per the classic spec, without DEFAULT domains, the icon should be:

• either - all domains trusted
• or - some untrusted

here's what I am seeing in 10.2.1, with some untrusted

• sometimes
  

• sometimes
  

  

There is an image downloader extension which uses XMLHttpRequest to get the image blob on the page. When fetch option was checked, the request failed. See eight04/image-picka#150.

Is it possible to work around with this?

I love the Disable for Tab feature, but recently got to wondering if, by using it, I am actually allowing third-party script domains that I've previously marked as Untrusted to run normally.

For example, if google-analytics.com is Untrusted, but Disable for Tab is clicked on a page that uses GA, is google-analytics.com now effectively Temp Trusted?

If so, would two states for Disable for Tab (i.e. including Untrusted and excluding Untrusted) be a good idea? In particular where not trusting previously-Untrusted scripts was the default.

This regressed somewhere between 10.1.8.23 and 10.1.9, but it got overshadowed by #4.

Implementing a basic form using GET method exclusively in JavaScript with no server side workload and using window,location to submit it results in initial blank page. This can be reproduced using a webpage stored locally.

Steps to reproduce

• Create a HTML file with this content:

<html><head><title>NoScript redirect handling bug</title>
</head><body>
<script>

function $_GET(key, default_)
{
  if (default_==null) default_="";
  key = key.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
  var regex = new RegExp("[\\?&]"+key+"=([^&#]*)");
  var qs = regex.exec(window.location.href);
  if(qs == null) qs=default_;
  else qs=qs[1];
  return qs;
}

var form="<input type='button' value='Submit' onclick='submit()'><br>";

if ($_GET('test')=='') document.write(form);

function submit(){
var submitURL=window.location.protocol + '//' + window.location.hostname + window.location.pathname+'?test=test'
window.location=submitURL;
window.location;
}

function play (){
document.write(decodeURIComponent($_GET('test')));
}

if (!$_GET('test')=='') play();
</script>

</body></html>

• Open a fresh Firefox session with all web cache cleared;
• Open the webpage created previously. Do not open Firefox with that webpage directly. You need to have Firefox open before attempting to open that webpage, otherwise you won't reproduce this reliably.

Temporary cure

• Giving focus to address bar and hitting enter allows the page to render displaying what should have been rendered in the first place. The correct behavior is cached by Firefox so you won't be able to reproduce again until the cache is cleared.

My default text color is eeeeee and the settings page looks weirdly

I have noticed that all buttons have title tags, except the domain "button" in the popup.
For example …github.com
And those are clickable, but we don't see the information about this.
Yes we se a help mouse, but I guess with a title tag, we see detailed information what this actually does.

This is only a simply solution.
After this line:

So in the popup we see, when we hover on the domain, this:

Left-click to show site information about "github.com"…

The same in german:
"siteInfo_tooltip": {
    "message": "Mit Linke Maustaste klicken um Seiteninformationen über \"$1\" aufzurufen…"
},.

And for other languages, I hope you will get help :)

[NoScript] unseen navigation  log.js:9:5
Object { url: "https://www.youtube.com/", timeStamp: 1541983743038, frameId: 0, parentFrameId: -1, tabId: 4, windowId: 1, transitionType: "link", transitionQualifiers: [] }

Error: tabId is not defined
	checkNavigation moz-extension://67454433-f7eb-4e74-898f-e69f4d726434/bg/deferWebTraffic.js:9:9
	apply self-hosted:4632:5
	applySafeWithoutClone resource://gre/modules/ExtensionCommon.jsm:527:16
	fire resource://gre/modules/ExtensionChild.jsm:990:28
	receiveMessage resource://gre/modules/ExtensionChild.jsm:993:38
	_callHandlers/< resource://gre/modules/MessageChannel.jsm:876:29
	_callHandlers resource://gre/modules/MessageChannel.jsm:875:14
	_handleMessage/deferred.promise< resource://gre/modules/MessageChannel.jsm:952:7
	_handleMessage resource://gre/modules/MessageChannel.jsm:949:24
	_handleMessage self-hosted:976:17
	receiveMessage/< resource://gre/modules/MessageChannel.jsm:218:9
	forEach self-hosted:262:13
	receiveMessage resource://gre/modules/MessageChannel.jsm:211:5

This shows up in the browser console after restarting it with Ctrl-Alt-R. I'm guessing it should be nav.tabId here.

