Dec 18th 2017 Update

NoScript 10.1.6 reimplements the "Export" button functionality in a more convoluted way, which doesn't require the "downloads" permission anymore though :) Enjoy!


It seems some users are really upset with NoScript 10.1.5.7 asking for an additional "downloads" permission.
This surprised me a bit. Not just because NoScript 5, which everyone loves to praise in order to bash 10, was all-mighty: like any other "legacy" add-on, it could even format your hard-disk, not before having sent all its content to a remote server in Siberia. But especially because they already granted NoScript 10 itself (like all the other content-blocking WebExtensions, including all the popular adblockers) plenty of much scarier permissions, such as the ability to monitor and filter all your network traffic, which I find the scariest of all but, quite obviously, is mandatory for the task you use NoScript for.

Unfortunately the WebExtensions permission prompts don't let authors explain in advance what a certain permission is used for (yet I did provide this info in the support forum since the first release), but for those who couldn't figure it out from the changelog: the "downloads" permission just gives access to the downloads WebExtensions API, which NoScript uses to implement the "Export" feature and let you save a configuration file somewhere on your disk. That's because, unlike "legacy" add-ons, WebExtensions cannot interact with your filesystem directly and so must make you "download" the file.

Notice also that, just like "legacy" add-ons, and unlike Chrome extensions AFAIK, Firefox WebExtensions are still reviewed at AMO by a trusted staff of experienced add-ons developers, whose job is much easier now because of the simplicity of the new API and, guess what?, because of the explicit permissions: the first thing they do with a new version is look at the code differences and check that those permissions are used in a legitimate way. Rob Wu, the reviewer who reviewed 10.1.5.7, even suggested alternate ways to implement the Export functionality without the new permission, but we tried those and they just didn't work.
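The review step described above (diff the permissions between versions, then check how each new one is used) can be approximated mechanically. This is an added example, not code from NoScript or from AMO's review tooling; the two manifests and the source files are constructed samples, and mapping a permission name to a `browser.<name>` namespace is a simplifying assumption.

```javascript
// Added example: list the permissions a new extension version requests
// and show where the matching WebExtensions API is actually called.

// Permissions that grant no `browser.<name>` namespace of their own.
const NO_NAMESPACE = new Set(["activeTab", "webRequestBlocking", "unlimitedStorage"]);

// Host permissions are match patterns such as "<all_urls>" or "*://*.example.org/*".
const isHostPermission = (p) => p === "<all_urls>" || p.includes("://");

// Permissions present in the new manifest but absent from the old one.
function newPermissions(oldManifest, newManifest) {
  const before = new Set(oldManifest.permissions || []);
  return (newManifest.permissions || []).filter((p) => !before.has(p));
}

// Every call site of browser.<permission>.<method> or chrome.<permission>.<method>.
function findApiCalls(permission, sources) {
  const escaped = permission.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`\\b(?:browser|chrome)\\.${escaped}\\.(\\w+)`, "g");
  const hits = [];
  for (const [file, text] of Object.entries(sources)) {
    text.split("\n").forEach((line, i) => {
      for (const m of line.matchAll(re)) {
        hits.push({ file, line: i + 1, method: m[1] });
      }
    });
  }
  return hits;
}

// One finding per newly requested permission.
function auditUpdate(oldManifest, newManifest, sources) {
  return newPermissions(oldManifest, newManifest).map((permission) => {
    if (isHostPermission(permission)) {
      return { permission, kind: "host", calls: [], verdict: "review host access" };
    }
    if (NO_NAMESPACE.has(permission)) {
      return { permission, kind: "api", calls: [], verdict: "no namespace to trace" };
    }
    const calls = findApiCalls(permission, sources);
    return {
      permission,
      kind: "api",
      calls,
      verdict: calls.length ? "used" : "requested but never called",
    };
  });
}

// Constructed sample input: a hypothetical extension, not NoScript's real files.
const OLD_MANIFEST = {
  version: "1.0",
  permissions: ["storage", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
};
const NEW_MANIFEST = {
  version: "1.1",
  permissions: [...OLD_MANIFEST.permissions, "downloads", "cookies"],
};
const SOURCES = {
  "ui/options.js": [
    "async function exportSettings(json) {",
    "  const url = URL.createObjectURL(new Blob([json], { type: 'application/json' }));",
    "  await browser.downloads.download({ url, filename: 'settings.json', saveAs: true });",
    "}",
  ].join("\n"),
  "bg/main.js":
    "browser.webRequest.onBeforeRequest.addListener(filter, { urls: ['<all_urls>'] }, ['blocking']);",
};

console.log(JSON.stringify(auditUpdate(OLD_MANIFEST, NEW_MANIFEST, SOURCES), null, 2));
```

The `method` field matters because one permission covers a whole API: a reviewer can see at a glance which methods of the namespace the code really touches.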

Anyway, if you can't trust NoScript, a component of the Tor Browser (one of the most scrutinized software pieces on the planet by security experts all over the world), with this (modest) power, I wonder if it makes sense even trying to complete the WebExtension migration of FlashGot, which is much more frivolous but completely centered around this ultra-frightening "downloads" permission...

78 Responses to “NoScript and the "downloads" permission”

  1. #1 asdf says:

    If you're in private browsing and noscript opens its xss or clearclick warning windows, the urls of those pages will appear in the non-private browsing's history.

  2. #2 Giorgio says:

    @asdf: are you talking about NoScript 5 or 10? Could you please follow up at https://noscript.net/forum? Thanks!

  3. #3 Andy says:

    Firefox should have add-on devs write brief descriptions of the reasons for each permission as a section on AMO to avoid having to answer these questions.

  4. #4 HigherPower says:

    I trust in noscript! Great job!

  5. #5 Tom says:

    You should have known before: Once you change the GUI, EVERYTHING* is your fault.

    *every(!) thing! Not just any problem -real or imaginary- within your application, or on the operating system or even the actual machine. Everything!! Software on remote systems. their phone, "the internet" in general. their dog, the weather - EVERYTHING.

  6. #6 Tom says:

    UI design has gone downhill across the board - windows 10 is annoying as hell to use - wish I could use linux but software doesn't exist for it. it's being dumbed down for capitalist reasons to sell more copies, widen appeal of computers or have same UI for mobile, tablet and desktop, when it is not suitable for desktop.. i've never had so much trouble with computers than I have in the last 3 years.. and i've been using computers for over 30 years

  7. #7 Wonderw says:

    Giorgio: You are completely right and have my full support!

  8. #8 AlBundy says:

    " it could even format your hard-disk, not before having sent all its content to a remote server in Siberia. ". That's not true, old extensions used to be reviewed.

  9. #9 Anonymous says:

    So now I'm lost, a bit. At first I said "Cancel" (or whatever it was). Then I read the explanation here and decided to allow this right. But where on earth (or just in Firefox) can you manage (or check) the permissions of the extensions? This is not an issue with NoScript but rather how to use the Firefox, but I couldn't find an appropriate answer when googling for "firefox manage extensions permissions". So maybe you know where to look at?

  10. #10 Giorgio says:

    @AlBundy:
    Of course the implication was "if it slipped past AMO reviews". Which, BTW, are still in place for "new" WebExtensions on Firefox (not so for Chrome, AFAIK), so my argument still stands.

    @Anonymous:
    I don't think you can individually give or withdraw permissions to a certain extension. You can only choose whether to install it or not. And at this moment they're mainly a tool for AMO code reviewers to better know where to look first (see above)

  11. #11 Diggi says:

    @Giorgio

    You say that Rob Wu suggested some alternate ways to implement the Export functionality without the new permission, but it did not work. Have you looked into how the export functionality in uBlock Origin works? I have no idea if this is exactly what you've tried already, but if not it might be worth giving it a second look.

    Personally I can partly understand some people's skepticism, some people like to have everything locked down as much as possible to prevent a worst case scenario, BUT I can't understand where the distrust comes from and I find that stupid. As you say, the old extensions could do whatever they wanted and nobody said anything about it. Also, it's as clear as day that you work hard in the best interest for everyone. Keep up the good work!

  12. #12 Langenscheiss says:

    I agree it reads a bit scary at first. But knowing what legacy NoScript could do, I was fine accepting it.

    It's actually also a lot easier for developers. Apparently, if your extension asks for next to no extra permissions, they publish your extension almost immediately on AMO. In case of my own extension, I only demand cross site access from the background for a single website which is known to be completely legit. It took them less than 16 minutes to "scan" and "review" (whatever they actually did).

  13. #13 HUE says:

    #11 Diggi!
    I think uBlock was updated before 57 to Webex and there wasn't the permission asking! So it was saved and is probably whitelisted by the Firefox developers.

  14. #14 lolol says:

    So will Flashgot be migrated to Firefox 57 eventually?
    DownThemAllLite's taking a while, and I don't know how gimped the Lite version for FF57 will be.

  15. #15 AnonymousCoward says:

    For me, the problem wasn't that granting NoScript download permission was "scary" in any way. The problem was that it was unexpected. I couldn't fathom why NoScript would need download permissions. And it seems that it actually doesn't. An export settings feature isn't a download - the settings are already on my hard drive.

    It's regrettable that Mozilla didn't wait until the WebExtensions API was more complete to make the switch. This might have prevented such avoidable problems.

    I hope you will find time to port FlashGot when you're satisfied with the state of NoScript.

  16. #16 AnotherAnon says:

    ^ I agree with AnonymousCoward. I have been using Noscript for a long time, so when I saw that message at first I thought "Has the extension been compromised?" I'm not a developer so even if I wanted to check the legacy source code I would only have limited understanding of how NoScript interacts with Firefox. I made sure to come to this blog to see what was up and now that I've seen the explanation it makes sense. What Mozilla should do (if they don't already) is let the developer on the extension give a full explanation as to why they need access to this or that permission. That way at least you know what you're getting into.

    Thanks for the years of work on NoScript and I hope that there will be many good years to come with it.

  17. #17 Marco says:

    #10 Giorgio : about your response to @Anonymous:
    "I don't think you can individually give or withdraw permissions to a certain extension. You can only choose whether to install it or not. And at this moment they're mainly a tool for AMO code reviewers to better know where to look first (see above)"

    So what can we do now ? I have 1 computer with no permission granted. Does uninstall/reinstall of NoScript work to reset the permissions, and hopefully without losing all the settings ?

    Many thanks for your patience and calm. I suppose ju-jitsu and music must help ;)

  18. #18 aaa says:

    Open the "more" page then "check for updates" in the top combobox.

  19. #19 Giorgio says:

    @Marco:
    Just install it from AMO or https://noscript.net/getit#direct

    Don't uninstall, it would erase your preferences -- it's a new WebExtensions "rule" :(

  20. #20 Elias says:

    Giorgio, thank you very much for the "Temporarily set top-level sites to TRUSTED" feature, now all my old settings work nicely

  21. #21 uwe says:

    @giorgio
    I trust in your integrity all over the years. So I gave you download permissions. However, NoScript maybe doesn't need it. See #11.

    @#11
    Good point. NoScript opens a "Save as" dialog to export its settings. uMatrix and uBO open an "Open file" dialog. In this dialog you can choose between open or save a file.

    @#13
    No, uMatrix and uBlock origin just don't have download permissions. Check the manifest here: about:debugging

  22. #22 IHateIt says:

    NoScript sucks now, uMatrix is better. Work on Flashgot, it's something we actually need.

  23. #23 Anonymous says:

    @Giorgio #9, #10, #17
    In my case NoScript (new version) was already installed, and now it said that it wants more rights. After "Cancel" it was still installed and working, not disabled or so. It seems it still has the previous rights but without the new download right.
    I don't like the all or nothing mentality of these rights systems. And also not the "we make it so easy for you because we know you are stupid".
    To be clear, I'm not blaming you, you can't do much about it. I think I'll leave it in this state, I don't need the download feature. Maybe one day Firefox will be usable again.

  24. #24 Anonymous says:

    When will the keyboard shortcut for "temp allow all this page" be reimplemented? One thing I miss most :-)

  25. #25 Privacy_Advocate says:

    Thank you Giorgio. Great tool for anyone concerned about privacy. It has worked so well that I (we) have taken it pretty much for granted. I suspect that is why so many were surprised by the "downloads permission" request.

    Please keep developing NoScript and FlashGot. Your effort has made the Internet safer. Really.

    -Phil

  26. #26 thoromyr says:

    So... you couldn't figure out how to save settings without the plugin/extension requiring download permissions. This despite the fact that other plugins/extensions are able to do so and Mr. Wu attempted to assist you.

    That still doesn't explain why NoScript needs to be able to modify the browser's history. Or, then again, maybe it does.

  27. #27 IHateIt says:

    Work on Flashgot. Noscript is a lost cause.

  28. #28 chrispy says:

    Thank you! A little exposition goes a long way. I initially feared the NoS10.x% update stream had been hacked! Can't wait for the new FlashGot...keep up the great work!
    Ciao ;)

  29. #29 Matt says:

    Thanks for working on this! The UI is something any long time user would spend time trying out before complaining. I was adaptable but only stuck trying to find "temporarily allow site". Your "nutshell" article clarified it and I appreciate that! The net technology is always moving fast, and its awesome that you're willing to keep chasing it, in the name of privacy and security. Thanks again.

  30. #30 Matt says:

    Plus, many of us just update periodically, and I personally had no advance knowledge about FFX 57, and so I took them both at once, losing other extensions completely, and I suspect other people did this too. Too much confusion trying to digest all at once. Thanks again.

  31. #31 red says:

    thanks for your work, don't listen to the haters :)

  32. #32 Rob says:

    Just as a question, what has happened to the "audio feedback when scripts are blocked" option in NoScript 10? It can be a really useful reminder to let one know when tabs are trying to reload themselves and things.

  33. #33 Rob says:

    NoScript is not a lost cause! The new version has problems, especially with the changes to the interface (where have all those options from NS 5 gone), but they can be overcome. As for permissions, it comes down to trusting NoScript with them or trusting the javascript, iframes and who knows what else from countless sites including ad networks which sell space on popular pages to other ad networks who then re-sell that space to shady drive-by download virus authors. I trust NoScript, I think I ALWAYS will, I know I'll never trust the multitude of scripts that get so happily scattered all over webpages.

  34. #34 Marco says:

    #19 Giorgio :
    "Just install it from AMO or https://noscript.net/getit#direct

    Don't uninstall, it would erase your preferences -- it's a new WebExtensions "rule" :("

    Thank you. It's done, all computers are OK now.

  35. #35 PM says:

    FF Quantum's the number of users is increasing:
    https://www.cnet.com/news/firefox-quantum-browser-downloads-increase-pc-and-mobile/
    If you see the site, please click the Noscript icon and you will see two rows instead one.
    Please make redesign versions and we will vote.

  36. #36 Harald der Zweite says:

    NoScript stops syncing when there are too many sites allowed.
    See also here https://bugzilla.mozilla.org/show_bug.cgi?id=1425019

  37. #37 Anonymous says:

    Please don't let the haters get you down, Giorgio. You are performing an extremely valuable service, and don't let anyone tell you otherwise.

    Noscript was literally the first plugin I worried about after the update. The first.

    Flashgot was the second.

    I'm thrilled to have Noscript again, and I can't wait to get Flashgot again.

    Please don't second guess yourself or get discouraged.

  38. #38 asdf says:

    @Giorgio: NoScript 10. The noscript addon inserts:

    moz-extension://GUID/ui/prompt.html

    into the history list while in private browsing.

    I don't think the proper solution is to have "incognito: true" to browser.windows.create(), I think there should be a "remember: false" to ignore history.

  39. #39 Kuromi says:

    "like any other "legacy" add-on, it could even format your hard-disk"
    And how exactly can it do that? Especially without root rights and with proper user capabilities set. Sorry, but all that "Old addons can burn your PC, use WebExtension" sounds like a sorry excuse to force WebEx on people by Mozilla.

  40. #40 Alex says:

    Ok, I got it, allowing downloads is required, but... What about "edit download history"?

  41. #41 uwe says:

    #37
    As far as I know the ability to edit the history is included within the download permission. So it is not an extra permission. See the manifest about:debugging and the API: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/downloads -> downloads.erase().

  42. #42 Giorgio says:

    @Kuromi:
    Whatever the user of the browser could, the extensions could. Not that I was bothered about that, they were substantially better than most applications people install: they came as JavaScript source code, instead of opaque binaries, and each of them was reviewed by an editorial staff of human experts (as today, BTW).

    @Alex:
    Unfortunately that's just one permission for all the download manager API. Certainly not my choice.

  43. #43 Oliver says:

    For me rc2 did it so far! ;-)
    Performance and rendering issues with my Linux installation are fully gone. Maybe thanks to the new icon set. Icons are larger and I personally like it. Everything runs smoothly as it should!

    regards Oliver

  44. #44 FLaura says:

    The main question that nobody is asking.
    What data or information, if any, is getting sent to the noscript devs or to any other location or web site during web browser use? NOT talking about known options such as post-update install release notes or similar. Is NoScript phoning home at all without the users knowledge?

  45. #45 Giorgio says:

    @FLaura:
    Nope.
    NoScript Privacy Policy.
    (notice that it applies to 5.x and below. NoScript 10.x doesn't even have ABE, and thus WAN protection, enabled yet).

  46. #46 Phaete says:

    Any chance on getting an option to block noscript tagged redirects?

  47. #47 Francesco says:

    Latest version (10.5.1.8) seems to work on Android too. Thanks!

  48. #48 NoTwo says:

    A last comment, i read
    "- Kill the Default mode, because NoScript users know what's the default: "UNTRUSTED""

    I would agree. On the other hand, i just deleted my previous settings to default and set all trusted to untrusted and wanted to build up a new more complete settings structure.

    My problem now is this "...Site.Domain" - how the hell i could find out "who" requested "what"?
    I see that red filled areas are actual those "what" issues, but how can i configure these without seeing "who"?

    BTW. i don't and never ever will trust google & co! Too bad people depend on by using all their stuff like captcha generating and other stuff, that's why i want to reduce as much as possible, also helps speeding up browsing many times.

  49. #49 NoTwo says:

    Adding to my last post, there should be a temporary history per tab or window, resetting automatically when closed or doing manually.
    As i understand the problem, if a website is loaded but doesn't get rights to do stuff, loads other site, but noscript just forgot about what the initial "stuff" request were.

    Hope this makes sense in some way.

  50. #50 NoTwo says:

    As example try to get gmx.de running at lowest count of enabling stuff, i'm currently inside my freemail account, blocking all ads, having 17 blockings, even more counting the "forgotten" ones.

  51. #51 NoTwo says:

    Another problem, noscript-quantum locks up my firefox on a regular basis since release, using FF for Linux Mint (no difference between just opening config or scrolling the table/moving mouse over entries)

  52. #52 Oliver says:

    in the .9 release there is in the pop up on certain sites a line break which causes the custom icon to appear in a second line.
    everything else: working great ;-)

    regards Oliver

  53. #53 Markus44 says:

    @Oliver (#48):
    This occasional line break is nothing new, happened with earlier versions, too, when one of the URLs on a specific page is veeery long, AFAICS.

    _Almost_ "everything else, working great ;)", because in 10.1.5.9., EXPORT on the options page doesn't work anymore. Just a little glitch that will be fixed very soon, I'm sure.

    I love the new NoScript even more than the old one!
    Thank you so much for your tireless and excellent work, Giorgio!

  54. #54 Oliver says:

    @Markus44: yes I see. Maybe I was not clear enough. It is just the linebreaks were not there in the .8rcs versions before for this particular site and the probably responsible domain is not so extremely long. It seems to me that the horizontal scrollbars are missing now. Another point is that all 20 shown entries for this site are wrapped. No matter if long or not.
    Export problems are not nice but do not bother me at the moment. Do not want export something ;-)
    regards Oliver

  55. #55 OldMoz says:

    @Giorgio,
    Baulking at any explicit permissions - or any other of the changes mozco's introduced so carefully and transparently - not ;) - to its NS users isn't a sign that your user base lacks trust in you.
    It's a sign that they lack trust in mozco's new code.
    I believe you yourself will be doing a lot of double duty with these initial truly beta Firefoxes - establishing trust more in mozco than in our beloved NS.

    It's going to take a little longer for many to come to appreciate just how much less access to browser function the new Firefox is prepared to give to anyone.
    Binary choice now: Trust mozco. Don't trust mosco.

    All those scary looking long permissions lists are basically what Gecko did mostly under the hood anyway.

    Thanks for NS and FlashGot. I run this ESR alongside 57 precisely so FlashGot can get all those annoying short clips that webmasters seem to think just *make* a page these days. The only way
    many of them *make* a page is to *make* it slow down to a mangled mess. NS as the gateway for those embeddings combined with FlashGot makes browsing on a low bandwidth connection entirely bearable.

  56. #56 Anonymous says:

    @Oliver (#50):
    I have the same problem, menu breaks - there's sample site news site: http://apollo.tvnet.lv/

    Really hard to pick entries when list is like that - it becomes very long.

  57. #57 Markus44 says:

    re #49 (export broken)
    @Giorgio: Export feature functional again in version 10.1.6, thanks a lot for the new implementation that doesn't even require the "downloads" permission!

  58. #58 Markus44 says:

    re #48, #49
    @Oliver: Seems the line breaking of the CUSTOM settings icon has also been fixed in 10.1.6?
    I am not entirely sure since I don't remember which sites I encountered it on, but looking closer I now see the URL part, if somewhat longer, breaks, but the CUSTOM settings icon stays in line in the example I have before my eyes. Excellent!

  59. #59 Markus44 says:

    re #49, #50
    @Oliver: I just have another example with 10.1.6 where the longish URL doesn't break but neither does the CUSTOM settings icon, since the horizontal scroll bar is back. That's also OK in my book. :)

  60. #60 PM says:

    re #54
    I wrote three times this error since 6 December.
    The 10.1.5.5 Noscript button not works well on this site (the window too big).
    https://www.cnet.com/pictures/the-best-tech-gifts-for-2017/?ftag=CAD-04-10aac3a&bhid=

  61. #61 yellow says:

    Thank you for the hard work Giorgio.
    He gave my opinion that the original design of the add-on was better. Now the icons are too large. Can they be reduced?

  62. #62 Oliver says:

    in .6 the line breaks are gone.
    Export works on windows but not on ubuntu. On linux a white page appears and does not stop loading. No save-dialog comes up as in windows.

    ;-)
    regard Oliver

  63. #63 IHateIt says:

    hey how about you dump your trash addon Noscript and work on something actually useful like Flashgot. Noscript is obsolete and poorly designed compared to uMatrix.

  64. #64 HigherPower says:

    @IHateIt

    How about you go f**k yourself?

  65. #65 NoTwo says:

    @IHateIt:
    OMG, this is "freeware", take/use it or leave it, or make your own addon.
    Such statements are not helpful nor saying anything.

    @yellow:
    "Now the icons are too large. Can they be reduced?"
    I agree, felt like having a magnifying glass on ;)

  66. #66 NoTwo says:

    Btw. @Giorgio: wishing wonderful and relaxing holidays, use the free time. :D

  67. #67 NoTwo says:

    ...and before getting misunderstood, use the time with family, not NoScript ;)

  68. #68 yellow says:

    Peaceful holidays and a successful New Year. :-)

  69. #69 Anonymous says:

    Hey, I was wondering if you could add the option to turn off automatic reload?

  70. #70 Ré says:

    Hey Giorgio,

    It's been a real gem, this NoScript, in the wake of predatory Web sites and scripts especially in recent years. It's a one man show and one cannot appreciate it enough. two things:

    1) What's the matter with LinkedIn? I am not being able to open it when NS is enabled lately that I tried to check it. As expected, I'd like it open with the "minimum"est privileges...

    2) The UI for recent Quantum version kind'a sucks... sorrry buddy! In which usable format I can share an idea of me, hopefully u may find it useful to deploy?

    keeep kick'in (pls!)

  71. #71 Giorgio says:

    @:

    1) Linkedin: all you actually need to set as TRUSTED is ..linkedin.com and ..licdn.com.

    2) my email address is on the top right of https://maone.net/

  72. #72 pc says:

    hi i must install NoScript Security Suite from mozilla or download NoScript from this link?
    https://noscript.net/getit#direct

    what is difference between them? thanks

  73. #73 Giorgio says:

    @pc:
    It's the same as the one on AMO.
    On https://noscript.net/getit you find also shortcuts to the "classic" 5.x version and the development builds.

  74. #74 Fritz says:

    Hi!
    I am using NOSCRIPT since forever, but I really struggle with the 10.x release for FF quantum.
    The add-on has just become un-reliable and I am very often not able to get a website to work.
    just ONE example: https://www.nintendo.de/Spiele/Nintendo-Switch-Download-Software/Flip-Wars-1241038.html
    I'm not able to get the price displayed which is supposed to be shown below the picture on the right. Looking at what NOSCRIPT offers to me, no further nintendo server is blocked. Only the doubleclick.net servers...even if I enable those the page does not display the price and beyond that the font on the right is also not shown correctly.

    And this is just one page where I am not able to get to a state that I am able to get displayed what I am looking for.

    I never really had this issue on the old 5.x version.
    I would love continue using noscript, but I'm not sure I will...

    Would be great to get a feedback...

    But in general I really appreciate your work Giorgio over all the years!

    Regards,
    Fritz

  75. #75 Giorgio says:

    @Fritz:
    The best place to receive support for stuff like that is the NoScript support forum.
    That said, from what I could see on a default NoScript installation you need the following domains to be TRUSTED:

    • nintendo.de
    • nindendo.net
    • nindendo-europe.com
    • nindendo.com (this one appears in the list only after you allowed the others and reloaded the page, but it's mandatory for the price to appear).

    Look at the screenshot for reference: nintendo-8.png

  76. #76 Seu_Aba says:

    Hey, Giorgio,
    Thank you so much for the software and all.
    Have a blessed and prosperous life!

  77. #77 Larry says:

    Can you change the background colour to match Windows?

  78. #78 Giorgio says:

    @Larry:
    Not sure what you mean: are you talking about adapting the popup's color scheme to the theme currently used by the OS? Not sure there's a consistent way to do that, since in WebExtensions we're limited to Web APIs (HTML) for the UI.
    However, please follow up in the forum.
    Closing comments here, since the download permissions is not needed anymore :)
