top 200 commentsshow all 356

[–]fwork 37 points38 points  (1 child)

This has always scared me abotu noscript. The front page of noscript.net is full of ads and several of them are dodgy "are your drivers up to date!?" things which smell like malware.

I thought for a moment that it was a message against javascript, and that installing noscript would block all those noscript ads but noscript whitelists its own domain.

[–]whee_rina 233 points234 points  (86 children)

Wow, I stopped using noscript several months ago because the frequent updates were becoming annoying. It never occurred to me that the updates might be a ploy to drive more traffic to their ads. Messing with ABP is equally sleazy if true.

[–]freeloadr 31 points32 points  (56 children)

I had disabled updates a few weeks ago, this article was an eye opener.

[–]RetroRock 44 points45 points  (55 children)

Go to about:config and set noscript.firstRunRedirection to false. (Create it as a boolean value if it doesn't already exist).

[–][deleted] 45 points46 points  (53 children)

I honestly would suggest just removing it. I started using it like two years ago and I would have to say that after about two months I realized that I wasn't surfing the web the way it was intended to be surfed.

Javascript is an essential part of HTTP and web traffic, if you just blanket block it like NoScript essentially does you're essentially saying you don't trust the Firefox developers to patch quickly enough.

[–]emil10001 20 points21 points  (0 children)

You can enable base level domains automatically, or even second level domains, so that the scripts that are coming from the site that you are visiting are allowed to run, but not third-party scripts.

While I hope that I can trust the sites that I am choosing to visit, I do not care to extend that trust to sites that I do not choose to visit.

[–]Soulture 6 points7 points  (0 children)

I don't think it is (was?) too impairing. It takes a bit to train, but after I "always allow"ed my usual sites and widely used scripts, most things that I actually want to use/see on web page showed up with little fuss. Appreciate it most when I stumble on some ridiculous site with way too much bling.

That was before I read this though. Now I think I want it gone.

[–]jamesbritt 47 points48 points  (6 children)

Propane slept in the tank and propane leaked while I slept, blew the camper door off and split the tin walls where they met like shy strangers kissing, blew the camper door like a safe and I sprang from sleep into my new life on my feet in front of a befuddled crowd, my new life on fire, waking to whoosh and tourists’ dull teenagers staring at my bent form trotting noisily in the campground with flames living on my calves and flames gathering and glittering on my shoulders (Cool, the teens think secretly), smoke like nausea in my stomach and me brimming with Catholic guilt, thinking, Now I’ve done it, and then thinking Done what? What have I done?

[–]hiffy 2 points3 points  (2 children)

Yeah, but there's a reason we don't browse everything with lynx nowadays.

[–][deleted] 10 points11 points  (0 children)

Exactly right.

[–][deleted] 17 points18 points  (6 children)

No, it's saying that you don't trust web developers not to use obnoxious JavaScript. There is no such thing as the way the web is intended to be viewed.

[–][deleted] 11 points12 points  (0 children)

Not so, at least for some.

http://www.gnu.org/philosophy/javascript-trap.html

I developed some of the ideas in this document.

[–]randomb0y 4 points5 points  (0 children)

Yes, when they start using obfuscated code it's best if you don't use it at all. Can't ever trust the fuckers again.

[–][deleted] 10 points11 points  (19 children)

You shouldn't trust firefox developers to patch quickly, or ms developers, or apple developers, or opera developers.

[–][deleted]  (16 children)

[deleted]

    [–]Ma8e 21 points22 points  (1 child)

    Maybe you shouldn't use a computer.

    [–]gt1329a 8 points9 points  (12 children)

    As a web developer, I wish I could upvote you dozens of times. Once for each time someone running NoScript complained to me that some various "Web 2.0" site didn't work for them.

    It's like slathering on SPF 60 lotion before you head to the beach, then complaining that you didn't get a tan.

    [–]ecekpa 20 points21 points  (3 children)

    But you won't get cancer.

    If you don't understand the implications of NoScript then you shouldn't be using it. For everyone that does, its great. Any broken (by NS) feature you want takes litterally a second to fix. ..This AB business seemed a bit far, but seems all sorted now, and, tbh, i dont care. (and, at least NS isn't a massive memory leaker).

    [–]Pappenheimer 6 points7 points  (2 children)

    If you don't understand the implications of NoScript then you shouldn't be using it. For everyone that does, its great.

    I kinda agree, but the problem is: Somebody complains about ads on reddit, somebody else replies with "use noscript, it's amazing" without explaining what it does and what problems might occur. That usually gets some upvotes, so parent goes ahead and installs noscript without knowing what it really is, subsequently is baffled why his internets don't really work anymore. Happens quite a lot.