Providing an option to trust scripts from first party domain by default will help unbreak a lot of websites.

The popup window list shouldn't distinguish between file://path/name.extension and file://path/name.extension?list-of-parameters as it's confusing because NoScript doesn't distinguish the 2 internally.

To reproduce create a HTML document with this sample code:

<html><head><title>NoScript confusing entry in popup UI</title>
</head><body>
<script>

function $_GET(key, default_)
{
  if (default_==null) default_="";
  key = key.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
  var regex = new RegExp("[\\?&]"+key+"=([^&#]*)");
  var qs = regex.exec(window.location.href);
  if(qs == null) qs=default_;
  else qs=qs[1];
  return qs;
}

var form="<input type='button' value='Submit' onclick='submit()'><br>";

if ($_GET('test')=='') document.write(form);

function submit(){
var submitURL=window.location.protocol + '//' + window.location.hostname + window.location.pathname+'?test=test'
window.location=submitURL;
window.location;
}

function play (){
alert(decodeURIComponent($_GET('test')));
}

if (!$_GET('test')=='') play();
</script>

</body></html>

• NoScript popup UI before allowing active content. Everything is OK.
  
• NoScript popup UI after allowing active content. Everything is OK.
  
• NoScript popup UI after submitting the form. The page behaves correctly but the popup UI displays confusing content, It should display the exact same thing as before submitting the form as there is no internal difference between file://C:/Downloads/test.html and file://C:/Downloads/test.html?test=test.
  

Please update the language for each update. I have finished the Swedish translation.

For example, youtube iframe embedding (now?) requires scripting.

There is no significant security gain in distrusting trusted frames on non-trusted parents. Such parents can't access the trusted frame because

• they can't script
• even if they could, cross origin access is blocked by the browser

On the other hand there is a security loss if you are forced to trust the parent domain just to have trusted iframe embeds load.

So optionally, trusted frames on default sites should be allowed.

I get some error messages in my browser console:

TypeError: document.documentElement is null DocumentCSP.js:24:1

SyntaxError: redeclaration of let CSP CSP.js:1:1

[Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIDOMWindowUtils.addSheet]"  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/ExtensionCommon.jsm :: runSafeSyncWithoutClone :: line 65"  data: no]

[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMWindowUtils.removeSheetUsingURIString]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: resource://gre/modules/ExtensionCommon.jsm :: runSafeSyncWithoutClone :: line 65"  data: no]

Since I get the errors with a fresh profile of Firefox 64 (Windows 10) and NoScript 1.2.1, I don't think it's because of the changes for issue 48.

I can replicate the issue as follows:

1. create a new profile
2. set your start page and your new tab page to the blank page
3. set browser.tabs.closeWindowWithLastTab to false in about:config
4. install NoScript (I have tested version 1.2.1 and 1.2.2rc2)
5. start the browser with this configuration or close all tabs, such that there is just one tab with the blank page
6. I have to click X twice now, which is stupid, but that's how I get there most easily.
7. open and close the NoScript windows (the text regarding the privileged pages does not appear, if the bug occurs: the missing text is why I checked the browser console)

When i right click a website and select NoScript nothing happens.
This seems to be the default behaviour.
Only if i customize Firefox and drag the NoScript icon to the menu bar will the NoScript area appear when i right click and select NoScript.
But since it is not there by default nothing will happen by default and this is confusing for new users i think.

Using Windows 7 and Firefox 60.4.0esr and NoScript 10.2.1.

Also, what is the full syntax for these host/url patterns?

I've observed this in Firefox 62 with HTTPS Everywhere also installed, as well as Tor Browser 8.0.2.

