<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.3" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>
<channel>
	<title>Comments on: A Fistful of Pixels</title>
	<link>http://hackademix.net/2011/05/22/a-fistful-of-pixels/</link>
	<description>Giorgio Maone's answers to the Web, the Universe, and Everything</description>
	<pubDate>Wed, 16 May 2012 22:29:23 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.3</generator>

	<item>
		<title>By: Giorgio</title>
		<link>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24921</link>
		<dc:creator>Giorgio</dc:creator>
		<pubDate>Tue, 19 Jul 2011 09:40:09 +0000</pubDate>
		<guid>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24921</guid>
		<description>@&lt;a href="http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24920" rel="nofollow"&gt;Reto in Geneva/Switzerland&lt;/a&gt;

The "25% slow down" you read about refers just to the browser *startup* time (i.e. the time the browser takes to start when you summon it for the first time) and, even so, the measurement has been widely criticized for its methodological flaws.
However, if you take it for good, this just means that NoScript's initialization adds about 1/10 of a second to the browser's time to start. Is this something you can live with? On the other hand, by preventing lots of useless content from being loaded and executed, NoScript sensibly reduces page load times, CPU burden and memory consumption. What's more important to you, performance-wise?
At any rate, the startup time is being optimized as well, but don't forget that taken alone it is a misleading metric.</description>
		<content:encoded><![CDATA[<p>@<a href="http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24920" rel="nofollow">Reto in Geneva/Switzerland</a></p>
<p>The &#8220;25% slow down&#8221; you read about refers just to the browser *startup* time (i.e. the time the browser takes to start when you summon it for the first time) and, even so, the measurement has been widely criticized for its methodological flaws.<br />
However, if you take it for good, this just means that NoScript&#8217;s initialization adds about 1/10 of a second to the browser&#8217;s time to start. Is this something you can live with? On the other hand, by preventing lots of useless content from being loaded and executed, NoScript sensibly reduces page load times, CPU burden and memory consumption. What&#8217;s more important to you, performance-wise?<br />
At any rate, the startup time is being optimized as well, but don&#8217;t forget that taken alone it is a misleading metric.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Reto in Geneva/Switzerland</title>
		<link>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24920</link>
		<dc:creator>Reto in Geneva/Switzerland</dc:creator>
		<pubDate>Tue, 19 Jul 2011 07:30:19 +0000</pubDate>
		<guid>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24920</guid>
		<description>Hello, 

Using your add-on since always,

I believe it's an important one... :-)

BUT it seems it slows down Firefox by 25%!!!

I think it would be nice if you put an effort
on Firefox's RAM use...

Thanks for taking this criticism into account and improving this point for one of the next versions :-)</description>
		<content:encoded><![CDATA[<p>Hello, </p>
<p>Using your add-on since always,</p>
<p>I believe it&#8217;s an important one&#8230; :-)</p>
<p>BUT it seems it slows down Firefox by 25%!!!</p>
<p>I think it would be nice if you put an effort<br />
on Firefox&#8217;s RAM use&#8230;</p>
<p>Thanks for taking this criticism into account and improving this point for one of the next versions :-)</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Björn</title>
		<link>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24868</link>
		<dc:creator>Björn</dc:creator>
		<pubDate>Sun, 26 Jun 2011 11:08:25 +0000</pubDate>
		<guid>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24868</guid>
		<description>And now the protocol is gone…</description>
		<content:encoded><![CDATA[<p>And now the protocol is gone…</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Giorgio</title>
		<link>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24860</link>
		<dc:creator>Giorgio</dc:creator>
		<pubDate>Mon, 20 Jun 2011 13:37:30 +0000</pubDate>
		<guid>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24860</guid>
		<description>It's been an AMO bug, see http://forums.informaction.com/viewtopic.php?f=8&#038;t=6626</description>
		<content:encoded><![CDATA[<p>It&#8217;s been an AMO bug, see <a href="http://forums.informaction.com/viewtopic.php?f=8&#038;t=6626" rel="nofollow">http://forums.informaction.com/viewtopic.php?f=8&#038;t=6626</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Reolo</title>
		<link>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24859</link>
		<dc:creator>Reolo</dc:creator>
		<pubDate>Mon, 20 Jun 2011 13:24:56 +0000</pubDate>
		<guid>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24859</guid>
		<description>OT:
@Maone, it's the second time I receive automatic RC updates for NoScript, why don't I get only final versions?</description>
		<content:encoded><![CDATA[<p>OT:<br />
@Maone, it&#8217;s the second time I receive automatic RC updates for NoScript, why don&#8217;t I get only final versions?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Sergio Leone</title>
		<link>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24771</link>
		<dc:creator>Sergio Leone</dc:creator>
		<pubDate>Mon, 30 May 2011 23:26:53 +0000</pubDate>
		<guid>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24771</guid>
		<description>@ Thrawn, 

