Javascript or whatever

I am totally peed of by getting messages that my Javascript is not enabled.

My FF has Javascript enabled, yet many sites come up with a message that it is not.

What exactly is wrong ? What do I need in terms of Javascript, Java or any add-ons so that these massages do not plague my life ?

John

Screenshot of FF panel :-

 

do you also use NoScript addon? Any other security software that can block scripting? Otherwise, maybe post a link where you see it happening

 

Yes Cudni, I do have NoScript. Do I have to make an adjustment to NS so that this Javascript unabled message does not come up with some sites ?

And yes I will get the link whenever the next message comes up and post it on this thread.

It is all a bit annoying since I try and do what is necessary.

Thank you for your comment, I will look out for my next message. it happens quite often. I reckon your comment re. NS has something to do with it. Also I notice the Adobe Flash box is checked - will that be relevant to my Adobe thread ?
But if NoScript reckons these items are a risk, if I unchecked them I am going against a security embargo instituted by somebody who knows better than me.

Screenshot :-

 

To be honest I dont see a need for NoScript in a sandboxed browser in the first place. Id go ahead and disable the Forbid Java. Make sure you change the settings outside the sandbox so it actually changes.

 

NoScript stops scripts running on web pages unless specifically enabled - the site will often report that Javascript is not running because it won't until you allow that page via the NoScript menu.

It blocks everything by default and only runs the elements you specifically permit per site - if you choose for it to not manage certain elements globally it will not block them on any site.

It treats everything as a potential harm and relies on your judgment to select what isn't by either temporarily or permanently whitelisting it.

Personally, I don't think you are gaining anything by running Firefox with this add-on as you don't seem especially clear on why you are using it, plus it's already sandboxed anyways; but in answer to your question, just allow the sites you trust to execute Javascript or the embedded elements you wish to use - there are a lot of nice tutorials online to help you get the best out of this great little add-on.

 

A little extra armor doesn't hurt, though you really are right. I use it for mostly blocking the ad servers/trackers, along with AdBlock Plus. If a bad script runs and something goes boom, I simply terminate all processes in Sandboxie and restart the browser.

 

@John Bull

I strongly recommend that you please read this 1st:

Using Noscript correctly

Once done, you have to do some serious thinking on your own. As far as I can tell, you have 3 options:

a) Learn to use it in it's default form or with a higher degree of control
b)Change it's settings for a bit more 'usability' (term is loosely used here)
c) Uninstall NoScript.

The 1st option can be quite cumbersome and intimidating for most users. I don't think that will be a good option for you right now, at least not at this moment. Nevertheless, if you intend to go along this route, then I'm sure some folks here will be able to guide you along...or if you can bother yourself to do so, then head over here and read (or glimpse through it):

http://noscript.net/features
http://noscript.net/faq

The 2nd option - I will personally suggest you to set NoScript to "Allow Scripts Globally (dangerous)", un-check the 'forbid Java' option for you to achieve what you stated here:

Yes, hardcore NoScript fans will probably say "that's mad", shout out loud that "damn you safeguy, that weakens NoScript " etc etc. They're obviously right and I won't argue against them. What I'm suggesting is merely to adapt to the specific OP 'wants', 'requirements', whatever you want to call it. At the very least, it's nothing worse than not using NoScript itself.

Of course, there are many other variables/options that you can check/un-check to gain what some optimists may define as a 'balance'. For e.g. some will recommend that you set it to "Temporarily allow top-level sites by default" etc etc...if you want that, then again, some folks here can help you with that too. You won't get a perfect consensus from everyone on which settings to go with though...

Finally, the 3rd option...

I truly think that using NoScript would just do the opposite of what you want or feel comfortable working with right now and that you are better off without it. There's no security gain in using something that you hardly understand or can utilize to a minimum...and there's nothing shameful about that. In fact, some argue it to the contrary and are opinionated that NoScript is no security tool to be used in practical day-to-day browsing scenarios for most folks. It's anyone's call and debate on the matter and we've seen this many a times on this forum itself...

One that catches my interest is this:
http://adblockplus.org/blog/usability-vs-security

Now, the power is in your hands. Javascript or whatever....nay.

 

Honestly the only hard part of Noscript is the 3rd party scripts that are often on a website. These include scripts that enable features of a website (think drop down menus and the sort), and 3rd party advertisers/trackers (Doubleclick and such) Let's take Tmz.com, for example. Obviously you're likely to need to allow tmz.com, as it is the website itself. Then you have "gumgum.com". If you have an interest in viewing their videos, you need to allow this as well. After that you have "Quantserve", "Revsci", "Adsonar", and others, these are advertisers and web trackers. They are not only not needed, but advised against.

