hackademix.net » Mozilla https://hackademix.net Giorgio Maone’s answers to the Web, the Universe, and Everything Mon, 11 Dec 2017 06:57:33 +0000 http://wordpress.org/?v=2.2.3 en NoScript, "Quantum" vs "Legacy" in a nutshell https://hackademix.net/2017/12/04/noscript-quantum-vs-legacy-in-a-nutshell-2/ https://hackademix.net/2017/12/04/noscript-quantum-vs-legacy-in-a-nutshell-2/#comments Mon, 04 Dec 2017 00:13:46 +0000 Giorgio https://hackademix.net/2017/12/04/noscript-quantum-vs-legacy-in-a-nutshell-2/ Someone seems to be still convinced that changing our beloved NoScript UI has been a whimsical (and suicidal) decision of mine, entirely avoidable.

The ones who know better about recent history of Firefox and of its add-ons ecosystem are aware, though, that the UI couldn't stay the same simply because the technical foundation (XUL/XPCOM) for the "old" one is not there anymore, and NoScript has been forced into being completely rewritten as a WebExtension (and therefore its UI as pure HTML) or just die.

Since it was anyway impossible to replicate exactly the well known user experience provided by NoScript 5.x (which, BTW, is still actively maintained and available here), I've tried to find a silver lining in the forced rewrite, taking it as a chance to incorporate user feedback collected over more than 12 years, especially about making the permissions system more customizable.

And indeed, the old concepts are all still there, but the way they are implemented is more flexible and amenable to customization, albeit admittedly less discoverable and, for long time users, surely confusing at least initially.

Bugs aside, I think the biggest problem with the transition, which I'm truly sorry for, is me not having found the time yet to write any proper user-oriented documentation for NoScript 10; but maybe we can start here by providing a minimalistic overview, mapping the new "Quantum" UI onto the "Legacy" (I actually prefer to call it "Classic") one:

  • In the NoScript 10 we've got 3 presets (DEFAULT, UNTRUSTED and TRUSTED): you can assign one of them to any site, and the sites with the same preset share the same set of (configurable) permissions
  • For sites that don't fit in any of the 3 aforementioned presets, you can choose to use CUSTOM permissions: CUSTOM is not a preset, but a way to give very specific permissions to a site, applying to that site only
  • Back to presets, DEFAULT is the set of permissions that any unknown site has. So if you don't touch NoScript, beside a handful of websites (the "old" default whitelist) pre-assigned with the TRUSTED preset, all the sites on the Web have the permissions of the DEFAULT preset (i.e. almost none).
  • "Temporary allow xyz.com" maps to clicking the TRUSTED preset on the xyz.com row.
  • "Allow xyz.com" (permanently) maps to clicking the clock-shaped icon onto the TRUSTED preset (which means "Temporary"), to disable it (and make the preset assignment "Permanent")
  • "Forbid xyz.com" maps to clicking the DEFAULT preset, which actually means deleting the site from the internal "whitelist". In facts, if you do it in the general Options panel, next time you open the panel (or refresh it) the site is not even listed there anymore. It doesn't disappear right away for convenience, to give you the chance to change your mind or correct mistakes.
  • "Mark xyz.com as untrusted" maps to clicking the UNTRUSTED preset, which contains no permission at all and is meant to collect and remember the "known bad sites" in a permanent blacklist.
  • And then CUSTOM, which is new to NoScript 10 and lets you fine tune just a certain website with its own specific permissions, either more restrictive than DEFAULT or more permissive than TRUSTED ; this tuning is either permanent (by default, the clock shaped icon in this case comes disabled) or temporary, by additionally clicking the clock-shaped icon.
  • Each and all the presets can be freely customized to your own needs, with the convenience constraint that you cannot remove the "script" permission from TRUSTED, and you cannot add it to UNTRUSTED. However, the factory presets are very similar to the "old" NoScript experience.

