InformAction Forums

The "feature's" section of Grigorio's website is very poorly written, overly technical in many cases, and does not explain at all most of what the user needs to do. The add-on itself is in fact overly complicated, in that there are over 10 different status icons which one must memorize, many of which serve no useful purpose (for instance, the 'S' going from blue to white w/ different meanings). The add-on has the additional annoyance that the menus shown by the toolbar do not include most of the functions that one would need to edit per-site with one click, hence the purpose of the toolbar. Yet we are forced to use this anyway if we want it's functionality. The previous three sentences were included in hopes that the developers will see this and fix it.

The purpose of the first sentence, which led to the second+, was to note that I still need to ask many questions, since neither the so-called "FAQ" nor the so-called "feature list" actually lists all menu options and tells you what they you like one would expect. So can somebody please tell me what the following menu options do?

"Block every object coming from a site marked as untrusted". One would assume that if a site is marked as untrusted, rather then merely not being marked as trusted, all scripts would always be blocked. If that's not the case, then what is the purpose of the existence of an "untrusted" list, if sites that are neither "trusted" nor "untrusted" behave in the exact same way as those marked "untrusted"?
One would also assume that this option blocks all scripts on sites that are untrusted, as it says. However, many of the options on NoScript make no sense in relation to their actual functionality, or do something other then what the option says they do, and the designer of the add-on (as I have seen ion some of his forum posts at Mozilla while looking for answers to these problems) is Italian and does not speak PERFECT English (good, no problems, but not PERFECT).
Specifically I am wondering if this option then applies only to untrusted says, like it says it does, or if it applies to all sites that are not whitelisted. However this is not my only question. I also want to know what, specifically, it does, since logic dictates it can't possibly do what exactly what it says it does.
In addition the use of the phrase "coming from" may be an attempt to indicate something specific, as it was used that way in the explanation of other options on the "features" page.
Opaque embedded objects on pages. This option REALLY makes no sense in a direct interpretation (i.e. the option actually does what it says it does). It has also been reported to (in a non-reported/non-specific way) cause problems with Gmail, which obviously would not happen if it made embedded objects on pages opaque. It also doesn't make much sense to "opaque" embedded objects, since any objects that are not blocked are objects you want to see (if your lists are perfected), and any objects that are blocked are already blocked. So, since this option either does not make embedded objects opaque, or has no purpose whatsoever nor any relation to NoScript's general idea, can someone please tell me what this does do.
Notifications -> ABE The term "ABE" is not even mentioned on any page on either of these two sites that I have come across.
Forbid bookmarklets . The word "bookmarklets" is frequently mentioned on these two sites, but never even remotely explained.
Allow/Forbid <a ping...>. Obviously I know what a ping is. But I do not know what an "a ping" is, nor do I know why I would want to forbid a ping from a website, considering that if I am browsing the website it is pretty obvious that I am online, and that the owner of the website will already be able to see my I.P. (most likely) and related information. For that matter, why are both options available? If it is "forbidden" by untrusted sites, that must mean the default is "allow". Yet if it can be "allowed" for trusted sites, that must mean the default is to forbid...
Forbid XSLT. Again the acronym "XSLT" is not even mentioned on the features page.
Allow the <NOSCRIPT> element which follows a blocked script. Uh, why is this only allowed for trusted sites.......? Obviously, if we are browsing a site with Flash/etc. turned off, we would want to see any text that is put there instead....
XSS Sanitize cross-site "suspicious" requests. The site does not tell you what a "suspicious" character is, but makes it sound like pretty much anything that contains information in what a non-programmer (i.e. me) might refer to as an "encoded URL", which is used extremely frequently and obviously cannot reasonably be disabled (for example, when playing Zynga games (Mafia Wars/pseudo-RPGs/etc.) on Facebook... ( yes I know it's retarded but I'm trying to do stuff for someone I care about). That is, URLs which contain hash codes. So by "suspicious," does it mean certain strings which could be randomly generated and I need to leave this unchecked if I want to browse the web? Or does it mean any has code at all? Or does it mean odd characters, such as ж, ئ and Ϋ, which I'm pretty sure is actually impossible?
Block JAR remote resources being loaded as documents. Yeah it doesn't at all explain what this is. It would be stupid to block the ability to view documents, and that's about the max amount of information one can get out of the "features" page.
Advanced -> ABE. Again the term "ABE" is not even mentioned on any page on either of these two sites that I have come across.

