Someone seems to be still convinced that changing our beloved NoScript UI has been a whimsical (and suicidal) decision of mine, entirely avoidable.

The ones who know better about recent history of Firefox and of its add-ons ecosystem are aware, though, that the UI couldn't stay the same simply because the technical foundation (XUL/XPCOM) for the "old" one is not there anymore, and NoScript has been forced into being completely rewritten as a WebExtension (and therefore its UI as pure HTML) or just die.

Since it was anyway impossible to replicate exactly the well known user experience provided by NoScript 5.x (which, BTW, is still actively maintained and available here), I've tried to find a silver lining in the forced rewrite, taking it as a chance to incorporate user feedback collected over more than 12 years, especially about making the permissions system more customizable.

And indeed, the old concepts are all still there, but the way they are implemented is more flexible and amenable to customization, albeit admittedly less discoverable and, for long time users, surely confusing at least initially.



Bugs aside, I think the biggest problem with the transition, which I'm truly sorry for, is me not having found the time yet to write any proper user-oriented documentation for NoScript 10; but maybe we can start here by providing a minimalistic overview, mapping the new "Quantum" UI onto the "Legacy" (I actually prefer to call it "Classic") one:

  • In the NoScript 10 we've got 3 presets (DEFAULT, UNTRUSTED and TRUSTED): you can assign one of them to any site, and the sites with the same preset share the same set of (configurable) permissions
  • For sites that don't fit in any of the 3 aforementioned presets, you can choose to use CUSTOM permissions: CUSTOM is not a preset, but a way to give very specific permissions to a site, applying to that site only
  • Back to presets, DEFAULT is the set of permissions that any unknown site has. So if you don't touch NoScript, beside a handful of websites (the "old" default whitelist) pre-assigned with the TRUSTED preset, all the sites on the Web have the permissions of the DEFAULT preset (i.e. almost none).
  • "Temporary allow xyz.com" maps to clicking the TRUSTED preset on the xyz.com row.
  • "Allow xyz.com" (permanently) maps to clicking the clock-shaped icon onto the TRUSTED preset (which means "Temporary"), to disable it (and make the preset assignment "Permanent")
  • "Forbid xyz.com" maps to clicking the DEFAULT preset, which actually means deleting the site from the internal "whitelist". In facts, if you do it in the general Options panel, next time you open the panel (or refresh it) the site is not even listed there anymore. It doesn't disappear right away for convenience, to give you the chance to change your mind or correct mistakes.
  • "Mark xyz.com as untrusted" maps to clicking the UNTRUSTED preset, which contains no permission at all and is meant to collect and remember the "known bad sites" in a permanent blacklist.
  • And then CUSTOM, which is new to NoScript 10 and lets you fine tune just a certain website with its own specific permissions, either more restrictive than DEFAULT or more permissive than TRUSTED ; this tuning is either permanent (by default, the clock shaped icon in this case comes disabled) or temporary, by additionally clicking the clock-shaped icon.
  • Each and all the presets can be freely customized to your own needs, with the convenience constraint that you cannot remove the "script" permission from TRUSTED, and you cannot add it to UNTRUSTED. However, the factory presets are very similar to the "old" NoScript experience.

What about the "Match HTTPS only" green/red lock toggle? If green (locked), the toggle makes base domain entries (e.g. "..google.com") match themselves and all their subdomains, but only if their protocol is HTTPS (and therefore the traffic encrypted and not easily tampered with). Otherwise, if red and unlocked, both HTTP and HTTPS match: this has bad security implications especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy, but is unfortunately needed for some sites to work. NoScript tries to gives you the "smartest" default for each site, i.e. green if the page is already served on HTTPS, red otherwise.

A lot more needs to be written yet, but these are the bare bones.
If you find bugs or need support, rather than using in the blog comments or, even worse, the AMO review system as a way to communicate with developers, please submit to the support forum here.

And if you want to help me with development, please install latest development build, which is released even more often than the stable and ships earlier both bug fixes and new features. And please keep providing feedback, as especially the UI is still a work in progress and I'm eager to make it better than before, by merging as much as possible of your valuable contributions.

Thank you all!

164 Responses to “NoScript, "Quantum" vs "Legacy" in a nutshell”

  1. #1 Allan says:

    I've returned to FF 52.5.0 ESR until the dust settles a bit...

    What I would like to know is this: before I open any website with 57 will I be able to -globally- turn all my previous NS permissions to Default and delete all my previous NS history?

    Thanks for all you do!

  2. #2 Scote says:

    Thanks for all the work you are doing.

    Part of the problem for me is that it takes more clicks to do the same thing, and the paradigm has changed. I'm used to "allow" rather than "trust". I don't actually trust anything I only temporarily allow, so there is a bit of a mental disconnect for me in using the new UI.

    For temporary allow, I think an hourglass might be more intuitive to me than a clock with an explanation point.

  3. #3 sam says:

    Is there an equivalent to the old SHIFT-RIGHT-CLICK which allowed us check up on a script by submitting it to Virustotal, etc>?

  4. #4 PM says:

    I use 10.1.5.3.
    Here on this page where I write, there are two Trusted, one Temporary other Permanent.
    If I drag the mouse, there is no difference in the subtitle that appears.
    If the clock is color and big, is the Permanent?

  5. #5 Giorgio says:

    @Allan:
    You can already do it either clearing them one by one (a new thing in 10 which wasn't there in 5 is that the text box to insert new sites is also a search box filtering the ones in the list on the fly), or bulk edit their JSON representation if you go in "debug" mode by selecting the checkbox on the bottom. I'm gonna add some visual bulk-edit option ASAP, though.

    @sam:
    It's arriving in 10.1.5.4 stable :)

    @PM:
    The big solid clock (currently default for TRUSTED) means temporary (clocked), when it's faded it means the clock doesn't apply (permission is permanent).
    You're right, having different tooltips for different states would be better, trying to stuff it in 10.1.5.4 too.

  6. #6 john says:

    Any timetable for a working version for android? Many NS users upgraded to FF57 thinking that the new version of NS would work (it was briefly listed among the FF android add-ons on Mozilla's website, before being removed), now they cannot switch back. Keep in mind that there's no FF ESR for android.

  7. #7 Giorgio says:

    @john:
    I've got just to figure out what's preventing the UI from being populated with the current site data, and I'm sure it must be something stupid. I hope to have it by the end of this week, because I'm a NSA user myself :(

  8. #8 Jose says:

    Thank you for the constant updates... it feels smooth now.

    I would suggest a preference option: Previously on NS 10.1.3rc(2-3) clicking on NoScript UI will open a new window with websites preferencies, this was reported by most users like a 'annoying' bug, but some others perceive it like a feature... why? because if you 'hide' the NoScript button inside 'More tools' menu, the resulting UI is forcing the user to scroll right and left several times only to know what is going to block and/or allow: Demo: http://ow.ly/qALF30gZBHc

  9. #9 Solo says:

    @Giorgio...so when do you think you will have the right version that will be equal to the original or as you like to call it "Classic"?

  10. #10 pijulius says:

    Hi Giorgio, first of all thanks for the hard work you put in and agree with everyone about the confusing interface but I also do understand the reason behind it.

    Two notes if I may:

    1. Please please bring back the context menu (if possible with the new firefox as unfortunately I have no clue if it's possible at all) as it would fix so much of the troubles people are having. The context menu was an easy way to enable scripts especially with the two separate options (permanent and temporary) as the rest wasn't even needed in my opinion :)

    2. Having the old noscript icon in the new firefox toolbar is totally different than the whole firefox icons, so or please do a simple black icon that we can put on toolbar or please test it by putting the icon into the "More tools ..." toolbar icon (the two >> arrows) and you will see because the setup takes up a big space it will require you to scroll in that popup.

    On the rest for me everything is good and all the customization you had in the old version can come in later on with time as the most important is already there (disabling scripts which disables a bunch of ads and also speeds up page loads with a lot) so with the context menu in my opinion everything would be like 95% done and with the rest time will tell how and when to accomplish :)

    Thanks again for everything you do!

  11. #11 Shaun says:

    Thanks Giorgio for your fantastic addon, and for this v helpful quick bit of documentation. I now feel I understand the basics of the new interface.

    One further question though. For me, the "default" preset appears to have all boxes ticked except "fetch". That doesn't seem right, but I'm not sure of:

    a) Why it's like that for me
    b) How to change the preset
    c) What the factory preset is supposed to be for "default"? You mention that it is "almost none", so I'm pretty sure mine is non-standard. I'm happy to use your factory preset, once I know what it should be :)

    Thanks,
    Shaun

  12. #12 Giorgio says:

    @Shaun:

    a) you probably changed them by accident, or when you used NoScript 5.x last time you were in \Allow scripts globally\ mode (which during the migration translates in giving script permissions to DEFAULT and keeping UNTRUSTED to blacklist sites).

    b) Just click the preset twice and uncheck all the presets except for \fetch\ (needed for some extensions to work), \frame\ and \other\

    c) \fetch\, \frame\ and \other\ checked (see above)

  13. #13 JD says:

    For me, Default seems to have media, frame, font, webgl, and other checked. I'm not sure if leaving all those checked is still safe when visiting potentially unsafe sites. Is it mainly the scripts permission that poses a safety issue?

