InformAction Forums

Hi guys,

is it possible to use NoScript just for blocking plugins? I want to allow JavaScript on every page but allow the plugins like flash, java, pdf only on "trusted" sites. Can you give me a hint how to change the settings?

Thanks,
agrajag

agrajag wrote:is it possible to use NoScript just for blocking plugins? I want to allow JavaScript on every page but allow the plugins like flash, java, pdf only on "trusted" sites. Can you give me a hint how to change the settings?

NoScript menu > Options > General, and check "Scripts globally allowed (dangerous)" -- and that's not a joke, but ...

You'll still get a placeholder to click on, unless in Options > Embeddings tab, you uncheck (if checked) "Apply these restrictions to whitelisted sites".

The problem is, you've just declared the entire universe of sites to be "whitelisted" (allowing scripts = trust; you've trusted, or whitelisted, all sites.)

You coud read Site-Specific-Permission Questions? PLEASE READ THIS FIRST! to tighten this back up somewhat. If the above options don't appeal to you, and if you want to pursue further, please read this linked sticky post and the linked FAQ inside it. Then you may be able to selectively allow Flash, etc. at some sites.

RequestPolicy also can help to block requests to embed Flash, etc. at third-party sites that you don't whitelist or temp-allow in RP.

Tom T. wrote:

agrajag wrote:is it possible to use NoScript just for blocking plugins? I want to allow JavaScript on every page but allow the plugins like flash, java, pdf only on "trusted" sites. Can you give me a hint how to change the settings?

...
The problem is, you've just declared the entire universe of sites to be "whitelisted" (allowing scripts = trust; you've trusted, or whitelisted, all sites.)

This is indeed a very common need.
I also want to allow JS on every site, but Java/Flash only on whitelisted ones.
Couldn't we have an option for this?

thanks

bd wrote:I also want to allow JS on every site, but Java/Flash only on whitelisted ones.

I'm sorry that I haven't been able to make this clear. Allowing JS on every site WHITELISTS every site. So they're all whitelisted.

You can manually blacklist (mark as untrusted) the sites that you do *not* want to run script and Java/Flash, but that may be an awful lot of sites.

Or you can consider the suggestion to use ABE to restrict Java/Flash permissions. See this thread.

Or wait for the release of NoScript 3.x for the desktop, which will have built-in site-specific permissions from the NoScript GUI.

I can think of 3 ways to do this actually:

1. Simply disable your plugins until you need them on a site. Then tell Noscript to Allow Scripts globally. To make this more convenient: Put the Addons button on your toolbar. There are also individual content and plugin buttons available with the "Toolbar Buttons" extension. Noscript will still protect against XSS and such. It will block Embeddings for specifically blacklisted sites if you tick Block every object coming from sites marked as Untrusted.

2. Enable all of your Firefox plugins. Allow scripts globally in Noscript. Make sure Temporarily allow "Base 2nd level Domains" is checked. Then, under the Embeddings tab again, keep Forbid Java, Flash, Silverlight, and "Other plugins" checked. Also check Apply to Whitelisted sites too. Uncheck No place holders..., and uncheck Block every object coming from sites marked as Untrusted (optional if you want to block Javascript on a select few sites.)
[*]Edit: I'm thinking "global" sites are temporarily Whitelisted, so plugin blocks apply???)

3. Get another extension called Flashblock. And, again, the "Toolbar Buttons" extension. The latter has buttons for all embedded elements you can add to your toolbar. Adding Flashblock allows you to individually click the Flash object you want to play once you've unblocked all Flash in the browser. You won't have Noscript's protection for other stuff though.

Even though I do block javascript with Noscript, I also use Flashblock so that Whitelisted sites can't blast me with video until I'm ready to watch it. Tabs in the background also can't play stuff until I tell them to.

I generally do the opposite of the discussion here though. I block all javascript for untrusted sites. I keep my plugins disabled in Firefox except for Flash (Flashbock handles it,) and I ALLOW all plugins in Noscript. This way Firefox will give me a "missing plugin" notification when I need to enable a plugin temporarily. Otherwise I've found that Noscript doesn't give me a clear indication that it blocked a plugin.

Regarding my option #2 above: A simple Forbid Javascipt checkbox under Embeddings would make this really simple.

gggirlgeek wrote:1. Simply disable your plugins until you need them on a site. Then tell Noscript to Allow Scripts globally. ... It will block Embeddings for specifically blacklisted sites if you tick Block every object coming from sites marked as Untrusted.