There's no edit link. The turing number explanation text is incorrect. The code is case-sensitive and accepts only small letters.

Here's a tip for a new user:
If you don't understand the finer points of the configuration of NS, simply accept the default configuration; it's been set by the author with the novice user in mind, and covers everything that could put most people at risk from active content on the web. Tweaking the full range of options, as useful as such tweaks are to many users, is hardly ever needed by most of us.

When/if you find that a page/site doesn't work the way you expect, then return here and seek specific help. Most users seem to get along ok while "training" and getting used to NS and there really is no need to go into every single option unless a user has specific needs.
The FAQ and features are remarkably well written, I have to oppose the original poster's opinion in this, but have most relevance only to the more geek, and to the more experienced NS users. The genius of NS is that a novice can start using NS without reading a word of the instructions and still have a good web experience.

There may be some extra points in the original post that want addressing with regard to specifics but I can't make much sense of them - the writing style is a little disjointed.

Raven wrote:"Block every object coming from a site marked as untrusted". One would assume that if a site is marked as untrusted, rather then merely not being marked as trusted, all scripts would always be blocked.

In fact, this is the default behavior. "A site marked as untrusted" is one you used the "Mark xyz.com as untrusted" command on.
By default, you won't get anything (either scripts or embedded objects) from a site marked as untrusted, under no circumstance, even if you "Allow scripts globally", no matter if you decided to relax these restrictions for "unknown" (not allowed) web sites.
However, since you may want to relax this rule as well, e.g. for diagnostic purposes, this option is given.

Raven wrote: Opaque embedded objects on pages. This option REALLY makes no sense in a direct interpretation (i.e. the option actually does what it says it does). It has also been reported to (in a non-reported/non-specific way) cause problems with Gmail, which obviously would not happen if it made embedded objects on pages opaque.

It does what it says: it makes embedded objects opaque (i.e. non-transparent/translucent) on pages which are untrusted (default), trusted or both.
I'm not sure what those GMail reports are about exactly, but they may be 1) very old (dating to when this option was enabled on trusted pages as well) and/or 2) related to some implementation detail/bug which is gone. Could you point me to some detailed reference?

Raven wrote:It also doesn't make much sense to "opaque" embedded objects, since any objects that are not blocked are objects you want to see (if your lists are perfected), and any objects that are blocked are already blocked. So, since this option either does not make embedded objects opaque, or has no purpose whatsoever nor any relation to NoScript's general idea, can someone please tell me what this does do.

As I said, "opaque" here means not transparent or translucent. This is an early anti-Clickjacking countermeasure which predates ClearClick, and could be actually disabled now since ClearClick is apparently effective enough, but layered security is always better.

Raven wrote: Notifications -> ABE The term "ABE" is not even mentioned on any page on either of these two sites that I have come across.

It does have a dedicate ABE FAQ section in NoScript's FAQ, actually.

Raven wrote: Forbid bookmarklets . The word "bookmarklets" is frequently mentioned on these two sites, but never even remotely explained.

From http://noscript.net/features#options (the inline Wikipedia link has always been there):

NoScript's features page, options section wrote: Forbid bookmarklets, disabled by default, prevents JavaScript bookmarks
(also known as bookmarklets) from working on untrusted sites.

Raven wrote: Allow/Forbid <a ping...>. Obviously I know what a ping is. But I do not know what an "a ping" is, nor do I know why I would want to forbid a ping from a website, considering that if I am browsing the website it is pretty obvious that I am online, and that the owner of the website will already be able to see my I.P. (most likely) and related information.

Again from http://noscript.net/features#options (and again, the explanatory links have always been there):

NoScript's features page, options section wrote: Forbid <a ping...> (enabled by default), controls the controversial "ping" feature on untrusted sites.
[...]
Allow <a ping...> (disabled by default), controls the controversial "ping" feature on trusted sites.

Raven wrote:For that matter, why are both options available? If it is "forbidden" by untrusted sites, that must mean the default is "allow". Yet if it can be "allowed" for trusted sites, that must mean the default is to forbid...

As you can see, by default "Forbid on untrusted" is disabled and "Allow on trusted" is enabled, therefore the "controversial feature" (linked twice above) is disabled by default everywhere.
Then both options are given to allow you fine tuning according to your privacy preferences.

Raven wrote: Forbid XSLT. Again the acronym "XSLT" is not even mentioned on the features page.

