No Script

Discussion in 'other security issues & news' started by JerryM, Mar 5, 2014.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Ah, I see you were interested in this very topic. Isn't it interesting that it has only been fixed so recently? Also, now that it is fixed, Mozilla is calling it a bug, and a security fix, whereas before it was fixed it was only a privacy concern.

    That in itself makes me wonder if more advantage of this bug was taken than is generally known.

    Thanks Again,

    HandsOff!
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    If you come up with a site for which you have to uninstall NoScript in order to do something that's important, post the link. :)

    Bo
     
  4. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Okay, maybe I have such a site. I don't understand what is going on here at this site:

    http://www.photozone.de/Reviews/179...-report--review?start=1&ModPagespeed=noscript

    I do not understand the reference at the end that says noscript.

    This is a camera lens review site that I can say is legitimate. Sites like these like to display a grid that shows the amount of distortion a lens has. This lens, being a zoom lens, will have varying amounts of distortion based on the focal length, so, and I admit it is sort of cool, you hover your pointer over the 17 that is immediately above the chart and you see the distortion, you hover over 24 and you should see the distortion for that length; the remaining two lengths covered are 50 and 85.

    I lead a boring life. One of my biggest pleasures is watching the grid change when I migrate my pointer from one number to the next.

    My life just got significantly more boring.

    So, I started by white listing the site - No change
    I deactivated No script. - No change.
    I removed No Script - Still no change!!!

    This site worked fine yesterday!

    Any suggestions? Thanks!

    - Mac

    ===============UPDATE===============UPDATE===============UPDATE===============UPDATE================

    Apparently disabling, uninstalling and restarting Firefox was not enough. I guess for some reason you have to restart your computer as well. After doing so
    I can finally view the page functioning the way I am used to.

    The point still remains. White listing and disabling the plugin, and restarting Firefox did not make the site work. Another site that has been around for years, if not decades, DPreview, displayed the same behavior (for example: http://www.dpreview.com/lensreviews/canon_17-85_4-5p6_is_usm_c16/3 ). Scroll to near the bottom of the page where there is a bar graph showing the effective blurriness of photos at four different settings.

    You said sites that do something important, and you may not consider these examples important, but it is in fact a very good way to display the information. By seeing the effects of different settings change as you compare one setting to the next.

    What I don't get is why white listing, then deactivating the plugin is still not enough to get access to the pages. I suppose I could try to white list and deactivate the site, then shut down Firefox, and restart my computer (without actually uninstalling No Script). Perhaps the computer restart is the key factor, though, ideally you would be prompted to restart your computer (not just browser - which BTW, it does not prompt you to even restart the browser! I did so because it seemed a good thing to try).

    Clearly, one is not going to want to do that on a regular basis! Some users consider it inconvenient. I don't doubt that statement!


    -HandsOff!
     
    Last edited: Apr 6, 2014
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    HandsOff, after allowing photozone.de, I can see the distortions when I hover the pointer over the numbers. That's all you need to allow on this site to do what you describe above.
    For DP reviews, after allowing dpreview.com and img-dpreview.com, the bar graph works when I hover the mouse over "17mm IS OFF", etc. Getting both of these sites to work was easy and I didn't have to restart browser or computer. If you can't get them to work after allowing scripts from the sites that I mentioned, perhaps you are using another addon that's messing things up.

    Bo
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @ HandsOff: I think you bookmarked that photozone link when you had NoScript blocking some scripts that the website needed. Delete that bookmark and try again.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    "Almost no other Firefox extension gets signed these days (NoScript and FlashGot had been among the earliest and few for a long time), and AMO being the only authorized repository you can install the add-on from by default, there’s little or no point in keeping the relatively expensive and clunky signature machinery in place."
    http://hackademix.net/2013/07/20/noscript-and-flashgot-unsigned/
     
  8. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    noscript.ABE.migration;1
    noscript.contentBlocker;true
    noscript.forbidBookmarklets;true
    noscript.forbidMetaRefresh;true
    noscript.forbidWebGL;true
    noscript.gtemp;
    noscript.notify.hide;true
    noscript.notify.hideDelay;2
    noscript.options.tabSelectedIndexes;0,0,1
    noscript.policynames;
    noscript.showAddress;true
    noscript.showBaseDomain;false
    noscript.subscription.lastCheck;1058131408
    noscript.temp;
    noscript.version;2.6.8.19
    noscript.visibleUIChecked;true

    NoScript complete "uninstall" (reboot) still leaves entries in about:config which
    of course shows up in your profiles prefs.js file.
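
An added example (not part of the original post, and not NoScript's or Mozilla's own code): one way to audit a profile's prefs.js for the leftover `noscript.*` entries described above and produce a cleaned copy. The sample file content is constructed; the `noscripthelper.enabled` pref and the function names are hypothetical and only illustrate exact branch matching.

```python
import re

# One preference line as Firefox writes it: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.*)\);\s*$')

# Constructed sample (not a real profile); noscript.* names are from the post.
SAMPLE = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("noscript.forbidWebGL", true);
user_pref("noscript.gtemp", "");
user_pref("noscript.notify.hideDelay", 2);
user_pref("noscript.version", "2.6.8.19");
user_pref("noscripthelper.enabled", true);
'''


def in_branch(name, branches):
    """True if name is the branch itself or sits below it ("noscript.")."""
    return any(name == b or name.startswith(b + ".") for b in branches)


def find_leftovers(text, branches):
    """Return [(line_no, name, raw_value)] for prefs under the given branches."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = PREF_RE.match(line)
        if m and in_branch(m.group(1), branches):
            hits.append((no, m.group(1), m.group(2)))
    return hits


def strip_branches(text, branches):
    """Return (cleaned_text, removed_names); all other lines stay untouched."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if m and in_branch(m.group(1), branches):
            removed.append(m.group(1))
        else:
            kept.append(line)
    return "".join(kept), removed


if __name__ == "__main__":
    for no, name, value in find_leftovers(SAMPLE, ["noscript"]):
        print(f"line {no}: {name} = {value}")
    cleaned, removed = strip_branches(SAMPLE, ["noscript"])
    print(f"{len(removed)} entries removed; cleaned copy:\n{cleaned}")
```

Run it against a copy of prefs.js with Firefox closed, since the browser rewrites that file from its in-memory preferences.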
     
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i don't use script blockers anymore.
    they are becoming more and more of a headache to use.

    lots of sites these days need 2 or 3 external resources to operate normally.
    so in the end, you spend more time babysitting the bloody script blocker than surfing. :eek:

    these days, i just use Chrome and Ghostery to cut down on some of the stuff.
    Ghostery rarely breaks things and Chrome's sandbox is extra security compared to Firefox who still has no sandboxing.
     
    Last edited: Apr 13, 2014
  11. gorhill

    gorhill Guest

    Fair enough. I would say given the benchmarks I ran myself, Ghostery is a good choice indeed, marginally better than ABP. Even the "least performing" blocker (scare quotes because it's my own assessment with which someone might disagree) is a significant improvement over no blocker at all.

    To the benefit of other readers (not to try to change your mind), I will just note that HTTPSB can be used in allow-all/block-exceptionally mode, which, depending on the selected ubiquitous blacklists, results in a behavior similar to Ghostery or ABP, with the added benefit of all information a web page tries to do readily available if a user gets curious (and the UI to act upon that information if ever a user wishes to).
     
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    I'm the opposite; I find browsing incredibly annoying without some form of script blocking. Most websites are fancy with the JS to the point of being obnoxious.

    That said I don't use Noscript any more, because I don't use Firefox any more (but that has nothing to do with the software itself).
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Same here.

    NoScript makes browsing enjoyable as it gets rid of annoyances and makes browsing faster.

    Bo
     
  14. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,359
    Well said. :thumb:
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    See post #15.

    When I don't want to break sites, I use only Ghostery. When I want to speed up things, I use ScriptKeeper. :)
    And with Opera v12 it's also quite easy to disable scripting per site (without the need for extensions).

    For example, a site like Dailymail is ridiculously slow because of way too many scripts. :confused:
    Ghostery doesn't help in this case. However, it's kinda funny that with scripting disabled, Dailymail still works (for the most part).
     
    Last edited: Apr 14, 2014
  16. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx ray.
    i just re-installed HTTP SB in allow-all mode (while blacklisting frames) and will give it another try.
    ----
    edit:
    blacklisting frames was too much pain, so i whitelisted everything: allow-all/block-exceptionally mode,
    at least, i got the preset blocked host list to cut down on the sludge.

    like i said, managing these script blockers is way too much trouble these days.
    and it's only gonna get worse.
     
    Last edited: Apr 15, 2014
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I tend to agree with your assessment. Lately, I've found a few streaming audio sites I use routinely require some ad-type hosts to be allowed or the audio player won't work :( Some other sites (non-audio) I frequent often now require some undesirable js to be allowed for the sites to load properly, whereas before they didn't.
     
  18. gorhill

    gorhill Guest

    If you want, send me the URLs; I will look at how I can make it work, and create preset recipes.
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    the paranoid in me says they do it on purpose to defeat ad blockers and js blockers. lol :ninja:
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    It might be a Chrome problem, actually, with this site. The plug-in crashes when I try the "Listen Live" link:

    -http://www.sportsnet.ca/960/

    This one does work now on the "Listen live" link:

    -http://www.teamradio.ca/Canucks.aspx

    These sites have given me some grief, although I think I've got them working ok:

    -http://www.vancouversun.com/index.html
    -http://ca.askmen.com/
    -http://thechive.com/
    -http://www.upworthy.com/

    Thanks Raymond.

    You're probably right.
     
  21. gorhill

    gorhill Guest

    My attempt to make this one work failed. I allowed everything, including stuff in the behind-the-scene scope, and I just can't make it work. Could be because of some cookies. I gave up.

    That's a reality check for me. I need to provide a user-friendly workaround for these cases where it is beyond convoluted.

    Whitelisting all for a given scope is not good enough, because of those preset blocked hosts that get in the way unfortunately on such web pages. Disabling those preset blocked hosts globally is not an acceptable workaround.

    I need to do some thinking here. Maybe a per-scope switch to disable all preset blocked hosts, the same way there currently is a per-scope switch to disable BP filtering... I think that is what is missing. This way, a user could disable all blocking for a specific scope, and yet still be able to blacklist selectively for that scope, while that leaves all the other scopes untouched. This way security/privacy is not globally compromised because of just one annoying web page.

    I will enter a new issue: "Per-scope switch to disable all ubiquitous blocked hosts". I think this is what I will be working on for the next release.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Glad it's not just me. I was practically pulling my hair out (what's left of it) on this one. But you know what, I have no problems with it using Firefox w/NoScript, which is why I figured it could be a Chrome-related issue. Thanks again.
     
  23. gorhill

    gorhill Guest

    I have a prototype of HTTPSB here where I made the master switch (left-most button) apply to only the current scope. So I turned off that switch, and the player would still not work. Turns out there is a hidden flash object in there somewhere which needs to be allowed, and since we have click-to-play enabled, there was no way to click on that hidden flash plugin, which means no amount of work on HTTPSB would have helped make the player work unless one allows all plugins for that page in chromium settings (the plugin icon appears in the address bar when at least one is blocked, so it is easy to change the permissions from this icon).

    Still, I like the idea of the master switch affecting *only* the current scope, rather than HTTPSB globally. I think it is more likely a user would want to turn off HTTPSB just for one specific site (or more rarely domain) than globally. So I think I will keep this idea (found out that turning off only ubiquitous rules creates a lot of complicated side-effects, I'd rather not go that way).

    Edit: Actually this per-scope-master-switch will take care of a problem that was worrying me: the behind-the-scene scope. Since I had removed the checkbox to disable/enable enforcing rules on the behind-the-scene scope, this meant that all ubiquitous rules would now apply to that scope and there was no easy way to really completely whitelist the behind-the-scene scope. So the switch here will bring back that ability.
     
    Last edited by a moderator: Apr 16, 2014
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Seems like a good idea.
     
  25. gorhill

    gorhill Guest

    Well guess what, mypassword-is-password on github figured the set of rules required for http://player.rogersradio.ca/cfac/on_air and they are ridiculously small, considering the ginormous amount of bloat on the page. The preset rule is already available for download. Just be sure you allow your browser all plugins on that page, there is a needed hidden flash in there somewhere which cannot be clicked.
     