Just released 10.1.5, and its changelog start to taste familiar, with names already well known in NoScript's development history, likw Masato or Mario:

v 10.1.5
=============================================================
+ [XSS] Added "Always block requests from ... to ..." in XSS
  warning prompt
x [XSS] Fixed url decoding bug (thanks Masato Kinugawa for
  reporting)
x Fixed some blocked items not reported in the UI (thanks Bo
  Elam for reporting)
x Changed the CSP internal report URI to noscript-csp.invalid
  (thanks Tom Schuster  Mario Heiderich for RFE)
- Removed unused MSE detection code (thanks Rob Wu for
  reporting)

From an usability standpoint, the biggest new is that now you can silence the XSS filter not just whitelisting ("Always allow requests from... to...") but also blacklisting ("Always block...").
Of course, much more to come in the next days and weeks...

XSS Prompt with "Always Block"

39 Responses to “NoScript Quantum 10.1.5, starts to feel normal”

  1. #1 passerby5 says:

    1 issue and another potential issue.

    Potential Issue: This XSS warning pop-up occurs a lot when entering a search on a new tab.

    Bug: When E10 (multi-process mode) is disabled, the XSS warning pop-up shows up as blank. Not sure if it's a Firefox issue or a NoScript issue.

  2. #2 Tomate says:

    Repeat:

    This is the correct and convenient place for bug reports/discussions:
    https://noscript.net/forum

    Thank You.

  3. #3 Giorgio says:

    @passerby5:
    The Google search bug is already fixed in 10.1.5.1 here.
    The popup showing blank is most likely a Firefox bug: what makes you keep it with e10s disabled (I believed it was not even an option anymore, in 57)?

  4. #4 passerby5 says:

    Responding to Giorgia (post #3):

    It's still in about:config. I keep it off since the multi-process mode eats up 1GB of RAM just from light browsing. So bloated.

    While on the topic of XSS, question. When the XSS warning pop-up shows up and you select to block it, the page also doesn't load. I thought in legacy NoScript, it would block the XSS component and keep chugging with the rest of the page. Is that no longer the case with NoScript 10?

  5. #5 Markus44 says:

    @Giorgio:
    Testing with my DEFAULT settings, i.e. only fonts allowed because Font-Awesome icons are broken otherwis, at news portal spiegel.de, __10.1.3c3__ (the version that works really well for me in productive use and to which I reverted after 10.1.3 and 10.1.4 and their respective bugs) shows 6 blocked scripts, __10.1.5__ races up to 112 scripts, then settles down to 6.

    Even more extreme jumping at sports portal kicker.de: __10.1.3c3__ shows 11 blocked scripts, __10.1.5__ first races up to 182 scripts, then settles down to the same 11.

    Is there an explanation for this new (partly extreme, see above) jumping of numbers in the counter on the said sites? Generally, even on other sites, it now seems to take a bit longer until the counter settles and shows a final number.

    Otherwise, this latest version, like 10.1.3c3, seems to be heading in the right direction. Well done!

    One little glitch I still see:
    CUSTOM settings are not temporary at first click each time. Aftre testing abit, it seems that if there is another entry in the drop-down list with _permanent_ CUSTOM settings, the CUSTOM settings of a new entry are directly permanent instead of temporary.

    Thanks a lot for your hard work!

  6. #6 Bo Elam says:

    The Google search bug appears to be gone with version 10.1.5.1. Nice.

    Bo

  7. #7 Giorgio says:

    @passerby5:
    The "old" XSS filter used to sanitize the request. More than once I vowed to discard this conservative approach and outright block it (that's what I had already done in NoScript for Android) because there's less potential for bugs: both over and under sanitization may lead to bypasses or even new vulnerabilities (it happened several times with the Microsoft Internet Explorer filter).

    @Markus44: the jumping number is due to NoScript counting all the blocked requests first, then coalescing them by origin. So if you've several scripts loaded from the same domain, you first notice a big number, then when the page is loaded it jumps down because they all are counted as one.

  8. #8 Markus44 says:

    @Giorgio:
    Thanks a lot for explaining the jumping numbers! Seen in that light, the big difference in numbers mentioned above makes perfect sense with Spiegel Online using almost a handful of CDN subdomains.

