ScriptSafe former ScriptNo: Discussion

https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf

v1.0.6.12 - Tuesday, January 1, 2013

- v1.0.6.12 - fixed whitelist/blacklist site modification issue in Options page
- optimized filtering speed (slightly refactored the main blocking function)
- improved blocking of Unwanted Content Domains and Antisocial domains
- for blocked iframes, a blank page will be loaded instead of the "This web page was blocked by an extension" error page
- added a few more domains to the Antisocial list (e.g. Google+)
- fixed image blocking (issue #20 (thanks drdaeman))
- more reliable blocking of inline scripts (issue #161)
- removed two sites from the unwanted content providers list (passport.baidu.com and rottentomatoes.com) (issue #96)
- fixed "Disable" bug (issue #112)
- there were some syncing bugs that caused whitelists/blacklists to be cleared, which all should be fixed in this version (v1.0.6.11). Whitelist/blacklist syncing was a dream of mine for this extension and I was admittedly too eager to share it with you when I had it working. I have included a button in the Options page to hopefully restore your whitelist/blacklist; it has worked for a few users, but I cannot guarantee it will work in every case. I apologize immensely if you had your whitelist/blacklist deleted.

 

Still getting consistently "Enabled" results from isjavascriptenabled.com. I was hoping .11 would help, oh well.

 

I tried http://isjavascriptenabled.com/ again today with v. 1.0.6.12 and got the same results as you

 

hi
Im getting this from comodo dragon.

 

If I click on the provided link I consistently get No, and same thing from a search result. Always No. It's only when I paste the link into the address field that I get Yes. I don't know why that is the case.

EDIT

just a couple things I've noticed:

• The Import Settings + Lists doesn't seem to work properly. The lists I import fail to overwrite the current one.
• The auto-refresh function doesn't always work.

I've submitted both issues to Project >> Issues.

 

Just did some testing, and found a weird quirk in the chrome.onBeforeRequest API where it's firing when you click to it from another page (100% success rate), and firing as well if you type it in the address bar (but perhaps too late?):

http://i.imgur.com/eWVX6.png

I'm determined to squish this bug in the next hour before I head out for dinner. Of course, if it is something on my end!

EDIT: can't seem to get it working. I've contacted someone at Google.

 

Keep us posted.

 

Still waiting to hear back, but I've updated some other aspects of ScriptSafe in the meantime.

v1.0.6.13 - Tuesday, January 4, 2013
- tweaked syncing behaviour (disabled syncing by default) (issue #166)
- improved popup widget to not group blocked items with blocked antisocial/unwanted matches (e.g. apis.google.com/js/plusone.js vs the "card" and "payment" APIs also under the apis.google.com domain)
- fixed minor import sync notification popup bug
- minor code streamlining

 

Do i need adblock plus as well if im running this?
Does scriptsafe block ads also or just scripts and flash.
I have flashblock and ABP installed so wondering if i can ditch these?
Thanks.

 

Adblock Plus is an excellent extension, as well as Flashblock. They each (including ScriptSafe) perform different functions, so I'd recommended keeping Flashblock and ABP

 

Aren't the HOSTS files in ScriptSafe blocking many of the same domains of those in ABP filter lists?

With 1.0.6.2 I was using the hosts file feature and ABP with 3 Easylist filters. I did notice some slowdown in page loading. Once I let ABP handle domain blocking and ScriptSafe block or allow the occasional JS I specified (with the Chrome handling cookies & plugins), I noticed a boost in speed.

And thank you for all your work to keep to ScriptSafe maintained!

 

I'm not familiar with ScriptSafe and how it works, but FWIW, ABP doesn't actually block *all* requests. I'm not crystal clear on the details, but IIRC an ABP rule like ||example.com^ won't prevent your browser from issuing requests to example.com in cases such as:

1) Someone attempts to navigate to [noparse]http://example.com/[/noparse] by typing that into the address bar
2) Someone clicks on a redirection link such as [noparse]http://example.com/redirect.php?destination=http://blahblahblah.com[/noparse]
3) A page such as [noparse]http://blahblahblah.com/[/noparse] redirects to [noparse]http://example.com/[/noparse] via javascript.

Thus ABP is, sadly and unnecessarily (1), insufficient for blocking various things. So if you want more comprehensive blocking I think you *need* another tool.

(1) Edit: In FF at least, I just remembered reading something that suggested some browsers don't allow extensions as much control over requests. So adjust the "unnecessarily" as appropriate for Chrome which I'm not familiar with.

 

Thanks for that.