    Also, an option to change all default presets at once to desired permissions would be nice or a way to reset them all to the "factory default".

    Thank you and keep up the good work!

  14. #14 aocab says:

    Saw Shaun's comment about "default" presets and was curious so I checked the settings in mine.
    If I understand correctly the "default" presets are: \fetch\, \frame\, and \other\.
    I must have accdently messed up the settings in mine because they are not the same.
    Plus I am curious to know what the meaning is of the highlighted options (see screenshots).

    http://imgbox.com/5bOTPrUI
    http://imgbox.com/xi2PWYM5

    Thanks
    Cheers

  15. #15 Gareth says:

    I wouldn't even use it, It asked to upgrade to NS10 so I reverted to older firefox

  16. #16 John says:

    what does it mean when there's 2 of every site? for example (https://www.google.com) and then right below it (…google.com) this is the happening with most sites I use.

  17. #17 Gill says:

    "...that the UI couldn't stay the same..."

    Respectfully, Giorgio, I think you may be missing the point.

    I don't believe most people are upset because the old UI isn't identical to the new one; they're upset because the new UI isn't anywhere near as user friendly as the old one. And in a previous thread on this site, I saw a mock-up of a UI (one that IS compatible with FF57) that I (and others that commented) thought was superior. So it's not as impossible to create a new UI as we're being led to believe. It is, however, time consuming and I'm not going to make a judgment on whether your time is better spent creating a new UI or fixing the existing bugs.

    Just trying to let you know that the problem of the UI is not as simple as the straw man you've set up (i.e., people hate the new UI just because they don't understand the old UI can't be exported into FF57).

  18. #18 crazy says:

    Thank you Giorgo for creating, maintaining and updating a Firefox extension that has become such an essential tool that so many of us feel naked on the web without it. I appreciate the predicament you face in transitioning from the classic UI we are all comfortable with to the Quantum UI many of us are having difficulty grasping. I've followed the development and deployment of NS10 closely and am gaining a better understanding of what each feature of the new UI is intended to do but it's going to take more time for users like me to get it. Maybe it's a generational thing, but the "everything on one page" style overwhelms my 60+ year old brain leaving me too confused to understand what I've changed per site, per session and how to get back. The genius of the classic interface was the "less is more" style of the browser icon and the granular detail available by choosing options. As you continue development of NS10 the more you can tweak the new UI to the simplicity of the classic design philosophy the more I'm sure old and new users alike would appreciate it. Thank you for incorporating so much of the user feedback in such a short period of time and thank you for such an essential browser extension.

  19. #19 PM says:

    @Jose
    @pijulius

    I haven"t icon in 'More tools' menu.
    Private and Noscript on the left.
    14 icon on the right (FF and Ghostery, ADP and others ).

    Noscript icon is blue S.
    Ghostery, ADP, Https Ewerywhere, S3. translator are colors.
    I don't like black and white FF icons.

  20. #20 Ray says:

    Although getting used to a new UI is always annoying, I rather like the increased flexibility. I usually had "Apply these restrictions to whitelisted sites too" set for embeddings, since I don't want things like Silverlight or Java running by default even if I trust the site. But that meant that fonts and media got blocked at the same time. Being able to allow specific requests from specific sites without messing with about:config/noscript.allowedMimeRegExp is a nice change.

    My stance is actually the exact opposite of a few I've seen here; rather than switching to an older Firefox to keep the old NoScript version, the new NoScript features are the *only* reason I haven't downgraded or switched to Pale Moon or another Firefox fork that didn't break half my extensions. The prior lack of documentation for NS10 was the only real issue.

    One thing that would be nice to have added to the documentation is an explanation of what the various settings cover: in particular, "fetch" and "other". I'm also unsure of what it means when one of the checkboxes has a red background (seems to have something to do with setting https only).

  21. #21 Layman_User1 says:

    Thank you for incorporating the feedback on the UI that you have so far, it has made NoScript far more usable.

    Is this http://mutik.erley.org/ns/ GUI not compatible for some reason?

    It seems to achieve the goals you had in implementing changes to the UI, still feels similar to the classic version, and uses words to associate meaning to symbols so tools feel more 'discover-able.'

    Allowing multiple clicks on the custom permissions button to cycle between custom permissions being permanent or temporary would give users the same abilities with the same number of clicks I think.

    I think this sort of UI would still work and feel great with the colorful icons you use now.

    What amounts to a matrix with columns giving info about items in each row may be 'easy' and 'simple' for some people, but for others it can seem overly 'technical,' 'intimating', and 'daunting.' From this perspective making it colorful just makes everything seem more chaotic. I know the two are arguably the same thing, but I think a lot of people's comments/feelings about the UI center on the fact that it went from being based on a list, to being based on a matrix.

  22. #22 Fran says:

    Is it a problem when a page works with "Scripts Globally Allowed" checked, but the page doesn't work when every domain is marked TRUSTED? That is the case with this page:

    http://www.tumbex.com/tumblr/space-wallpapers/photo

    If I check every checkbox in the DEFAULT scope, NoScript shows domain tumblr.com being blocked, but it is not shown when I trust every domain with no checkboxes checked in the DEFAULT scope. So in normal usage NoScript is blocking a domain without showing it in the popup.

  23. #23 Jose says:

    @PM:

    You have to add an icon to show 'More tools' panel. The method will be as follows: Click on the hamburguer icon > Customize > drag NoScript icon inside the fish/dragon panel & click Done: https://goo.gl/dWPkUt

  24. #24 Jose says:

    To be clear, I'm suggesting an extra option, an option (inside NS preferences) to change NoScript UI from popup to window. I agree with the present default configuration.

  25. #25 Tarja Halonen says:

    @Giorgio

    Any update on the Noscript for Android Firefox mobile?

  26. #26 PM says:

    #23 Jose
    I don't want hide any icon.
    The URL space too long and one click is enough and does not bounce Noscript what you show in #8.

  27. #27 Fran says:

    Unless I'm missing something, there is no visual feedback that I have clicked "Temporarily allow all this page". So I don't know that I may need to click "Revoke Temporary Permissions".

    Also, thanks, Giorgio, for all your hard work on NoScript.

  28. #28 Fran says:

    Please ignore my previous comment (#27). I just realize that the clock icons become solid when I click "Temporarily allow all this page".

  29. #29 Jesse P. says:

    @Giorgio

    I've been using NoScript for many years and, of course, updated to NoScript 10.x once it was publicly available. The UI is quite a difference (not in a good way, in my opinion) but it is not "difficult" to understand (for the most part). What annoys me about it, and is cause for me to effectively not use it (not in its full capacity, at least), is that it seems to randomly behave differently from one moment to the next. For example, I get XSS attack warnings (even up to 10.1.5.3) when going to sites such as IMDB, alerting me that there's an XSS attack between itself and Facebook, when I never did in the previous version of NoScript. Maybe XSS was not functioning the same way but, what makes it stranger is that I don't get the alerts every time - only some of the time. Also, the options page interface is horribly slow, especially when you have a large whitelist, on top of many of the features not being available to users yet - understandably, they will come in future updates.

    Personally, I currently allow scripts globally and only use NoScript for XSS filtering, while then relying on uMatrix for the script blocking and such, and will remain doing so until I feel that NoScript 10.x has become polished enough to remove uMatrix.

    As comment #17 (Gill) alluded to, there are other addons that use menu-based UIs and look very much how NoScript 5.x did (one example is 1Password). Yes, it has been WebExtensions based either since the beginning or at least for a while but, it looks just like a pre-FF57 addon would have. You had to convert your code to WebExtensions - nobody is questioning that, I don't think - but could you not have done the same thing that 1Password does, and use menus to keep it looking like the same old NoScript we all loved?

  30. #30 Barry says:

    WHY THE HELL WOULD I WANT TO USE A TABLET STYLE INTERFACE IF I'VE BEEN USING A DESKTOP SINCE WINDOWS 3.0 and EVERYTHING USES DIALOG BOXES?

  31. #31 Fran says:

    Please ignore my problem report in comment #27 above. It is no longer happening with 10.1.5.5. And thanks again for all your work on NoScript!

  32. #32 Rob says:

    I understand that having to use HTML for the new interface has caused you to be unable to replicate the old Noscript 5.x.x UI but I still can't understand why the new UI has so few options where the old one had so many. There seem to be a lot of features missing from NoScript 10 just because the HTML page for the settings has so few options on it, why does it not have, in HTML, all the options that were in NoScript 5's dialog boxes?

    Also, as far as having blocked objects show up as an orange placeholder that can be clicked to allow them, is there some difficulty in implementing this for NoScript 10? It was such a useful feature to let a specific object on a page run but not have to allow all others from the same domain at the time. Can this be made to work again please.

    Thank you

    P.S. any hope of text on the buttons "temporarily allow" rather than a clock, "settings"/"options" rather than tiny cogs and cross-spanners? Text shows up better than little graphics for small screens, screens a distance from your chair or poor eyesight.

