Javascript or whatever

That sounds like a good idea, though I'd prefer an exception list for that 'restrict whitelisted' option.(I like YouTube videos be blocked by default, it makes FlashBlock add-on redundant, OTOH, it cripples Hotmail.)

 

Yes, indeed. However, it seems that Giorgio Maone has stopped the development of site specific permissions. This is a bit unfortunate given the well-known susceptibility of Java and Flash. Thus, you have only two choices:

1. Either check "Apply these restrictions to trusted sites as well" under Noscript Options -> Embeddings. This means, of course, that you can't, e.g., view videos on Youtube unless you click the respective placeholders every time.

2. Use ABE and apply what Giorgio suggested on http://forums.informaction.com/viewtopic.php?f=10&t=415&start=120#p25264 Result: On every site you whitelist in Noscript, javascript is allowed but any embedded objects are forbidden unless you explicitly add this site to your ABE list. Granted, this is not really user-friendly but actually easy to accomplish. After a short while your list of sites which you regularly visit and which need flash should be complete. But it complicates things: Right now, I'm testing this solution and I had to add Wildersecurity to that list in order to be able to format this posting in the message editor.

EDIT: The last sentence is nonsense - see my other posting below.

 

Thanks, I didn't know this.

 

'Temporarily allow' goes virtually without saying for me. My whitelist is only about 40 or 50 items long, and I removed a few of the default ones, as well.

NoScript is a very malleable tool, and each user needs to find their own comfort zone with it and adapt with it accordingly.

For the new users it also takes some getting used to, no question about it.
I remember after the first couple of days using it I was near to uninstalling it, considering the PITA factor to be greater than any benefits achieved.
But I stuck with it for a while, got used to using it and became more acquainted with how I wanted to use it, and now using it has become second nature.

Gotta say, though, that from the moment I installed it I had full understanding that blocking javascripts was its raison d'etre, and so never had to sit around scratching my head much over why scripts were now being blocked.

 

Yes, I used to use FlashBlock to control Flash independently of NoScript (by unchecking Forbid Adobe Flash within NoScript). After a time though, it just seemed to me that if I was trusting a new site, I automatically wanted to view it's flash content straightaway. So I removed FlashBlock to simplify.

FlashBlock is useful for the additional whitelist, if you need it.

 

Sorry, this not true. I had erroneously added

Site *
Deny INCLUSION(SCRIPTS, OBJ, SUBDOC)

to ABE instead of

Site *
Deny INCLUSION(OBJ, SUBDOC)

No wonder that Wilderssecurity no longer worked in Noscript although it was whitelisted.

BTW: If anybody is interested: Details about ABE can be found here.

 

Similar to, though not the same as, ABee and sbseven, I am also using the temporarily allow option on several sites, allowing first the top level domain, and then using "temporarily allow" to allow only whatever else is necessary, while forbidding others, to view only the content I deem necessary, then once I'm satisfied, and it's a site I visit routinely, I will select "Make page permissions permanent". This is my "one time fine tune" approach, so I don't have to repeat the same thing the next time I visit. Otherwise if it's a site I think I will not visit often or again, then I will not apply temporary changes permanently.

I had tried NoScript off and on some time ago but always uninstalled it because of, as tlu mentions, the PITA factor, but I have decided to apply a little more effort because in the end, I believe it's an excellent complimentary security mechanism, especially given the ever increasing Internet malware dangers.

 

Yes, it is. And I actually think that the PITA factor is not that big. I mean, the sites you regularly visit and deem trustworthy are easily whitelisted, and Noscript remembers these decisions till eternity.

It's more difficult to decide what to do with sites you stumble upon via, e.g., Google. In my experience on many of them scripts and/or objects are blocked by Noscript, but in most cases they are still readable which is often sufficient. And if they really require to be temporarily whitelisted (which is the minority, IMO) you have at least the chance to make sure that the site is not malicious. (BTW: Noscript itself supports you here: If you hover the mouse above the Noscript symbol and middle-click the domain shown in the Noscript menu, you will see something like this site with links to WOT etc. - a great help). Nevertheless it would be helpful if there were an easy method to allow, e.g., only javascript but forbid java, flash and the likes. I described above the two methods how to do this.

