Page 1 of 1

noscript.temp value + private browsing

Posted: Wed Jun 02, 2010 6:40 pm
by viadrun
Hi, is it possible to disable writing the noscript.temp to disk while in private browsing session? Personally I would prefer for Noscript to automatically refrain from doing so as it leaks information about the browsing session.




A little bonus question, can we somehow shorten the "Untrusted" and "Whitelist"? They make the biggest part of my prefs.js. Make

Code: Select all

https://somesite.com/ somesite.com/ http://somesite.com/
to just ".somesite.com/ for example. Or use the ABP syntax: "||somesite.com/".


Thank you.

Re: noscript.temp value + private browsing

Posted: Wed Jun 02, 2010 7:21 pm
by Giorgio Maone
NoScript uses CAPS internally, because this is the most reliable and effective way to do script blocking in Mozilla.

This means that whitelists must be stored as preferences and must use that verbose format, which I did not invent.

When in Private Browsing mode, NoScript tries hard to prevent preferences containing sites lists from being persisted, but if some other Mozilla component/add-on flushes preferences to disk there's no way to "filter out" some.
Anyway NoScript ensures that temporary permissions and other sensitive settings are reverted as soon as the private session ends.

Re: noscript.temp value + private browsing

Posted: Mon Jun 07, 2010 9:32 pm
by viadrun
How does Noscript try to prevent the noscript.temp data from being flushed to disk, I am no developer and I am trying to understand the need of that config entry. I have tested this with only NoScript as the only addon and the config is being written to immediately after temporarily allowing a site. Could NoScript not hold these sites in memory only while in private browsing? This behavior obsoletes the attempts of Firefox to not write anything to disk imo. If Firefox can hold the cache, tab history and cookies in memory, can NoScript not do the same?

I am sorry for nitpicking - if you know another way of avoiding this quasi leak (aside from the permanent Whitelist) of browsing history please tell me.


Thanks for informing me about the CAPS, seems like NoScript should stick to it like you say.

Re: noscript.temp value + private browsing

Posted: Tue Jun 08, 2010 9:17 am
by Giorgio Maone
viadrun wrote:If Firefox can hold the cache, tab history and cookies in memory, can NoScript not do the same?
Because those features are implemented using different means than preferences, and their implementation controls their storage directly.
As I said, NoScript depends on permissions being stored in preferences because it is mandated by CAPS, and preferences flushing can be done by any component of the browser at any time (NoScript can't control it). What NoScript tries to do is not being itself the trigger.