Author Archive

Just released 10.1.5, and its changelog start to taste familiar, with names already well known in NoScript's development history, likw Masato or Mario:

v 10.1.5
=============================================================
+ [XSS] Added "Always block requests from ... to ..." in XSS
  warning prompt
x [XSS] Fixed url decoding bug (thanks Masato Kinugawa for
  reporting)
x Fixed some blocked items not reported in the UI (thanks Bo
  Elam for reporting)
x Changed the CSP internal report URI to noscript-csp.invalid
  (thanks Tom Schuster  Mario Heiderich for RFE)
- Removed unused MSE detection code (thanks Rob Wu for
  reporting)

From an usability standpoint, the biggest new is that now you can silence the XSS filter not just whitelisting ("Always allow requests from... to...") but also blacklisting ("Always block...").
Of course, much more to come in the next days and weeks...

XSS Prompt with "Always Block"

NoScript Quantum 10.1.4 is out, and while it might seem a fairly minor release, it does fix some performance issues under the hood and a quite annoying bug making maximized windows "jump down" when you open the NoScript UI. Talking of which, now that these back-end cleanup is done, I can finally give some more love to all the suggestion about improving usability that you kindly provided so far.

Starting with the XSS popup, which unfortunately cannot be an "old style", interactive but out of your way, notification anymore because of limitations in the WebExtensions (I cannot even open the NoScript menu programmatically, it must be reacting to user's input); but can, for instance, include an "always block requests from a.com to b.com" to make it less noisy.

Thank you also for all the UI prototypes and wireframes you've sent, I'm gonna start trying merging some of these ideas right away :)

You may have noticed I'm rapid-firing NoScript updates to steer the new UI toward most reasonable directions emerging from your feedback.
Unfortunately (or not, in time) it couldn't ever be exactly the same as before, simply because the underlying "legacy" Firefox technology (XUL/XPCOM) is not available to extensions developers anymore. But it can become even better than before, with some patience and some.
Now to the pains.
This morning version 10.1.3rc2 has been available for a couple of hours, with some important fixeds but an even more annoying regression: it erased all permissions from the TRUSTED preset except for "script" (so no objects, no media, no fonts, no background loads and so on). Worse, the checkboxes to restore them were disabled. Since then I've released 10.1.3RC3 which fixes the disabled checkboxes issue, but you still need to restore the TRUSTED permissions (I suggest to check everything, like in the screenshot before, in order to make TRUSTED sites behave as if NoScript wasn't there).
Sorry for the inconvenience, and please keep the suggestions coming, thank you.
All permissions checked in the TRUSTED preset

v 10.1.2
=============================================================
+ Added "Revoke temporary permissions" button
+ Added "Temporarily allow all this page" button
x Simplified popup listing, showing base domains only (full
  origin URLs can still be entered in the Options window to
  further tweak permissions)
x Fixed UI not launching in Incognito mode
x Fixed changing permissions in the CUSTOM preset affecting
  the DEFAULT permissions sometimes
x Fixed UI almost unusable in High Contrast mode
x Fixed live bookmark feeds blocked if "fetch" permissions
  were not given
x Fixed background requests from other WebExtensions being
  blocked

Update

Oh, and in case you missed it (sorry, how couldn't you, since I didn't manage to write any documentation yet?), Alt+Shift+N is the convenient keyboard shortcut to #NoScript10's permission management popup :)

Based on the immediate user feedback, here's my TODO list for what I'm doing today:Temporarily allow on NoScript 10 Quantum

  • Fixing the Private Browsing (Incognito) bug making the UI unusable on private windows (even though everything else, including the XSS filter, still works)
  • Getting rid of all the "legacy" localization strings that are creating confusion on internationalized browsers, and restart fresh with just English, refining the messages for maximum clarity and adherence with the new UI paradigm
  • Tweaking a bit the permissions preset system by making them customizable only on the options page, rather than in the popup, except for the CUSTOM preset.
  • Figuring out ways to make more apparent that
    • temporary permissions are still there: you just need to toggle the clock button on the preset (TRUSTED or CUSTOM) you choose: the permission will go away as soon as you close the browser;
    • selecting DEFAULT as a preset really means "forget about this site", even though you keep seeing its entry until you close the UI (for convenience, in case you made a mistake or change your mind);
    • the "lock" icon is actually another toggle button, and dictates how sites are matched: if its locked/green, as suggested by the title ("Match HTTPS only"), only sites served on secured connections will be matched, even if the rule is for a (base) domain and cascades to all its subdomains. This is a convenience to, say, make just "noscript.net" TRUSTED and match also "https://www.noscript.net" and "https://static.noscript.net" but not http:www.noscript.net" neither http:noscript.net".

    OK, an updated guide/tutorial/manual with screenshots is sorely needed, to. One thing at a time. Back to work now!

Bad Behavior has blocked 1703 access attempts in the last 7 days.