following with NoScript? I couldn't find a solution in the FAQ or forum. Basically, I want to use NoScript purely as a plug-in blocker with a whitelist.

1) Allow scripts globally
2) Block plug-ins (click to enable) for all sites except whitelisted sites

When I enable "scripts globally allowed" but disable "apply [plug-in] restrictions to whitelisted sites too", plug-ins play on all sites (including those not whitelisted). If I enable "apply [plug-in] restrictions to whitelisted sites too", the plug-ins are disabled on all sites (including those whitelisted).

See the long-running thread, Site-Specific Permissions, a feature of the next-generation NoScript that is being eagerly awaited.

With regard to reconsidering allowing scripting globally, please consider the points made in this thread: Is default-deny for JavaScript necessary for good security?. Cheers.

Tom T. wrote:See the long-running thread, Site-Specific Permissions, a feature of the next-generation NoScript that is being eagerly awaited.

I'm not sure if site-specific permissions is the thing I'm looking for. I just want plug-ins blocked for all sites except those on the whitelist. My current understanding of the way the options are worded is that this should be possible, but doesn't work. Perhaps I misunderstand the way NoScript works. Here is how I interpret the options:

1) "Scripts globally allowed" = run (Java)Script on all sites, even if not trusted (if not in the whitelist)
2) "Additional restrictions for untrusted sites..." = block plug-ins and certain web features for untrusted sites (those not in the whitelist)
3) "Apply these restrictions to whitelisted sites too" = block plug-ins and certain web features for trusted sites too (those in the whitelist)

Logically, if I enable 1, enable 2, and disable 3, I should be able to run JavaScript on all sites, block plug-ins on untrusted sites, and allow plug-ins on trusted (whitelisted) sites. Instead, NoScript allows plug-ins on all sites, including those not on the whitelist.

Perhaps I don't understand the relationships among "trusted", "untrusted", and "whitelisted". If "trusted" == "whitelisted", I think NoScript should use only one term in its settings/documentation. If there is a third category between "trusted" and "untrusted" (which doesn't make sense to me), I think this should be better documented with consistent terminology.

Tom T. wrote:With regard to reconsidering allowing scripting globally, please consider the points made in this thread: Is default-deny for JavaScript necessary for good security?. Cheers.

I understand and appreciate the security benefits of NoScript, but I really only want to use it as a plug-in blocker. I would use another plug-in blocker, but NoScript is the only one (as far as I know) that blocks virtually all plug-ins from even starting to load until I click to play.

In any case, thanks for your response (and thanks to Giorgio for his excellent software).

I just want plug-ins blocked for all sites except those on the whitelist.

See if this works for you.

Perhaps I don't understand the relationships among "trusted", "untrusted", and "whitelisted". If "trusted" == "whitelisted", I think NoScript should use only one term in its settings/documentation. If there is a third category between "trusted" and "untrusted" (which doesn't make sense to me), I think this should be better documented with consistent terminology

This point has come up before, and has validity. Yes, there are really three categories:

1) "trusted" (whitelisted);

2) "untrusted" ("don't even ask"), i. e., these sites won't appear in the menu as being blocked by NoScript, and so won't annoy you if you use the audible and/or pop-up notifications. Some people use one or the other, or both; some disable both notifications and rely on the logo color. If "untrusted" scripts are the *only* ones being blocked on that page, the NS logo will remain solid blue, as though nothing were being blocked. These sites will show only if you open the menu and point to "untrusted" (in case you find that a site won't work without one of your "untrusted" scripts). .... I think a better term might be "blacklisted". See below.

3) "default" = everything else. NoScript blocks all JavaScript by default, unless/until you either Temporarily Allow it, or permanently allow it (whitelist). So the whole world falls into this category until you put it into a different one. Whenever any script in this universe attempts to run, the NoScript logo turns partly or fully red, depending on whether you've allowed some or none of the list.

Since we have a "whitelist", it would be grammatically logical to have a "blacklist", which makes it more clear that NoScript trusts *nothing* by default, but gives them a chance to ask you. The ones you blacklist don't even get to ask you - you have to seek them out. Is this more clear?

As far as why this hasn't been implemented yet: It would be complicated under the present UI, but the UI will be receiving a complete re-design in the next generation anyway, which should make all of this much more clear. It will also allow the specific permissions at specific sites. E. g., I wish to allow Java at hushmail.com and nowhere else.... So given the demands on developer Giorgio Maone's time, it is a higher priority to continue the development of NS 2.x than to re-work the UI of the present generation. Can you bear with us a little longer on that?

