InformAction Forums

As a privacy advocate, I recommend NoScript (and AdBlock) and of course Firefox constantly. However, lately I find many journalism sites include videos from YouTube or other sites require permitting one or more scripts to run. But which are needed utilities, and which are datamining???

Take this example, a local NY political news site carries a story about a candidate for office:

http://www.politicker.com/2012/03/01/be ... ign-video/

The video is not accessible (blacked out). Checking NoScript, I find the following servers want to run scripts on my computer:

politicker.com, chartbeat.com, scorecardresearch.com, facebook.net, quantserve.com, googleadservices.com, twitter.com, disqus.com, static.chartbeat.com, google-analytics.com, and youtube.com

Placing my cursor on the AdBlock tab on the video box shows me the server sending the image is youtube.com/v/lCx6aDUL32k?version=3&hl=en=US

So I "temporarily allow" the site's server, politicker.com, to run scripts. When that fails, I allow youtube.com access via NoScript. Again, no video.

At this point, I try turning on and off a few sites and would normally give up.

Only by disabling AdBlock can I run the Shockwave Flash video. Isn't that a script? I'm in over my head here.

Apparently, the server that finally delivered the video was ytimg.com which was NOT listed in the pop-up list that NoScript provided (above list). A Google search tells me this is a Google product. Do I now have to run all the Google scripts for news video clips? Ugh.


The non-IT gurus across the country, who go as far as I do to keep some walls of privacy up, need a helpful "cheat sheet" of "utility" vs. marketing Javascript, Flash, Java etc wannabee-in-my-pc.

Thoughts? And thanks for caring about privacy.
NY1writer@yahoo.com

For that particular page, nothing at all is needed (as far as NoScript is concerned).

As a test, create a new Profile.
Disable JavaScript in your browser (nothing to do with NoScript).

Load the page, click the video.

It plays.

Re-enable JavaScript (in your browser).
Install NoScript into that Profile.

Try again, & you will see you get the same results.

The placeholder will display, click it, the video "Play" button displays, click it, the video plays.


Other sites can certainly be different.

ny1writer wrote: But which are needed utilities, and which are datamining???

Presently, two posts above yours (although yours may get bumped down) is SOME SITES YOU MIGHT NOT WANT TO ALLOW, with more than 100 of the most common data-mining and ad scripts listed.

It's also a sticky post in NoScript Support and NoScript Development.

Please tell me I didn't go to all that work for nothing.

ny1writer wrote:Thoughts? And thanks for caring about privacy.
NY1writer@yahoo.com

May I suggest that you look into the RequestPolicy add-on? It complements NoScript very nicely, as the developers of each agree.

It will block still images, including so-called "web bugs", that may not be blocked by NoScript, because NS focuses on blocking *exectuable* code.

And you will learn even more about who is trying to pry into your browser.

Also see the article Surrogate Script for information on how NS provides default protection against some data-miners, and Listing of script sources for which surrogates are provided for a plain-English listing of the sources of such scripts.

btw, when I tried to play the video, a link appeared at the top of the video screen. Clicking that took me directly to YouTube, where the video is hosted.
Just hovering the mouse should show the destination of the link, thus tipping you off as to where it's hosted.

At YouTube, you'd see clearly which scripts tried to run. The reason that ytimg didn't ask to be allowed is that it's in the Default Whitelist, along with some others, as a courtesy to help non-tech users use the most popular web sites right out of the box, so to speak.

You can, and should, delete from your whitelist any that you don't use or need.
NoScript > Options > Whitelist.

And yes, there can be a certain amount of detective work involved. The Internet is complex. Navigating safely is like navigating the Los Angeles freeways safely -- it takes a bit of care, attention, and some learning curve.

Thank you all. I learned more than I expected, following the various links. I admit I don't understand the article about user-created surrogate scripts, it's way over my head. Hopefully, since it was dated 2009, NoScript has automated that function so Google-Analytics no longer must be allowed via a user-created script in order to access certain pages. That was what the article from hackademix.net described.

Thanks all. My g/f thinks I am slightly crazy for being concerned about privacy online but it's a matter of principle for my generation, raised in the Nixon era of government intrusion on individual liberties.

ny1writer wrote:Thank you all. I learned more than I expected, following the various links. I admit I don't understand the article about user-created surrogate scripts...

No need for user-created surrogates. The original surrogate for google-analytics.com that Giorgio *built into* NoScript was such a great idea, and so popular, that new surrogates have been added all along, via updates. No user action is required, except to make sure that you don't whitelist or temp-allow the source for which you want the surrogate to run. So long as it's default-denied (or Untrusted), the surrogate runs *automatically*.

If/when users discover a new data-mining script *that breaks pages if prohibited*, they can post here. If verified, Giorgio will write the surrogate and add it to the next release (or latest development build) of NoScript -- for *everyone*. Again, no user action required. So if you find such a situation, just post it in NoScript Development.

No need to write any surrogates yourself.

ny1writer wrote:Thanks all. My g/f thinks I am slightly crazy for being concerned about privacy online but it's a matter of principle for my generation, raised in the Nixon era of government intrusion on individual liberties.

Been there, seen it only get worse over the years -- by *both* parties. Don't want to get into a political diatribe, but Nixon didn't start the erosion of civil liberties in this country, by a long shot. (Try "Harrison 1914", e. g.)

I would be very concerned about your friend's lack of concern for privacy online, and what she may be posting without realizing that anything put there *NEVER* goes away. -- and can be seen by anyone, sooner or later. But our support team can't help you with that.

GL with that, and thanks for the kind words.
Cheers,

Tom

ETA: I re-read the Surrogate Script article. I think this is what was confusing:

.... an alternate user-provided surrogate script gets executed instead,

By "user-provided", he didn't necessarily mean "coded by you". He meant "provided by your browser, from its NoScript add-on" -- as opposed to the script provided by Google to the site involved. "Client-provided", in tech terms.

You can specify as many URL/surrogate mappings as you want, by creating a couple of about:config preference entries under the noscript.surrogate root.
The built-in Google Analytics mapping can be regarded as a reference:

As a brand-new feature, Giorgio was inviting the tech crowd to write their own. But as said, it's long since been the policy for Giorgio to write them and add them to the next build when brought to his attention.

Hope that clears things up.

Every site is different. Even sites of 'trustworthy" web authors often resort to the convenience of services (scripts) from less trustworthy 3rd party sites & providers, often with bad results. I often use the less than perfect service of www.MyWoT.com (Web of Trust) in trying to get a page to run when NS has blocked (sometimes many) 3rd party scripts. I 'temporarily enable' apparently relevant blocked scripts that WoT has 'trusted', 1 or 2 at a time, until my site plays. I avoid any script domains that look either suspicious or irrelevant to my desired purpose for the visit, and try to use only scripts from (WoT) above 90% 'trustworthy' sites. It is a juggling act (while crossing the freeway.)==
I wish WoT were more persuasively valid.
I wish such ratings were more easily visible in the NS menu (like a colored WoT icon or number).
I wish the NS menu were more cleanly structured.
I wish the NS menu were browser tab dependent (not just "Recently Blocked").

NoScribner wrote:I wish the NS menu were browser tab dependent (not just "Recently Blocked").

Well, the thing about that is that NoScript is primarily for security, with privacy benefits being secondary. If a site is safe, then it's safe on every tab, and if it's unsafe, then it's unsafe even on one tab, and even for a few seconds.

You could try the Tab Permissions add-on, though. It allows per-tab control of images, redirects, plugins, scripts, and frames.