NoScript and the "downloads" permission
Posted by: Giorgio in WebExtensions, Mobile, NoScript
Dec 18th 2017 Update
NoScript 10.1.6 reimplements the "Export" button functionality in a more convoluted way, which doesn't require the "downloads" permission anymore though :) Enjoy!
It seems some users are really upset with NoScript 10.1.5.7 asking for an additional "downloads" permission.
This surprised me a bit. Not just because NoScript 5, which everyone loves to praise in order to bash 10, was all-mighty: like any other "legacy" add-on, it could even format your hard-disk, not before having sent all its content to a remote server in Siberia. But especially because they already granted NoScript 10 itself (like all the other content-blocking WebExtensions, including all the popular adblockers) plenty of much scarier permissions, such as the ability to monitor and filter all your network traffic, which I find the scariest of all but, quite obviously, is mandatory for the task you use NoScript for.
Unfortunately the WebExtensions permission prompts don't let authors explain in advance what a certain permission is used for (yet I did provide this info in the support forum since the first release), but for those who couldn't figure it out from the changelog: the "downloads" permission just gives access to the downloads WebExtensions API, which NoScript uses to implement the "Export" feature and let you save a configuration file somewhere on your disk. Because, unlike "legacy" add-ons, WebExtensions cannot interact with your filesystem directly and so must make you "download" the file.
Notice also that instead, just like "legacy" add-ons, and unlike Chrome extensions AFAIK, Firefox WebExtensions are still reviewed at AMO by a trusted staff of experienced add-ons developers, whose job is much easier now because of the simplicity of the new API and, guess what?, because of the explicit permissions: the first thing they do with a new version is look at the code differences and check that those permissions are used in a legitimate way. Rob Wu, the reviewer who filtered 10.1.5.7, even suggested alternate ways to implement the Export functionality without the new permission, but we tried those and they just didn't work.
Anyway, if you can't trust with this (modest) power NoScript, a component of the Tor Browser (one of the most scrutinized software pieces on the planet by security experts all over the world), I wonder if it makes sense even trying to complete the WebExtension migration of FlashGot, which is much more frivolous but completely centered around this ultra-frightening "downloads" permission...
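The review step described above (look at what changed between versions, then check how each newly requested permission is actually used) can be sketched as follows. This is an added example, not code from NoScript or AMO: the manifests and source text are constructed samples, and every function name is hypothetical.

```javascript
"use strict";
// Added example: the manifests and source text below are constructed samples,
// not NoScript's real files. All function names are hypothetical.

// Map a manifest permission to the browser.* namespace it unlocks.
// Host patterns ("<all_urls>", "*://*/*") expose no namespace to search for.
function apiNamespace(permission) {
  if (permission === "<all_urls>" || permission.includes("://")) return null;
  // "webRequestBlocking" only changes how webRequest listeners behave.
  if (permission === "webRequestBlocking") return "webRequest";
  return permission;
}

// Permissions present in the new manifest but not in the old one:
// these are what the browser asks the user to approve on update.
function addedPermissions(oldManifest, newManifest) {
  const before = new Set(oldManifest.permissions || []);
  return (newManifest.permissions || []).filter((p) => !before.has(p));
}

// Find every browser.<namespace>.<member> reference in the given sources.
function apiCalls(namespace, sources) {
  const escaped = namespace.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`\\b(?:browser|chrome)\\.${escaped}\\.(\\w+)`, "g");
  const hits = [];
  for (const [file, text] of Object.entries(sources)) {
    text.split("\n").forEach((line, i) => {
      for (const m of line.matchAll(re)) {
        hits.push({ file, line: i + 1, member: m[1] });
      }
    });
  }
  return hits;
}

// One entry per newly requested permission: where it is used, which API
// members are touched, and whether it appears to be requested but unused.
function reviewUpdate(oldManifest, newManifest, sources) {
  return addedPermissions(oldManifest, newManifest).map((permission) => {
    const ns = apiNamespace(permission);
    const calls = ns ? apiCalls(ns, sources) : [];
    return {
      permission,
      calls,
      members: [...new Set(calls.map((c) => c.member))].sort(),
      unused: ns !== null && calls.length === 0,
    };
  });
}

// Constructed sample: an update that adds "downloads" and "notifications".
const oldManifest = {
  version: "1.0.0",
  permissions: ["storage", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
};
const newManifest = {
  version: "1.1.0",
  permissions: [...oldManifest.permissions, "downloads", "notifications"],
};
const sources = {
  "ui/options.js": [
    "async function exportSettings(json) {",
    "  const url = URL.createObjectURL(new Blob([json], {type: 'application/json'}));",
    "  await browser.downloads.download({url, filename: 'settings.json', saveAs: true});",
    "}",
  ].join("\n"),
};

console.log(JSON.stringify(reviewUpdate(oldManifest, newManifest, sources), null, 2));
```

The `members` list matters because "downloads" is a single permission covering the whole download manager API: a reviewer wants to see `download` there for an export feature, and would look harder at anything else. A text search like this misses aliased or dynamically built references, so it narrows where to read rather than replacing the read.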
December 11th, 2017 at 2:06 am
If you're in private browsing and noscript opens its xss or clearclick warning windows, the urls of those pages will appear in the non-private browsing's history.
December 11th, 2017 at 2:55 am
@asdf: are you talking about NoScript 5 or 10? Could you please follow up at https://noscript.net/forum? Thanks!
December 11th, 2017 at 3:23 am
Firefox should have add-on devs write brief descriptions of the reasons for each permission as a section on AMO to avoid having to answer these questions.
December 11th, 2017 at 3:42 am
I trust in noscript! Great job!
December 11th, 2017 at 7:12 am
You should have known before: Once you change the GUI, EVERYTHING* is your fault.
*every(!) thing! Not just any problem -real or imaginary- within your application, or on the operating system or even the actual machine. Everything!! Software on remote systems, their phone, "the internet" in general, their dog, the weather - EVERYTHING.
December 11th, 2017 at 9:10 am
UI design has gone downhill across the board - Windows 10 is annoying as hell to use - wish I could use Linux but software doesn't exist for it. It's being dumbed down for capitalist reasons to sell more copies, widen appeal of computers or have the same UI for mobile, tablet and desktop, when it is not suitable for desktop. I've never had so much trouble with computers than I have in the last 3 years, and I've been using computers for over 30 years.
December 11th, 2017 at 10:58 am
Giorgio: You are completely right and have my full support!
December 11th, 2017 at 1:09 pm
" it could even format your hard-disk, not before having sent all its content to a remote server in Siberia. ". That's not true, old extensions used to be reviewed.
December 11th, 2017 at 1:13 pm
So now I'm lost, a bit. At first I said "Cancel" (or whatever it was). Then I read the explanation here and decided to allow this right. But where on earth (or just in Firefox) can you manage (or check) the permissions of the extensions? This is not an issue with NoScript but rather how to use the Firefox, but I couldn't find an appropriate answer when googling for "firefox manage extensions permissions". So maybe you know where to look at?
December 11th, 2017 at 2:06 pm
@AlBundy:
Of course the implication was "if it slipped past AMO reviews". Which, BTW, are still in place for "new" WebExtensions on Firefox (not so for Chrome, AFAIK), so my argument still stands.
@Anonymous:
I don't think you can individually give or withdraw permissions to a certain extension. You can only choose whether to install it or not. And at this moment they're mainly a tool for AMO code reviewers to better know where to look first (see above)
December 11th, 2017 at 3:50 pm
@Giorgio
You say that Rob Wu suggested some alternate ways to implement the Export functionality without the new permission, but it did not work. Have you looked into how the export functionality in uBlock Origin works? I have no idea if this is exactly what you've tried already, but if not it might be worth giving it a second look.
Personally I can partly understand some people's skepticism, some people like to have everything locked down as much as possible to prevent a worst case scenario, BUT I can't understand where the distrust comes from and I find that stupid. As you say, the old extensions could do whatever they wanted and nobody said anything about it. Also, it's as clear as day that you work hard in the best interest for everyone. Keep up the good work!
December 11th, 2017 at 4:08 pm
I agree it reads a bit scary at first. But knowing what legacy NoScript could do, I was fine accepting it.
It's actually also a lot easier for developers. Apparently, if your extension asks for next to no extra permissions, they publish your extension almost immediately on AMO. In case of my own extension, I only demand cross site access from the background for a single website which is known to be completely legit. It took them less than 16 minutes to "scan" and "review" (whatever they actually did).
December 11th, 2017 at 4:37 pm
#11 Diggi!
I think uBlock was updated before 57 to Webex and there wasn't the permission asking! So it was saved and is probably whitelisted by the Firefox developers.
December 11th, 2017 at 4:58 pm
So will Flashgot be migrated to Firefox 57 eventually?
DownThemAllLite's taking a while, and I don't know how gimped the Lite version for FF57 will be.
December 11th, 2017 at 5:45 pm
For me, the problem wasn't that granting NoScript download permission was "scary" in any way. The problem was that it was unexpected. I couldn't fathom why NoScript would need download permissions. And it seems that it actually doesn't. An export settings feature isn't a download - the settings are already on my hard drive.
It's regrettable that Mozilla didn't wait until the WebExtensions API was more complete to make the switch. This might have prevented such avoidable problems.
I hope you will find time to port FlashGot when you're satisfied with the state of NoScript.
December 11th, 2017 at 7:22 pm
^ I agree with AnonymousCoward. I have been using Noscript for a long time, so when I saw that message at first I thought "Has the extension been compromised?" I'm not a developer so even if I wanted to check the legacy source code I would only have limited understanding of how NoScript interacts with Firefox. I made sure to come to this blog to see what was up and now that I've seen the explanation it makes sense. What Mozilla should do (if they don't already) is let the developer on the extension give a full explanation as to why they need access to this or that permission. That way at least you know what you're getting into.
Thanks for the years of work on NoScript and I hope that there will be many good years to come with it.
December 11th, 2017 at 9:41 pm
#10 Giorgio: about your response to @Anonymous:
"I don't think you can individually give or withdraw permissions to a certain extension. You can only choose whether to install it or not. And at this moment they're mainly a tool for AMO code reviewers to better know where to look first (see above)"
So what can we do now? I have 1 computer with no permission granted. Does uninstall/reinstall of NoScript work to reset the permissions, and hopefully without losing all the settings?
Many thanks for your patience and calm. I suppose ju-jitsu and music must help ;)
December 11th, 2017 at 10:58 pm
Open the "more" page then "check for updates" in the top combobox.
December 11th, 2017 at 11:30 pm
@Marco:
Just install it from AMO or https://noscript.net/getit#direct
Don't uninstall, it would erase your preferences -- it's a new WebExtensions "rule" :(
December 12th, 2017 at 12:34 am
Giorgio, thank you very much for the "Temporarily set top-level sites to TRUSTED" feature, now all my old settings work nicely
December 12th, 2017 at 9:45 am
@giorgio
I trust in your integrity all over the years. So I gave you download permissions. However, NoScript maybe doesn't need it. See #11.
@#11
Good point. NoScript opens a "Save as" dialog to export its settings. uMatrix and uBO open an "Open file" dialog. In this dialog you can choose between opening or saving a file.
@#13
No, uMatrix and uBlock origin just don't have download permissions. Check the manifest here: about:debugging
December 12th, 2017 at 12:25 pm
NoScript sucks now, uMatrix is better. Work on Flashgot, it's something we actually need.
December 12th, 2017 at 1:01 pm
@Giorgio #9, #10, #17
In my case NoScript (new version) was already installed, and now it said that it wants more rights. After "Cancel" it was still installed and working, not disabled or so. It seems it still has the previous rights but without the new download right.
I don't like the all or nothing mentality of these rights systems. And also not the "we make it so easy for you because we know you are stupid".
To be clear, I'm not blaming you, you can't do much about it. I think I'll leave it in this state, I don't need the download feature. Maybe one day Firefox will be usable again.
December 12th, 2017 at 3:39 pm
When will the keyboard shortcut for "temp allow all this page" be reimplemented? One thing I miss most :-)
December 12th, 2017 at 3:54 pm
Thank you Giorgio. Great tool for anyone concerned about privacy. It has worked so well that I (we) have taken it pretty much for granted. I suspect that is why so many were surprised by the "downloads permission" request.
Please keep developing NoScript and FlashGot. Your effort has made the Internet safer. Really.
-Phil
December 12th, 2017 at 9:15 pm
So... you couldn't figure out how to save settings without the plugin/extension requiring download permissions. This despite the fact that other plugins/extensions are able to do so and Mr. Wu attempted to assist you.
That still doesn't explain why NoScript needs to be able to modify the browser's history. Or, then again, maybe it does.
December 12th, 2017 at 11:04 pm
Work on Flashgot. Noscript is a lost cause.
December 12th, 2017 at 11:36 pm
Thank you! A little exposition goes a long way. I initially feared the NoS10.x% update stream had been hacked! Can't wait for the new FlashGot...keep up the great work!
Ciao ;)
December 12th, 2017 at 11:52 pm
Thanks for working on this! The UI is something any long time user would spend time trying out before complaining. I was adaptable but only stuck trying to find "temporarily allow site". Your "nutshell" article clarified it and I appreciate that! The net technology is always moving fast, and its awesome that you're willing to keep chasing it, in the name of privacy and security. Thanks again.
December 12th, 2017 at 11:56 pm
Plus, many of us just update periodically, and I personally had no advance knowledge about FFX 57, and so I took them both at once, losing other extensions completely, and I suspect other people did this too. Too much confusion trying to digest all at once. Thanks again.
December 13th, 2017 at 12:34 am
thanks for your work, don't listen to the haters :)
December 13th, 2017 at 12:48 am
Just as a question, what has happened to the "audio feedback when scripts are blocked" option in NoScript 10? It can be a really useful reminder to let one know when tabs are trying to reload themselves and things.
December 13th, 2017 at 12:53 am
NoScript is not a lost cause! The new version has problems, especially with the changes to the interface (where have all those options from NS 5 gone), but they can be overcome. As for permissions, it comes down to trusting NoScript with them or trusting the javascript, iframes and who knows what else from countless sites including ad networks which sell space on popular pages to other ad networks who then re-sell that space to shady drive-by download virus authors. I trust NoScript, I think I ALWAYS will, I know I'll never trust the multitude of scripts that get so happily scattered all over webpages.
December 13th, 2017 at 1:52 am
#19 Giorgio :
"Just install it from AMO or https://noscript.net/getit#direct
Don't uninstall, it would erase your preferences -- it's a new WebExtensions "rule" :("
Thank you. It's done, all computers are OK now.
December 13th, 2017 at 4:41 pm
The number of FF Quantum users is increasing:
https://www.cnet.com/news/firefox-quantum-browser-downloads-increase-pc-and-mobile/
If you see the site, please click the Noscript icon and you will see two rows instead one.
Please make redesign versions and we will vote.
December 13th, 2017 at 11:15 pm
NoScript stops syncing when there are too many sites allowed.
See also here https://bugzilla.mozilla.org/show_bug.cgi?id=1425019
December 14th, 2017 at 12:40 am
Please don't let the haters get you down, Giorgio. You are performing an extremely valuable service, and don't let anyone tell you otherwise.
Noscript was literally the first plugin I worried about after the update. The first.
Flashgot was the second.
I'm thrilled to have Noscript again, and I can't wait to get Flashgot again.
Please don't second guess yourself or get discouraged.
December 14th, 2017 at 2:25 am
@Giorgio: NoScript 10. The noscript addon inserts:
moz-extension://GUID/ui/prompt.html
into the history list while in private browsing.
I don't think the proper solution is to have "incognito: true" to browser.windows.create(), I think there should be a "remember: false" to ignore history.
December 15th, 2017 at 12:01 am
"like any other "legacy" add-on, it could even format your hard-disk"
And how exactly can it do that? Especially without root rights and with proper user capabilities set. Sorry, but all that "Old addons can burn your PC, use WebExtension" sounds like a sorry excuse to force WebEx on people by Mozilla.
December 15th, 2017 at 5:19 am
Ok, I got it, allowing downloads is required, but... What about "edit download history"?
December 15th, 2017 at 6:59 am
#37
As far as I know the ability to edit the history is included within the download permission. So it is not an extra permission. See the manifest about:debugging and the API: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/downloads -> downloads.erase().
December 15th, 2017 at 8:55 am
@Kuromi:
Whatever the user of the browser could, the extensions could. Not that I was bothered about that, they were substantially better than most applications people install: they came as JavaScript source code, instead of opaque binaries, and each of them was reviewed by an editorial staff of human experts (as today, BTW).
@Alex:
Unfortunately that's just one permission for all the download manager API. Certainly not my choice.
December 15th, 2017 at 11:10 am
For me rc2 did it so far! ;-)
Performance and rendering issues with my Linux installation are fully gone. Maybe thanks to the new icon set. Icons are larger and I personally like it. Everything runs smoothly as it should!
regards Oliver
December 15th, 2017 at 12:40 pm
The main question that nobody is asking.
What data or information, if any, is getting sent to the noscript devs or to any other location or web site during web browser use? NOT talking about known options such as post-update install release notes or similar. Is NoScript phoning home at all without the users knowledge?
December 16th, 2017 at 12:53 am
@FLaura:
Nope.
NoScript Privacy Policy.
(notice that it applies to 5.x and below. NoScript 10.x doesn't even have ABE, and thus WAN protection, enabled yet).
December 16th, 2017 at 6:28 pm
Any chance on getting an option to block noscript tagged redirects?
December 16th, 2017 at 11:31 pm
Latest version (10.5.1.8) seems to work on Android too. Thanks!
December 17th, 2017 at 6:39 am
A last comment, I read
"- Kill the Default mode, because NoScript users know what's the default: "UNTRUSTED""
I would agree. On the other hand, I just deleted my previous settings to default and set all trusted to untrusted and wanted to build up a new more complete settings structure.
My problem now is this "...Site.Domain" - how the hell could I find out "who" requested "what"?
I see that red filled areas are actually those "what" issues, but how can I configure these without seeing "who"?
BTW. I don't and never ever will trust google & co! Too bad people depend on them by using all their stuff like captcha generating and other stuff, that's why I want to reduce as much as possible, also helps speeding up browsing many times.
December 17th, 2017 at 6:47 am
Adding to my last post, there should be a temporary history per tab or window, resetting automatically when closed or doing manually.
As I understand the problem, if a website is loaded but doesn't get rights to do stuff, loads other site, but noscript just forgot about what the initial "stuff" requests were.
Hope this makes sense in some way.
December 17th, 2017 at 7:07 am
As an example, try to get gmx.de running at lowest count of enabling stuff, I'm currently inside my freemail account, blocking all ads, having 17 blockings, even more counting the "forgotten" ones.
December 17th, 2017 at 7:22 am
Another problem, noscript-quantum locks up my firefox on a regular basis since release, using FF for Linux Mint (no difference between just opening config or scrolling the table/moving mouse over entries)
December 17th, 2017 at 11:54 am
in the .9 release there is in the pop up on certain sites a line break which causes the custom icon to appear in a second line.
everything else: working great ;-)
regards Oliver
December 17th, 2017 at 2:52 pm
@Oliver (#48):
This occasional line break is nothing new, happened with earlier versions, too, when one of the URLs on a specific page is veeery long, AFAICS.
_Almost_ "everything else, working great ;)", because in 10.1.5.9., EXPORT on the options page doesn't work anymore. Just a little glitch that will be fixed very soon, I'm sure.
I love the new NoScript even more than the old one!
Thank you so much for your tireless and excellent work, Giorgio!
December 17th, 2017 at 7:24 pm
@Markus44: yes I see. Maybe I was not clear enough. It is just that the line breaks were not there in the .8rcs versions before for this particular site, and the probably responsible domain is not so extremely long. It seems to me that the horizontal scrollbars are missing now. Another point is that all 20 shown entries for this site are wrapped. No matter if long or not.
Export problems are not nice but do not bother me at the moment. Do not want export something ;-)
regards Oliver
December 18th, 2017 at 5:26 am
@Giorgio,
Baulking at any explicit permissions - or any other of the changes mozco's introduced so carefully and transparently - not ;) - to its NS users isn't a sign that your user base lacks trust in you.
It's a sign that they lack trust in mozco's new code.
I believe you yourself will be doing a lot of double duty with these initial truly beta Firefoxes - establishing trust more in mozco than in our beloved NS.
It's going to take a little longer for many to come to appreciate just how much less access to browser function the new Firefox is prepared to give to anyone.
Binary choice now: Trust mozco. Don't trust mosco.
All those scary looking long permissions lists are basically what Gecko did mostly under the hood anyway.
Thanks for NS and FlashGot. I run this ESR alongside 57 precisely so FlashGot can get all those annoying short clips that webmasters seem to think just *make* a page these days. The only way many of them *make* a page is to *make* it slow down to a mangled mess. NS as the gateway for those embeddings combined with FlashGot makes browsing on a low bandwidth connection entirely bearable.
December 18th, 2017 at 6:56 am
@Oliver (#50):
I have the same problem, menu breaks - there's sample site news site: http://apollo.tvnet.lv/
Really hard to pick entries when list is like that - it becomes very long.
December 19th, 2017 at 1:13 am
re #49 (export broken)
@Giorgio: Export feature functional again in version 10.1.6, thanks a lot for the new implementation that doesn't even require the "downloads" permission!
December 19th, 2017 at 1:28 am
re #48, #49
@Oliver: Seems the line breaking of the CUSTOM settings icon has also been fixed in 10.1.6?
I am not entirely sure since I don't remember which sites I encountered it on, but looking closer I now see the URL part, if somewhat longer, breaks, but the CUSTOM settings icon stays in line in the example I have before my eyes. Excellent!
December 19th, 2017 at 1:41 am
re #49, #50
@Oliver: I just have another example with 10.1.6 where the longish URL doesn't break but neither does the CUSTOM settings icon, since the horizontal scroll bar is back. That's also OK in my book. :)
December 19th, 2017 at 6:18 am
re #54
I have reported this error three times since 6 December.
The 10.1.5.5 NoScript button does not work well on this site (the window is too big).
https://www.cnet.com/pictures/the-best-tech-gifts-for-2017/?ftag=CAD-04-10aac3a&bhid=
December 19th, 2017 at 9:14 am
Thank you for the hard work Giorgio.
He gave my opinion that the original design of the add-on was better. Now the icons are too large. Can they be reduced?
December 19th, 2017 at 11:58 am
in .6 the line breaks are gone.
Export works on windows but not on ubuntu. On linux a white page appears and does not stop loading. No save-dialog comes up as in windows.
;-)
regards Oliver
December 19th, 2017 at 4:36 pm
hey how about you dump your trash addon Noscript and work on something actually useful like Flashgot. Noscript is obsolete and poorly designed compared to uMatrix.
December 20th, 2017 at 9:15 am
@IHateIt
How about you go f**k yourself?
December 20th, 2017 at 9:19 pm
@IHateIt:
OMG, this is "freeware", take/use it or leave it, or make your own addon.
Such statements are not helpful nor saying anything.
@yellow:
"Now the icons are too large. Can they be reduced?"
I agree, felt like having a magnifying glass on ;)
December 20th, 2017 at 9:22 pm
Btw. @Giorgio: wishing wonderful and relaxing holidays, use the free time. :D
December 20th, 2017 at 9:23 pm
...and before getting misunderstood, use the time with family, not NoScript ;)
December 21st, 2017 at 10:09 am
Peaceful holidays and a successful New Year. :-)
December 21st, 2017 at 11:45 pm
Hey, I was wondering if you could add the option to turn off automatic reload?
December 22nd, 2017 at 1:22 am
Hey Giorgio,
It's been a real gem, this NoScript, in the wake of predatory Web sites and scripts especially in recent years. It's a one man show and one cannot appreciate it enough. two things:
1) What's the matter with LinkedIn? I am not being able to open it when NS is enabled lately that I tried to check it. As expected, I'd like it open with the "minimum"est privileges...
2) The UI for recent Quantum version kind'a sucks... sorrry buddy! In which usable format I can share an idea of me, hopefully u may find it useful to deploy?
keeep kick'in (pls!)
December 23rd, 2017 at 1:47 pm
@Ré:
1) Linkedin: all you actually need to set as TRUSTED is ..linkedin.com and ..licdn.com.
2) my email address is on the top right of https://maone.net/
December 23rd, 2017 at 6:21 pm
hi i must install NoScript Security Suite from mozilla or download NoScript from this link?
https://noscript.net/getit#direct
what is difference between them? thanks
December 25th, 2017 at 11:53 am
@pc:
It's the same as the one on AMO.
On https://noscript.net/getit you find also shortcuts to the "classic" 5.x version and the development builds.
December 26th, 2017 at 12:18 am
Hi!
I am using NOSCRIPT since forever, but I really struggle with the 10.x release for FF quantum.
The add-on has just become un-reliable and I am very often not able to get a website to work.
just ONE example: https://www.nintendo.de/Spiele/Nintendo-Switch-Download-Software/Flip-Wars-1241038.html
I'm not able to get the price displayed which is supposed to be shown below the picture on the right. Looking at what NOSCRIPT offers to me, no further nintendo server is blocked. Only the doubleclick.net servers...even if I enable those the page does not display the price and beyond that the font on the right is also not shown correctly.
And this is just one page where I am not able to get to a state that I am able to get displayed what I am looking for.
I never really had this issue on the old 5.x version.
I would love continue using noscript, but I'm not sure I will...
Would be great to get a feedback...
But in general I really appreciate your work Giorgio over all the years!
Regards,
Fritz
December 26th, 2017 at 8:48 pm
@Fritz:
The best place to receive support for stuff like that is the NoScript support forum.
That said, from what I could see on a default NoScript installation you need the following domains to be TRUSTED:
Look at the screenshot for reference:
December 29th, 2017 at 5:42 pm
Hey, Giorgio,
Thank you so much for the software and all.
Have a blessed and prosperous life!
December 30th, 2017 at 10:20 am
Can you change the background colour to match Windows?
December 30th, 2017 at 11:07 am
@Larry:
Not sure what you mean: are you talking about adapting the popup's color scheme to the theme currently used by the OS? Not sure there's a consistent way to do that, since in WebExtensions we're limited to Web APIs (HTML) for the UI.
However, please follow up in the forum.
Closing comments here, since the downloads permission is not needed anymore :)