 

Right, I found that last night. Nice feature

A little more fine-tuning capability would be nice to see. I'll check out those methods describe.

 

I have to say this, no contribution on my part of course to this excellent thread response but highly deserved.

The response has been remarkable in discussing in great detail all the Java, Javascript, NoScript, ABP and various combinations of these relatively minor but incredibly complicated and often misunderstood programs. Even the influence of SBxie has been raised.

They are an everyday part of our miserable PC lives and it is astonishing how many users including myself just take them for granted and do not understand fully what we are doing. Each of these programs seem to be as difficult to master as a Rubik Cube to quite a few users and certainly can give ordinary keyboard thumper`s a headache.

The posts submitted so far give an enormous amount of detail and expertise on how these programs operate and should be configured.

It comprises an extremely comprehensive "user guide" and I cannot thank you all enough for the time you have spent in covering this subject in so much detail.

I certainly have found it all highly educational.

John

 

After playing with both methods I must say that I'm not happy about them. If you block objects also for trusted sites, you have to click the respective placeholders every time. If you do it via ABE, you have to define too many exceptions - very annoying.

I think the best/easiest strategy is the following:

1. In Noscript Options -> Embeddings uncheck "Forbid Adobe Flash" and "Forbid Microsoft Silverlight".
2. Check "Apply these restrictions to whitelisted sites too".
3. Allow Flash/Silverlight with the extension Flashblock only for those websites where appropriate.

Advantages of this solution: Flash is probably the most often used object. With Flashblock it's easy to create a whitelist for Flash and Silverlight (once the respective sites are whitelisted in Noscript as well as Flashblock doesn't work with javascript disabled!). All other objects are blocked by Noscript on all websites - as you stumble upon them less often, clicking the placeholders should not be too pesky.

I'm going to test this solution if it's really usable.

 

That was my solution as well, but I decided I didn't use the extra granularity often enough.

Perhaps it is because I don't have Java installed? I was only really blocking Flash content and nearly always wanted to see it anyway! After a while, I went back to vanilla NoScript, allowing the Flash content to run on whitelisted sites...

 

Yes, it might be that I will come to the same conclusion after a couple of days ...

 

I'm using the QuickJava Firefox extension to globally enable or disable Java quickly. QuickJava can do the same with JavaScript, Flash, Silverlight, and images. I use NoScript also.

 

I haven't tried that, but as far as I understand it's not possible to create a whitelist - and that's the advantage of Flashblock as I don't want have to manually allow objects on trusted sites every time I open them.

 

That's correct. I use QuickJava only for Java, which I apparently don't use often within the browser.

 

But why don't you click the respective Noscript placeholder? Isn't that actually easier than using an additional extension?

 

I want Java to be disabled for NoScript-whitelisted sites by default as an extra precaution.

 

I understand - but that's exactly what I proposed in posting #36 above.

 

Maybe not quite?

You wish to block all embedded objects on whitelisted sites by default and use an add-on to independently whitelist Flash for convenience. MrBrian seems to wish to block only Java on whitelisted sites (implying he's not wanting to block Flash etc. once a site has been whitelisted). You would each need a different add-on to achieve your respective aims.

 

Exactly

 

I'm just going to stick with Noscript only, since it seems to strike a nice balance between decent additional security with the lowest amount of maintenance. Additional plugins are just going to create more work for me That said, I do like the merits of what both tlu and MrBrian are achieving with their approaches. It looks like MrBrian is focusing more on restricting Java, while tlu's emphasis is on restricting Flash.

 

Not really . In my approach Java is also blocked by default on all sites, and my argument is that it's easy to allow it by clicking the respective Noscript placeholder without the need of an additional extension. The same is true for Flash, but it's used more often than Java - thus, creating a whitelist for trusted sites with Flashblock is simply a matter of convenience.

But, well, everyone to his/her own taste ...

 

Also useful to bear in mind that Flashblock can easily be defeated:

http://netticat.ath.cx/Misc/overrideflashblockdemo.htm

 

Thanks. I wasn't aware of that.

As a test I set the "Apply these restrictions to whitelisted sites too" option on NoScript and allowed the Javascript on that page to run. The Flash object remained blocked. So NoScript is still as option if you absolutely desire to control Flash, but the setting used will also affect all your whitelisted sites too...