    Also, shouldn't "default" block the scripts? Only when I last looked (I've taken refuge in ESR until the commotion ends), although NoScript 10 may have changed since, sites on the "defeault" setting blocked objects and such but not scripts, which felt a bit risky to me. The philosohpy of NoScript always used to be "block it unless the user says allow" not "allow it until the user says block".

  33. #33 Joe says:

    Hi. Love NoScript.

    I had it pre-FF 57 and installed the version 10 on FF Quantum.

    One thing I have been unable to find, and hope you can implement.

    When you close the tab for a website which you have allowed some scripts for, then you click the NoSCript toolbar button, you see the list of scripts still allowed. How to mass delete all of them at once?

    The only way I have found is to individually click each and every one on the "Default" icon (first item on every line). If you have some dozens of scripts allowed (because that is what te website needed to operate correctly), it is a pain to click every since one.

    You have a mass script delete if the website is still displayed. Please add mass script delete even if the website tab has been closed.

    Thank you!

  34. #34 Sokolas says:

    Could you please add a more visible way to indicate that the TRUSTED setting is permanent? For example, there is that clock (or stopwatch?) icon that appears near the NoScript icon when I hover over the site in the list; it would be awesome to not bind it to hover but always show for temporary trusted sites and hide for permanently trusted.

  35. #35 Bo Elam says:

    @#32. Rob, you can make Default block all you want. By default, the Default preset comes with scripts forbidden (box unticked) but there are users that made changes to the preset without realizing what this changes were and that they were globally applied. With the end result being that they saw scripts running and couldn't understand why, complained about it and blamed NoScript.

    In NoSCript 10, we can set Default as we wish, something we could t do in version 5. There was no option for it. In my opinion, this is an improvement of the new version. Personally, I have set up Default more restricted than it was in version 5. Good stuff.

    Bo

  36. #36 Scote says:

    I hadn't heard of uMatrix before reading this thread, but after having installed it I must say that the UI is what the new version of NoScript needs. It is quick and intuitive to understand, quick to use and find what needs to be unblocked to make a page work
    , and minimal yet informationally rich.

  37. #37 Jose says:

    @#21 Layman_User1. I would like to see this UI on NS10, totally perfect in UX terms, and fits very well with Firefox Quantum UI.

  38. #38 tor says:

    "Legacy" (I actually prefer to call it "Classic")
    "Classic" is something that works, but mosilla killed it, therefore "Legacy".

    could you backport to 5.x:
    x Fixed potential fingerprinting through placeholder icon
    (thanks Rob Wu for reporting)
    x Fixed background requests from other WebExtensions being
    blocked
    x Fixed some blocked items not reported in the UI (thanks Bo
    Elam for reporting)
    and others that are applicable to 5.x
    Thanks.

  39. #39 Giorgio says:

    @tor:
    None of those are applicable to 5.x. Only the XSS filter one is.

    @everybody: thanks for the mockups, all very interesting. DUring the next weeks, while fixing bugs and adding back options and features, I'll experiment merging back those which seems most popular and making most sense.

  40. #40 Znrl says:

    I was nearly going to edit noscript to make my mockup a working demo.
    But I'm not really into developping addons and I noticed it would take too much time to get into you code since I would need to change some things...
    Here is my latest update: https://forums.informaction.com/viewtopic.php?f=10&t=23751&p=93696#p93696

    Your explanations about how it currently works is good and we do understand how you thought while programming it.
    But people who use it think different. And from experience people probably won't read documentations and stuff. There are just too many thing that aren't intuitive right know.

    For example that customizing "default" is global. Like 99% of the people who do and will try NoScript won't get this and documentations doesn't help, well they would but there are way too less people reading it.

    I still think that the "temp" option should be seperated because it makes it a lot more obvious whats going on.
    This and when I say I don't need the "default" button you don't have to change how it internally works. I am aware the "default" state makes sense but (except from customizing it, which should be done in options like anythng that is set globally) it doesn't really provide anything but an additional button for me as a user.

    The one posted in #21 also looks nice .

    It would also be doable to rebuild the old UI at least that list (old "popup" https://noscript.net/screenshots) with just "Temporarily allow" (like it was in private mode) and optionally with the line to "allow" things (don't know about the recently bocked etc.) .
    It has a lot less options but there could be a setting in options to choose between UI themes.
    - "Classic" (limited)
    - Modern UI
    ...
    The only thing would be that presets are customizable in options the rest would mainly be CSS.
    But I would understand that is isn't really the preferred way to go.

  41. #41 Steve says:

    Just wanted to say thanks for all your work getting NS migrated over to Quantum. I wouldn't update to FF57 until there was a stable version of NS. Glad I found this thread, I was wondering how to make permissions permanent, problem solved. Thanks again!

  42. #42 Jesse P. says:

    The change logs posted on NoScript.net as well as Mozilla's add-on site are outdated. Please update them with the release of each update, so we know what has changed. Thanks.

  43. #43 yelow says:

    Alternatives search "Startpage, Ixquick' does not work in FF57 for Linux Mint. Related to NoScript 10.1.5?

  44. #44 Werner says:

    Mr.Maone.
    Thank you for this great tool.
    Some issues are triggered by the firefox activity tracking.
    Greetings from Germany
    Werner

  45. #45 NoTwo says:

    Got somehow disappointed about the sudden complexity NoScript evolved to.

    At current state, fiddeling around with some settings, i realized that NoScipt is even more powerful than before (or i missed it b4).
    A perfect ad-/popupblocking addition, i can even block stuff, ABP and uBlock cannot :D

    It's just a "must get familiar" with NoScript quantum to have such a great freedom now

    The only thing im worried about is how strong or weak is default setting when visiting a site the first time.
    I would rather deactivate everything yet unknown and switch on 1 by 1.

    Fucking gread work! You da man ;)

  46. #46 Andrey says:

    @Giorgio

    I have a problem with the XSS warning. When I choose permission "Always allow document requests from ...... to ......" (both sites are trusted), then everything works fine. But after rebooting Firefox, the permission should be selected again.

  47. #47 MichaelG says:

    Not as friendly as old ui. I am no longer using Firefox or no script for shopping.

  48. #48 Jesse P. says:

    NoScript 10.1.6 is listed in the changelog on noscript.net but the newest release is still 10.1.5.5 everywhere, including noscript.net. Was there something wrong with 10.1.6 that kept it from being released, so we're likely to see 10.1.6.1 or 10.1.7 instead?

  49. #49 Jesse P. says:

    Oops. Meant 10.1.5.6, not 10.1.6; 10.1.5.7 or 10.1.6, not 10.1.6.1 or 10.1.7.

  50. #50 PM says:

    The 10.1.5.5 Noscript button not works well on this site (the window too big).
    https://www.cnet.com/pictures/the-best-tech-gifts-for-2017/?ftag=CAD-04-10aac3a&bhid=

  51. #51 George K says:

    I don't want tablet only UI on desktop thanks

  52. #52 Giorgio says:

    @Andrey:
    Thanks for reporting, it's going to be fixed in 10.1.5.6.

    @Jesse P.:
    10.1.5.6 is not released yet, there's just RC1 out and RC2 in the makin. The entry in the main changelog was just a fluke and has been removed, thanks for noticing.
    The stable release needs to be coordinated with AMO admins because there are backports to 5.x and a special procedure is required to ensure both classic and quantum users get properly updated.

  53. #53 Vince says:

    As several others have said, the fact you had to convert to WebExtensions does NOT mean that the UI (and UX) has to be horrid. And they are both still horrid.

    There are plenty of WebExtensions out there that aren't incomprehensible. This one is, and the above explanation doesn't solve the problem. Look at this:
    "Temporary allow xyz.com" maps to clicking the TRUSTED preset on the xyz.com row.
    "Allow xyz.com" (permanently) maps to clicking the clock-shaped icon onto the TRUSTED preset (which means "Temporary"), to disable it (and make the preset assignment "Permanent")

    Those make *no* sense, and are at odds with any sensible UI of the entire GUI era. The second one makes no sense even after ten readings.

    There's no reason to use icons that don't mean anything to anyone. Use words (e.g., Permanent and Temporary, or Perm and Temp), where one state means Not Allowed (greyed) and one state means allowed (not greyed). It's clear and makes sense to everyone. Have four buttons at the top/bottom for the combinations of [Dis]Allow Everything Permanently and [Dis]Allow Everything Temporarily.

    This is free software. You've done a HUGE service to everyone for many years now, and we truly appreciate it. This also means you are free to do whatever you want, and we also understand that. But if you actually want to meet the needs of your users (and it's clear you do), then AFAIC you need to admit that the entire new UI was a bad decision and start over. Forget the icons, forget having to click five things where one thing would do, forget pictures when words are so much clearer. I picked up the old NoScript without ever reading a manual, and my guess is most other people did, too. This one is incomprehensible even AFTER reading the "manual", i.e. the above.

  54. #54 Dave says:

    Totally redesign is a bust. It's just not user-friendly anymore for most of us. As far as Firefox Quantum? It's as bad of a roll out as Win 10 was. All i see at this point is 6 to 10 months of non-compatibility. Will check back next year. Meanwhile, I'm stuck using Edge as a browser.