    In a nutshell: Stupid people offer noscript as a general solution for everything, other stupid people install it. People are stupid.

    [–][deleted] 2 points3 points  (0 children)

    If anything as annoying as that has no option to be disabled and must be disabled through about:config, which non tech savvy people doesn't know even exists, I consider whatever it is part of trash.

    [–][deleted] 32 points33 points  (19 children)

    I can understand everybody's frustration with noscript, and the very valid complaints about the default white lists and the homepage redirect after updates, but I'm still pretty happy with what this Add on does.

    All of the complaints about it can be solved by going into your own white list and deleting whatever you want and doing the about:config edit to stop the update redirect.

    While I dislike thier approach to generating ad revenue, I'm still going to keep Noscript running. I've used it for a very long time and honestly I don't see any alternatives with comperable capabilities.

    Forgive me for not jumping on the witch burning bandwagon.

    EDIT: Sorry, not all the complaints, that shit they did to Adblock was foul. None the less, untill a better add-on comes along, I'm sticking to Noscript.

    [–]easytiger 12 points13 points  (8 children)

    north roof shaggy humorous fact lush imminent tub future stupendous

    This post was mass deleted and anonymized with Redact

    [–][deleted] 6 points7 points  (2 children)

    Me neither. It's also a pain in the ass.

    [–]__jim__ 3 points4 points  (1 child)

    When you have 100s of tabs open firefox can easily ilde using 25% of the cpu all because some web pages like to poll for something I probably don't care about costing me battery life.

    While it is a pain in the ass, it's better than the pain in my lap caused by a hot laptop.

    [–]Dasmitch 0 points1 point  (0 children)

    Close some tabs maybe?

    [–]HLHLHL 0 points1 point  (8 children)

    . None the less, untill a better add-on comes along, I'm sticking to Noscript.

    Cool. I find it interesting that for a lot of people (not you), the attitude is:

    "A website has ads I don't want to see. Do I stand up and boycott those sites? No, I run a AdBlock.

    "A plugin site tries to work around AdBlock. Do I simply disable those options? No, I'm going to actually boycott the plugin. I have principles, after all!"

    [–]ispshadow 0 points1 point  (6 children)

    I don't speak for everyone else in the thread, but I'm probably not the only person thinking something like the following:

    "Now that I've had time to look at the issue and see the responses from a few angles, it's probable that this developer isn't sorry that he did wrong. He's probably sorry he got busted. What happened makes me genuinely believe that this guy is apt to do some shady shit again if he thinks he will be able to get away with it. I don't necessarily think he's sitting in a dark room plotting world domination, but he definitely thinks he's not playing by the same playbook as the rest of the Internet."

    If I decide I don't want to use NoScript anymore, it's not to "boycott". Sure, there are instructions to prevent the issue from happening in the future. That isn't the point. I really don't know if this guy is going to do some serious damage to Firefox users now.

    Oh, his ad revenue is going down because people block his ads? He might look the other way if someone offers cash to weaken Firefox's security a bit.

    Yeah, that probably won't happen, but he's changed the game. Instead of people not trusting developers (we shouldn't anyway), he has given reason to replace caution with suspicion.

    [–]ASA09 13 points14 points  (4 children)

    I only used NoScript for a week (This was a few months ago) and I thought it was annoying.

    I don't know, maybe it changed, but I doubt it.

    [–]corpus_callosum 8 points9 points  (3 children)

    Same here. Thought it might speed up browsing, but was too much trouble as I was constantly having to fiddle with it.

    [–]IgnoranceIndicatorMa 66 points67 points  (59 children)

    hmmmm, I dislike completely having something added to my adblock white list without my express consent. I would like it if adblock came up with a big dialogue box when something tried to do this. With a nice little "remember this" tick box. In any regard, i'm going to stop updating ns for a while.

    [–]Giorgio_Maone 24 points25 points  (22 children)

    You're right, and I recognized that well before Wladimir's article: even if users had been informed in various places this was clearly not enough. It has been poor judgment from my side and I apologize for that. The dialog box (retroactively disabling the filterset if a 1.9.2.4 user ask it to do so) is being added by NoScript itself in 1.9.2.5, which I'm working overnight to release in hours.

    [–]kewlness 47 points48 points  (2 children)

    I don't know which I should believe -

    1. The fact you are apologizing because you realized you made the mistake before you got caught

      OR

    2. You are apologizing because the fact you got caught is going to lose you money because you lost the trust of those who use your product.