Every time I hover over an extension icon, I see the following error in the browser console as well as each extension debug console:

Promise rejected after context unloaded: Message manager disconnected

This is coming from NoScript's Message.js. Added screenshot of how this looks in Tor Browser.

In Firefox customize the icon text is:

NoScript 10.2.1

I suggest just calling it:

NoScript

Using Windows 7 and Firefox 60.4.0esr and NoScript 10.2.1.

In src/ui/options.html is an unlocalized string.
Is this intended, or fall into oblivion?

I expected a localized string like __MSG_OptionsLong__.

This is a regression but I don't know since when.

Prerequisite

• a HTML5 compatible media file with audio, video or both tracks - it doesn't matter. It has to be on local computer and served over file protocol.

Steps to reproduce

• Just try opening a locally stored media file in Firefox and see what happens:
  
  Allowing <MEDIA>@null won't help.

Accessing devices in local area network via browser doesn't work with latest NoScript addon as it blocks JS and I cannot get it to allow it. In my case its my NAS which I access in browser via the device name -> https://diskstation:5001 and this is how the setting menu looks like on the page I'm trying to access:

As you can see I've trusted the site (which isn't named there for whatever reason). But JS is still blocked after refreshing the site.

When i click the NoScript icon in the tool bar in Firefox the popup area appears.
But it appears very jumpy.

Like the scroll bar is visible the first 100 milliseconds and the icon moves to a different location and the width changes and the size of the icon changes.

I suggest having the size calculated and not use what looks to be CSS transition to make the icon change size.

So the area just appears nicely with jumping.

The text "High contrast apperance" will show just at the start of each reload and sometimes "MSG".

Using Windows 7 and Firefox 60.4.0esr and NoScript 10.2.1.

NoScript has options to allow the following media types by default:

• script
• object
• media
• frame
• font
• webgl
• fetch
• other

What exactly does 'other' cover? "Java", "Flash", "Silverlight", "Plugins"?

Version: 5.1.8.4 on seamonkey.

Reproduce: with noscript active (no js allowed on that page) go to this page and click the download button (close to the bottom right corner of the image).

Result: 404 error and "noscript filtered a potential cross-site scripting attempt from [https://scrot.moe]. ..."
this is what i found in the console:

Exception { message: "Component returned failure code: 0x…", result: 2152398858, name: "NS_ERROR_MALFORMED_URI", filename: "resource://gre/modules/commonjs/too…", lineNumber: 85, columnNumber: 0, data: null, stack: "observe@resource://gre/modules/comm…", location: XPCWrappedNative_NoHelper }  filter.js:95
Exception { message: "Component returned failure code: 0x…", result: 2152398858, name: "NS_ERROR_MALFORMED_URI", filename: "resource://gre/modules/commonjs/too…", lineNumber: 85, columnNumber: 0, data: null, stack: "observe@resource://gre/modules/comm…", location: XPCWrappedNative_NoHelper }  filter.js:95
Exception { message: "Component returned failure code: 0x…", result: 2152398858, name: "NS_ERROR_MALFORMED_URI", filename: "resource://gre/modules/commonjs/too…", lineNumber: 85, columnNumber: 0, data: null, stack: "observe@resource://gre/modules/comm…", location: XPCWrappedNative_NoHelper }  filter.js:95
Exception { message: "Component returned failure code: 0x…", result: 2152398858, name: "NS_ERROR_MALFORMED_URI", filename: "resource://gre/modules/commonjs/too…", lineNumber: 85, columnNumber: 0, data: null, stack: "observe@resource://gre/modules/comm…", location: XPCWrappedNative_NoHelper }  filter.js:95
[NoScript InjectionChecker] JavaScript Injection in ///images/2018/11/05/Gaia---screenshot.png
(function anonymous() {
images/2018/11/05/Gaia---screenshot.png /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://cdn.scrot.moe/images/2018/11/05/Gaia---screenshot.png] requested from [https://scrot.moe/image/9hs9D]. Sanitized URL: [https://cdn.scrot.moe/images/2018/11/05/Gaia-screenshot.png#5518958446656822370].
[NoScript InjectionChecker] JavaScript Injection in ///images/2018/11/05/Gaia---screenshot.png
(function anonymous() {
images/2018/11/05/Gaia---screenshot.png /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://cdn.scrot.moe/images/2018/11/05/Gaia---screenshot.png] requested from [https://scrot.moe/image/9hs9D]. Sanitized URL: [https://cdn.scrot.moe/images/2018/11/05/Gaia-screenshot.png#6821784149821626523].