FWIW, at the beginning of the year, I believe Giorgio had hoped to have 2.0 out by late this year. However, there were some major enhancements to the present version, one being ABE (read more: ABE FAQ), which was partially grant-funded by a Netherlands security group (this is all freeware, remember!) and another being Strict Transport Security, something of an urgent response to vulnerabilities found in the SSL/TLS security (https, padlock thing) in PayPal and other sites. There was also one other emergency, and, as you can see, numerous minor enhancements, bug fixes, adaptations to new systems (Windows 7, e. g.) -- plus trying to earn a living. It keeps Giorgio off the streets and out of trouble.

I hope this helps you achieve your goals, and also to understand why these things constitute a large load on what is essentially a one-man, volunteer project.
Cheers.

Would it help if the menu items that currently read, "Forbid badsite.com", or "Mark badsite.com as Untrusted" were both changed to:

"Add badsite.com to Blacklist"?

... with *no* other change in the *operation*. It seems this would be an easy terminology change without having to make big changes in the underlying code. Some NoScript FAQ would have to be edited slightly, (all scripts are untrusted by default, but you can Blacklist certain ones, etc.) but not major, and I'm sure the support team could help out there.

User comments?
Mod comments?

Giorgio?

The final "2.0" terminology will most likely be "TRUSTED", "UNTRUSTED" and "UNKNOWN".
All the internet will be "UNKNOWN" by default, and you will be able to mark specific sites either as "TRUSTED" or "UNTRUSTED".
There will be 3 identical panels (tabs) where you can set the default permissions for each group, and you will be optionally able to override some permissions for specific TRUSTED/UNTRUSTED sites.
No whitelist/blacklist anymore, but 3 "groups" and optionally some special sites in those groups.

Well that setup would be pretty good, can't wait to see it. If you need helping testing the Alpha/Beta/or whatever version of 2.0 before its open to the public, I can help. The feedback and perspective might be helpful.

Giorgio Maone wrote:The final "2.0" terminology will most likely be "TRUSTED", "UNTRUSTED" and "UNKNOWN".
All the internet will be "UNKNOWN" by default, and you will be able to mark specific sites either as "TRUSTED" or "UNTRUSTED".
<snip>.
No whitelist/blacklist anymore, but 3 "groups" and optionally some special sites in those groups.

Sounds *excellent*, and should make the terminology very intuitive, even to the non-tech user.

Add me to the list of volunteers to test the pre-release versions.

Tom T. wrote:See if this works for you.

Nope, it does the same thing as before. Based on my new understanding of the terminology, it is currently impossible to do what I would like. I can block plug-ins for "untrusted" sites, but that leaves them enabled for "unknown" sites. If I apply the restrictions to whitelisted (trusted) sites too, it blocks plug-ins for "unknown" sites, but it also blocks them for "trusted" sites. I want to have plug-ins blocked for "untrusted" and "unknown" sites but enabled for "trusted" sites.

On a related matter, does "Scripts Globally Allowed" override all of the "Temporarily allow top-level sites by default" options? If so, those options could be grouped together and made mutually exclusive to reduce confusion. For example, a 3-way drop-down menu entitled "Scripting permissions for unknown sites" with the options "Don't allow", "Allow top-level sites", and "Allow all sites" (i.e. scripts globally enabled).

Tom T. wrote: 2) "untrusted" ("don't even ask")
<Snip!>
3) "default" = everything else.

So "untrusted" and "unknown" (default) sites are restricted the same unless I allow the "unknown" site, right? I guess I was confused because I expected any site not explicitly marked as "trusted" to be "untrusted". "Unknown" sites are really "untrusted with notifications and the ability to allow".

Giorgio Maone wrote:The final "2.0" terminology will most likely be "TRUSTED", "UNTRUSTED" and "UNKNOWN".
All the internet will be "UNKNOWN" by default, and you will be able to mark specific sites either as "TRUSTED" or "UNTRUSTED".
There will be 3 identical panels (tabs) where you can set the default permissions for each group, and you will be optionally able to override some permissions for specific TRUSTED/UNTRUSTED sites.
No whitelist/blacklist anymore, but 3 "groups" and optionally some special sites in those groups.

Sounds great. Thanks for your hard work!

AC wrote:I guess I was confused because I expected any site not explicitly marked as "trusted" to be "untrusted".

Very understandable, since in fact NoScript by default does not trust any script that has not been marked by the user as Trusted. The new terminology described above by Giorgio should alleviate this common confusion.

"Unknown" sites are really "untrusted with notifications and the ability to allow".