What about the "Match HTTPS only" green/red lock toggle? If green (locked), the toggle makes base domain entries (e.g. "..google.com") match themselves and all their subdomains, but only if their protocol is HTTPS (and therefore the traffic encrypted and not easily tampered with). Otherwise, if red and unlocked, both HTTP and HTTPS match: this has bad security implications especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy, but is unfortunately needed for some sites to work. NoScript tries to gives you the "smartest" default for each site, i.e. green if the page is already served on HTTPS, red otherwise.

A lot more needs to be written yet, but these are the bare bones.
If you find bugs or need support, rather than using in the blog comments or, even worse, the AMO review system as a way to communicate with developers, please submit to the support forum here.

And if you want to help me with development, please install latest development build, which is released even more often than the stable and ships earlier both bug fixes and new features. And please keep providing feedback, as especially the UI is still a work in progress and I'm eager to make it better than before, by merging as much as possible of your valuable contributions.

Thank you all!

NoScript Quantum 10.1.5, starts to feel normal https://hackademix.net/2017/12/01/noscript-quantum-1015-starts-to-feel-normal/ https://hackademix.net/2017/12/01/noscript-quantum-1015-starts-to-feel-normal/#comments Fri, 01 Dec 2017 21:52:12 +0000 Giorgio https://hackademix.net/2017/12/01/noscript-quantum-1015-starts-to-feel-normal/ Just released 10.1.5, and its changelog start to taste familiar, with names already well known in NoScript's development history, likw Masato or Mario:

v 10.1.5
+ [XSS] Added "Always block requests from ... to ..." in XSS
  warning prompt
x [XSS] Fixed url decoding bug (thanks Masato Kinugawa for
x Fixed some blocked items not reported in the UI (thanks Bo
  Elam for reporting)
x Changed the CSP internal report URI to noscript-csp.invalid
  (thanks Tom Schuster  Mario Heiderich for RFE)
- Removed unused MSE detection code (thanks Rob Wu for

From an usability standpoint, the biggest new is that now you can silence the XSS filter not just whitelisting ("Always allow requests from... to...") but also blacklisting ("Always block...").
Of course, much more to come in the next days and weeks...

XSS Prompt with "Always Block"

Time to stabilize: NoScript Quantum 10.1.4 https://hackademix.net/2017/12/01/time-to-stabilize-noscript-quantum-1014/ https://hackademix.net/2017/12/01/time-to-stabilize-noscript-quantum-1014/#comments Fri, 01 Dec 2017 06:58:41 +0000 Giorgio https://hackademix.net/2017/12/01/time-to-stabilize-noscript-quantum-1014/ NoScript Quantum 10.1.4 is out, and while it might seem a fairly minor release, it does fix some performance issues under the hood and a quite annoying bug making maximized windows "jump down" when you open the NoScript UI. Talking of which, now that these back-end cleanup is done, I can finally give some more love to all the suggestion about improving usability that you kindly provided so far.

Starting with the XSS popup, which unfortunately cannot be an "old style", interactive but out of your way, notification anymore because of limitations in the WebExtensions (I cannot even open the NoScript menu programmatically, it must be reacting to user's input); but can, for instance, include an "always block requests from a.com to b.com" to make it less noisy.

Thank you also for all the UI prototypes and wireframes you've sent, I'm gonna start trying merging some of these ideas right away :)

Growing Pains (10.1.3 RCs) https://hackademix.net/2017/11/28/growing-pains-1013-rcs/ https://hackademix.net/2017/11/28/growing-pains-1013-rcs/#comments Tue, 28 Nov 2017 16:45:56 +0000 Giorgio https://hackademix.net/2017/11/28/growing-pains-1013-rcs/ You may have noticed I'm rapid-firing NoScript updates to steer the new UI toward most reasonable directions emerging from your feedback.
Unfortunately (or not, in time) it couldn't ever be exactly the same as before, simply because the underlying "legacy" Firefox technology (XUL/XPCOM) is not available to extensions developers anymore. But it can become even better than before, with some patience and some.
Now to the pains.
This morning version 10.1.3rc2 has been available for a couple of hours, with some important fixeds but an even more annoying regression: it erased all permissions from the TRUSTED preset except for "script" (so no objects, no media, no fonts, no background loads and so on). Worse, the checkboxes to restore them were disabled. Since then I've released 10.1.3RC3 which fixes the disabled checkboxes issue, but you still need to restore the TRUSTED permissions (I suggest to check everything, like in the screenshot before, in order to make TRUSTED sites behave as if NoScript wasn't there).
Sorry for the inconvenience, and please keep the suggestions coming, thank you.
All permissions checked in the TRUSTED preset