i understand from the faq that XSS might complain about certain URLs, just want to make sure that this is not fixable - three dashes seem harmless enough to me?

The function "Disable restrictions for this tab" doesn't work correctly under certain conditions (see below): Activating "Disable restrictions for this tab" does not disable restrictions for third-party sites, unless the option "Temporarily set top-level sites to TRUSTED" is set or some other conditions are met (see below).

I have tested this bug with Firefox 63 and 64 with NoScript 10.1.9.9 and later on two computers running Windows 10. At the moment, I use Firefox 64 and NoScript 1.2.1.

The following steps are required to reproduce the bug:

1. create a new profile in about:profiles and start Firefox using the new profile
2. install NoScript (from addons.mozilla.org, for example)
3. visit a page which needs third-party scripts: I load the top-most article of theguardian.com to reproduce the bug. The section Most popular at the end of the article needs guim.co.uk to work. The bug is reproducible for any other page with third-party sites.
4. set "Disable restrictions for this tab" and nothing happens after the automatic reload the page apart from disabling restrictions for the top-level site theguardian.com. Setting theguardian.com to "Temp. TRUSTED" loads guim.co.uk and the other third-party sites.

The bug does not occur under the following conditions:

1. the option "Temporarily set top-level sites to TRUSTED" is set
2. the development tools of Firefox are displayed in the tab
3. other extensions like "uBlock Origin" or "HTTPS Everywhere" are running (installing an arbitrary second extension is not sufficient though: installing "TabWalk", for example, doesn't help)

Why displaying the development tools or installing certain additional extensions is sufficient for the bug to not occur, is a mystery to me. Activating the tracking protection of Firefox, by the way, does not change anything.

Found myself running without Noscript a couple of days ago, when I accidentally clicked the S! button instead of the ^! button.

100% entirely user-error, but it would be nice if that global action was a little bit more difficult to do. I was thinking:

• Either moving the S! button to the options page (removing it from the popup menu)
• Or adding a confirm dialog to the clicking of the S! button

Just an idea. As I said, though, entirely my error, so feel free to point, laugh and discard!

This is a regression in 10.1.8.9rc4.
It also happens with Firefox internal folder tree browser page.

System:
OS: Windows 10 Version 1803 x64
Mozilla Firefox 61.0.1 64-bit.

I have noticed that webpages (I have tested on https://openjscad.org/) have access to WebGL even if it is not allowed in NoScript.

It would be nice if noscript would provide an option to either allow or disallow displaying of SVGs (set or unset the firefox config property "svg.disabled"). This is currently only possible for webfonts.

This would be especially nice for TOR users which use the Safest mode and only enable JS via NoScript for certain pages.

With Old version, once i visit website A and disable script from domain B and when i visit domain B i dont need enable script for this domain because script disable is not global, it's just a local(only tab disable it) so now with newest version how i can do it ?
ty

The new NoScript interface has a lot more in common with uMatrix than the old one did. However, on the whole, I'd have to say that the uMatrix implementation is more mature. It neatly handles site-specific permissions, temporary vs permanent permissions, base domains vs full domains with readily visible inheritance, fully disabling per-domain (for debugging, or when there's an important transaction that mustn't be disrupted, etc), and a variety of content types.

Would it be useful to copy the interface, or at least the design principles? I think that some convergent evolution may be in order.

