[RFE, MAYBE] Allow site from context menu of a link

Posted: Tue Jan 17, 2012 5:20 pm
by edindex
When a site is known by the user to be safe prior to clicking a link from email or another site, it would be nice to be able to set permission to "Temporarily Allow" from the context menu to save having to reload every new site. I've searched this forum and checked Options, but have not seen a reference to this function.

Re: Allow site from context menu of a link

Posted: Wed Jan 18, 2012 9:25 am
by Tom T.
edindex wrote:When a site is known by the user to be safe prior to clicking a link from email or another site.
If you're sure it's safe, it could be in your whitelist. Then you never have to TA or reload it.

But aside from the fact that clicking links in e-mail is a bad general practice (as opposed to copy/paste the link, so you can see what it *really* says before clicking Enter, etc.), the problem with pre-allowing a site before going there is that NoScript would have to prefetch the link to see what scripts were trying to run.
I have prefetching disabled in Firefox as a privacy leak, among other reasons. I would not support having NoScript do this.

Re: Allow site from context menu of a link

Posted: Wed Jan 18, 2012 8:25 pm
by edindex
Thank you for replying, Tom.

I realize that a whitelisted domain will load without further action on my part (or am I missing something?), and agree about links in email, although I do have a few correspondents I trust absolutely.

I confess that I don't understand very much about prefetch and the security issues surrounding it, but how is it not an issue when "Temporarily allow top-level..." or "Allow sites opened through bookmarks" is enabled? I ask only to confirm that my initial post was stated clearly -- I certainly don't expect you to explain prefetching or why NS uses it.

Rob

Re: Allow site from context menu of a link

Posted: Wed Jan 18, 2012 9:26 pm
by therube
Neither TA top-level nor Allow through bookmarks are safe (IMO, with the former being more dangerous).

Thinking about it, I can't really foresee a time when I would want to TA a domain prior to actually visiting it - at least from a (web page) link? And if I did, I'd have it whitelisted (Allowed) anyway, I would think. Email, only if SeaMonkey Mail (does NoScript work there?), otherwise there is no connectivity between a third party email client & anything "Mozilla". (Unless you're meaning web mail.)

And then if it was a redirected or otherwise obscured link, what gets TA'd?

Newegg.com - ECS Motherboards

In this case, you'd end up at Newegg, but it would be slickdeals.net that gets TA'd.

Re: Allow site from context menu of a link

Posted: Wed Jan 18, 2012 9:40 pm
by therube
But then, maybe I would want that?

I do visit newegg frequently.
I do not keep it Allowed.
I often visit from an email (web mail) link.
The site loads fine without JavaScript, but a product's price will not display without it.

So if I want to go, & I want to see the price (though I may not necessarily want to), a right-click of the link, TA, could be a (slight) time saver.

Though it also sticks an item onto my context-menu that I typically would not use.
If implemented, I'm sure there would be an option to disable it, though if disabled, you couldn't use the feature - unless by hotkey, perhaps, so ...

And then a right-click, TA, followed by a (normal) click is an odd way to do things?
Unless it were a TA+Go! feature. Right-click, TA+Go!, & it TA's the domain, then automatically loads it.


Implement it, quick & dirty, & see how it flies. (Though once in, it is often hard to remove, especially with the vocal minority ;-).)

Re: Allow site from context menu of a link

Posted: Thu Jan 19, 2012 2:10 am
by Tom T.
therube wrote:Neither TA top-level nor Allow through bookmarks are safe (IMO, with the former being more dangerous).
therube said exactly what I would have said, and said it very well.
therube wrote:And then if it was a redirected or otherwise obscured link, what gets TA'd?
My point exactly, or at least, one of my points.
therube wrote:Newegg.com - ECS Motherboards

In this case, you'd end up at Newegg, but it would be slickdeals.net that gets TA'd.
Perfect example, thank you.
And your first post was excellent-- stick with that one. :D

@ edindex/Rob:
Your post was stated very clearly. No problem.

I won't go into the tech details, but to clarify, it's Firefox itself that presently uses the prefetching, not NoScript. (As said, I've disabled it.)

If we accept my view that prefetching (whatever it is) is undesirable, the issue becomes that in order to implement your feature request, NoScript would have to *start* using prefetching, AFAIK. There may be another way to do it, but one doesn't come to mind immediately.

In any event, the risks pointed out by therube are still there: You wouldn't know what you're allowing until after you're already there, which may be too late.

I hope that makes it more clear.

(If you too want to disable it, open a new tab or window, type about:config in the Address bar, then in the Filter bar, type
prefetch (Enter)

This will bring up two preferences:

network.dns.disablePrefetch: The default is false. Double-click it to toggle it to true.
network.prefetch-next: The default is true. Double-click it to toggle it to false.

Then close that tab or window.
(This is the same for both Fx 3.6.x and Fx 9.x)

Result: It may take a few extra tenths of a second to load a page when you click on a link to it from another page.
On the other hand, the original page probably loads faster if it has a lot of links, as most do, when it doesn't also have to start loading pages from every site it links to.

And you have the privacy savings that all those sites with links on the page don't know that you've visited the original page.

Please note that this is my personal opinion only, not official forum advice. It's a choice for each user to make.

The Wikipedia article on Link Prefetching is rather technical, and not very clear, but I think they state the downsides quite clearly:
1. Users and website operators who pay for the amount of bandwidth they use find themselves paying for traffic for pages the user might not actually visit, and advertisers might pay for viewed ads on sites that are never visited.
2. Web statistics such as browser usage, search engine referers, and page hits may become less reliable due to registering page hits that were never seen by the user.
3. Users may be exposed to more security risks - by downloading more pages, or from un-requested sites (additionally compounded as drive-by downloads become more advanced and diverse).
It's that last one that bothers me the most from a security point of view, although NoScript (without your feature request ;) ) would provide protection against sites not already in your whitelist. But there is still a privacy issue.
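
A way to check the two preferences named in the post above from outside the browser, as an added example that is not part of the original thread: the script reads the text of a profile's prefs.js or user.js and reports the effective value of each preference, falling back to the defaults the post states when a preference is not set. The names `PREFETCH_PREFS`, `parsePrefs` and `auditPrefetch` and the sample file content are constructed for illustration.

```javascript
// Added example (Node.js): audit prefs.js / user.js text for the prefetch
// preferences discussed above. Defaults are the ones stated in the post;
// "hardened" is the value the post recommends toggling to.
const PREFETCH_PREFS = {
  "network.dns.disablePrefetch": { default: false, hardened: true },
  "network.prefetch-next": { default: true, hardened: false },
};

// Collect boolean user_pref("name", true|false); lines.
// A later line for the same name overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, non-boolean prefs
    prefs.set(m[1], m[2] === "true");
  }
  return prefs;
}

// Return one result per audited preference: its effective value, whether the
// file sets it explicitly, and whether it matches the hardened value.
function auditPrefetch(text) {
  const prefs = parsePrefs(text);
  return Object.entries(PREFETCH_PREFS).map(([name, spec]) => {
    const explicit = prefs.has(name);
    const effective = explicit ? prefs.get(name) : spec.default;
    return { name, effective, explicit, ok: effective === spec.hardened };
  });
}

// Constructed sample input, not taken from a real profile. The second
// prefetch line is commented out, so that preference stays at its default.
const SAMPLE = [
  "// Mozilla User Preferences",
  'user_pref("browser.startup.page", 3);',
  'user_pref("network.dns.disablePrefetch", true);',
  '// user_pref("network.prefetch-next", false);',
].join("\n");

for (const r of auditPrefetch(SAMPLE)) {
  const note = r.explicit ? "" : " (default, not set in file)";
  console.log(`${r.ok ? "OK  " : "WARN"} ${r.name} = ${r.effective}${note}`);
}
```

A preference that shows as "default, not set in file" has never been toggled in that profile, which is the case the about:config steps in the post address.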

Re: Allow site from context menu of a link

Posted: Thu Jan 19, 2012 2:20 am
by therube
Unless it were a TA+Go! feature. Right-click, TA+Go!, & it TA's the domain, then automatically loads it.
Loads it, where?
Same window? New window? Tab in same window? Tab in same window, relative?

Re: Allow site from context menu of a link

Posted: Thu Jan 19, 2012 2:50 am
by Tom T.
Are you talking to yourself again? :lol:

You were right the first time -- it's risky. Stay with that. :)

Re: Allow site from context menu of a link

Posted: Thu Jan 26, 2012 6:53 am
by GµårÐïåñ
I am calling fodder on this and definitely a less than well thought through idea. Just ignore it as I think we have said enough on why it's a bad idea. Not including a few other choice words which I will refrain from given it's a user with only 2 posts. Don't want to give a bad impression :roll:

On a side note, did they develop ESP in a box that I missed where you can tell a site is trustworthy without having gone there, or ever having it in your whitelist because an email tells you so? Powerful stuff, where do I get mine? :shock:

Re: Allow site from context menu of a link

Posted: Thu Jan 26, 2012 7:03 am
by Tom T.
GµårÐïåñ wrote:I am calling fodder on this and definitely a less than well thought through idea. Just ignore it as I think we have said enough on why it's a bad idea. Not including a few other choice words which I will refrain from given it's a user with only 2 posts. Don't want to give a bad impression :roll:

On a side note, did they develop ESP in a box that I missed where you can tell a site is trustworthy without having gone there, or ever having it in your whitelist because an email tells you so? Powerful stuff, where do I get mine? :shock:
Brother, I think your message is quite clear without any further choice words. ;)

And the bottom line is clear: not a desirable idea. Have marked as WONTFIX.

Re: [WONTFIX] Allow site from context menu of a link

Posted: Thu Jan 26, 2012 9:00 am
by GµårÐïåñ
It wouldn't have been profane choice words for the record but nonetheless, not nice ones either. I think good call on that status because I cannot see any scenario (that I can think of at least) where this would be a feasible and legitimate need. Maybe if there was a POC by the OP showing systematically and like professionals how it would/could be a useful tool, then I am a fair person, I would give it a solid college try to grasp but as it stands, makes no sense.

Re: [WONTFIX] Allow site from context menu of a link

Posted: Thu Jan 26, 2012 9:32 am
by Tom T.
Brother, I don't think we need to disparage the OP. Probably fairly new to NoScript, probably not as tech-savvy as you (that's most of the planet :P ), came here in good faith and made a suggestion. We just explain why it's not desirable, and thank the user for his/her interest in NoScript.

I don't mind answering RFEs that I deem undesirable. Sometimes, others have disagreed, and made me reconsider.

The only ones that can be a bit tiring are those that have been requested many times, which is why we add FAQs, stickies, links, etc.

If the OP had grasped the implications, I'm sure the suggestion wouldn't have been made. But if everyone grasped everything on their own, we'd be out of our (volunteer) jobs. :o

@ edindex:

Thank you for your interest in, and support of, NoScript.

@ edindex, GµårÐïåñ, and everyone else participating in or reading this thread:

Cheers!

Re: Allow site from context menu of a link

Posted: Thu Jan 26, 2012 6:41 pm
by dhouwn
Tom T. wrote:Have marked as WONTFIX.
Shouldn't that be Giorgio's decision? After all, he is in full control of this project. Now I get that it might be very unlikely in this case, but theoretically you could call WONTFIX on something and Giorgio might still implement it / accept a patch for this.

Re: Allow site from context menu of a link

Posted: Fri Jan 27, 2012 3:19 am
by Tom T.
dhouwn wrote:
Tom T. wrote:Have marked as WONTFIX.
Shouldn't that be Giorgio's decision? After all, he is in full control of this project.
Considering that he hasn't chosen to post at all in this thread since its inception about 9 days ago, it seems a reasonable inference that he's not interested in it.
dhouwn wrote:Now I get that it might be very unlikely in this case, but theoretically you could call WONTFIX on something and Giorgio might still implement it / accept a patch for this.
Indeed. So, what's the problem?

Re: Allow site from context menu of a link

Posted: Sat Jan 28, 2012 12:27 pm
by dhouwn
Tom T. wrote:Considering that he hasn't chosen to post at all in this thread since its inception about 9 days ago, it seems a reasonable inference that he's not interested in it.
Maybe, but it's no official rule, is it? ;-)
Indeed. So, what's the problem?
That WONTFIX might not really mean WONTFIX, in this case basically just means PROBABLY_WONTFIX_ACCORDING_TO_TOM_T.

OK, enough of my nitpicking, :geek:
in the end, it should be Giorgio who should protest if he was not fine with you "officially" declaring RFEs as WONTFIX.