NoScript 10.1.2: Temporary allow all and more https://hackademix.net/2017/11/23/noscript-1012-temporary-allow-all-and-more/ https://hackademix.net/2017/11/23/noscript-1012-temporary-allow-all-and-more/#comments Thu, 23 Nov 2017 00:28:17 +0000 Giorgio https://hackademix.net/2017/11/23/noscript-1012-temporary-allow-all-and-more/ v 10.1.2 ============================================================= + Added "Revoke temporary permissions" button + Added "Temporarily allow all this page" button x Simplified popup listing, showing base domains only (full origin URLs can still be entered in the Options window to further tweak permissions) x Fixed UI not launching in Incognito mode x Fixed changing permissions in the CUSTOM preset affecting the DEFAULT permissions sometimes x Fixed UI almost unusable in High Contrast mode x Fixed live bookmark feeds blocked if "fetch" permissions were not given x Fixed background requests from other WebExtensions being blocked


Oh, and in case you missed it (sorry, how couldn't you, since I didn't manage to write any documentation yet?), Alt+Shift+N is the convenient keyboard shortcut to #NoScript10's permission management popup :)

Top immediate priorities for NoScript Quantum https://hackademix.net/2017/11/21/top-immediate-priorities-for-noscript-quantum/ https://hackademix.net/2017/11/21/top-immediate-priorities-for-noscript-quantum/#comments Tue, 21 Nov 2017 16:06:32 +0000 Giorgio https://hackademix.net/2017/11/21/top-immediate-priorities-for-noscript-quantum/ Based on the immediate user feedback, here's my TODO list for what I'm doing today:Temporarily allow on NoScript 10 Quantum

  • Fixing the Private Browsing (Incognito) bug making the UI unusable on private windows (even though everything else, including the XSS filter, still works)
  • Getting rid of all the "legacy" localization strings that are creating confusion on internationalized browsers, and restart fresh with just English, refining the messages for maximum clarity and adherence with the new UI paradigm
  • Tweaking a bit the permissions preset system by making them customizable only on the options page, rather than in the popup, except for the CUSTOM preset.
  • Figuring out ways to make more apparent that
    • temporary permissions are still there: you just need to toggle the clock button on the preset (TRUSTED or CUSTOM) you choose: the permission will go away as soon as you close the browser;
    • selecting DEFAULT as a preset really means "forget about this site", even though you keep seeing its entry until you close the UI (for convenience, in case you made a mistake or change your mind);
    • the "lock" icon is actually another toggle button, and dictates how sites are matched: if its locked/green, as suggested by the title ("Match HTTPS only"), only sites served on secured connections will be matched, even if the rule is for a (base) domain and cascades to all its subdomains. This is a convenience to, say, make just "noscript.net" TRUSTED and match also "https://www.noscript.net" and "https://static.noscript.net" but not http:www.noscript.net" neither http:noscript.net".

    OK, an updated guide/tutorial/manual with screenshots is sorely needed, to. One thing at a time. Back to work now!