Thanks, but I wouldn't use IE to e-mail my grandmother on her anniversary, much less do online banking with it.

&#34;for better or worse, in terms of proper website rendering, it has the most developer support.&#34;

For worse, methinks. My sites render fine in Fx. What if my bank is the victim of, say, an XSS attack or a clickjack attack? And did you know that there are a few financial sites that won't work unless you allow doubleclick or amazon or whatever? Possibly in iFrame. Facilitates such attacks.

I deleted IE from this machine a couple of years ago, along with all support files that weren't needed by the OS itself.</description>
		<content:encoded><![CDATA[<p>@ Thrawn, </p>
<p>Thanks, but I wouldn&#8217;t use IE to e-mail my grandmother on her anniversary, much less do online banking with it.</p>
<p>&quot;for better or worse, in terms of proper website rendering, it has the most developer support.&quot;</p>
<p>For worse, methinks. My sites render fine in Fx. What if my bank is the victim of, say, an XSS attack or a clickjack attack? And did you know that there are a few financial sites that won&#8217;t work unless you allow doubleclick or amazon or whatever? Possibly in iFrame. Facilitates such attacks.</p>
<p>I deleted IE from this machine a couple of years ago, along with all support files that weren&#8217;t needed by the OS itself.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Thrawn</title>
		<link>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24766</link>
		<dc:creator>Thrawn</dc:creator>
		<pubDate>Mon, 30 May 2011 00:05:38 +0000</pubDate>
		<guid>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24766</guid>
		<description>@Sergio Leone:
Hmm...maybe the suggested best practice of using a separate browser session for sensitive activities is a use case for Internet Explorer? After all, it should only be let loose on highly-trusted sites anyway! Browse in Firefox, then close it (and let it save your session), open IE, follow bookmarks to your bank/webmail/etc (or configure your homepage to open them automatically), close IE, back to Firefox for browsing. Methinks it has potential.

Of course, IE doesn't have to be the trusted-sites-only browser; anything could be. But it's available on Windows machines without installation, and for better or worse, in terms of proper website rendering, it has the most developer support.</description>
		<content:encoded><![CDATA[<p>@Sergio Leone:<br />
Hmm&#8230;maybe the suggested best practice of using a separate browser session for sensitive activities is a use case for Internet Explorer? After all, it should only be let loose on highly-trusted sites anyway! Browse in Firefox, then close it (and let it save your session), open IE, follow bookmarks to your bank/webmail/etc (or configure your homepage to open them automatically), close IE, back to Firefox for browsing. Methinks it has potential.</p>
<p>Of course, IE doesn&#8217;t have to be the trusted-sites-only browser; anything could be. But it&#8217;s available on Windows machines without installation, and for better or worse, in terms of proper website rendering, it has the most developer support.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Sergio Leone</title>
		<link>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24756</link>
		<dc:creator>Sergio Leone</dc:creator>
		<pubDate>Wed, 25 May 2011 08:06:05 +0000</pubDate>
		<guid>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24756</guid>
		<description>Grazie for the plug, Signore. I repeatedly ranted against the jazz-it-up look of Fx3 (The Ugly) vs. the clean, simple lines of Fx2 (The Good), and was derided for it. Now, Fx4 (The Bad) goes too far in the other direction, with gray-on-gray icons on top, and no status bar on the bottom for icons of add-ons, their status, and easy use of same. Getting rid of the URL bar is idiotic, after all the time and trouble spent getting color codes to show standard or EV SSL/TLS, or even just the yellow icon.