    Re: CUSTOM settings being _permanent already with the first click_, AFAICS it's reproducible that it happens each time there is _another_ site in the drop-down list which has _permanent_ CUSTOM permissions.
    Would be nice if you could think of that glitch in one of the next versions. For everybody working a lot with CUSTOM settings it would be great to always have to click just once to give temporary permissions. Thanks :)

  9. #9 jon says:

    NoScript was great, then it was dead with the first 10 version, but now it becomes better and better. It's funny and a kind of strange to watch the development. NoScript's reincarnation..

    Some UI ideas.
    - Kill the Default mode, because NoScript users know what's the default: UNTRUSTED
    - TRUSTED and UNTRUSTED options are global, so the settings for object, media, frame, etc.. should be done in the global settings

    Some of the UI mockups from the community are pretty cool. NoScript will be No.1 again!

  10. #10 monique says:

    @the XSS alert message above
    What does "from [...]" mean?

  11. #11 Arie says:

    It still sucks. To many sites / scripts are allowed by default. The old NoScript blocked everything by default, and that's the way it should be.

  12. #12 Randor says:

    Hi Giorgio,

    Just to be clear, NoScript 10+ is expected to reach full feature parity by the time Tor Browser switches to the next ESR, right ? (So Firefox 59.2, released when Firefox 61 is released, if I'm correct)

    By full feature parity I mean even the hidden ones we know little about, as well as things like script surrogates and the ability for the user to create custom ones.

    My understanding is that yes, feature parity is to be reached. But I'd rather make double sure with WebExtensions being so new.

    Thanks!
    And congrats on getting NS 10 out!

  13. #13 Randor says:

    ^ Feature parity *with legacy NoScript*, of course

  14. #14 Guillo says:

    #9 says:

    "Some UI ideas.
    - Kill the Default mode, because NoScript users know what's the default: UNTRUSTED"

    THIS. THIS. THIS.

    If this was implemented, I would probably attempt to use NoScript 10 again.

  15. #15 Giorgio says:

    @monique:
    [...] means request "not originated from another site" but, for instance, by typing on the navigation bar.

    @Arie:
    The sites that are TRUSTED by default are the same in the old default whitelist. You can remove them from the Options panel, just like it was before (hell, is one of the few things remained almost identical), by setting them to DEFAULT.

    @Markus44:
    That's intentional: TRUSTED is temporary by default, CUSTOM is permanent by default. I figured out they were sensible defaults for those different presets.

    @Randor:
    Yes, feature parity with legacy NoScript, at least security-wise (it cannot ever be UI-wise), for the features which still make sense in Firefox 59 (browser security evolved as well in 12 years) is gonna happen before the Tor Browser switches to WebExtensions, of course.

    @Guillo:
    DEFAULT is the old "unknown site", and setting a site to DEFAULT just means deleting it from the lists (either whitelist, "TRUSTED", or blacklist, "UNTRUSTED").
    It was already there in NoScript 5, just less explicit. But without it you cannot have a concept of UNTRUSTED as "known bad", or (temporarily?) configure a blacklisting mode.
    What can make sense is a warning if you accidentally configure DEFAULT with too many permissions, which would make it equivalent to the old "Allow scripts globally" mode.

  16. #16 JD says:

    Anyone else getting double entries for everything in the UI? For example, I'd see both https://c.amazon-adsystem.com and …amazon-adsystem.com in the list. It's doubling practically every entry.

  17. #17 Znrl says:

    That just isn't really intuitive because especially at the settings page it does mean more like "reset and delete".
    I did update my suggestion a little to explain how it should be possible to di it without a real default button. I think it is important to make all the presets adjustable at the settings page. Then the popup doesn't need to be too complicated.

    https://forums.informaction.com/viewtopic.php?f=10&t=23751&p=93420#p93420

    http://www.bilder-upload.eu/show.php?file=c664ec-1512206860.png
    (labels should be optional)

  18. #18 Tomate says:

    @jon
    I think the new explicit DEFAULT mode/button is good, as it makes clear that the standard behaviour on new sites is a customizable mode as well. Makes it flexible for different types of usage. (eg. blocking everything by default)

    @Giorgio, @jon
    Giorgio Maone: "Tweaking a bit the permissions preset system by making them customizable only on the options page, rather than in the popup, except for the CUSTOM preset."

    Just to underline it: That would be a better solution in my opinion.
    - changing global stuff in the pop-up by accident in day-to-day usage can be dangerous
    - especially because every line has the (interactive) preset settings drop-down
    In the options there should be an indication that those are the global presets. Even there it could be safer to have an explicit "save changes" button (..warnings etc).

