
"Temporarily allow all" could be much better

Posted: Fri Feb 10, 2012 8:30 pm
by Globe199
I have to use "Temporarily allow all" on just about every web page I visit these days. That's frustrating enough. But what's even more frustrating is having to click that button 2, 3, 4 times per page, as is all too common now. I understand why this is -- each page image might grab a script from a different domain, so that domain needs to be allowed. I get that. (I was reading a Washington Post article today. I had to allow-all four times to get all functionality because there were scripts from 22 -- yes, 22 -- domains.)

What I propose is a button that will keep refreshing a page until every script across every domain on the page is enabled. Any thoughts?

Re: "Temporarily allow all" could be much better

Posted: Fri Feb 10, 2012 9:32 pm
by GµårÐïåñ
Keep in mind that what you are suggesting is nothing more than just "allow scripts globally" until you are done with that site and then revoking it. Because aimlessly and without any preview (by the user) and intentional choice, just allowing EVERY script on a site, you might as well run without any protection and script enabled. You still get some behind the scene protection from NS but you will be MUCH more vulnerable as you have allowed those scripts to do and deliver their payloads. I visit numerous news sites regularly that require as you said a CRAP load of scripts, but NOT ALL, in fact very minimal amount are needed to get the function without just handing over your will and saying, I give up.

Re: "Temporarily allow all" could be much better

Posted: Wed Feb 15, 2012 8:22 pm
by Globe199
GµårÐïåñ wrote: Keep in mind that what you are suggesting is nothing more than just "allow scripts globally" until you are done with that site and then revoking it.
No, it isn't the same thing. My way would allow globally only for that URL, not Firefox in general.
GµårÐïåñ wrote: Because aimlessly and without any preview (by the user) and intentional choice, just allowing EVERY script on a site, you might as well run without any protection and script enabled. You still get some behind the scene protection from NS but you will be MUCH more vulnerable as you have allowed those scripts to do and deliver their payloads. I visit numerous news sites regularly that require as you said a CRAP load of scripts, but NOT ALL, in fact very minimal amount are needed to get the function without just handing over your will and saying, I give up.
Many times I *do* give up. The problem is that I don't know which domains have harmful payload. So I'm back to square one. I'm faced with a page that isn't functioning correctly because NoScript is blocking necessary, non-malicious javascript. So I click "Temporarily Allow All." Page still doesn't work. Click it again. Still no good. Again. And so on. So how exactly is NoScript helping me in this situation? By the time the page actually works, all domains and all scripts are fully enabled anyway!!

And I disagree that it's tantamount to running without any protection. Some malware comes thru Flash-based ads. AdBlockPlus blocks those by itself without NoScript. That's probably good enough for many cases, especially on trusted root domains.

I'm saying that there is a third way here. I think my suggestion is a good compromise between no protection and too much protection.

Re: "Temporarily allow all" could be much better

Posted: Thu Feb 16, 2012 12:02 am
by GµårÐïåñ
As long as you have reload other tabs off, you will globally allow, it will open it up for that tab, reload it and you get to do what you need and then you can revoke it before moving on. In the meantime, any other tabs you have open are still protected and won't be affected. Although anything new you open in the meantime, will be affected and open. For the time being, this is the best compromise for reasons discussed in quite a bit of detail over the years.

No one magically knows what scripts are good or bad and what to allow and not, that's why the more proactive you are in allowing one by one to see what they actually do and get familiar with the process, the better. Rather than just saying allow it all and give up. This is what most sites want and you are giving it to them based on the most common of human flaws, lack of patience and taking the path of least resistance when overwhelmed.

Trust me, I am not digging at you or anything, just stating the fact that it can be frustrating and most people just give up. So it comes down to the will and effort of the individual to decide, do I care enough to do what it takes, or do I want to just throw my hands up and run naked (thank you therube for getting this term stuck in my head :lol: ). Ultimately an individual's call. The temporarily allow all was designed to give the person just that option to give up but the cascade effect is out of our technical control.

Re: "Temporarily allow all" could be much better

Posted: Thu Feb 16, 2012 12:14 am
by GµårÐïåñ
Globe199 wrote: The problem is that I don't know which domains have harmful payload. So I'm back to square one. I'm faced with a page that isn't functioning correctly because NoScript is blocking necessary, non-malicious javascript.
If you KNOW that it's necessary and non-malicious, then just add it to your whitelist and NS won't block it again. You are contradicting yourself by saying you don't KNOW what to allow, so which is it? You don't know and giving up or NS is blocking legitimate scripts that YOU KNOW and want?
Globe199 wrote: So I click "Temporarily Allow All." Page still doesn't work. Click it again. Still no good. Again. And so on. So how exactly is NoScript helping me in this situation? By the time the page actually works, all domains and all scripts are fully enabled anyway!!
First, it is providing protections behind the scene that are not visible to you. Second, you are giving up when you choose that option and so it is rightfully not helping you anymore, because you made your choice. Free will. You have the choice to make informed choices, or give up, you are the one making that decision, NS is simply giving you a way to do it.
Globe199 wrote: And I disagree that it's tantamount to running without any protection. Some malware comes thru Flash-based ads. AdBlockPlus blocks those by itself without NoScript. That's probably good enough for many cases, especially on trusted root domains.
I am not sure who gave you that load of crap but the fact is that MALWARE is often distributed through scripting, although other vectors too. So ABP is blocking only ads and some tracking elements (among which may be some path to scripts .js files), but NOT protecting you against scripting and/or malware. When you have flash enabled to view the video, you have already given it the necessary permission to do WHATEVER it wants, so ABP taking the annoying ad out of it, isn't the same as removing the sinister or malware element. You are grossly mistaken if you think it does.

Re: "Temporarily allow all" could be much better

Posted: Thu Feb 16, 2012 2:33 pm
by Globe199
Sorry to have awakened the sleeping beast. :roll:

So tell us what you do when a page doesn't work because any of 22 domains are being blocked. Do you do what I do? Click TAA several times?

Re: "Temporarily allow all" could be much better

Posted: Thu Feb 16, 2012 2:59 pm
by therube
There are some pages that are a true PITA, just as you describe.
And yes it is becoming far more common.

Of late, http://www.staples.com has gotten that way. Their website (overall) design has gone from decent to horrible. And now they are starting to use all kinds of foreign domains which only makes things worse. What it will do for me, is that at some point I will be fed up enough, & I will say, SCREW STAPLES, & stop dealing with them. (I haven't put that in my tag-line yet, but give me time.)

(I don't do it often ;-)) but in this case, I fully agree with what GµårÐïåñ posted.

I, like you, get frustrated, & my solution is as he describes above.

If these were pages that I frequent regularly (which is generally not the case for me), I would attempt to find the minimal set of domains that I could Allow, such that I would then whitelist them & be done with it. But that too can be a PITA.

Doing as you describe, recursively refreshing the page, no telling what could turn up, or when it would stop.


Perhaps if there were a feature, Allow Globally ONLY this PITA page, which could Allow Globally, perform a single refresh, but limit its scope to ONLY the single page (tab) that you happen to be in. IOW, NO other pages (tabs), regardless of using the same domains or not, would be affected by this setting at all. (What about child pages opened from the original page?)

Re: "Temporarily allow all" could be much better

Posted: Fri Feb 17, 2012 3:30 am
by Alan Baxter
Globe199 wrote: So tell us what you do when a page doesn't work because any of 22 domains are being blocked. Do you do what I do? Click TAA several times?
I either don't bother with it at all or else I open it in a sandboxed browser and allow scripts globally.

Re: "Temporarily allow all" could be much better

Posted: Sat Feb 18, 2012 1:53 am
by GµårÐïåñ
Globe199 wrote: Sorry to have awakened the sleeping beast. :roll:
Facts are facts and we are discussing things as adults I presume, being glib or sarcastic or pouting is not constructive. So you can roll your eyes all you want, you have a better solution, let's hear it, otherwise, you are just being immature. That being said, let's answer your other question.
Globe199 wrote: So tell us what you do when a page doesn't work because any of 22 domains are being blocked. Do you do what I do? Click TAA several times?
No I do not. In fact I have that option completely removed from my menu from within the NS options GUI. I would rather be shot than to just say ok rape me, I give up. I use judgement on what I feel is the hold up and begin temp allowing what I consider most likely needed, to least likely needed, ONE BY ONE, and see if I get the desired effect or not. With a NEW site, meaning first time there, it has never taken me more than 10 minutes of thorough evaluation to get it functional, up and running without giving into their will.

As I have ALWAYS said, security is a PROACTIVE process, not a passive one. Anytime you go passive, you are giving up your freedom and will, therefore opening yourself up to whatever will the entity imposes on you. Some run that way, I and many don't, to each their own but EVERYONE is responsible for the outcome based on their OWN decision. A good rule of thumb, if the site is making it difficult to use it without giving up your security, freedom and choice, then it's not worth using or has a hidden agenda, so I am MORE careful if anything, not less.

Here is how I stack my security (you can check the full list through my security pack link in the signature) but basically I have NoScript as my first line of defense used in conjunction with RequestPolicy to allow me to see what sites are connecting to what, what scripts are needed and so on. I use JSView at times to look inside the script before allowing it to see what it actually does, 99% of the time, I can rule them out by sight but this helps for the rest. Already I have 99% of my web interactions under control. Now there are fringe cases which benefit from having Adblock installed (mostly for aesthetics) where I put custom filters and also double-check my choices by checking the blockable elements list (so if something made it through, I can nab it there). At this point I am running 99.9% secure and need nothing else. But just to beat a dead horse, I have Ghostery and Abine (TACO) installed to block cookies and tracking stuff that might slip through or are inline coded. I verify my SSL status using local encrypted file and double-check it by customizing Perspectives to give me second opinion. I have ServerSpy so I know what web server they are running, so I know if there are vulnerabilities there that might allow for malicious injection and so I am extra diligent and Flagfox to verify where the servers are located, their registry information, etc, so I can further vet them - mitigating some man-in-the-middle attacks. I then wrap it up by running in Private Mode ALL THE TIME, with NO HISTORY saved, "awesomebar" -aka- asininebar disabled, plugins kept to a minimum, and BetterPrivacy to notify me when LSO are stored, and to dump them each session's end. I also have GreaseMonkey for scripting things that give me some benefit as far as improving my web experience or expediting it or automating some things.

Now this may seem like a lot but guess what, I browse the web with as much fun and openness as anyone else, don't sacrifice any feature or benefit and yet at the same time compromise on NOTHING relating to my privacy and security - meaning I am 100% secure and protected and no one knows squat about me (meaning no tracking) and within Fx, I further have items under about:config that tighten the reins on the browser itself, so it doesn't leak out what I don't want it. This is my daily profile, which means I do EVERYTHING on this and have COMPLETE confidence that I am safe. I read news on 10 agencies, foreign and domestic, I browse music/video/social websites for myself or for work/support. For supporting users on this site, I even go to malware sites and porn sites as needed without fearing my "production" or personal machine's security. For banking, although I often do within this profile, I have a specially tightened profile created that has even MORE restrictions and tons of surrogate scripts to make sure there is a ZERO attack surface environment for me to do my thing without worry. Hopefully this detailed answer shows you that when I say something, I back it up and do what I preach. Although why any reasonable person would need preaching in order to want this, and not already be on board is beyond me. Hope you at least learned something or got some ideas out of all this discussion to help you in the future.

If you have a specific site you need help with, send me a PM or post it here and I (we) will get back to you with what to allow and not and get you going, but otherwise, just try and learn. Practice makes perfect and you can develop the same level of comfort as me and other security minded people here with time and effort. It's not this mysterious thing that is exclusive to anyone, just takes some motivation. Good luck to you.

Re: "Temporarily allow all" could be much better

Posted: Sat Feb 18, 2012 1:58 am
by GµårÐïåñ
Alan Baxter wrote: I either don't bother with it at all or else I open it in a sandboxed browser and allow scripts globally.
Thanks to Alan, I just remembered something I forgot to mention in my post. If I am not going to be going back to this site, it's a one time deal, then I don't waste my time at all (unless I am doing it as part of support, in which case I do take the time) and just open it up in a sandboxed dragon instance (which basically runs naked) and do what I need to do and then close the session dumping the whole thing and I am done. Thanks Alan for reminding me, it's something I do so infrequently that I totally forgot to mention it because usually I don't find myself having to resort to this to get it done, my regular profile as described works just fine.

Re: "Temporarily allow all" could be much better

Posted: Sat Feb 18, 2012 2:35 pm
by Guest
This is a bit off topic, but in reading this thread I just want to say thank you to Guardian, Alan, and therube and Giorgio for all the help you give here. I have no courage to post anywhere any longer on the internet, but I find this site safe and while I have only the slightest knowledge of what I'm doing with noscript, I just am thankful and appreciate seeing how you all work to help us all and as well how you handle the occasional not so nice remarks people might make. I enjoy reading here. Thank you so much Giorgio for noscript!

Re: "Temporarily allow all" could be much better

Posted: Thu Feb 23, 2012 8:20 am
by GµårÐïåñ
Guest wrote: This is a bit off topic, but in reading this thread I just want to say thank you to Guardian, Alan, and therube and Giorgio for all the help you give here. I have no courage to post anywhere any longer on the internet, but I find this site safe and while I have only the slightest knowledge of what I'm doing with noscript, I just am thankful and appreciate seeing how you all work to help us all and as well how you handle the occasional not so nice remarks people might make. I enjoy reading here. Thank you so much Giorgio for noscript!
You are welcome. We try to provide not only support for our own products here but also provide an environment where more topics are discussed and discussions provide perspective. Glad you feel able to benefit from it and safe enough to partake. Sometimes people have preconceptions, misunderstandings, or misinformation and it can make things a bit hard to discuss because you have to break through that barrier, but we put it all out there and hope for the best that it makes an impact. I am sure we are all happy that it's appreciated. Thank you for letting us know.

Re: "Temporarily allow all" could be much better

Posted: Fri Jun 15, 2012 4:38 pm
by Globe199
Here's a good example for you:

http://www.wired.com/underwire/2012/06/ ... -pavement/

Try loading this page. I clicked TAA three or four times. The video *still* does not appear. Open Chrome and go to the URL. Video works fine. :evil:

Re: "Temporarily allow all" could be much better

Posted: Fri Jun 15, 2012 7:26 pm
by GµårÐïåñ
It works fine in Chrome because it doesn't block anything, DUH! it works fine. Even in Firefox without any addons, it will work fine too and/or if you were to disable or allow globally, it would work fine too. I don't see how your post is supposed to contribute anything new in terms of perspective?

Re: "Temporarily allow all" could be much better

Posted: Fri Jun 15, 2012 7:33 pm
by GµårÐïåñ
BTW, as for the link you provided http://www.wired.com/underwire/2012/06/ ... -pavement/

Assuming you have no other security addon like (ABP, Ghostery, RP, Abine) and only NoScript, I temporarily allowed wired.com and brightcove.com and the video popped up. It was so easy and no brainer that I am wondering what you are so overwhelmed about?
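
Added example, not part of any post in this thread and not NoScript's own code: a small model of the cascade the thread argues about, where scripts from an allowed origin request scripts from further origins that only appear in the menu after a reload. It compares repeated "Temporarily allow all" with allowing only the chain of origins a single feature needs; the origin names and the dependency table are constructed placeholders.

```javascript
// Constructed dependency table (placeholder origins, not measurements of a real site):
// once an origin's scripts may run, they request scripts from the listed origins.
const LOADS = {
  "news.example": ["video-cdn.example", "ads.example", "stats.example"],
  "video-cdn.example": ["player-api.example"],
  "ads.example": ["adnet-a.example", "adnet-b.example"],
  "adnet-a.example": ["tracker.example"],
};

// Origins the blocker can list for a page: the page itself plus everything requested
// by scripts that are allowed. Children of a blocked origin never show up.
function visibleOrigins(page, allowed) {
  const seen = new Set([page]);
  const queue = [page];
  while (queue.length) {
    const origin = queue.shift();
    if (!allowed.has(origin)) continue;
    for (const child of LOADS[origin] || []) {
      if (!seen.has(child)) { seen.add(child); queue.push(child); }
    }
  }
  return seen;
}

// Model of repeated "Temporarily allow all": allow whatever is listed, reload, repeat.
function allowAllUntilStable(page) {
  const allowed = new Set();
  let clicks = 0;
  for (;;) {
    const fresh = [...visibleOrigins(page, allowed)].filter(o => !allowed.has(o));
    if (fresh.length === 0) return { clicks, allowed: [...allowed].sort() };
    fresh.forEach(o => allowed.add(o));
    clicks++;
  }
}

// One-by-one alternative: allow only the chain of origins leading to the needed one.
function minimalChain(page, needed) {
  const parent = new Map([[page, null]]);
  const queue = [page];
  while (queue.length) {
    const origin = queue.shift();
    if (origin === needed) {
      const chain = [];
      for (let cur = origin; cur !== null; cur = parent.get(cur)) chain.unshift(cur);
      return chain;
    }
    for (const child of LOADS[origin] || []) {
      if (!parent.has(child)) { parent.set(child, origin); queue.push(child); }
    }
  }
  return null; // the needed origin is not reachable from this page
}
console.log(allowAllUntilStable("news.example"), minimalChain("news.example", "player-api.example"));
```

In this constructed table, four rounds of allow-all end with all eight origins running scripts, while the video path needs three origins.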