    ]]> https://hackademix.net/2017/11/21/top-immediate-priorities-for-noscript-quantum/feed/ NoScript 10.1.1 Quantum Powerball Finish... and Rebooting https://hackademix.net/2017/11/21/noscript-1011-quantum-powerball-finish-and-rebooting/ https://hackademix.net/2017/11/21/noscript-1011-quantum-powerball-finish-and-rebooting/#comments Mon, 20 Nov 2017 23:17:44 +0000 Giorgio https://hackademix.net/2017/11/21/noscript-1011-quantum-powerball-finish-and-rebooting/ noscript-quantum.jpg

    v 10.1.1
    + First pure WebExtension release
    + CSP-based first-party script script blocking
    + Active content blocking with DEFAULT, TRUSTED, UNTRUSTED
      and CUSTOM (per site) presets
    + Extremely responsive XSS filter leveraging the asynchronous
      webRequest  API
    + On-the-fly cross-site requests whitelisting

    Thanks to the Mozilla WebExtensions team, and especially to Andy, Kris and Luca, for providing the best Browser Extensions API available on any current browser, and most importantly for the awesome tools around it (like the Add-on debugger).

    Thanks to the OTF and to all the users who supported and are supporting this effort financially, morally and otherwise.

    Coming soon, in the next few weeks: ClearClick, ABE and a public code repository on Github.

    Did I say that we've got a chance to reshape the user experience for the best after more than a dozen years of "Classic" NoScript?
    Make your craziest ideas rain, please.

    Long Live Firefox Quantum, long live NoScript Quantum.


    Just gave a cursory look at the comments before getting some hours of sleep:

    • Temporary allow is still there, one click away, just toggle the clock inside the choosen preset button.
    • For HTTPS sites the base domain is selected by default with cascading, while for non-secure sites the default match is the full address.
    • For domain matching you can decide if only secure sites are matched by clicking on the lock icon.
    • You can tweak your "on the fly" choices in the Options tab by searching and entering base domains, full domains or full addresses in the text box, then customizing the permissions of each.

    Next to come (already implemented in the backend, working on the UI) contextual permissions (e.g. "Trust facebook.net on facebook.com only").
    And yes, as soon as I get a proper sleep refill, I need to refresh those 12 years old instructions and screenshots. I know I've said it a lot already, but please keep being patient. Thank you so much!

    Update 2

    Thank for reporting the Private Browsing Window bug, I'm gonna fix it ASAP.

    Update 3

    Continues here...

    The Week is Not Over Yet https://hackademix.net/2017/11/18/the-week-is-not-over-yet/ https://hackademix.net/2017/11/18/the-week-is-not-over-yet/#comments Sat, 18 Nov 2017 20:43:13 +0000 Giorgio https://hackademix.net/2017/11/18/the-week-is-not-over-yet/ I apologize for not providing a constant information feed about NoScript 10's impending release, but I've got no press office or social media staff working for me: when I say "we" about NoScript, I mean the great community of volunteers helping with user support (and especially the wonderful moderators of the NoScript forum).NoScript 10 object placeholder

    By the way, as most but not all users know, there's no "NoScript development team" either: I'm the only developer, and yesterday I also had to temporarily suspend my NoScript 10 final rush, being forced to release two emergency 5.x versions (5.1.6 and 5.1.7) to cope with Firefox 58 compatibility breakages (yes, in case you didn't notice, "Classic" NoScript 5 still works on Firefox 58 Developer Edition with some tricks, even though Firefox 52 ESR is still the best "no surprises" option).

    Anyway, here's my update: the week, at least in Italy, finishes on Sunday night, there's no "disaster recovery" going on, and NoScript 10's delay on Firefox 57's release is still going to be measured in days, not weeks.

    Back to work now, and thank you again for your patience and support :)

    Double NoScript https://hackademix.net/2017/11/14/double-noscript/ https://hackademix.net/2017/11/14/double-noscript/#comments Tue, 14 Nov 2017 12:11:53 +0000 Giorgio https://hackademix.net/2017/11/14/double-noscript/ NoScript Work
    Later today In a couple of days, if everything goes fine, and definitely by the end of this week, NoScript 10, the first "pure" WebExtension NoScript version, will be finally released for Firefox 57 and above, after years of work and months NoScript 5.x living as a hybrid one to allow for smooth user data migration.