  19. #19 E C says:

    The UI is beyond broken and makes the software unusable. This is security software. The UI needs to be obvious and clear about what is allowed and what isn't. I'm constantly getting surprised by what was allowed because the UI is unreadable.

    I can't imagine how this UI came to exist.

  20. #20 Wfoxie says:

    Thank you so much for NoScript, your hard work is much appreciated.
    As a non-programmer I feel with you that it is not simple to comply with new FireFox Add-On requirements.

    I messed up my (worked on) NoScript Whitelist settings while not understanding the new layout and features due to a lack of explanation or guides that are very crucial in this version.
    Lets hope this won’t have a devastating side-effect on my purchase exposed information, because I had to disable NoScript in some instances to be able to get Blak Friday super deals.

    I tried REALLY hard to bear with all the changes and error; but, today I am about to pull the plug.
    The new 10.1.5.1 version took off NoScript from my Firefox 57, than after I restarted Firefox while clicked on NoScript button I got an Error: moz-extension://30f6d90b-5e5a-4ede-bf8b-10ec6acbbe35 – NoScript Settings Mozilla Firefox. I used to have this error four days ago as well: moz-extension://30f6d90b-5e5a-4ede-bf8b-10ec6acbbe35 - NoScript NoScript XS Warning
    I restarted Firefox again and now I can’t make ScreenShots with the NoScript settings I have. The scren shot is made, but the NoScript options are not captured. I tried two diferent ways, none works.

    There is still no import of a whitelist (not that I have one created) and while I am very greatull for all the daily changes; but, the NSS10 should be labeled with some sort of warning; because the new versions remove old and add new problems in the same time.

  21. #21 Wfoxie says:

    I forgot to mention my setting is LinuxMint 18.1 Firefox 57.0

  22. #22 Fegr says:

    #14 Guillo
    No!
    I need the default mode, because this mode is useful!
    I set default that only "media" is allowed and most websites works with all scripts are blocked!
    UNTRUSTED is for me a blacklist where really nothing is allowed, even media isn't allowed!

  23. #23 Casquinhas says:

    arch linux firefox 57.0.1 still has the extensions warning problem, as it shows a blank window and you need to resize it to view the content. I don't know yet a way to fix this.

    4.13.12-1-ARCH

  24. #24 ILOVENoScript says:

    Ragazzi e' un piacere dare suggerimenti, l'applicazione di tali suggerimenti e' tutt'altra Storia.
    Premettendo che Giorgio Maone ci Rallegra ogni Volta ( grazie di R-Esistere ),
    volevo dare un contributino...
    Ricordando che Tutti Noi sediamo sulle Spalle dei Giganti,
    vi propongo cosa ne pensate dello stile di raggruppamento di nomi dei siti sotto monitoraggio cosi' come visualizzzato da un altro grande Plugin/Sforzo Umano vs Skynet, di EFF ?!?

    hxxps://www.eff.org/https-everywhere/atlas/index.html

    Bello, No?

    Come tu non sai cosa e'... uhmmm

    Cmq, parlando di Plugin e Magie tra i Merlino e le Morgane,
    spero che non vi capitino i due MALI del momento:

    [ Letture del Weekend ]

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    ### MAD 1 ###
    Plugin Infetti

    Title: Analyse of a fake update landing page. | BlackHatWorld

    [ hxxps://encrypted.google.com/search?&q="var+cookieName+%3D+"crsrcsvr"" ]

    ### MAD 2 ###
    CryptoMiners

    Title:Hacked Websites Mine Cryptocurrencies

    [ hxxps://blog.sucuri.net/2017/09/hacked-websites-mine-crypocurrencies.html ]

    ### Example NEW MAD ###
    Obfuscated CryptoMiners

    Example:

    [ hxxps://encrypted.google.com/searchq="rAFRXzQQsiqcPHoTEbJMvbmHOVPbJsu0" ]

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Vi Auguro un Buon Weekend con i Vostri cari.

    Bye Bye

  25. #25 Tarja Halonen says:

    @Giorgio

    Giorgio what is the situation with the Noscript NSA for the Android?

    There are thousands of people waiting.

  26. #26 wetterauer says:

    Great work Giorgio, thx a lot! Is there a possibility to delete my whitelist?