  55. #55 Elias says:

    I think the new Ui is amazing, more flexible than the old one.

    I'm just waiting for the "enable top level scripts *.domain.com" feature.

  56. #56 Giorgio says:

    @Elias:
    Please check latest dev build, 10.1.5.6rc2 :)

  57. #57 Benny says:

    I don't like the new UI with all the icons instead of text; it is just not as intuitive (to me) as the old version. I much prefer to READ things rather than trying to interpret oversized icons.
    I also prefered NoScript to be on the bottom of my page in it's own "panel". I don't recall physically doing this with the old version so assume it was the default.
    This used to be my favourite plugin but I am now on the verge of removing it, along with Firefox. Might be time to look for a new browser.

  58. #58 Oleg says:

    I agree with Benny... Also, I have problems in the setting panel with over 750 records.

  59. #59 Andrey says:

    @Giorgio:

    Thank you for your response.

    I have already adapted to the new UI, and I like it more and more. Usually I need to give the necessary permanent permissions to maximize the functionality of sites that I often visit (about two or three dozen). With other sites, I get around the temporary permissions. It seemed to me that with the new UI I managed to configure it better (less unnecessary permissions).
    I have some wishes. When I look at the list of permissions in the settings panel, then to some permissions I have a question - when I chose these permissions and why. Perhaps I chose them wrongly, and they are dangerous.
    I would like, if possible, that the settings panel had the date and time when I chose this permission, as well as the domain name of the site that was opened when this permission was selected. Insert a comment, too, would be nice. And of course the ability to sort the rows by date, time, domain name of the site. Maybe other users will find this useful.
    Good luck in your very useful work.

  60. #60 Jon says:

    One more thing has confused me about the UI.

    When a site is default, the "Trusted", "Untrusted" and "Custom" icons are grey-looking. Yet you can click on them. I know this is probably because theyr'e toggle buttons. The clock icon on trusted sites is also a toggle. However, I think removing the grey-look and putting green checkmarks on enabled toggles is a better option. This is just a minor UI thing because I'm not a very modern user like most of the people here. In the old days, a grey button was typically unusable, whereas a toggle option used checkmarks.

  61. #61 Jauncy says:

    Huh. That was easy. I feel like a real idiot for not figuring that out for myself. Ultra Thanks! The following is my briefer notes from the above. Feel free to use them if they are accurate.
    There are 3 presets: DEFAULT, UNTRUSTED,TRUSTED. You assign one of them to any site. These factory presets are very similar to the "old" NoScript experience.
    Sites with the same preset share the same set of (configurable) permissions
    You can choose to use CUSTOM permissions: CUSTOM is not a preset, but a way to give very specific permissions to that site only

    DEFAULT is the set of permissions that any unknown site has. Apart from a handful of websites (the "old" default whitelist) pre-assigned TRUSTED, all sites have the permissions of DEFAULT (i.e. almost none).
    Clicking the TRUSTED preset on the xyz.com row is equivalent to the old "Temporary allow xyz.com". The icon changes to a clock.

    Clicking the TRUSTED Clock icon changes permissions to permanent.

    The first, leftmost icon changes permissions to DEFAULT & is used to Forbid xyz.com. It`s deleted from the internal whitelist & the site will disappear from the dropdown list on the next browser restart.

    Clicking UNTRUSTED, the 3rd icon ( red S with bar ), grants no permission at all, is used to collect and remember the "known bad sites" in a permanent blacklist.

    CUSTOM, new to NoScript 10, lets you fine tune a website`s specific permissions, either more restrictive than DEFAULT or more permissive than TRUSTED, initially temporary (Clock icon), then permanently by clicking again.

    Every preset can be freely customized to your own needs, but you cannot remove the "script" permission from TRUSTED, and you cannot add it to UNTRUSTED.

  62. #62 Jayson Black says:

    I DO NOT UNDERSTAND NO SCRIPT ANYMORE. I WILL NOT BE spending hours reading and learning how to use this because on a whim the developer just decided some shit. No script was fine, no script was great. NO ITS NOT! I would even pay a small fee for no script (how it used to be) BUt I will pay nothing, I will even campaign against no script if I even get a wiff that this was some ploy to back us all into a corner forcing us to pay a premium to get back the old style no script. in other words. I suspect No script Devs are splitting No script into to Programs. A lite version (Free) and a paid version Pro. The pro version will probably be an updated version of the old no script. If this is true YOU ARE committing suicide. Coz not only will I live after such manipulation. I will heavily campaign against anyone I think is playing silly buggers with my wallet. (Ever heard saying "If it aint broke, dont fix it")? Well i think it very much applies. THERE IS NOT EVEN A RIGHT CLICK MENU ANYMROE WTF!!!! Also, WTF am I even doing here? No ones gonna read this. No one gives a Flying Fat Fuck! Esp the developer. Why is there such a head up arse mentality amongst developers and their companies? WTF WTF WTF!!!

  63. #63 oldguy says:

    snag there; really dislike FF57 so sticking with (last known half-good) 56, here it comes.. updated to latest 5.x NS (legacy enabled of course), all options blank. setting them manually does not work, set, click OK, no change.
    trying to get latest 10.x NS bad luck. requires the cursed FF57.
    how to make FF work with a -working- NS either last 5.x or the new one? also the old settings have been ok, but are gone with the update to 5.1.8.1 somehow. also. making a button toggle everything with one clíck imo neglects the purpose of NS. too risky to accidentally click the button instead of the dropdown.

  64. #64 HigherPower says:

    @Jayson Black

    Step away from the computer and go outside to breathe some air. You taking this way too seriously man. Pure comedy when I read your post. There is more to life than living 24hrs a day on the internet.

  65. #65 Benny says:

    @HigherPower
    I sense some frustration int Jayson's comments and I agree with them, just not to the extent he expresses.
    I agree with the "if it ain't broke don't fix it" approach, but if you must try something new and radical, at least give the rest of us who were happy with the old UI keep it.
    I am more upset and frustrated because I actually contributed to the project not that long ago :-(
    Don't think I'll be doing that again in a hurry.

  66. #66 Oliver says:

    The pop-up scales in rc4 with the magnifing factor of the window and is from 110% on bad readable.
    else everything runs smoothly so far ;-)
    regards
    Oliver

  67. #67 Bencyc says:

    I thought that If I check a site all untrusted, I cannot see the page at all.
    However I can see and read it almost without a problem. Unless some scripts required for a special purposes.
    Is that the way it should be?

  68. #68 Giorgio says:

    @Bencyc:
    Yes, UNTRUSTED is meant to render documents as a plain HTML, with no active content being loaded or ran, but not to prevent them from being shown at all.

  69. #69 Giorgio says:

    @Oliver:
    It was a work around for for http://bugzil.la/1387340 - I removed it from RC5 after reading your comment and checking what was going on with custom zoom levels :(
    Thank you!

  70. #70 User101 says:

    I see why the change in the UI was necessary and I really appreciate your work but still I think it is overly confusing for simple users. I and I think most people just want an on/off switch for harmful content on websites and do not use most of the new options. When updating to NoScript 10, I heard about a lot of people who simply don't know what "object", "media", "frame", "font" etc are even supposed to mean in the preset menu. Many people don't understand why they should use the green and red locks either. Having a lot of buttons you don't understand around you makes it confusing and frustrating. A very good solution I think would be an "I am an advanced user" option like in ublock, which unlocks all the options.

  71. #71 JD says:

    Permission settings for certain sites aren't saving at all. I have to keep changing Google back to Trusted because it keeps going back to Default.

  72. #72 nac says:

    Sadly, I couldn't get NoScript to work... it behaved erratic and sometimes crashed, so I tried uBlock Origin. There is a bit of of a learning curve, but it is worth every minute, and it works flawlessly. It can also allow/block other domains on a domain basis.

    That being said, I am VERY grateful to you Giorgio for your hard work over the years, and I will check back on NoScript later and see if it has been stabilized.

  73. #73 JD says:

    Ok, seems like permission settings aren't saving for me at all anymore (Default -> Trusted). I have to manually add sites to the whitelist through the options menu.

  74. #74 PM says:

    Giorgio:
    #50 I wrote, this is still bad on 23" monitor.

  75. #75 GG says:

    Hi, what is the purpose of the "Match HTTPS content only" toggle? In what situation do we use it?

  76. #76 oldguy says:

    truly settings "sometimes" not saving with "classic" 5.1.8.1, i tick "show" to context menu, allow temp, revoke temp, then click OK and some like "show recently blocked", "mark as untrusted" and others aren't saved. haven't spent too much time in reproducing it. next up clean reinstall of everything.. 2 days+
    the 10.x is not backward to FF56 right? i don't like at all the "either click and allow all or click again and block all" behaviour, somehow this was not the case in the prev.. would like to keep sticking with NS but without a big change from the old gotten-used-to.
    on the other hand i do have the option to just turn from the web ;) lucky me.

  77. #77 George Hazard says:

    I still get the pop-up regarding XSS, even after the new update but only on one website. I can get it to go away after several attempts but it doesn't stay that way for long.