Sorry it's not, you're right about this one. However, if you don't know what it means and you can't even google it, you'd probably better not touch the default value for that option.

Raven wrote: Allow the <NOSCRIPT> element which follows a blocked script. Uh, why is this only allowed for trusted sites.......? Obviously, if we are browsing a site with Flash/etc. turned off, we would want to see any text that is put there instead....

The option says "Show", not "Allow", and it's an "Additional permission for trusted site" because normally your browser won't show any <NOSCRIPT> element on pages which are allowed to run JavaScript.
In facts, it's an usability aid and, as you can see, is enabled by default.

Raven wrote: XSS Sanitize cross-site "suspicious" requests. The site does not tell you what a "suspicious" character is, but makes it sound like pretty much anything that contains information in what a non-programmer (i.e. me) might refer to as an "encoded URL", which is used extremely frequently and obviously cannot reasonably be disabled (for example, when playing Zynga games (Mafia Wars/pseudo-RPGs/etc.) on Facebook... ( yes I know it's retarded but I'm trying to do stuff for someone I care about). That is, URLs which contain hash codes. So by "suspicious," does it mean certain strings which could be randomly generated and I need to leave this unchecked if I want to browse the web? Or does it mean any has code at all? Or does it mean odd characters, such as ж, ئ and Ϋ, which I'm pretty sure is actually impossible?

NoScript's InjectionChecker doesn't look at "characters", but it looks at syntactically valid JavaScript statements embedded in cross-site requests.
As such, its false positive reate is quite low. However the example you made (Facebook applications) could trigger it because they actually send chunks of JavaScript to a special Facebook endpoint, which accepts them on purpose and executes them after filtering. For this reason, NoScript applies a special exception to Facebook application, provided that the site originating the special request is already trusted.

Raven wrote: Block JAR remote resources being loaded as documents. Yeah it doesn't at all explain what this is. It would be stupid to block the ability to view documents, and that's about the max amount of information one can get out of the "features" page.

Strange, this FAQ is linked from that very panel...

Raven wrote: Advanced -> ABE. Again the term "ABE" is not even mentioned on any page on either of these two sites that I have come across.

Sorry for sounding repetitive, but there's a whole FAQ section about ABE...

Raven wrote:There's no edit link. The turing number explanation text is incorrect. The code is case-sensitive and accepts only small letters.

Please feel free to complain with phpBB.

First of all, I am a geek, but if I was not, it would not be relevant. How can an "info page" for any script be "remarkably well-written" when various options in the script's options menu are not even mentioned, more or less explained? And it is overly technical, because anyone who can't understand how to install an extension in FireFox without help (bolded help at that!) is certainly not someone who understands XSS or any other programming language.

Any PROGRAM (or, in this case, extension), which includes options such as "Opaque embedded objects on pages" that cannot possibly do what they say they do, obviously is highly unlikely to have well-written documentation of said program (or script or extension). Another infamous example of a company that had nonsensical options and hard-to-read interpretations of them: Microsoft. (However, Microsoft ACTUALLY MENTIONS every option you could think of at some place in their FAQ (along with some that AREN'T options, such as cmd commands.)... unlike the NoScript designer, who completely skips over some of them for no discernible reason).

Your opinions of what I choose to do with my software are irrelevant. It is also extremely rude and irrelevant of you to suggest that someone should not unclog useless context menu items, or request that some useful items be added to toolbar menus, merely because they can't write programming code. Whether or not I choose to have the websites I use continue to work while using an extension is not an appropriate topic for you to discuss. My question was not, "Should I break all functionality of the internet on the small chance that an exploit will be used on this computer?", nor was it, "Do you think I have a right to set up my computer the way I like?". The question was, "What do the following options do?". If you cannot answer at least one of those questions and have nothing relevant to say, you should not be posting in this topic. The only time it is relevant, appropriate, and oh yeah IN ANY WAY REMOTELY SMART of a user to "accept the default configuration" of something is when they have no interest in usability, no interest in UI, AND when the program is designed to do only one very specific action, in some cases no interest in ever seeing any of the notices generated by the program (for example when extensions default their configurable script icon, of a script in which options need to be changed sometimes, to the status bar or menu instead of to the toolbar), or in some cases when the users are uninterested in being able to use FireFox's default text input boxes (when programmers default their extension icon to someplace above the toolbar, other then the menu).