  27. #27 Justin says:

    The user interface is the equivalent of being punched in the face every time you want to change a setting

  28. #28 Bo Elam says:

    @Justin #27. Thats not true Justin. To change a setting, you dont even have to move away from the NoScript Menu, it cant get much easier than that.

    Bo

  29. #29 Bo Elam says:

    @wetterauer #26. To turn any white listed domain into default (and clear them from the white list), click the Default preset. You can do it at the NoScript drop down menu when visiting a site or in Options.

    Bo

  30. #30 Neph says:

    I've been using FF's built in "javascripts either completely on or off" setting for the last 10 days since NoScript has stopped working properly then and wanted to give it another try yesterday.
    Unfortunately the "enable/disable 1 script and all the others get enabled/disabled too" bug is still there!

    I also have to agree with the UI changes:
    It's simply not intuitive because there's simply too much going on (does anyone actually need/want all the checkboxes?). The old version was so much simpler and still had everything you needed: You could just click the specific script you want to enable/disable and it would also automatically reload the website, now you have to click on the URL and then check/uncheck the "scripts" box. You don't actually see what scripts are enabled or disabled without clicking on the specific URL and half of the time the NoScript windows won't even open but there's a white, tiny, empty one instead.

    Plus, there's a really weird thing:
    When you click on the "NoScipt" icon in a new tab, it opens the full list of trusted websites. I have an entry for "https://www.amazonmusiclocal.com" BUT it's actually not a single entry but half of the list (appr. 300) is filled with it and I can't seem to get rid of it.

  31. #31 StashOfCode says:

    This gets better each version.

    People may have a hard time at first because the interface is so different, but I find it efficient after some days.

    Features still missing :

    - In the preferences, enable/disable per domain authorization in the menu
    - In the prefernces, enable/disable script name display in the menu
    - Remember site profiles so that you don't have to allow given scripts when you come back to a given site : it would be done automatically (eg : remember to allow google.com for hackademix.net)
    - In the menu, button to enable/disable NoScript

  32. #32 farb.los says:

    Software development made entertaining - every now and then new fixes and features.

    A few enhancements I'd like to request:

    - make the domain-level table entries ("...") come *BEFORE* the address-level entries ("https://"), like this:

    ... google.com
    https://www.google.com

    - on user option, hide the address-level entries completely. I only use the domain-level entries.

    - it takes some aiming to hit the icons, so make the table rows with the domain names clickable as well. Either toggle between "default" and "temporary allow", or cycle through all possible states. In addition, the exact behavior of clicking a non-icon could be made customizable.

  33. #33 wa1975 says:

    I asked for it on the forum several times and get no answer: Is noscript working with FF57 on Android or not after version 10.1.2 ? I only see a blank screen in the settings. I need an answer. I know noscript is free but i have to know if my system is protected or not.

  34. #34 Giorgio says:

    @wa1975:
    The answer is "I don't know yet". It's currently unsupported because of some Android-specific bug, I hope to figure it out within this week.
    Can you confirm it did work in some version before 10.1.2? If so, which (it would help spotting what's wrong)? Thanks!

  35. #35 wa1975 says:

    Thanks 4 ur answer. The last version i can see the settings is 10.1.2 and it worked before.

  36. #36 Oliver says:

    in 10.1.5.5 still firefox freezes for a (large) couple of seconds after switching (trying to switch) from NS options-Tab to another Tab. Sometimes tab content is replaced with loading spinner. Only closing the FF window helps.

  37. #37 nowe20 says:

    Problems users has with the GUI may not an failure from the NoScript programmer but
    in reality an failure the Mozilla distributor has make with this new ..... GUI api?
    GUIs should be practical for the unexperienced user, too.

  38. #38 passerby5 says:

    In the XSS warning pop-up, can we get an "Always Sanitize" option? In some windows, I see the "Sanitize" option and an "Always Allow" but no "Always Sanitize".

    I'm also getting a lot of pop-ups on Tumblr and wix sites. Some have the Sanitize option, others don't.

    Below Tumblr example has the Sanitize option but no Always Sanitize.
    http://fo4-mischairstyle.tumblr.com/post/139169515871/mischairstyle16-download-47-new-hairs-for-male

    Thankfully it only pops up once on this site. I've seen other Tumblr sites where it pops up a lot.

  39. #39 Ruff says:

    blank here too. not to mention android version, which is too small for any fingers.

Leave a Reply

Bad Behavior has blocked 721 access attempts in the last 7 days.