Does the attack work when a non-secure-site tab is &#34;morphed into&#34; a secured one?

One of the contributing factors is an ADD-lebrained generation that cannot possibly bear life with fewer than half a dozen tabs open. As a very wise man wrote,

&#34;Best Practice: Before engaging in sensitive activities like financial management, close *all* browsers, tabs, windows, whatever. Then re-open a fresh browser, do your banking, and *close it* before resuming non-sensitive browsing.&#34;.

Anything that requires a username and password is, by definition, sensitive to some degree. This Best Practice would seem to defeat the tab-morphing attack completely. In the meantime, it's a good idea to allow users leeway to configure the toolbars, etc., that will or will not be visible, but a very bad idea to strip out everything at the factory. So yes, I'm with you, amico: We still need A Few Pixels More.

By the way, that Best Practice quote is found by clicking the link in my sig, which takes you to my alter ego, The Man With No Name But Who Posts Under One. Post #28160. (I think Bad Behavior blocked an attempt to put the entire PHP post address in the Website block. And I'm going blind trying to read the **** recaptcha nonsense words. There must be a better way.)</description>
		<content:encoded><![CDATA[<p>Grazie for the plug, Signore. I repeatedly ranted against the jazz-it-up look of Fx3 (The Ugly) vs. the clean, simple lines of Fx2 (The Good), and was derided for it. Now, Fx4 (The Bad) goes too far in the other direction, with gray-on-gray icons on top, and no status bar on the bottom for icons of add-ons, their status, and easy use of same. Getting rid of the URL bar is idiotic, after all the time and trouble spent getting color codes to show standard or EV SSL/TLS, or even just the yellow icon.</p>
<p>Does the attack work when a non-secure-site tab is &quot;morphed into&quot; a secured one?</p>
<p>One of the contributing factors is an ADD-lebrained generation that cannot possibly bear life with fewer than half a dozen tabs open. As a very wise man wrote,</p>
<p>&quot;Best Practice: Before engaging in sensitive activities like financial management, close *all* browsers, tabs, windows, whatever. Then re-open a fresh browser, do your banking, and *close it* before resuming non-sensitive browsing.&quot;.</p>
<p>Anything that requires a username and password is, by definition, sensitive to some degree. This Best Practice would seem to defeat the tab-morphing attack completely. In the meantime, it&#8217;s a good idea to allow users leeway to configure the toolbars, etc., that will or will not be visible, but a very bad idea to strip out everything at the factory. So yes, I&#8217;m with you, amico: We still need A Few Pixels More.</p>
<p>By the way, that Best Practice quote is found by clicking the link in my sig, which takes you to my alter ego, The Man With No Name But Who Posts Under One. Post #28160. (I think Bad Behavior blocked an attempt to put the entire PHP post address in the Website block. And I&#8217;m going blind trying to read the **** recaptcha nonsense words. There must be a better way.)</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: sabret00the</title>
		<link>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24740</link>
		<dc:creator>sabret00the</dc:creator>
		<pubDate>Mon, 23 May 2011 12:28:29 +0000</pubDate>
		<guid>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24740</guid>
		<description>The site identity block seems to be getting a lot of mentions lately, but it's obsolete for the vast majority of the net and especially so in a conversation where we're discussing the removal of the URL bar. A prime example is this very site. Click the site identity block and what do you get? Nothing. How is that helpful to anyone? Saying that URLs are obsolete to the average Joseph/Josefine is all well and done, but surely if that is such a case, the emphasis should be on educating the average user of its importance and role?</description>
		<content:encoded><![CDATA[<p>The site identity block seems to be getting a lot of mentions lately, but it&#8217;s obsolete for the vast majority of the net and especially so in a conversation where we&#8217;re discussing the removal of the URL bar. A prime example is this very site. Click the site identity block and what do you get? Nothing. How is that helpful to anyone? Saying that URLs are obsolete to the average Joseph/Josefine is all well and done, but surely if that is such a case, the emphasis should be on educating the average user of its importance and role?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: AnonymousCoward</title>
		<link>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24738</link>
		<dc:creator>AnonymousCoward</dc:creator>
		<pubDate>Mon, 23 May 2011 08:10:49 +0000</pubDate>
		<guid>http://hackademix.net/2011/05/22/a-fistful-of-pixels/#comment-24738</guid>
		<description>@Asa Dotzler
Cart before Horse; give us the site identity block and let us evaluate it before disappearing the only plain UI tool left for individuals to verify web navigation. All warning systems have failed so far, so pardon the skepticism about this airware.
And that those who are alert to subversion of the web find the address bar a help should be deprived of it because it's &#34;not a big win&#34; seems a tad dismissive. Then again, if all Firefox wants is to look after Important-But-Inattentive Mobile Users In A Hurry, then say it now and I can get moving on a push for a fork of Fx-with-UI-feedback.
See, the problem with one-web-fits-all is that while the web has indeed been mostly taken over by commerce, and all power to you and your mates in your work to make users meld seamlessly with services, some of us are forced to access government and financial organisations through web interfaces only and know that those organisations are mostly years behind your bleeding edge in their attention to users' security.  
So, in sort of the same way as ISPs with any sense are getting up and running towards IPv6 with dual stack addressing, it's really only fair that Firefox should continue to provide dual old-style UI feedback/new style fingerpoken ideograms ... until us dinosaurs who can read and compare text die out. 
Fx participant here, since Firebird.
NS participant since V1.0
The complete, entire pressure for the development of Firefox was to get back diverse user control from MS of what web pages were delivering.  NoScript took up the baton as even Firefox lost sight of the way that the web and browsers had become the battlefield for malware, and I hope there's enough still under the hood to allow us to support anybody else who wants to step up to the plate and continue to allow that diversity some agency. 