  78. #78 Victor says:

    The window NoScript for me doesn't have scrolls and doesn't fit all the scripts found on page. Thus can't see what else should I enable/disable. https://yadi.sk/i/zMK3uLCm3QSnci - screenshot

  79. #79 Nobody's Business says:

    I've been a loyal NoScript user for years; however, when I enable it now, my browser performance goes into the abyss (trust me: it takes a lot to overwhelm 3.6GHz and 24GB RAM) and the content of every tab turns black. Also, when I want to adjust my preferences and manage my sites (accumulated from several years of using NoScript), something as simple as deleting a site from the list isn't obvious (giveway: I cut my teeth on Mosaic, so I'm not a newbie). I can adjust to new UIs, so that's a non-issue, but an unusable app or extension is untenable.

  80. #80 allan says:

    I am patiently waiting for improvements and am sure giorgio and helpers will get there, but this seems really buggy .. when I open and get to "noscript options page" it seems to list all my old whitelisted sites but this page freezes my browser .. I can close it and reopen the browser but it takes a long time. Some sites I am clicking tempo allow all again and again but they will just not load or take forever to load.

  81. #81 LREKing says:

    Like so many, I've been using NoScipt for quite some time, and also like so many, I have found the recent rebuild to be essentially unusable.
    There are some people who just want to get into their cars and drive (most of us), and there are some people who want to tear their engines apart to see how they work (fewer of us).
    As far as I can tell, you have made the typical programmer's mistake of creating for the mechanic rather than the driver.
    The awful decision regarding the red/green color issue aside, I cannot for the life of me figure out how to use NoScript any more. Yes, I probably could spend half a day at various sites learning it, but I don't have time for that. Properly written, the basic NoScript should just _work_ in a clear concise way.
    What I want is to go to a site, temporarily allow all script needed to make the site work, use the site, disable the scripts (a timer would be useful) and then leave.
    I appreciate all the hard work that goes into the constant uphill battle of what you're doing. Really, I do. But it's all for naught if fewer people use NoScript. Also, I should point out that you will get the bulk of your feedback from mechanics, not drivers. When most drivers find the app too annoying to use, they will simply sigh, shrug, and delete it, and you will never know.

  82. #82 J says:

    To all whiners and bashers, Giorgio is providing a FREE software for all of us to use and protect ourselves. No one forces you to use NoScript, if it doesn't work for you or if you don't like it, DON'T use it. A lot of developers left the great projects because of you folks who endlessly complains and feel a sense of entitlement for a FREE service.

    I figured out how to use NoScript 10 in about 15 minutes, yes it's not perfect as we're all accustomed to NoScript 5, but the new UI and functionality is still very easy to pick up.

    My sincere appreciation to Giorgio for keeping NoScript alive with all the changes in Firefox 57! Thank you!

  83. #83 Gill says:

    #80

    Here we go again: another "it's free so they can do whatever they want" argument.

    What about all the people who donated? Screw them, right?

    And STDs are often free - why don't you go ahead and get some? Free things are great, right? Sleeping on the street is often free. Go find a curb and have a nap.

    I'm sick of seeing the "free" argument. Free does not imply useful or good. And a lot of people donated to NoScript based on what it WAS, not what it IS. That's an important distinction.

    I can create something free but it doesn't mean anyone will want it or should donate to me based on it. People donated because, like myself, they were amazed by how amazing NoScript WAS. Now people are frustrated and leaving because of what it has become.

    What Giorgio created was useful and amazing enough that a lot of people are upset and what has happened with NoScript 10. But why don't you sit on your soap box perched on your ivory tower and tell us more about how stupid, ungrateful and wrong we are for not liking what's been handed to us?

  84. #84 Giorgio says:

    @Gill:
    If you like NoScript "as it WAS", i.e. NoScript 5 (and perhaps donated for it), you'll be happy to hear that it's still there and I've even updated it multiple times this week. Not an easy feat, BTW: AMO admins told me I'm the only author actively maintaining both a legacy and a WebExtension version and parallel updates were completely untested.

    https://noscript.net/getit#classic

  85. #85 Sylvester Riel says:

    Thank you for this wonderful extension I am finding the new version confusing but I am learning. I have a question. I can't seem to get it to work.

    I have set googleapis.com as trusted. Why does it not automatically set maps.googleapis.com and ajax.googleapis.com to trusted as well? ..googleapis.com doesn't even show as an option to trust when I click on the noscript icon.

    Any advice would be greatly appreciated. Thank you.

  86. #86 Gill says:

    @Giorgio:

    I'm aware and I thank you for that. You've done a lot of good in creating NoScript. And the fact that you're still updating the old NS is commendable.

    My ire wasn't directed towards you. I'm very bothered by the "free" argument, as if something being free directly relates to its quality. It doesn't. NoScript is free and desirable; being run over by a diesel locomotive is also free but not desirable. Free =/= good.

    The reason people donate to you is because they like the free thing you've put out and want to a) show their appreciation and b) help to ensure you continue keeping it current and usable. That latter part is really important because essentially it's payment for work getting done.

    Anyway, NoScript 5 was great. Almost everyone agrees on that point. NoScript 10 is, at best, questionable - this is evidenced by the fact that there are many disagreements on it (far more than NS 5). And all I'm saying is that the fact that it's "free" should not factor into the argument of whether or not NoScript 10 is worthwhile EVER. As outlined logically above, it is NOT relevant.

  87. #87 Fred says:

    Please fix the xss pop up routine so it learns. I click always block and the next time I visit the same site, I have to redo the same xss pop ups for the same sites. Makes browsing worse than ever!

  88. #88 Peter 123 says:

    Giorgio, many thanks for all your phanatastic work and all your efforts.

    But after reading your above post I see that my impression was right:

    You mixed inevitable changes (caused by Firefox Quantum) with modifications that were not absolutely necessary (now).

    This was for many users an overkill. (For me too). I have also written about it in the Forum: https://forums.informaction.com/viewtopic.php?f=8&t=24124

    By no means I criticize your work. On the contrary! I appreciate it. But the timing was not good.

  89. #89 Marc says:

    XSS popup is hell. Allowing all requests doesn't help, it pops up again and again. Is there an option to switch it off completely, or to treat it like other allow/deny requests in the menu dropdown?

  90. #90 Giorgio says:

    @Fred,
    @Marc:

    You should be able to select "Always block" or "Always allow", and your choices should stick across sessions (there was actually a bug making NoScript forget about them when you closed the browser, but it's been fixed in 10.5.1.6).

    If that doesn't happen, could you please point me out to a reproducible test case? Thanks.

  91. #91 wa1975 says:

    Still not working with FF57 on my Android 7 tablet. No settings are visible and therefore some sites can not be used the way i want it. Everything is blocked and i can not change it. After version 10.1.2 (which i still use) noscript is useless for me.

  92. #92 Graham says:

    Re: Giorgio's info (#82) on how the old NoScript is still available is excellent news. As someone's who donated twice in the past, and who hopes to again in the future, I'd sadly just about given up. And btw it's a shame that many folks will not have seen this hackademix page and will be blaming Giorgio when it's not his fault. In the general scheme of things I guess it's nobody's fault really.

  93. #93 John says:

    Hi there!
    How it is possible to forbid meta-redirection?
    How it is possible to forbid/allow scripts, which are dependent on the particular one? I mean, if I allow google, then I want to allow/forbid other scripts to which google refers. Such option was in the nice old add-on, just forgot how it was called.
    And thanks for your excellent add-on. Hopefully, I'll get used to its new interface.

  94. #94 Bill Johnson says:

    What does "Match HTTPS Content only" toggle do???

  95. #95 Bencyc says:

    How do I get an image of a page settings? (As in the beginning of this section)

    When I try with various software the setting image disappears immediately when I
    click the screencapture software.

    I would like to pass on some of my settings.

    Using Ff 57 and Ubuntu 16.04.

  96. #96 Giorgio says:

    @John:
    Both the options are not ported yet, but they will be sooner or later (the latter made much simple to do than before).

    @Bill Johnson:
    If green (locked), the toggle makes base domain entries (e.g. "google.com") match themselves and all their subdomains, but only if their protocol is HTTPS. Otherwise both HTTP and HTTPS match (which has bad security implications especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy).

    @Bencyc:
    In order to let the WebExtensions' popup stick, you need to open about:config and set the ui.popup.disable_autohide preference to false.

  97. #97 Wolfgang says:

    Can I have my donation back? I´m not good in english and there ist nothing easy to understand. "I'm truly sorry for, is me not having found the time yet to write any proper user-oriented documentation for NoScript 10" is a bad joke. Interesting - all scripts works on new websites. There have been times everyone could see that no script was in "dangerous" mode. I didn´t change anything. Nice update... And the extrem popup xss warning - do you want us to do fingersport? How often shall I click "Always block...". Yes my english is bad, but I know what always means. Not that, what noscript interprets. Shurely there are reasons for, but why must I click 5 times and more that no Info (on the same site) about facebook doesn´t appears any more? So please make it as easy to understand as it was. Translate the information and I will give again a donation. First time I´m really disappointed about this product.