Does noscript offer anything different than uBlock's no-scripting feature?
https://github.com/gorhill/uBlock/wiki/Per-site-switches#no-scripting

Firefox version 63.0.1 on Arch Linux
NoScript version 10.2.0

When I am on a website I need to work properly (for job, banking ,etc.) and some feature doesn't work, I start to debug by temporarily trusting URLs for loading javascript. Then when I have the site working with the minimal amount of javascript, I permanently trust some of the former temporarily trusted URLs. This often causes a page reload. I don't think it should cause a page reload, because the same javascript is loaded whether it is trusted permanently or temporarily.
This isn't a huge deal and I'll still use NoScript if it is not fixed, but it is a minor annoyance that would improve the usability from my perspective.

NoScript no longer blocks any scripts, how can I fix that? I'm running Firefox 63.0.3 and NoScript 10.2.0 I ran it on a custom website and I notice the following console message when scripts are (supposed to, but not actually) blocked:

[NoScript] Failsafe <meta> CSP inserted in the DOM: "script-src 'none';worker-src 'none';media-src http: https:;object-src http: https:"

It has always been working fine before and I am not entirely sure when it stopped working - I may simply not have noticed - but I think it's only been a day.

Any thoughts on how I can check what is going on?

Steps to reproduce:
Open the NoScript Options page and click the NoScript icon.

Current behavior:
The Popup show unusually a small window, after leave the pop up, a extended NoScript extension window appears.

Expected behavior:
The popup shows the privileged page warning message, and no extended window will appear.

NoScript version: 10.1.8.22

The detail is here: open-source-ideas/ideas#60

After searching all over, I managed to find the new shortcut for opening the popup: alt-shift-n. However, this does not help at all, since I can't change anything other than the top-level site. I can press left and right to change the settings for top-level, but up and down behave exactly like left and right instead of moving up and down the list of domains like I would expect. I tried every key I can think of, and nothing allows it to select another domain.

It looks like there is no way to use NoScript without a mouse. This is a major accessibility problem for anyone who has difficulty using a mouse or other pointing device.

Suggest changing:

High contrast appearance

To:

High contrast

Its under Appearance so the user knows its about appearance.

This was inspired by Internet Explorer 11's Content Advisor in which I always block sites that contain malicious things.

Instead of always targeting website names (which is not bad and should be set as default), let the user manually configure the sub-sites that they want to block in the main menu or etc.

If this is already possible then this can be closed.

Apparently NoScript was updated transparently to version 10.1.9.3 this morning, and now my browser has trouble to load legitimate JavaScript. I get this error on every website:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”).

These errors disappear when I disable NoScript.

EDIT: I am not really sure about these CSP errors, but some JavaScript gets blocked nonetheless.

It is possible for privileged pages to load unprivileged content. Most obvious example that comes to mind is a web page served over file protocol. It can contain anything so it can load unprivileged content. Noscript should be able to act on unprivileged content and notify the user that there is privileged content that is always enabled. As of v10.1.8.16 there is no way to enable unprivileged content on privileged pages via popup.

Sample testcase:
test.zip

Extract the testcase and open it in Firefox. If https://content.jwplatform.com and https://ssl.p.jwpcdn.com are not trusted, the embedded player won't load and there is no easy way to unblock it because the popup doesn't offer a way to unblock unprivileged content. Interestingly enough for this testcase https://pal1000.github.io can be unblocked via NoScript blocked object dialog so it looks this is fixable and it's not a Firefox webextension API hard limitation.

The screenshot image used for the Firefox extension seem really old.
It says "Mozilla Firefox 1.x" in the image and the context menu in the image does not seem to be the way NoScript works anymore from what i can tell.

So i suggest updating it once in a while.

Using Windows 7 and Firefox 60.4.0esr and NoScript 10.2.1.

If i just keep clicking the NoScript icon alot on the tool bar in Firefox sometimes a new moz-extension:// window will open.

Reloading the window many times with F5 will also cause new windows to appear.

Using Windows 7 and Firefox 60.4.0esr and NoScript 10.2.1.