Strictly speaking, sites marked as "Untrusted" also have the ability to be alllowed at any time, but you have to dig deeper into the menu (point at "Untrusted", then choose from sub-menu), and they don't annoy you with audio/visual warnings (if warnings are enabled.) Otherwise, you have the right idea now.

...but NoScript is the only one (as far as I know) that blocks virtually all plug-ins from even starting to load until I click to play....

FWIW: I use NS in its strictest mode, blocking plug-ins even at trusted sites. For example, YouTube obviously requires Flash. YouTube is in my Trusted list, but Flash is forbidden everywhere. "Apply these restrictions to whitelisted sites too" is checked. The reason is that if I go to YouTube to watch a particular video, I don't want to allow whatever random videos happen to be playing when I arrive there, nor do I want to allow their entire universe. This requires a whopping "one" extra click on the placeholder of the video I actually want to watch (and an "OK" click or enter if you have confirmations enabled; you could disable confirmations if that "enter" is too bothersome). In return, the other million videos remain blocked. Saves bandwidth and time from the ones randomly running, as you say; they don't even load.

So to get back to your original request, this uses NoScript as a very effective and efficient plug-in blocker, minus the whitelist. Safe, fast, and only an extra click here and there. Maybe that is a better compromise until the next generation NoScript arrives?

As far as the drop-down menu on Global Allow and Top-Level Sites, as before, I don't expect major changes to the current UI until v2.0 arrives, and IMHO, I'd prefer that Giorgio spend his time bringing that major upgrade as soon as possible rather than continuing to tweak the current UI. Also, it's often the least tech-savvy users who Globally Allow, and they need (and requested) a simple check-box on the Options home tab (General). Cheers.

Tom T. wrote:So to get back to your original request, this uses NoScript as a very effective and efficient plug-in blocker, minus the whitelist. Safe, fast, and only an extra click here and there. Maybe that is a better compromise until the next generation NoScript arrives?

Yes, I use NoScript as you suggest. There are only a few sites with multiple important or hard-to-find SWFs that I would like to whitelist. I can live with the compromise, although some less tech-savvy friends of mine may not. The eternal struggle between security and convenience continues.

Tom T. wrote:As far as the drop-down menu on Global Allow and Top-Level Sites, as before, I don't expect major changes to the current UI until v2.0 arrives, and IMHO, I'd prefer that Giorgio spend his time bringing that major upgrade as soon as possible rather than continuing to tweak the current UI. Also, it's often the least tech-savvy users who Globally Allow, and they need (and requested) a simple check-box on the Options home tab (General). Cheers.

Yeah, Giorgio doesn't need to waste his time if it's just going to be replaced (hopefully in the not too distant future).
Cheers!

AC wrote:Yes, I use NoScript as you suggest. There are only a few sites with multiple important or hard-to-find SWFs that I would like to whitelist.

Could you provide some URLs of these? It shouldn't be hard to find a SWF object in the NS menu. Look for the green logo in the Menu, point to it, and you'll see SWFs that are blocked.

And if you'll go to NS Options > Appearance, and check "Show ... Blocked Objects", you should get a placeholder (red NS block-logo) for *all* of these SWFs at your whitelisted sites, or even default/unknown sites (sites not specifically marked as Untrusted). Also on "Embeddings" tab, check "Show placeholder icon". Then it's your choice whether to check "No placeholder for objects coming from sites marked as Untrusted". I do, because if it's coming from some place I don't trust, I'm certainly not going to allow it, so why even see it or have it annoy me?

Anyway, with this configuration, all of your SWFs at not-Untrusted sites should show a logo that you can click to allow without even opening the NS Menu. So I'd like to investigate a site where they are "hard to find", if you don't mind.

You might also find in the Blocked Objects wildcards that will allow all objects at once. For example, at mail.yahoo.com, I don't allow the "userstatus...swf". But in addition to the choice to allow that, there is also "Temporarily allow *@http.mail.yimg.com" and "Temporarily allow shockwave-flash@ http.mail.yimg.com" (links broken deliberately). So this type of wild-card TA may help at those sites with many SWFs that you wish to allow with only one click.

I can live with the compromise, although some less tech-savvy friends of mine may not.

Hopefully, a few minutes going over how to use the placeholder-clicking will help them out, while still keeping them safe. Low-tech users don't need to know why something works or what's under the hood; they only need to know what to do to allow the needed and trusted objects while still getting the safety benefits of NS. If you can't get them to understand, please let them know that they're welcome to post here, and that we welcome users of all tech levels. (Have they read NoScript Quick Start Guide?

The eternal struggle between security and convenience continues.

They're inherently opposite, unfortunately. And users want greater and greater convenience... Makes our job rough.

Let us know if we can help you or any of your friends at any time.