  98. #98 Jon says:

    Are permission settings not saving for anyone else? Every time I change one to Trusted, it reverts back to Default later whenever I reopen Firefox. It was working just fine until a few days ago.

  99. #99 Giorgio says:

    @Wolfgang:
    just email me your Paypal address and I'll refund your donation.

    @Jon:
    The TRUSTED preset is temporary (big solid clock) by default, just click on the clock (it fades away) to make it permanent.

  100. #100 asdf says:

    Hello Giorgio, first of all thank you very much for all your dedicated work on NoScript.

    I have been using NoScript for years and feel quite naked in Quantum as I currently have it deactivated. I understand that the Quantum/Webextension architecture needs to be blamed for the new menu which is quite disliked by me and many other users I am afraid.

    I have been looking at a lot of alternative addons since Quantum was introduced. One of the new(?) addons I run is undoclosed tabs which serves as an insufficient replacement for TabMixPlus, not intended as complaint though. Yet this addon actually offers a menu similar to the classic NoScript on rightclick, maybe it could serve as an inspiration for an alternative NoScript menu, similar to the old one?

    Sorry if my ignorance regarding coding is too big, but maybe you could take a look at https://github.com/M-Reimer/undoclosetab

    Anyway, thank you once again for your continued work on NoScript :)

  101. #101 Sylvester Riel says:

    "I have set googleapis.com as trusted. Why does it not automatically set maps.googleapis.com and ajax.googleapis.com to trusted as well? ..googleapis.com doesn't even show as an option to trust when I click on the noscript icon." from #83

    How about this?

  102. #102 nowe20 says:

    "ones who know better about recent history of Firefox and of its add-ons ecosystem [...] the UI couldn't stay the same simply because"

    OK, but changings in the GUI api-system should be 'betterment'.
    The new GUI for addons looks more .....artistry?
    Mozilla decides and all users/programmers must suffer; especially the users.
    I will miss the good intuitive legacy GUI in the new FF.

  103. #103 Eric says:

    Your new UI is pure cancer. I've moved to umatrix. Umatrix's UI HELPS YOU figure out what to unblock to get the things you want working, working (e.g. video playback, comments loading, embedded content loading).

    Your new UI takes minutes instead of seconds. You need to completely rethink your UI rewrite. Focus way more on usability and the feedback the user needs in order to get the bits of a page he wants to work while still blocking the insidious crap.

    Just copy Umatrix if you can't see a better way.

  104. #104 Jon says:

    @Giorgio
    I see what's happening now. By default, when I first set something to Trusted, it's temporary. I changed a bunch of permissions to Trusted and it's doing it for all of them. Is this a recent change? If so, I'm not sure it's a good one. The alignment of the Trusted button also happens to practically overlap the Temporarily Allow clock icon.

  105. #105 Subhasis says:

    The one feature I am missing in the new version of noscript is the ability to stop all scripts midway. In the past I could STOP all scripts from running with the click of a button. But in the current version, if I click "revoke temporary permissions" the page instantly goes blank. This happens because the current version of noscript cannot stop script from running. it can only stop scripts from loading.

    In my opinion, not allowing scripts to load is a pointless rfeature because most modern websites do not even load (I get a blank screen) without scripts.

    I am not saying the current version of Noscript does not add anything vital. The ability to selectively load scripts is very useful, and that is why I used to keep umatrix running in parallel with noscript. However, theonly feature that both umatrix and ublock origin lack is the ability to stop scripts mid-execution. That is why I sued to have noscript in the first place. Please add the ability to stop scripts midway if possible. If not, please continue to develop classic noscript for Pale Moon.

  106. #106 punny says:

    I hope the old Design will come back soon. We all know it was better. :(

  107. #107 Subhasis says:

    It seems that Noscript had lost its touch long before NPAPI fallout. Right now I am using the classic version 5.1.8.2 in Pale Moon, and it is allowing scripts to slip through it even when it is set to block everything. What is happening?

  108. #108 Subhasis says:

    Okay I just discovered what is happening. I just tested this by disabling JS from about:config. It is not Noscript that has deterriorated, it is the web that has advanced. Noscript cannot help us anymore.

  109. #109 Giorgio says:

    @Subhasis:
    NoScript does prevent scripts both from loading AND from running (e.g. if they're embedded in the page, hence no extra loading would be needed).
    Could you show me exactly what you're observing and where (by email, maybe)?
    Perhaps what you're seeing is annoying (like some kind of CSS-only animation) but not a script and definitely not a security threat.

  110. #110 Tarja Halonen says:

    @Giorgio

    Ready to release the mobile version?

  111. #111 Tim says:

    Thanks for all the work you're putting into this. Now, in the FAQ it says that I can change how the XSS information is presented in Noscript Options|Notifications|XSS preference but there is no notifications option in the options...?

    Also, NoScript seems to still forget the XSS preferences (always allow / block) in some instances even after the update. IMDB -> Facebook is such an example for me.

  112. #112 Giorgio says:

    @Tarja Halonen:
    Nope, I'm starting to actually test what's wrong on Android this very afternoon.
    I've been very busy with the XSS filter, both in the Quantum and the Classic version: in facts, I've just released 5.1.8.3 and 10.1.5.7, the latter also restoring Export and Import functionality, backward compatible with NoScript 5 formats (both textual lists and JSON preferences).

    @Tim:
    Unfortunately the FAQ applies almost entirely to NoScript 5 "classic" only.
    I still need to figure out a way to sanely support both in documentation until June 2018, when NoScript 5 will definitely be phased out together with Firefox ESR 52. In the meanwhile I should probably set up two separate sites, but I'm giving priority to 10 vs 5 feature parity first.

    Regarding XSS warnings on IMDB, could you please grab latest dev build from https://noscript.net/getit#devel and send me the actual details (they can be copypasted) from the XSS prompts you get? Thanks!

  113. #113 RayG says:

    Can I echo thanks for the work you put in on NoScript. One problem I have is that when I hover the mouse over the NoScript Icon it tells me how many items (Scripts/Fonts etc.) are on the page and how many have been allowed. What I cannot see at this point is which of these is required from which site. This makes it difficult to see which sites I should allow what on. Is it possible to list the sites in some order of priority or indicate in some way what is being requested for each site.

    I have also not yet worked out what the "Brown" coloring means when you look at some custom tabs.

  114. #114 q says:

    It looks ugly and absolutely not like the old NoScript.

  115. #115 Jim says:

    Great, dedicated work Giorgio, thank you.

    The Default icon comes with Frame, Fetch and Other enabled for all sites. Is there a reason those are initially globally trusted? Having all of the Default entries explained in the guide would help.

    Is it possible to have a larger NoScript window so that sites with more than 20 entries don’t have to be scrolled to be completely seen? Thanks.

  116. #116 Oliver says:

    maybe a suggestion for better readability: If possible sort the domains in the pop up not in alphabetical order but in order of the permissions. Trusted, untrusted and default. It seems easier for me to read because I can focus then on the permissions itselves (don't even look at trusted domains but check directly under default section for example) and not first on the domain and examine then which permission it has and go so on to the end of the list. It serves a better and faster overview in my opinion. Maybe also color the sections directly in light green, yellow and red... Think about it ;-).
    regards
    Oliver

  117. #117 FranL says:

    Giorgio wrote this about the "Match HTTPS content only" lock icon:

    "If green (locked), the toggle makes base domain entries (e.g. "google.com") match themselves and all their subdomains, but only if their protocol is HTTPS. Otherwise both HTTP and HTTPS match (which has bad security implications especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy)."

    Does this mean it is best to change the lock to green/locked when the domain name is red (meaning it is accessed via HTTP and/or HTTPS)?

  118. #118 Langenscheiss says:

    @Giogio:

    The "set top-level domains to TRUSTED" option makes my extension work again. Can you comment on what exactly this does (I have an idea of course), and how save it is to use it?

    Thanks!

  119. #119 Shaun says:

    When I try to update to v. 10.1.5.7 Firefox warns me that updating means giving permission for NoScript to "download files and read and modify the browser's download history".

    Presuming that this is genuine and intended, why does Noscript now require such permissions?

    I trust you Giorgio, but that sounds quite a serious permission to grant without understanding why. I imagine it might put off others too who may not go to the trouble of asking you what's behind it.

    Thanks for the essential addon,
    Shaun

    ps Thanks too for your help with my comment #11 above, which resolved my issue (seemingly shared by several other people too!)

  120. #120 Giorgio says:

    @Jim:
    Those are the permissions "unknown" sites already had by default in NoScript "classic".

    @Langenscheiss:
    Whenever you open a new document, the "main" site (the one you can see in the navigation bar) gets automatically set to the TRUSTED preset until the end of the session, while 3rd party scripts are left with the permissions they have. What's the broken extension, again?

    @Shaun:
    WebExtensions cannot interact with the local filesystem freely as "legacy" add-ons do. The download permission is required to "download" the exported configuration (i.e. for you to save it on your disk).

  121. #121 Langenscheiss says:

    @Giorgio:

    I am talking about my own extension (which I have most recently moved to AMO with my name, so you can find it ;)), and any other extension that is using xhr in content scripts (Zotero apparently, at least judging from what I have seen in your support forum).