Since NoScript has more then two options and almost all of them are extremely important, and since it also places extra items in your context menu by default, it is extremely stupid of you to suggest anyone should use the default configuration (unless of course they've gone through all the options and find that they would have changed the default options to be the exact same way they currently are if they had been different from the beginning).

Giorgio Maone wrote:It does what it says: it makes embedded objects opaque (i.e. non-transparent/translucent) on pages which are untrusted (default), trusted or both.
I'm not sure what those GMail reports are about exactly, but they may be 1) very old (dating to when this option was enabled on trusted pages as well) and/or 2) related to some implementation detail/bug which is gone. Could you point me to some detailed reference?

It was in the Mozilla forums, which had one 200+ page support topic for NoScript. You posted in the topic, in the same area where this issue was reported. I don't use Gmail so I don't know what exactly it is doing.

I wasn't aware that videos and flash could be "translucent". It seems kind of stupid for anyone to do that. In the case of images, wouldn't that still make it difficult to see what's underneath?

Better wording for this option in my opinion would be, "Show all files/file parts with the"transparent" attribute ("file parts" referring to transparent backgrounds), or "Show transparent objects/images".


You say layered security is better but I'm not sure what is being layered? Aren't they both doing the exact same job, in different formats? (As opposed to, say, disabling both A and B on a site where A is the possibly-malicious code, but is caused by B, which is not usually malicious.)?

Giorgio Maone wrote:It does have a dedicate ABE FAQ section in NoScript's FAQ, actually.

Every question on that list contains code. I haven't read it while yet while writing this message, obviously, but it doesn't look like it tells you anything as it seems to be all about showing various codes - the answers are very short besides the code (although that is also short, that's not relevant).

Also, that is on the detailed FAQ page. You have a page called "features", which is not a normal "features" page but goes ahead and psuedo explains all the options... that is, "all", but as I said does not even mention the acronym "ABE", and there are various other menu options left completely out of this "guide" as well.

Giorgio Maone wrote: From http://noscript.net/features#options (the inline Wikipedia link has always been there):

It is unreasonable to expect users of your script to read an entire Wikipedia article (which, on technical articles, is generally horribly unreadable) just to decide whether to check off an option or not. Possibly more importantly, the Wikipedia article is not necessarily going to explain why a bookmarklet would cause a problem or why you have included this option in your software. Whether or not it includes such a section at this moment is irrelevant due to the nature of Wikipedia.

Giorgio Maone wrote:Forbid bookmarklets, disabled by default, prevents JavaScript bookmarks
(also known as bookmarklets) from working on untrusted sites.

This DEFINITELY doesn't tell the user anything, since JavaScript is already going to be disabled on untrusted sites (else it would be pretty much pointless for the user who disabled this to be using your extension - in fact, is allowing JavaScript on untrusted sites even possible?). Is this a redundant option? Since the entire purpose of this extension was to disable JavaScript, I can guess it had this functionality in it's first incarnation... which means the bookmarklet option makes no sense.

Giorgio Maone wrote:Again from http://noscript.net/features#options (and again, the explanatory links have always been there):

It's interesting how you keep linking to the features page. which I've already read in full (and noted that I have done so), which is why I came to this board (after some additional Googling in order to attempt to find out about some of the things you didn't explain).

[quote=""Features" Page"]Forbid <a ping...> (enabled by default), controls the controversial "ping" feature on untrusted sites.[/quote]

This is redundant and non-explanatory. Dictionary entries such as "choosier: More choosy." are frequently complained about when the word is one with a less-recognizable meaning. The link merely describes, from what I can discern, a link-tracker, which is
1) More common in cookies to the best of my knowledge, pretty much a standard practice of advertising sites as well as sites that pay you for things and
2) Not really a security issue the above description is correct. Link trackers do not crash computers or exploit them to my knowledge, and are marked as "extremely minor" by all virus/adware/etc. scanners. So although some people might like to do this, it is either
a) unrelated to security, making it a confusing feature to include in your extension since you specifically mention multiple times that "this extension's focus is security, which by accident may also block annoyances/speed up internet, but if your goal is to do those things you should download X extension..."
or
b) Not explained even by the link you give, since according to that link's explanation it is merely a regular ping and a link tracker.

Giorgio Maone wrote:

Raven wrote:For that matter, why are both options available? If it is "forbidden" by untrusted sites, that must mean the default is "allow". Yet if it can be "allowed" for trusted sites, that must mean the default is to forbid...

