InformAction Forums

NoScript 2.3.6 on Firefox 11.0 on OS X 10.7.3 (all current versions). NoScript is disabled on youtube.com and ytimg.com (these are in the whitelist). Normally there would be an NoScript icon where the video should be, I would click the icon and the video would start downloading. Sometimes however, I would click on the icon, the page would reload, but the NoScript icon would still be there and the video won't start loading. Repeating this doesn't fix it, the page still reloads and there is still NoScript icon there.

What I figured out is the following:
if the video is at http://s.ytimg.com/yt/swfbin/watch_something... everything is fine.
if the video is at something like http://o-o.preferred.myISP_name-xxxX.vY ... outube.com (myISP_name is the actual name of my ISP, X, Y, Z are numbers), the issue happens. I can fix it by right clicking the NoScript icon, going to Blocked Objects and then Temporary Allow o-o.preferred....

I can't add that o-o.preferred.myISP_name-xxxX.vY.lscacheZ.c.youtube.com or o-o-preferred* to the whitelist. Any workaround so that I don't have to "Temporary Allow" always these domains?

YouTube conversion from Flash to HTML5

Will still have to TA the HTML5 video-ogg object, because each instance (of the same video) has a unique signature.

But YOUR ISP'S NAME is in the Blocked Object? They must be caching it... Let me see if mine does that.

Any workaround so that I don't have to "Temporary Allow" always these domains?

You could uncheck "Apply these restrictions to whitelisted sites". Then, since YouTube is whitelisted, the default-deny of Flash and audio/video is not applied.
But you're allowing *all* videos on the entire YouTube domain, including whatever is featured or sampled when you land there.... your choice.

btw, please don't take this as nit-picking, but "disabled" has a very specific meaning here: that the NoScript add-on has been *disabled in Firefox*. It's as if it weren't installed. This is very different from saying that "Youtube is whitelisted - trusted - in the whitelist -- etc." The difference is significant: NoScript's many other protections, such as Clickjacking (ClearClick) and XSS, apply to all sites, *even if scripting is globally allowed (dangerous)*. But if NS is "disabled", those protections too disappear.

No, it doesn't. (I opened Fx 11 for the test.) The closest thing was the letters "dfw1" on the address, which could be the Dallas-Fort Worth area of Texas, USA (also the airport ID, or KDFW internationally). Traceroutes often go through Dallas, even though I don't live near there, so clearly there's a major US Internet pipeline router there. Coincidence? I don't know.

My ISP was nowhere to be found, unless heavily obscured in the long alpha strings, or unless there's some secret code for various ISPs.

Maybe your ISP is trying to save you some lookup time and/or download time by caching these. You could ask them about it, and also let them know whether you're for or against it.
I suppose that it's not really a privacy issue, since YouTube, like every other site (including this one) needs to know your IP address so that they know where to send the page. And could know which ISP owns that block of addresses, easily.

Do you care to PM me the link, in strictest confidence? IIRC, you'd have to register, as only registered users can send PMs (anti-spam measure). If not, no worries.

Tom T. wrote:YouTube conversion from Flash to HTML5

Will still have to TA the HTML5 video-ogg object, because each instance (of the same video) has a unique signature.

Yes, after looking at that, I noticed that it happens for ogg@... videos.

Tom T. wrote: But YOUR ISP'S NAME is in the Blocked Object? They must be caching it... Let me see if mine does that.

Any workaround so that I don't have to "Temporary Allow" always these domains?

You could uncheck "Apply these restrictions to whitelisted sites". Then, since YouTube is whitelisted, the default-deny of Flash and audio/video is not applied.
But you're allowing *all* videos on the entire YouTube domain, including whatever is featured or sampled when you land there.... your choice.

That's the problem, I don't want to allow any and all of youtube videos. I guess I would have to temporarily allow the videos as you suggested.

Tom T. wrote: btw, please don't take this as nit-picking, but "disabled" has a very specific meaning here: that the NoScript add-on has been *disabled in Firefox*. It's as if it weren't installed. This is very different from saying that "Youtube is whitelisted - trusted - in the whitelist -- etc." The difference is significant: NoScript's many other protections, such as Clickjacking (ClearClick) and XSS, apply to all sites, *even if scripting is globally allowed (dangerous)*. But if NS is "disabled", those protections too disappear.

Sorry for that, I should've chosen the terms better.

andyl wrote:That's the problem, I don't want to allow any and all of youtube videos. I guess I would have to temporarily allow the videos as you suggested.

For now, yes.

NoScript 3.x for the desktop, to be released when (unsure ATM), will completely revamp site-specific permisssions, and Firefox is working on a click-to-play feature, although it still seems that because each instance of each YT vid has a unique signature, one must either give the permission to all video at YT, or do the one click.

But at least it's only one click. Will mark this as resolved for now, as I think we've covered the current state-of-the-art.
But please feel free to post back if any more questions or issues.

Tom T. wrote:and Firefox is working on a click-to-play feature,

Only for plugins, so playback using the HTML5 video element be click-to-play.

dhouwn wrote:

Tom T. wrote:and Firefox is working on a click-to-play feature,

Only for plugins, so playback using the HTML5 video element be click-to-play.

What if I have "Forbid <AUDIO>/VIDEO>" (and apply to w/l sites) checked in NS Embeddings?

Wait, you said CTP is only for plugins. Did you mean that HTML5 *won't* be click-to-play? ... sorry, the wording of your sentence isn't totally clear.

Per private conversation with OP, it does appear that the ISP showing in the name of the object that must be allowed indeed indicates that the ISP is caching these objects.

This could be a service to users, to get faster downloads; a savings to ISPs in bandwidth; and/or in countries outside the US, the cost to the ISP of international or trans-oceanic traffic may be greater than the cost of caching the videos themselves.

Thanks to andyl for an interesting discussion. One can learn something new every day.

Just to add, I recently enabled "Automatically reload affected pages when permissions change" and I don't have to Temporary Allow these videos anymore.

However, for ogg videos the play/pause button in Youtube doesn't work if "Automatically reload affected pages when permissions change" is enabled. The button works if that option is disabled. That is for ogg videos only, the button works fine for sfw one regardless of whether that option is enabled or disabled.

That is for NS 2.3.7 on Firefox 11.0 on OS X Lion 10.7.3.

andyl wrote:Just to add, I recently enabled "Automatically reload affected pages when permissions change" and I don't have to Temporary Allow these videos anymore.

However, for ogg videos the play/pause button in Youtube doesn't work if "Automatically reload affected pages when permissions change" is enabled. The button works if that option is disabled. That is for ogg videos only, the button works fine for sfw one regardless of whether that option is enabled or disabled.

That is for NS 2.3.7 on Firefox 11.0 on OS X Lion 10.7.3.

Please try latest development build. Current version is 2.3.8.rc2, but the fix for that issue was in 2.3.8.rc1:

v 2.3.8rc1
<snip>
+ Improved active content identity tracking, to avoid redundant blocking steps across reloads

I just tested this at an ogg video at YouTube, http://www.youtube.com/watch?v=VQlRmSP8bbo, and all controls work fine through multiple page reloads and/or changes of permission with auto-reload.