    Thanks for your explanation, that is what I expected, and is enough to fix the problem.

    On a different note: I am surfing/developing on Ubuntu 16.04 with Firefox 57.0.1, and your option page is really sluggish on this setup, and sometimes even crashes the browser. Works fine on my windows 7 machine though.

  122. #122 Sylvester Riel says:

    May I know why you are avoiding my question? I did not think it was offensive in anyway. If you do not wish to answer it, at least let me know.

  123. #123 Giorgio says:

    @Sylvester Riel:
    Sorry, I've just missed your question, twice it seems :(
    On the other hand, for me (and the wonderful staff of volunteer moderators there) it would much easier to give support and answer technical answers on https://noscript.net forum ;)

    Anyway, the answer is pretty simple, even if a bit counter-intuitive: Google managed to make googleapis.com be listed as a "public suffix", i.e. just like ".com" or ".co.uk", in order to provide better insulation to wildly different APIs, which are also presumably developed by different team which not necessarily trust each other or know every single security implication of each API.

    Therefore "maps.googleapis.com" and "ajax.googleapis.com" are considered two different top-level domains, and not - as you might assume without knowing the details above - two subdomains of the same googleapis.com TLD.

  124. #124 Tarkus says:

    Previously, I could open a list of all the rules noscript had, select them all and delete them, so that noscript had default rules for every site. Is there any chance of restoring this capability now?

  125. #125 Sylvester Riel says:

    Thank you!

  126. #126 Richard says:

    Firefox 57.0.2 (64-bit) Not blocking popups and no longer blocking scripts.

    Perhaps it is blocking some top level domain scrips but 100% it no longer is blocking other scripts on the site (The ones you actually want to block).

    This is like a must have for me on firefox for many years and I hope its fixed soon right now its just unusable and does nothing.

    I do like the new crosssite tracking block though (if it actually works)

    Appreciate all your work on this addon and hope it becomes useful again.

  127. #127 Nicola C. says:

    Hi,
    how can I remove entries from NS v10?
    I have to delete a huge list of "127.0.0.1" imported from the previous version... thank you!

  128. #128 Michael J says:

    Who'd be a developer? Keep up the good work and don't let us whinging users get you down.

  129. #129 Giorgio says:

    @Tarkus & @Nicola C.:
    ATM the easiest way is exporting, editing them out and reimporting.
    Otherwise you can filter the 127.0.0.1 entries by entering 127. into the text box and set them to DEFAULT one by one.
    Bulk editing capabilities will arrive soon, I hope.

    @Richard:
    Could you please show me an actual site where it happens, even better emailing me your exported configuration? Thanks!

  130. #130 Bryan Bruns says:

    Thanks for NoScript, which I've appreciated using over the years. I have donated. However, I need a simple intuitive way to allow sites to use javascript, cookies, etc., and can't find it in your new interface. So, I'll have to go without NoScript, and maybe check back someday to see if you've come up with something, visible onscreen, contextual menu or wherever.
    Best Regards
    Bryan

  131. #131 Lesley says:

    Thanks for writing this explanation of the new GUI. I wasn't entirely confident with it but it makes much more sense to me now.

    Thanks for your efforts with NoScript over the years.

  132. #132 beachbubba says:

    Love the new NoScript. Excellent work. I'm still getting used to it. But, you did a great job!

  133. #133 Emma says:

    First off, I am glad you are around to let us know about updates and explanations. And I really appreciate that you have been explaining why things had to change. I have been taking it in stride and I'm definitely glad that NOScript is still around.

    Feedback:
    1) I constantly keep wishing I had way to search/sort by feature, for example — so I could see list of all that I have allowed to be in permanently trusted or untrusted position for example. (Ok, I just updated to latest version and noticed an ability to search by site name, so partway there — thank you!)

    2) Sorry if this is a stupid Q: I understand that the green lock is indicating HTTPS only but is it also, OR is there still a function/option to force a certain site to HTTPS - like when I used *.website.* ? Or is that basically also happening with this new green lock toggle? If not, I would hope to see the feature return later on if possible.

    3) May I suggest: I think we need a 2nd way of distinguishing between Temp Trusted and Perm Trusted setting. Because at this point they both share the same word indication of "Trusted". Although I did finally pick up on the distinction with the coloured and faded clock icon, it really could be more and better distinguished between. I would suggest renaming Temp Trusted to Allowed. Thus your 3 presets becoming 4: (DEFAULT, UNTRUSTED, TRUSTED, ALLOWED). I really think this would be a benefit.

    (Also, personally it took me weeks to realize that the clock icon itself was the way to adjust between temp and permanent. I really had thought that there was no-more of a permanent setting for that. So essentially I guess I also wish for there to be more visual indicators that there are other options & how-to.)

    Anyway, thanks for the hard work and for still keeping up with NoScript all these years.

  134. #134 Emma says:

    Another Question: Looking over the custom settings area you have checkbox option for multiple things and then a box for "Other". - What does this "Other" equal?
    (I would say this custom area can definitely be fleshed out with more info & options.)

  135. #135 Giorgio says:

    @beachbubba, thank you :)

    @Emma:
    Thanks for your feedback.
    2) I purposely omitted the function to force sites to HTTPS because HTTPS Everywhere does a much better job at this, by including rules to redirect to different domains/paths when necessary and avoid locks and malfunctioning on sites which have bad HTTPS support. Rather than replicating HTTPS Everywhere (which, ironically, was initially based on NoScript's HTTPS forcing code), I preferred to better surface the "lock permissions to HTTPS" feature, which was previously quite hidden and used mainly by the Tor Browser (where both NoScript and HTTPS Everywhere are built-in).
    3) That's a good suggestion, thank you.
    4) "Other" is the internal "catch all" request type used by Firefox and Chrome to label loads that are not categorized yet (e.g. because specified by a new HTML standard).

  136. #136 Tim says:

    TL;DR all comments

    Bug: clicking on a domain in the NoScript popup sometimes gives a confirmation dialog asking if I want to query the domain at NoScript. Clicking either Ok or Cancel both take me to the NoScript page. When the dialog does not show up, I automatically get taken to the NoScript page.

    The trusted with a clock thing is weird. I'd prefer another clear preset for temporarily allow versus always allow. This save me a click and makes things clearer.

    The UI is very big. I'm on a 12 inch laptop and value my screen real estate. Can you make it more compact or provide some options to adjust the size of it, e.g. reduce the massive icons, text size and drop a lot of the white space.

    Thanks for updating this essential extension for Quantum and all the hard work you put in! Looking forward to the Quantum dust to settle.

  137. #137 DMiller says:

    THANK YOU!

    Great explanation. I couldn't figure out the new permanent/temporary thing until reading this post!

    Basically, you can click the clock to toggle (didn't realize) and when the clock is grayed out, it's permanent (non-intuitive, but now I know, yay!).

  138. #138 Charlie says:

    I despise FF Quantum. So, I upgraded FF to 52.5.x. Now, NoScript doesn't work. Upon attempting to upgrade NS, I find it doesn't work with v52.5.x of FF. Not cool. I hate to abandon NS, but FF Quantum sucks and I won't be forced by my favorite add-on to endure using the slowest browser since IE4.

    So, what is the deal on making NS compatible with FF 52?

  139. #139 Charlie says:

    Addendum to #138 above -- Due to living in a rural area with no broadand providers, my Internet connection is completely cellular based -- and SLOW. Some software that looks for a faster Internet connection times out. I assume that is why Quantum is so slow and unusable - not bc FF is a bad browser.

    Also, NoScript is my favorite Add-On. It has saved me useless data (by blocking ad domains) and given me much protection against hackers/hijackers. Keep up the great work!

  140. #140 Giorgio says:

    @Charlie:
    If you're using Firefxo 52, you need to install NoScript 5 "Classic".

  141. #141 Charlie says:

    Awesome Giorgio! Thank you for supporting FF 52. Best Add-On ever made for browsers.

  142. #142 AC says:

    OK, I tried it again.

    Opening the NoScript options page freezes the browser. Completely unresponsive. Had to kill the browser. Known bug on Linux, apparently. Still not working. Unusable.

    The temporary permissions are also not working. When temporary permissions are revoked, the sites given temporary trusted status appear to retain trusted status permanently rather than reverting to default. This is unexpected and undesirable.

    Back to 52.x ESR.

    I'll try again in week or two and complain more. :)

  143. #143 EpicSlayer7 says:

    to use the internet with out noscript is like doing underwater exploration in your underwear and no air tanks! tho a only have 2 complains, 1 i tried to make Facebook.com and .net blocked and it always seems to pop the crosslink site pop up in crunchy roll and the second complaint is that popup has always allow and such but no always block... also maybe make a separate box with those permissions even if they end up in the "main window" to track them more effectively! this way any one who would put accept or block by accident don't need to search the whole list. also i end up using accept globally in crunchyroll since accepting all sites don't make the video play so some sites even tho all accepted seems to be missed in the list available... and all i want to block on that site is facebook and i never was able to block it even with all the different ways i wrote it(additional to the 2 present in the list!).

    short version, black listing is hard and i want a "always block" choice in the XSS popup!

