Firefox 57 & Noscript 10 usage guide - 1st edition

Discussion in 'other software & services' started by Mrkvonic, Nov 22, 2017.

  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    I've written an important guide on how to manage and use Noscript Security Suite 10, the new WebExtension for Firefox 57 (Quantum) and higher, including overview, scopes, capabilities, temporarily allow functionality, per-site overrides, whitelisting, debug and JSON configuration, other options, current usage model problems, suggestions, and more. This is the 1st edition of this tutorial, and there will be updates. Enjoy.

    https://www.dedoimedo.com/computers/firefox-noscript-10-guide-1.html


    Cheers,
    Mrk
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    This is how I temporarily allow sites.

    #22
    [​IMG]
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    What happens after you restart the browser. What permissions do you end up with for the domain?
    Mrk
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    I see this works in 2 out of 3 cases - does not persist on one of the browsers.
    I will add this, for people to test and experiment. Thanks.
    Mrk
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    For me personally, allowing per site temporarily works 100% of the time. You just have to be a little more careful now than before "as you have to make sure the little clock gets actually clicked when you click it". It becomes a little bigger when the permission is set as temporary. So, look at the clock as it changes size. Thats the tell sign.

    If you do it right, allowing temp permissions works identically as it did before: Sites go back to default when you restart the browser.

    Temporarily allowing sites can be done 2 ways, via clicking the Custom button or the Trusted button. I think its a little easier doing it via the Trusted button.

    By the way, MrKvonic, good article, I ll make some comment about some of the things you said.

    You mentioned the scope for Default. I think whats best is to set Default as it was in version 5, no permissions at all, look below.

    Sin título.jpg

    That way, NoScript 10 would treat all scripts when you visit websites as Untrusted (like before), except the ones that you have white listed.

    Another thing. About deleting whitelisted entries, you dont need to use the debug button.You can delete white listed and black listed sites from the UI. When you visit a site, if you want to delete a site that's white listed or black listed, just move the toggle to default. After doing that, when you reopen Options, sites wont appear in the list anymore.

    Last comment. You said, "As you can see below, the UNTRUSTED scope does not have any elements (capabilities), nor sites at the moment, and custom is also empty." The Untrusted list looks empty for you, because you are not black listing sites. To me personally, blacklisting/untrusting sites is more important than white listing. You should start doing it MrK. This is huge, for example, when you Allow scripts globally, all scripts are allowed to run (the ones under Default), but not the ones in your Untrusted list. Building your black list also make things work out pretty well when you allow sites temporarily (this setting will make it back in the future) or when you land in a new site and you need to temp allow one or 2 domains to run.

    In NoScript 10, unlike version 5, all trusted and untrusted domains are in one list. I have a large black list, compare the end of my Options page to the one you posted in your article.

    black.jpg

    Bo
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hey bo,

    I'm not sure about blacklists, as they can break things. But then, it's entirely up to you, of course. And also, why would you turn scripts globally?

    True, you don't need the debug, but it helps people really understand what's happening - and if you read the json file, it makes more sense.

    In the end, we will most likely have a decent extension, but it's still a bit rough.

    Mrk
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Thanks Mrk.
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Using a black list doesn't break things, but it makes things safer and easier when you go to a new site with a bunch of domains and you need to allow a few for the site to work. At this type of site, when you open the NoScript menu, you ignore the black listed sites and deal only with the ones labeled default. The ones labeled Default would be the only domains that run scripts if you temporarily allow the whole page to load scripts or the ones you ll fiddle with if you try to get the site to work by only allowing one or two domains.

    When you are browsing, you ignore the black listed sites. This type of list, in my opinion, should be built based on each users case use. For example, my black listed sites are sites that I found that allowing their scripts to run are not required in any site I usually visit. So, sites I blacklisted on sites I visit on a regular basis are almost never required for anything meaningful in any site I visit for the first time at random. This is so because most black listed domains are ad servers, trackers, malicious domains.

    Why turn scripts globally? You know, just like there are sites that fight adblockers, there also sites that wont allow you to view content if you are using an script blocker. They are rare but there are some. This are sites that load malware, trackers, mean sites. And also, sometimes in a new site, a site you are never going to visit again, after temporarily allowing the page 3 or 4 times, the page might still not load what you want. So, what are you going to do, turn NoScript completely off. No, you dont need to do that. By allowing scripts globally, all scripts that load in that page would run, except the ones in your black list. Using the black list STILL eliminates the nasty scripts when using that setting.

    Here, let me give you an example. Look at the 2 pictures below, they are from a site I visit regularly to watch live sports. Thats a mean site. I had to post 2 pictures to cover all the scripts it loads. The first one ends with sawlive.tv, start reading the 2nd picture from sawlive. At the end of life of version 5, I had to allow scripts globally for that site to work. So, thats a plus right now, as I dont have to do it with version 10. But when I allowed scripts globally with version 5 in that site, all domains you see labeled as Untrusted did not run scripts. None. The only ones that ran are the 2 scripts that you see as Trusted (goatdee and sawlivetv) and the ones labeled Default.

    The end result experience watching games was basically the same with NoScript completely turned on or with scripts allowed globally. The reason being because all the nasty scripts were and still are now included in my blacklist.

    1.jpg

    2.jpg

    Bo
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    For people who dont know NoScript, the only domains that load script for me when I open that site are the 2 labeled as Trusted (sawlive and goatdee). NoScript is power.