Thanks Giorgio for the pointer.  Fistful of Pixels :-)</description>
		<content:encoded><![CDATA[<p>@Asa Dotzler<br />
Cart before Horse; give us the site identity block and let us evaluate it before disappearing the only plain UI tool left for individuals to verify web navigation. All warning systems have failed so far, so pardon the skepticism about this airware.<br />
And that those who are alert to subversion of the web find the address bar a help should be deprived of it because it&#8217;s &quot;not a big win&quot; seems a tad dismissive. Then again, if all Firefox wants is to look after Important-But-Inattentive Mobile Users In A Hurry, then say it now and I can get moving on a push for a fork of Fx-with-UI-feedback.<br />
See, the problem with one-web-fits-all is that while the web has indeed been mostly taken over by commerce, and all power to you and your mates in your work to make users meld seamlessly with services, some of us are forced to access government and financial organisations through web interfaces only and know that those organisations are mostly years behind your bleeding edge in their attention to users&#8217; security.<br />
So, in sort of the same way as ISPs with any sense are getting up and running towards IPv6 with dual stack addressing, it&#8217;s really only fair that Firefox should continue to provide dual old-style UI feedback/new style fingerpoken ideograms &#8230; until us dinosaurs who can read and compare text die out.<br />
Fx participant here, since Firebird.<br />
NS participant since V1.0<br />
The complete, entire pressure for the development of Firefox was to get back diverse user control from MS of what web pages were delivering.  NoScript took up the baton as even Firefox lost sight of the way that the web and browsers had become the battlefield for malware, and I hope there&#8217;s enough still under the hood to allow us to support anybody else who wants to step up to the plate and continue to allow that diversity some agency. </p>
<p>Thanks Giorgio for the pointer.  Fistful of Pixels :-)</p>
]]></content:encoded>
	</item>
</channel>
</rss>