Now, how do you know what is what after the top level? You don't. That alone is the biggest weakness of NoScript, and a weakness you have to ask yourself if you're prepared to deal with it and the possible consequences. It's a weakness that is less of an issue inside something like Sandboxie, as any consequences can be dealt with via deleting the contents of the box, but a weakness nonetheless.

 

Dear WhiteD and all the others, you have each given me some excellent advice and comments - much appreciated.

I do find that anything "Java" (which is more complicated by having Java and Javascript and I have`nt a clue what difference exists between them) drives me crackers. It is the same with anything "Adobe" as in my other thread. There seems to be an infinite variety of Java and Adobe mutations.

Regarding NoScript, the reason I have it I suppose is a "belt & braces" mentality, plus it is highly acclaimed throughout the web by millions of users. I do use SBxie exclusively, but also have FF normal and IE8 which is where NS and ABP adopt a much more important role.

When the dreaded "Javascript is disabled" message comes up, I can hit the NS Options at the screen base and either fully or temporarily allow the page, but it makes no difference. I would think the Options screen action would over-ride the checked box in the main NS panel.

John
PS - Why did I ever get a PC ? It was much easier watching TV and patting the dog. But then, I would never have met all you lovely people on Wilder's would I ? Rather look like a dick-head on Wilder`s than go back to TV. Gets a bit hot at times, but I like it.

 

As an Addendum to my previous post :-

Java ? Have not a clue what it is or whether I need it. I cannot find any Java pug-ins on my FF. See http://javatester.org/enabled.html - ME ? See screenshot 2 below.

Javascript ? This is presumable a big YES for me. See http://javatester.org/javascript.html - ME ? See screenshot 1 below.

Love your comments, I am confused on Java but delighted on Javascript.

John

Screenshot 1


Screenshot 2

 

Hi John

Safeguy's post was an excellent reply and there's some good info in it, although I wouldn't personally suggest anybody chooses option b), as I think it neuters NoScript too much.

NoScript is quite a technical product, not necessarily in the mechanical skills you need to operate it, but in the educated decisions you must make when deciding what to allow and what to block. If all you're going to do is allow scripts and objects to run when the new website appears broken (as it nearly always will) without really understanding what you're allowing then you haven't got any protection.

NoScript has parallels with HIPS and active firewall products in that these also "deny" things from running and they often "break" applications. If you just allow a HIPS / Firewall pop up without understanding what you're allowing then there's no protection there either.

So I would suggest, as some have said, that you research how to use NoScript properly (i.e. understanding the settings and the decisions you're making) or not use it at all. In your particular case, as you use sandboxing technology anyway, NoScript's protection aspect is just about an irrelevance.

Using NoScript can still have benefits though. If used properly, it can be used to deny third party scripting (mostly advertising/tracking) and it can be used to selectively display individual content. These are the main reasons I use it in parallel with a sandboxed browser.


p.s. Java / Javascript

You don't have Java installed on your machine by the looks of it, ergo you don't need it! Java and Javascript are two entirely different technologies, so changing the "Forbid Java" setting in NoScript will have no effect on Javascript or anything else for that matter.

 

@John Bull,

Click on this Java.com link & you can check the Java running on your PC.

 

The man installs a script blocker and then can't figure out why scripts are being blocked.

Who could make this stuff up?

 

I can top that! Recently I blocked that annoying flash-vert at the top of the IMDb page with ABP (on SeaMonkey), then spent hours trying to figure out how I'd achieved this with NoScript ... *Doh!*

 

I just went to the site, I didn't see a "flash-vert? (I hate those things too) I've got both ABP and Noscript and didn't touch either one. Do you mean the trailer for Pirates at the top? Funny stuff, it showed it (but didn't actually play) with scripts blocked, but the trailer picture vanished when I allowed the site in NoScript.

 

Yes, that's what I meant. They can be as annoying as adverts & can slow page loading. Luckily I have discovered a simple flashblocker for Iron/Chrome which deals with it.

 

Well evidently you can allow IMDB in Noscript and never see it again, lol. (with Firefox at least)

 

I'm just getting back to using NoScript again. For those additional sites (besides the main one) one is not sure about allowing, what about choosing "Temporarily allow somesite.com" option? It seems to be the logical choice when the site appears to be not functioning quite right and the user isn't sure what else to allow. Any thoughts on this from experienced NoScript users?

 

Hmmmm ... I'll have to learn how to use NoScript properly one day ...