I could be mistaken, but I thought I had said that -- individually blacklist sites, but that's a lot of sites to blacklist?
The other add-ons, I didn't know about.

gggirlgeek wrote:2. Enable all of your Firefox plugins. Allow scripts globally in Noscript. Make sure Temporarily allow "Base 2nd level Domains" is checked.

Isn't TA Base Domains redundant to allowing all scripts globally?

... Then, under the Embeddings tab again, keep Forbid Java, Flash, Silverlight, and "Other plugins" checked. Also check Apply to Whitelisted sites too. [*]Edit: I'm thinking "global" sites are temporarily Whitelisted, so plugin blocks apply???)

Yes -- actually, they're permanently whitelisted for all practical purposes, unless/until you reverse the choice -- but I thought I said that, too?

Tom T. wrote:NoScript menu > Options > General, and check "Scripts globally allowed (dangerous)" -- and that's not a joke, but ...

You'll still get a placeholder to click on, unless in Options > Embeddings tab, you uncheck (if checked) "Apply these restrictions to whitelisted sites".

IOW, keep "Apply to whitelisted sites" checked, and you will get a placeholder (NoScript block-logo) giving you a chance to click for permission when desired, and block otherwise. OP wants plug-ins auto-allowed at "ultra-whitelisted" sites. ("trusted sites") There is no such thing. Once you whitelist the Universe with "Globally Allow", you've trusted them all, so ABE would be needed if this were to be automated.

gggirlgeek wrote:3. Get another extension called Flashblock.

In the past couple of weeks, I've seen two different threads in which Flashblock caused an extension conflict with NoScript. Redundant, and not recommended.

gggirlgeek wrote:Even though I do block javascript with Noscript, I also use Flashblock so that Whitelisted sites can't blast me with video until I'm ready to watch it.

Check "Apply to whitelisted sites", then they can't do that.

gggirlgeek wrote:I generally do the opposite of the discussion here though. I block all javascript for untrusted sites. I keep my plugins disabled in Firefox

You're using the Firefox Tools > Add-ons > Plugins page, or about:addons, to manually disable plug-ins, then re-enable them when needed?
It seems a lot simpler IMHO to block them in NoScript, and occasionally click a placeholder or two, but everyone's mileage varies...

Otherwise I've found that Noscript doesn't give me a clear indication that it blocked a plugin.

NoScript Options > Embeddings. Check "Show placeholder icon". Also, the NoScript logo will change color when objects are blocked. See the NoScript "Features" Page for a complete table of color-coding of the main NS icon.

On NS Options > Appearance tab, (Show...) check "Blocked Objects".

This should make it very clear when a plug-in is being blocked.

gggirlgeek wrote:Regarding my option #2 above: A simple Forbid Javascipt checkbox under Embeddings would make this really simple.

There's already a checkbox. On NoScript Options > General tab is the "Scripts Globally Allowed (dangerous!)" checkbox. Once you check it, you just uncheck it to reverse back to the "default-deny" of blocking all JS except for the whitelisted or temp-allowed items.

Also, in Globally Allow mode, the NS Menu offers a choice of "Forbid Scripts Globally (advised)", which is even faster and easier.

Cheers,
- Tom

Tom T. wrote:

agrajag wrote:is it possible to use NoScript just for blocking plugins? I want to allow JavaScript on every page but allow the plugins like flash, java, pdf only on "trusted" sites. Can you give me a hint how to change the settings?

NoScript menu > Options > General, and check "Scripts globally allowed (dangerous)" -- and that's not a joke, but ...

You'll still get a placeholder to click on, unless in Options > Embeddings tab, you uncheck (if checked) "Apply these restrictions to whitelisted sites".

The problem is, you've just declared the entire universe of sites to be "whitelisted" (allowing scripts = trust; you've trusted, or whitelisted, all sites.)

I'm with Tom T here - JavaScript by itself is still dangerous - but since NoScript 3 includes click-to-play as one of its presets, clearly people want it...

NB Click-to-play is supposed to be coming to Firefox 14. I guess it can race with NoScript 3.x for the desktop to see which one lands first!

Thrawn wrote:NB Click-to-play is supposed to be coming to Firefox 14. I guess it can race with NoScript 3.x for the desktop to see which one lands first!

You might (or might not) be interested in this thread.