    Bo
     
    Last edited: Nov 22, 2017
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Mr K, take a look, this is the killer way to set nasty sites you visit often. This is from the same site I posted pictures yesterday, post#8. I played with the site just now and "update" it, to include recently added garbage to my Untrusted list.

    Sin título.jpg

    2.jpg

    Bo
     
  11. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Messy UI and no good on all my Linux OS - has anyone got it running satisfactorily in Linux? uMatrix is so much more intuitive.
    I won't be using it in Firefox 57, in any case I was only interested in XSS protection before the web extension upgrade.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Yup, got it running fine in Kubuntu. Small glitches here and there, but not specific to Linux.
    Mrk
     
  13. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Sort of works (terrible really) if I disable uMatrix.
     
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    same for me. NS10 seems a hybrid of uBlock and uMatrix. some are no/yes and some are "noop" (similar uB feature).

    https://noscript.net/features
    this seems not simple to use for me, 7 state icons and a horrible ui for management.

    missing ABE.

    currently i never would recommend it.
     
  15. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
    The worst in this program is that when you change settings inside a given site you're actually changing global settings.
    I allowed disqus.com and twitter.com on a site only to find them allowed in all other sites. This is definitely a flaw and it compares unfavourably to the granularity of Ublock.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    At first site I really don't like the new interface, seems to be a step in the wrong direction, but still need to play with it.
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    No, NoScript is not a hybrid of uBlock and uMatrix. It might appear to you as such, but it aint.. NoScript sill works the same as the old NoScript where you globally allow a few scripts, black list others (in my case thats a long list), and the rest of domains are treated as Default (as in the past). The only difference now is that Settings where you set what Default domains are allowed to run is now also in the same window, were before they were in a different window. And also now, there is a new heading were you can set rules for individual domains.

    Bo
     
    Last edited: Nov 25, 2017
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    No, thats not a flaw, thats how NoScript works by design. As a long time NoScript user, thats exactly how I want the program to work.

    Bo
     
  19. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
    But why? Hasn't the feature (per-site settings) been asked time and again? And hasn't it been promised by the developer?
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Hi Joxx, you ask, why wouldn't I want NoScript to function like Umatrix? There are a few reasons. For one, I like the way NoScrip works. If you think a domain should be untrusted, you untrust it everywhere. If you trust it, and require the domain, then you white list it. In my view and personal experience using the internet, there are only a few domains that I wouldn't mind setting up so they can only run in some webpages and not in the rest. Not even 10. Sites like that in my personal case are like google, facebook, tweeter, cloudfront, ajax.googleapis, etc. Thats about it. I said 10, but what I wrote is really it. And what do I do with domains of this kind? I treat them as Default. In my case use, Default is the same as Untrusted, meaning this are domains that are not allowed to run anything. And when you require one to load scripts, then you allow it temporarily.

    Another thing, I like set and forget programs. And thats NoScript. Once you set things up, after a while, you dont have to be fiddling around with this domain and that domain, and allow this and forbid that, Is all done. All this tinkering that you do with Umatrix, in my view is unnecessary. If doing it gives you joy, good for you, and not into it.

    Regarding people asking for NoScript to work as Umatrix. The only people I seen doing something like that are Umatrix users, like you :D.

    Bo
     
    Last edited: Nov 26, 2017
  21. gorhill

    gorhill Guest

    This argument against uMatrix is fallacious, because the same can be (and is) said of uMatrix: "Once you set things up, after a while, you dont have to be fiddling around".

    Whoever prefers to always work with global rules can work this way as well with uMatrix, there is no specific usage enforced: per-site rules are supported, as well as global rules -- it's possible to work completely with only setting global block/allow rules.

    At least I am happy to see that many are now trying it and realizing for themselves many of the false claims made about it.
     
    Last edited by a moderator: Nov 26, 2017
  22. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Gorihill, Joxx asked why I like the way NoScript works and prefer not to do the tinkering that your fans are proud to claim that is the Suoerprogram feature, and I answered. I like NoScript over your programs. period.

    By the way, this thread is about NoScript, not your programs.

    Ocky, you keep using SuperGorhills programs, I ll keep using NoScript.

    1.jpg

    2.jpg

    3.jpg

    And now is time to go watch my Falcons..

    Bo
     
  24. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    @bo elam.
    No disrespect but i found your reply both disrespectful and incredibly rude toward gorhill.Your reply was in typical fanboy fashion and it seems that any criticism of noscript will fall upon deaf ears as far as you are concerned so any further discussion about noscript with you is a lesson in futility.
    It was actually you that brought umatrix into the conversation and you cannot seriously expect to speak of noscript without also talking about ublock and umatrix.
    i tried noscript and its a no-go for me.
    Where on earth are the options ?
    Plus it does not block ads which i mentioned to you before.why should i bother adding another extension to block ads when UBO does it all in one.?
    As you can imagine noscript was given the boot.
     
  25. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    @bo elam

    I haven't bothered much with uMatrix. But as for uBlock, you don't need to tinker too much with it if you don't want to. NoScript adds rule globally but also uBlock, the difference is that with uBlock users can also make more specific rules (of course this isn't requirement. You can allow a script globally as you do with NoScript).

    uBlock also has the benefit of being considered a very lightweight adblocker.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.