As you can see, by default "Forbid on untrusted" is disabled and "Allow on trusted" is enabled, therefore the "controversial feature" (linked twice above) is disabled by default everywhere.
Then both options are given to allow you fine tuning according to your privacy preferences.

What you just said has nothing to do with what you quoted. If the option is ALLOW by default, this would mean that "allowing for trusted sites" has no effect. If the option is DISALLOW by default, this would mean that "disable for untrusted sites" has no effect. There is NO OPTION to choose whether or not to allow this behavior BY DEFAULT, meaning that it must be either ALLOWED or DISALLOWED by default. Even if there were an option to allow or disallow this by default, it would make very little sense to have three separate checkboxes in three separate pages to do this, rather then just a dropdown box with "Allow for trusted sites only," "Allow all," "Disable for untrusted sites only," or "Disable all" (I think I've covered every possible option there). However, there is NO possible option on this issue for the default besides "allow" or "disable". If both checkboxes are checked, then one of the two is unnecessary because it would be happening whether the site was on the (un)trusted list or not.

Giorgio Maone wrote:Sorry it's not, you're right about this one. However, if you don't know what it means and you can't even google it, you'd probably better not touch the default value for that option.

The default value is disabled if I remember correctly. The fact that the option exists implies that it is not disabled by default by FireFox. This means that if a user doesn't know what it is, they should make sure it is not disabled, because when the website doesn't work, they will have no idea why (especially if they have notifications off, but if they have them on they may still not know why due to the likelihood that if one notification is on, most or all of them are, and that notifications aren't obvious to everyone).

The first three pages of Google which, predictably, tell you things like
-how to work with XSLT
-how to write code in XSLT
-why your XSLT code isn't working properly
-etc.

Which is exactly what a random user who decided to search for "XSLT" with no modifiers would probably be looking for, are not relevant to whether or not to disable XSLT on your browser.

Giorgio Maone wrote:

Raven wrote:Allow the <NOSCRIPT> element which follows a blocked script. Uh, why is this only allowed for trusted sites.......? Obviously, if we are browsing a site with Flash/etc. turned off, we would want to see any text that is put there instead....

The option says "Show", not "Allow", and it's an "Additional permission for trusted site" because normally your browser won't show any <NOSCRIPT> element on pages which are allowed to run JavaScript.
In facts, it's an usability aid and, as you can see, is enabled by default.

This answer is again non-explanatory. I was just able to figure it out through extra logic processing that would not be required if you had explained the answer to the question, which is, properly, "That's for the trusted sites, since the fact that the site is trusted will normally prevent the alternate content from loading even if the JavaScript for that object is disabled - the browser doesn't know how to differentiate." Or something of that nature.

It doesn't, however, answer the question of why anyone would want it blocked (which I admittedly didn't ask). Sure it may be possible to use other frequently-exploited codes as the alternate content (I don't know if this is possible or not), but if the site is using those technologies and the user doesn't want them to be used, they will have those technologies set to "block" separately.

Giorgio Maone wrote:NoScript's InjectionChecker doesn't look at "characters", but it looks at syntactically valid JavaScript statements embedded in cross-site requests.

Your features page says the dangerous elements are "characters".

Hundreds of sites I use use hash codes in their URLs - MySpace, for example, uses it themselves (the coding that everyone including regular, non-programmy geeks hated on MySpace before they changed their site to "interface hell" came from ads and user profiles, not from MySpace itself, although their servers crashed extremely frequently). I can't think less crappy example at the moment, but I know I see hash codes in links a LOT.

Giorgio Maone wrote:Strange, this FAQ is linked from that very panel...

Why are you linking me to a paragraph that tells me nothing about JAR except that is uses documents?

Giorgio Maone wrote:Please feel free to complain with phpBB.

I'm not complaining I'm notifying you that the text is wrong so you can edit it or get a different turing number provider.

---------------------------------------
It is absolutely ridiculous that I had to spend over 2 hours answering a post in response to my questions about a product, that doesn't answer many questions, and in other cases restates exactly what my question says, or links to the page that caused the necessity of the questions in the first place (or at least caused the comments that follow them... it certainly caused the question about "Block every object" since it lists other options that don't do what they say they do). I'm looking for explanations of what the options do (which in this case sometimes refers to the reason they were included instead), not links to pages that don't explain them.

However, I do thank you for the questions you did answer.