Firefox NoScript Extension
It seems that more and more lately you see people mentioning NoScript... Every time I mention ads or "fluff" on people's blogs the answer seems to be "Install NoScript". I have a problem with this generic fallback answer... It's not necessarily that I have a problem with NoScript (although I do, and I'll describe it in just a moment) but it almost seems that some people are putting too much reliance on it... that it's being as the safety net of surfing in the same way that in the way that AV and Firewalls were 10 years ago... The "Be All End All" of safety. Maybe I'm misinterpreting people and they just see it as one line in multi-tiered defense.
Anyways... my problem with NoScript is that I see it as the UAC of Browsing... Actually, I find it to be more annoying than UAC (which I actually tolerate and even enjoy). Yet people who support NoScript are some of the same people that attack UAC. I decided that I'd put my annoyance with having to OK every page I visit (even if I do permanently trust it... which is a bit of a security risk in my opinion... given the number of people that probably allow scripts on blogs and forums that they visit). So the other day, I grabbed NoScript and started surfing. Not surprising, given the move to Web2.0, roughly 50% of the pages I visited no longer functioned correctly... Some even gave me messages along the lines of "Your browser doesn't support JavaScript, in order to continue you require a JavaScript Enabled browser".
Given my new found tolerance, I'm (painfully) allowing scripts in order to give NoScript a fair shot... but suddenly I go to click "Mark All Read" in my bloglines and I get the following error:
An error occured:
Traceback (innermost last):
File "cgi.c", line 857, in cgi_init()
File "cgi.c", line 641, in cgi_pre_parse()
File "cgi.c", line 469, in _parse_query()
File "neo_hdf.c", line 770, in hdf_set_value()
File "neo_hdf.c", line 760, in _set_value()
AssertError: Unable to set Empty component Query.
What's this?? It has worked before, so why has it stopped now? I take a look at the NoScript icon... I've allowed bloglines.com and the only other option is to 'Allow Scripts Globally' which even says 'dangerous' next to it. Well, let's test it out. I 'Allow Scripts Globally' and click 'Mark All Read' again. This time, as it has before, it works. So not only is NoScript a royal pain with it's constant 'Allow Script' messages and an large number of sites rendering improperly due to Web 2.0, but even if you're willing to make the sacrifice and use it... it still can't function properly in a Web 2.0 world.
Looks like it's time to uninstall NoScript if I want my sites to work properly at all. Hey... at least when I click Allow/OK with UAC I know it's going to work.
What about reading the NoScript FAQ?
http://noscript.net/faq#qa3_13
It looks like Bloglines is not exactly “every site”, and the fix is pretty easy.
If you’re still wondering why people hating UAC do love NoScript, that’s because NoScript never stops you with a blocking prompt and you can always tweak it at your preferred security level.
Thanks for the link to the FaQ…
As for why people hate UAC and love NoScript… I don’t know how valid of a reason that is… NoScript may not be a full “block” but it does hurt page rendering and page execution and you can tweak UAC via secpol.msc (on higher end versions of Vista) and via regedit (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) on any version of Vista.
There is not a problem with no script. The problem is that not all sites follow the global standard, but some webdesigner follow the standard Microsoft is trying to set. I have a masters degree in computer systems engineering and I can ensure you that software developers with respect for themselves all use firefox, which is the most secure browser on the marked, and no script function as it should. It is more likely that you ended up at a site, that was not properly designed. And you should never allow global scriptet, because you thereby allow script to execute code on your maschine, and thereby you will be an easy attack for spyware and virus.
Regards
Henrik
M.Sc.Eng.
The point of no script is to stop the execution of scripts by doing this you protect your self against xss and other exploits that my be used in web pages. I would rather deny then decide to allow a script and have to reload the page then lose personal data like user names and password to xss exploits. This is also more convenient then havening to enable/disable these scripts in the options of firefox. I would also like to say I am not to crazy about highly scripted web site the more complex something is the room for error, there is something to be said for simplicity.
Thanks for the link to the FaQ…
As for why people hate UAC and love NoScript… I don't know how valid of a reason that is… NoScript may not be a full "block" but it does hurt page rendering and page execution and you can tweak UAC via secpol.msc (on higher end versions of Vista) and via regedit (HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem) on any version of Vista.
What about reading the NoScript FAQ?
http://noscript.net/faq#qa3_13
It looks like Bloglines is not exactly "every site", and the fix is pretty easy.
If you're still wondering why people hating UAC do love NoScript, that's because NoScript never stops you with a blocking prompt and you can always tweak it at your preferred security level.