It would be nice to get the possibility to set keyboard shortcuts for "temporarily allow all scripts" and "revoke all temporarily permissions"

This is a feature request for ABE being added to NoScript 10.x / quantum.

Use case (example):
I'm using firefox containers to ensure that e.g. twitter.com only has access to a pre-defined scope (cookies, local storage, ...). (Actually I'm redirecting twitter.com -> mobile.twitter.com). Now I want to allow JS for *.twitter.com and *.twimg.com but only if I'm on mobile.twitter.com.
So the current state is that I'm redirecting any twitter.com link to mobile.twitter.com and firefox containers ensure that all tabs are running the same "twitter" container. The only two options at the moment are:

• allowing twitter.com / twimg.com scripts permanently. That would also allow e.g twimg.com JS on <some-domain.com>.
• always enable twitter.com / twimg.com scripts temporally when I visit mobile.twitter.com (which is kind of annoying). But even worse as soon as I've visited mobile.twitter.com once the twimg.com JS on <some-domain.com> would also e loaded.
  So to ensure that specific JS is only loaded in certain situations (e.g. I'm on a specific host) ABE would be the right tool.

BTW: Thank you for this amazing addon which makes the web a lot safer and increases peoples privacy 🎉

Since Firefox Sync only permits 16384 byte objects to be saved, NoScript whitelists can quickly become unsyncable.

Quoting myself from https://forums.informaction.com/viewtopic.php?f=7&t=6056&p=96391#p96391

Workaround idea:

1. serialize data-to-be-synced to json
2. compress it ( see e.g. http://forums.mozillazine.org/viewtopic.php?p=14111285#p14111285 )
3. base64 encode it
4. split into 16384 B chunks (minus a few bytes for a sync timestamp + part number headers)
5. when reading, combine chunks based on headers
6. decompress
7. deserialize.

That should get at least a few hundreds of kilobytes of worth of uncompressed config synced.

If there is interest in something like this, but no time to implement, I would be interested in contributing.

Is there a way to block a domain in all tabs except one specific container Firefox container? That way, I could have a Youtube container with google scripts activated, and finally ditch chromium.

FirstPartyIsolate (FPI) (about:config: privacy.firstparty.isolate) is a very cool firefox feature and I would be very happy if NoScript would get support for it. I imagine that if FPI is turned on, NoScript will also bind all permissions for web pages to the domain where they were granted.

For Example:

1. Pages A with third party B: Both get temp. trust.
2. I open Pages C with third party B: Here B hast default because it is a other first party page.

Until https://bugzilla.mozilla.org/show_bug.cgi?id=1477696 is not solved you should make sure that NoScript is the last WebExtension that modifies the CSP-Headers.
Since you provide the most amount of protection your headers should be used. Also NoScript gets stuck in a reload loop if that's not the case: kkapsner/CanvasBlocker#222

My suggestion is to remove and re-add the listener for onHeadersReceived on some interval (maybe every minute or so). This ensures that the NoScript-Listener is the last one called which wins if the headers clash (CSP headers only clash if the web site does not provide one by itself.

What's the meaning?
automate change version number many times every day.

I discovered that NoScript, additionally to blocking the execution of javascript, by default also blocks the loading and display of web-fonts.

Now I wonder what the threat behind this default setting might be: Do we want to protect against the actual loading of the web font file, as they often come from 3rd party CDNs and this introduces tracking? Or is there another reason

I can only speak for myself that one important reason for setting a page to "temporary trusted" is that I want to see the icon-fonts used on that page. Thus I also enable javascript, although that's not needed for the fonts to be displayed. Protection against other 3rd party trackers is handled by other add-ons for me, like PrivacyBadger.
Another issue: Even if webdevs want to provide a javascript-free version of their page for NoScript users, this default setting forces them to also rethink their whole page layout as small icons from a web-font cannot be used.

To conclude, I argue for allowing the loading and display of web fonts by default, unless there is another tracking vector/ threat I am not aware of.

versions used: NoScript 10.2.1 in Firefox 64.0