Archive for the NoScript Category

NoScript is (again) finalist for Best Security/Privacy Add-On at About.com, show it your love here (you’ll need to temporarily allow about.com).

Thank you!

Also, Firefox’s native implementation of the Do Not Track proposal will end up using the eponymous header, after all. It will be shrunk to DNT for bandwidth’s sake, though, without the “X-”, and it is on its way to being submitted as an IETF internet draft.

Waiting for Firefox 4, NoScript 2.0.9.7rc4 has already adopted the new header name, after Jonathan Mayer politely asked me some hours ago.

Firefox embracing “Do Not Track” directly, shortly after Adblock Plus and NoScript started experimenting with it, is great news of course.

Just, why exactly invent yet another header (“X-Tracking-Choice”) rather than reusing the “X-Do-Not-Track” proposal, which had even been endorsed by Sid Stamm himself?

Latest NoScript (2.0.9) supports the Do Not Track tracking opt-out proposal, joining AdBlock Plus in this experiment.

From now on, a web browser with NoScript installed warns every HTTP server it contacts that its user does not want to be tracked, i.e. that his data must not be collected for profiling and persistent identification purposes. I believe this is a safe assumption about the feelings of most if not all NoScript users.

As stupid as it may sound (why would parties who are interested in tracking you comply?), a means to clearly express your will not to be tracked is going to be useful, especially when backed by law or industry self-regulation, as explained here. Therefore it seems in the interest of NoScript users and privacy-concerned netizens in general to participate in this effort.

In its current release, NoScript allows the “Do Not Track” feature to be disabled or tweaked by opening about:config and editing the noscript.doNotTrack.* preferences:

  • noscript.doNotTrack.enabled (self-explanatory)
  • noscript.doNotTrack.exceptions, space-separated URL patterns of destinations which are not sent the “Do Not Track” message
  • noscript.doNotTrack.forced, space-separated URL patterns of destinations which are sent the “Do Not Track” message even if they match exceptions

A GUI for these options, and possibly finer grained controls (e.g. to allow some or all the 3rd party trackers on certain websites only) will be added in future releases.
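The precedence among the three preferences above can be sketched as follows. This is an added example, not NoScript's own code: the function names are hypothetical, the sample preference values are constructed, and the pattern syntax (a `*` wildcard, everything else literal, matched against the whole URL) is an assumption, since the post does not define "URL patterns".

```javascript
// Added illustration; not NoScript's code.
// Assumption: a pattern is a glob where "*" matches any run of characters
// and the pattern must match the entire URL.
function compilePatterns(prefValue) {
  return prefValue.split(/\s+/).filter(Boolean).map((glob) => {
    // Escape regex metacharacters except "*", then expand "*" to ".*".
    const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
    return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
  });
}

// Decide whether a request to `url` carries the opt-out message.
function shouldSendDNT(url, prefs) {
  if (!prefs["noscript.doNotTrack.enabled"]) return false;
  const matches = (name) =>
    compilePatterns(prefs[name] || "").some((re) => re.test(url));
  // "forced" wins even when the URL also matches "exceptions".
  if (matches("noscript.doNotTrack.forced")) return true;
  if (matches("noscript.doNotTrack.exceptions")) return false;
  return true; // default: every destination is told not to track
}

// Header set for a request; "DNT: 1" is the opt-out form of the header.
function requestHeaders(url, prefs) {
  return shouldSendDNT(url, prefs) ? { DNT: "1" } : {};
}

// Constructed sample: exempt two sites, but still force the message
// to the ad path hosted on one of them.
const samplePrefs = {
  "noscript.doNotTrack.enabled": true,
  "noscript.doNotTrack.exceptions":
    "https://shop.example/* https://news.example/*",
  "noscript.doNotTrack.forced": "https://shop.example/ads/*",
};

for (const url of [
  "https://other.example/",
  "https://shop.example/cart",
  "https://shop.example/ads/pixel.gif",
]) {
  console.log(url, JSON.stringify(requestHeaders(url, samplePrefs)));
}
```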

Update

The header name has been changed to DNT, but the preferences to control it remain the same.

Collin Jackson just sent me this email about Browserscope, which I talked about in my previous post:

Hi Giorgio,

Just a quick note to let you know that we’ve released a new Browserscope security test for Content Security Policy and fixed some bugs in the other tests.

You might want to update the NoScript web site to reflect the new score for NoScript-enabled Firefox.

http://www.browserscope.org/?category=security

Keep up the great work on NoScript…

Collin Jackson

So, Firefox 4 + NoScript (with “Allow Scripts Globally”!) now leads with 15/17, the highest score, on a par with Chrome.
Overtaking waits for a cross-zone CSRF / DNS Rebinding (AKA “Router Hacking Protection”) test, for instance :)