I've always wondered where the line is between potential overkill of hosts files and the things traditional ABP extensions let through, or even how they overlap. For max protection it seems that ABP wouldn't be necessary with ScriptSafe, if you're blocking full domains from 5 hosts files, you're pretty well covered. I'm just surmising, but I know the MVPS hosts file isn't maintained as frequently as Fanboy or Easylist subscriptions. I don't know about others.

 

I believe the standard hosts file approach is inadequate in some ways. There is no wildcard or regular expression support. It is DENY only and you can't overlap ALLOW rules with the DENY rules in order to more easily achieve some objectives. Hits are based solely on the hostname being looked up. Say xyz.example.com resolves to 192.168.100.100. What if the user wants to block, by specifying an IP Address or range or CIDR notation, 192.168.100.100? What if the folks running example.com mapped xyz.example.com to a DoubleClick IP Address, a reverse DNS lookup for 192.168.100.100 would return foobar.doubleclick.net, and the user has a deny rule for foobar.doubleclick.net? In some cases, the ability to base actions on other DNS records/results would be useful. Particularly in a browsing context, one would often want to factor in context such as whether the communication will be to a third party, be able to target certain types of elements/content, pattern match other portions of URLs, etc. Again, I don't know how ScriptSafe works, just throwing out food for thought.

 

Indeed, the HOSTS file has those limitations. I don't use it and don't know about most of its functionality, but those wanting to use wildcards can make use of Acrylic DNS Proxy (I think it's how it's called.), which does use its own HOSTS file.

 

Another trigger point is from Bookmark / Bookmark Bar.
Direct Click --> Not Blocked.
Right Click Bookmark - Open in New Tab (Ctrl/Command - Click) --> Blocked.

1 Usage scenario.
Google Reader.
If using Google Reader - V keyboard shortcut to open a link. (Target site script enabled)
If Right click-Open in new tab (Ctrl/Cmd - Click) to open a link. (Target site script disabled)

***

Another things is this weird bugs or problem?
Assume a new/clean browser + extensions (default settings)
Visit eg www.cultofmac.com
Confirm all script is in disabled state.
Then Temp Allow www.cultofmac.com domain.
Almost everything execute including lot of 3rd party scripts eg lot of ads, widget etc.
IIRC last i check only 1.0.6.X version got this weird problem.

 

there's been quite a few discussions here as to why Chrome has problems dealing with those javascripts blocking plugins.

i think it's got to do witn Chrome API (if i recall correctly).
whatever that is. lol

 

Tons of images are being blocked at Howtogeek (e.g. http://www.howtogeek.com/138456/htg-explains-why-is-my-browser-storing-all-this-private-data-anyway/). Any idea what to unblock?
At least I finally got my extensions and Instapaper to work with SS.

 

of course you have to allow the main site in Scriptsafe if it's javascript-happy.
if the image are hosted from somewhere else you will also have to allow that domain as well.

 

I love how it has syncing and multiple sources to block unwanted content. Since I'm lazy and surf way too much, I just set it to allow mode with strict unwanted content mode and click to play plugins. That's secure enough for me.

 

The new declarativeWebRequest API is now considered to be feature complete. It's available in the Chrome beta and dev versions. Since it is considerably faster than the old webRequest API, ScriptSafe should definitely benefit.

Andrew, are you working on a new version using that API?

 

Thanks for posting this info, tlu.

If Andrew can get ScriptSafe to work properly with this new development, then I will consider going back to Chrome + ScriptSafe, otherwise I'm sticking with Firefox + NoScript.

 

I would consider ScriptSafe again as well. A few bugs was killing daily usage for me.

 

Two questions.

Are the unwanted content lists suppose to automatically update? I ask, because I've never seen them updating. Not much sense in having this feature, if it won't automatically update.

Any news about the -http://isjavascriptenabled.com/ issue?

@wat0114

Regardless of the way that I access -http://isjavascriptenabled.com/ I always get it to display Yes... But, it does block Google Analytics properly. Isn't that how the URL tests whether or not JavaScript is enabled?

 

Sorry, I don't know how it tests for javascript's rendering status. I haven't used ScriptSafe for several months now. In fact, I just switched yesterday from Chrome to Chromium daily builds, using a link you supplied a few days ago in another thread

I'm just using block javascript and images with exceptions using ([*.]com, [*.]org, [*.]ca, etc...) obviously not ideal but that combined with restricted remote browser ports does at least reduce the attack surface to some degree.

*Edit*

if I block .com it shows the script tags...

<h1 id="no">NO</h1>