 

It's perfectly fine until you pick the wrong one to allow and get compromised, which can be easy to do when faced with media-heavy websites with a long list of scripts. That's why 1. You need to be careful. 2. You need a backup plan in the form of other protections like a sandboxed browser.

 

Absolutely that's the best thing to do.
Of course, once allowing the site you're on and then reloading the page, you'll often see quite a few other sites to choose from if you want/need to allow something else.
So there's the rub. (As 'dw426' alluded to).

However, experimenting around and using some common sense will normally get whatever you need allowed on the site working in short enough order.
You'll also probably begin to learn who the likely suspects are in the list that you're going to need to allow, or the methods by which you can fairly rapidly determine what else needs to be allowed.

My normal procedure, when needing to allow something other than the site I'm on and not knowing exactly what that might be, is to allow a first choice ('abc.com', e.g.), reload the page, then if that's no good I try allowing 'def.com', but at the same time disallow 'abc.com' again-- because usually there's just one other choice that needs allowing, not two or several of them, and I don't see any reason, personally, to allow scripts to run that don't need to be running.

A couple of more 'for examples' for you:

You want to watch a Flash video on a site where the video itself is not being hosted there. So when you allow the original site and then reload, you can pay attention to the status bar to see what site or sites are now trying to load content as well, or possibly you can hover the mouse pointer over the empty video box to see where that content is originating from-- then simply allow that site and reload the page again, and there's your video.

I have an account at DailyMotion. Recently, they changed the way they do things in order to log-in there. Simply allowing 'dailymotion.com' won't cut it anymore.
So I learned, via the 'allow one more at a time' method, that I now also need to allow 'dmcdn.net' in order to use the log-in and what-not other functions there.
But that's all. I still sure don't need to allow Facebook, or Quantserve, or ScorecardResearch, or 'fbcdn.net', or Google-Analytics. And in that instance, also allowing 'dmcdn.net' was the fairly obvious first choice to try.

Also, we're never really required to view content on a website, are we?
Meaning, for example, that Google-Analytics stays on my permanent 'untrusted' list, and if I were ever to need to allow Google-Analytics in order to view content, then that content would simply go unviewed on my machine. I'd say 'Oh well' and be off to some other site.

Experimentation, common sense, user choice and decision-- these are the things that should come into play when availing oneself of the functionality within the NoScript add-on.

 

I just click on "Temporarily allow all this page" on an 'interesting' site that needs to be allowed to work correctly, I can't be bothered to go through all blocked domains and try allowing them one by one, unless I find myself visiting that site often. I also enable "Apply these restrictions to whitelisted sites too" option under Embeddings tab, so when I allow 'all this page', only JavaScript is allowed.

 

This is pretty much what I do when I look at an unknown and untrusted site, after trying the most likely looking from the available blocked 3rd-party domain names.

There is further input available for your decision process. You can shift-click (or middle mouse) on a blocked item from the list and NoScript will give you convenient access to the WOT scorecard and the McAfee Site Advisor pages for the blocked domain. As an example, consider the Youtube page (with all domains currently denied). After you allow youtube.com, the page still doesn't work and there's a choice between doubleclick.net and yimg.com. Pretend you can't determine anything about their function from the domain names. Looking at the WOT scorecard for each of those using shift-click could help your decision...

Some other things:

I "Allow all scripts global (dangerous)" temporarily when I'm about to make a https trusted transaction of some sort. This avoids the transaction breaking in the middle when it goes from the starting website to a third party payment mechanism, for instance.

For sites I only occasionally visit, I only allow temporary permissions. This forces me to apply the same caution I used the first time when I visit again. It also keeps the whitelist cleaner.

I also consider how badly I want the site to work. If after enabling the top domain the site's still broken and there are lots of blocked domains I don't recognise, I tend to walk away and find something else to look at.

 

Indeed I've got lots of other protection mechanisms in place such as running LUA with AppLocker, EMET and recent backups of my system partition, so I don't worry too much about the potential of getting compromised. I figure over time I'll be able to determine the useless domains.

Allowing one which then triggers other candidates is exactly what I've noticed. I basically try to allow just enough to view only what is required. It's quite cool to see how NoScript will effectively block useless ads, including those really annoying ones that dance all over the place Of course for https sites I will allow all or at least enough to enable the important form-filling functionality.

 

This does give greater control of what's allowed to run but I find the setting 'too strong' as it also affects all your favourite whitelisted sites and means an extra step browsing flash content, for instance, every time you visit a page on one of those sites. There's no further granularity available.

I think NoScript could benefit from a couple of extra menu options: "Temporarily allow (no embedded objects)" and "Temporarily allow all this page (no embedded objects)". This would apply your methodology without affecting already trusted sites.