    NoScript 10 is very different from 5.x: some things are simpler, some things are improved, some are still missing and need to wait for WebExtensions APIs not available yet in Firefox 57. Anyway, whenever you decide to migrate, your old settings are kept safe, ready to be used as soon as the feature they apply to gets deployed.

    If you're not bothered by change, you're ready to report bugs* and you're not super-paranoid about the whole lot of "NoScript Security Suite" most arcane features, NoScript 10 is worth the migration: active content blocking (now more configurable than ever) and XSS protection (now with a huge performance boost) are already there. And yes, Firefox 57 is truly the most awesome browser around.

    If, otherwise, you really need the full-rounded, solid, old NoScript experience you're used to, and you can't bear anything different, even if just for a few weeks, dont' worry: NoScript 5.x is going to be maintained and to receive security updates until June 2018 at least, when the Tor Browser will switch to be based on Firefox 59 ESR and the "new" NoScript will be as powerful as the old one. Of course, in order to keep using NoScript 5.x outside the Tor Browser (which has it built-in), you have to stay on Firefox 52 ESR, Seamonkey, Palemoon or another pre-Quantum browser.
    Or you can even install Firefox 58 Developer Edition, which allows you to keep NoScript 5 running on "Quantum" with the extensions.legacy.enabled trick. Just please don't block your updates on Firefox 56, it would be bad for your security.

    Let me repeat that: your safest option for the next few days is Firefox 52 ESR, which will receive security updates until June 2018.

    So, for another half-year you there will be two NoScripts: just sort your priorities and choose yours.

    Update 2017-11-15

    As you probably noticed, yesterday's today has gone away in most time zones and we're not ready yet (Murphy law and all) :(
    But we're definitely on track for the end of this week, and in the meanwhile your awesome patience deserves a couple of preview screenshots...
    NoScript 10 menu

    Update 2017-11-18

    The week is not over yet.

    * in the next few weeks will move NoScript 10.x source code and bug tracking on GitHub, in the meanwhile please keep using the forum.

    Targeted email attack against (open source?) developers https://hackademix.net/2017/01/27/targeted-email-attack-against-open-source-developers/ https://hackademix.net/2017/01/27/targeted-email-attack-against-open-source-developers/#comments Fri, 27 Jan 2017 12:01:47 +0000 Giorgio https://hackademix.net/2017/01/27/targeted-email-attack-against-open-source-developers/ Second email I've received today (some headers omitted):

    Return-Path: <ludv.jani-2015@vrg.se>
    Received: from unknown (HELO mail.bsme-mos.ru) (
    by ariel.informaction.com with SMTP; 27 Jan 2017 11:25:22 -0000
    Received: from unknown (HELO o) (zayavka@bsme-mos.ru@
    by mail.bsme-mos.ru with SMTP; 27 Jan 2017 14:25:17 +0300
    Subject: question
    Date: Fri, 27 Jan 2017 12:25:26 +0100
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
    X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331

    This is a multi-part message in MIME format.

    Content-Type: multipart/alternative;

    Content-Type: text/plain;
    Content-Transfer-Encoding: quoted-printable

    Hey. I found your software is online. Can you write the code for my proje=
    ct? Terms of reference attached below.
    The price shall discuss, if you can make. Answer please.

    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    (HTML omitted)


    Content-Type: application/octet-stream;
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;

    The "PROJECT.gz" file, despite its extension, was actually a RAR archive containing a "PROJECT.doc" MS Word document, presumably with some malicious macro payload (I didn't bother to check).

    The earlier one had a "2701.zip" attachment, with a "2701.doc" inside, likely the same as the other one (unfortunately I had not kept it for reference).

    Both messages appearing to be hand-crafted, and the reference to today's date in the attachment file name IMHO hint at a focused campaign explicitly targeting targets perceived as "high return investments", such as developers (possibly working on popular / open source projects).

    I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)


    As soon as I published this post I checked my inbox and there was another one...

    Update 2

    It looked like a VBA marcro malware, indeed. Thanks Ludovic for reminding me of Virustotal.