  144. #144 Steve says:

    First of all - NoScript is amazing. Been browsing with it for years, and have been much more secure for it.

    Like others, though, I'm having difficulty adapting to the new UI. Simple question: What happened to 'temporarily allow' option per script? Do I have to mark a script as trusted - I don't want to do that.. My comment/issue is really the same as #2 which didn't get response: "..the paradigm has changed. I'm used to "allow" rather than "trust". I don't actually trust anything I only temporarily allow"
    Those are my sentiments exactly.

    The bulleted list says only :
    "Temporary allow xyz.com" maps to clicking the TRUSTED preset on the xyz.com row.

    But I don't want to trust it. How do I just temporarily allow it like I used to inthe old UI?

    Please help!

    Thanks Again,
    Steve

  145. #145 S. T. says:

    While I appreciate all the work put forth for this free program, I cant say I am happy with how this turned out. I liked how simple it was to allow and disallow scripts along with the temporary allow script system.

    With the previous system it was so intuitive I figured it out without having to look anything up at all. Now it feels like I need a tutorial just to allow a single script. Why do I now have to jump through hoops when before only two clicks got me exactly what I wanted?

    Its gotten to the point that I am seriously considering straight up uninstalling noscript because its no longer the reasonably simple process to do simple actions.

    I do hope you give those of us who are not entirely tech savvy the simpler interface back, but I understand if you feel like we are no longer worth it as this is a free addon.

    Best of luck,
    S. T.

  146. #146 Jesse P. says:

    @Steve (#144): Clicking on Trust only allows it temporarily, unless you go back and click the little clock symbol/icon on that same item afterward, to make the permissions permanent.

  147. #147 Jeff Creston says:

    I understood the old UI. I have no idea what the new UI is doing. Trying to adjust settings seems to produce an ever more confusing situation. Pages that the old UI blocked now seem to load in full. Hats off to the creators for trying to deal with a difficult problem. But if the old UI did work, was it necessary to reveal this extra complexity?

  148. #148 Jose Cena says:

    This new UI is pretty poor.

    I suspect a new no-script alternative will now pop up with a more simple UI since there is now a demand for it.

  149. #149 Brian Cranston says:

    Thank you for re-writing this great Addon as a Web Extention

    My problem is that the 'Default' setting seems to Allow everything. I want the default to Deny everything until I decide to allow it.

  150. #150 bo elam says:

    Brian #149. To get what you want, untick all boxes for the Default preset. and keep it that way. That will give you a more restricted experience than you had with version 5.

    Bo

  151. #151 Brian Cranston says:

    Thanks Bo,

    The problem with that approach is that you have to go to the (sometimes dodgy) website unprotected the first time you visit.

    Plus, with the old noscript 5.x I would often reset all settings to start fresh. This would no longer be a viable option with the amount I would need to customise after every reset.

    Bri

  152. #152 bo elam says:

    Hi Brian. You said, "The problem with that approach is that you have to go to the (sometimes dodgy) website unprotected the first time you visit."

    I dont think so. Actually, with that approach you are protected more than before, likely a lot more than needed. With this approach (all boxes unticked for the Default preset), I find some webpages that are completely blank, when before they loaded some minor stuff. So, the protection is a few notches higher if you untick all boxes..

    You also said that you, "... often reset all settings to start fresh". If you dont white list or black list sites, I guess that's viable. In you do this, that should give you about the same protection as before with version 5 when you visit dodgy websites. Scripts are not ticked by default for Default, but make sure you dont tick it by mistake. Only Fonts, Fetch and Others come preticked for Default when you reset version 10. That should be about the same level of protection we got in version 5 with default domains.

    Bo

  153. #153 Blargstrom says:

    This new UI is so bloody cumbersome and disgusting to use. It's confusing and everything is so goddamn huge. So you're saying there was _no_ possible way of making it even remotely like the old one instead of this horrible mess it's now? Well, I guess it was to be expected since this quantum release of firefox is pure cancer, so naturally it infects and ruins everything good with it.

  154. #154 dc says:

    I must say it took a few tries to get used to new UI but now, since introduction of "temporary set all top-level sites to TRUSTED" option I prefer the new one over Classic one. Good work, thx!

  155. #155 AC says:

    Re: #138 Charlie says: " I upgraded FF to 52.5.x. Now, NoScript doesn't work."

    You have to first uninstall NoScript, then re-install it. After updating to 52.x ESR (retrograding? whatever) from 57, version 10.X of NoScript is still installed but is non-functional on 52.X.

    To get version 5.x of NoScript (which will work with 52.X), you must remove NoScript and then install NoScript.

  156. #156 Brian Cranston says:

    Thanks again Bo for your help. Sorry, I'm trying to get my head around the new Noscript. I've only just realised where the temporarily allow 'clock icon' is ( next to the word Trusted on the trusted Tab).

    I think I can explain where my confusion is coming from. Starting from a fresh install of noscript, when I visit a site, as you said only frame, fetch and other are pre-ticked for the default tab. This is good although I'll prob untick those too now I know how this works.

    I had been ticking script on the Default tab not realising this was allowing the scripts for every URL listed (not what I wanted). I now realise I have to select the Trusted or Custom tab for the entry I want to allow and then tick script so that it only allows the script for that particular URL.

    I'm back in business :) and feel I have more control than ever now.

  157. #157 Bob says:

    I like the new interface, but it is not intuitive at all. Tapping the clock twice to turn it small is not intuitive at all. I kept clicking it thinking I was approving a script, but the browser kept forgetting. Having to click it twice is odd. It was infuriating to have NoScript seemingly forget what I selected. Maybe four buttons: Trust, TempTrust, NoTrust, Custom. Also -the green/red locks are not intuitive. When I click a lock, it indicates to me that I've locked a setting. This is how OSx/MacOS settings work. So, when I clicked the lock and it turned green, I thought: "Well, OK, now I've locked the setting and it will remember the setting" but it would forget the setting because clicking the clock twice is the "lock"... haha.

    So - now that I know the interface, I like it more than the old interface. But wow, man. It's not intuitive. Great extension though! The best! But maybe you should find a friend who has done interface design and buy him a cup of coffee and ask him to give you some feedback on improving the layout and buttons and text. Even just adding tool-tips so that when you click a button, some text is there saying (for the clock, for example) "Script temporarily approved, click again to permanently approve" or something like that.

    Merry Xmas & etc.

  158. #158 Kuromi says:

    Giorgio, first i want to say want to apologize to people who gives NoScript 1star at AMO blaming you for this change, but in same time i can understand why they so pissed off. First time i seen NoScript 10 i was pretty much WTF too. And i was on Nightly, so i know about things going on and general public arrived to 57 mostly not knowing about that will happen.

    But still, new UI is much less intuitive then it was previously. For example, making some site trusted (temporally) and then clicked again to be trusted permanently...this is not seems logical. And yes, lack of clear "this was this way, now you you it this way" tutorial is not good either. Peoples need to relearn completely and its hurts a lot.

  159. #159 Major Payne says:

    Sorry, really, because I'm sure you had the best intentions, but I had to uninstall this version - UI or UX are awful. This addon was an epic disaster from a usability perspective, and whatever you posted on this Web page for instructions, is horrid. I wouldn't even call it "instructions."

    Wish you the best. Peace.

  160. #160 John says:

    Oh My. These instruction... the confusing UI... the lack of usability....
    I just have to uninstall this addon. It's UI is so intuitive, so un-user friendly, I can' not work it out. (and I even poured over your above tutorial several times.

    Sites just don'e "fully" work, no matter what options are pressed/toggled.
    The Clocks and Padlocks.... ??? WTF is that all about.

    While I apreciate the effort to make such a helpful addon, this could be much better. I'm sorry to be so negative. Please don't take it as a personal hit against you. I'm just talking about the addon.

  161. #161 nomos says:

    it is a hard piece of work to set noscript for a page - unfortunately after restarting the browser the work is gone again - I don't understand the buttons and settings: (

    Isn't it possible to make a setting "Simple" vs."Expert"?

    For most pages, the buttons "Secure" (Permanant) and "I try it" (temporary) are enough for me - the rest can be fine-tuned for experts.

  162. #162 Aart says:

    Hi,
    Happy with the update but 2 small things I'd like to mention/discuss:
    1. why is the 'permanent' a clock? it totally goes against my idea of permanence because i associate a clock with a timer and hence with a 'temporary' trust.
    2. downloads: i noticed that you need to see my downloads (or at least that's what firefox mentioned in the add on permission section)... why do you need download information at all?

    cheers

  163. #163 Jay says:

    Liked the prior version, dislike this new version, because: No explanation of each symbol, or how to use each. No apparent way to delete all or selected history/lines (some are years old). No way to revert to the prior version. This is a change which is not an improvement.

  164. #164 joe says:

    Changes should ONLY be made when/where they are NEEDED. "Allow" is a MUCH more accurate word, in this case, than "Trusted", and it's shorter...easier to fit. When unnecessary changes cause this much confusion, it's got to tell you, that either A)everybody are morons (not the case); OR B) the changes weren't great or even good.

Leave a Reply

Bad Behavior has blocked 721 access attempts in the last 7 days.