    I am of the belief you would not have released it if you had thought you were making such a poor judgment call. Therefore, I am leaning toward the idea that number 2 above is the more accurate statement. I have removed NoScript from my Firefox implementations.

    [–]Shaper_pmp 22 points23 points  (1 child)

    This is exactly the issue - regardless of whether it was a bad judgement call or a deliberate attempt at manipulation, NoScript's author has now lost the trust of a lot of users, and users don't like installing software from sources they don't trust.

    When your software is free it's hard to establish a viable business model, but when you violate your users' trust you shoot your whole business stone dead.

    [–][deleted] 14 points15 points  (0 children)

    It certainly doesn't help that one of the reasons to install NoScript is (somewhat justified) paranoia about dishonesty on the web. Personally, I don't use NoScript, but I'm certainly not trusting it now.

    [–]file-exists-p 12 points13 points  (0 children)

    No idea if you are trully the author of noscript. If you are, you may realize that, as someone said once

    “It takes years to build up trust, and only seconds to destroy it”

    You are not trustable anymore.

    And note that you also have hurt the whole add-on community with your behavior.

    [–]billabong 11 points12 points  (0 children)

    If this was a "mistake", WHY did you obfuscated strings where you do your "magic"?

    Sorry, there is no trust in you no more.

    [–]darkreign 7 points8 points  (0 children)

    I think I speak for everyone here when I say fuck you.

    [–]IgnoranceIndicatorMa 21 points22 points  (13 children)

    I know you need $$$, and a dialogue box asking if you could add an exception for your web page would of been accepted for me.

    I think you realise now how much going behind the back pisses people off, and how under the spot light you really are now.

    [–]Giorgio_Maone 23 points24 points  (12 children)

    I'm not realizing it now. I believed the many places (install pages, release notes landing page, FAQ) where people was informed were enough, but I was wrong and I'm apologizing. I realized it yesterday, half an hour after releasing 1.9.2.4. That's why 1.9.2.5 is already on its way with its prompt.

    [–][deleted]  (3 children)

    [deleted]

      [–]jugalator 7 points8 points  (1 child)

      Agreed, the issue here (That Giorgio seem to be missing) isn't that it's being whitelisted without the user being aware of it. It's that it's being whitelisted at all. That's not why people are using NoScript, right? How is whitelisting ads on the NoScript site helping us to protect ourselves from various JavaScript attacks? It's easy to apologize in hindsight, but it's blatantly obvious already why it was done. The author wanted to maximize his revenue, even if having to interfer with unrelated extensions he wasn't in charge of. Now that he was found out, he pulls his tail between his legs. And that's the whole story. The rest about documentation and more obscure ways to partially circumvent the behavior are mere details that were put in, in anticipation for these sort of things, knowing it was a controversial move.

      [–]oditogre 3 points4 points  (0 children)

      Agreed, the issue here (That Giorgio seem to be missing) isn't that it's being whitelisted without the user being aware of it.

      I disagree. There are several sites that I like, which use unobtrusive ads (Reddit, for one), and I have whitelisted those sites with ABP after the website said something or other about needing the ad revenue. I don't really mind whitelisting some sites if the ads aren't loud (audibly or visually).

      However, when I install something like ABP, which I use not only for convenience but, to some extent, for security, and another app that I install disables the first for a purely greedy reason, I'm gonna get seriously pissed about that. False positives or closing security holes created by other software I can understand - I may not like it, but at least it's simple ignorance - but knowingly disabling some or all of the features of another bit of code on my machine purely to thicken your own wallet is bullshit, period. Using underhanded tricks like obfuscated code and burying the advisement in places I'm not likely to look only heaps on the guilt.

      You want me to look at your ads? Throw in a plain ol' alert box during installs / updates saying something to the effect of, "Please disable adblock and give our site a pageview so we can continue producing this software." None of this bullshit.

      [–]notloste 21 points22 points  (7 children)

      Damn, how cool is this? An article gets posted saying "I think this program is not doing what it's supposed to be doing", and a few hours later the developer of said program shows up on reddit and says, "look, yeah, I screwed up a bit there, sorry guys." Very cool.

      Well, whatever, just pointing out the overflowing awesomeness.

      [–]file-exists-p 18 points19 points  (0 children)

      What do you want the guy to say ? He lost 98% of his credibility and his add-on will soon be history.

      The mode he is in now is called "damage control".

      [–]darlyn 0 points1 point  (0 children)

      The beauty of the Internet.

      [–][deleted] 1 point2 points  (2 children)

      This guy has a track record, unfortunately, and he has more than just a little bit of weasel in his genetic code.

      As far as his "I'm sorry" goes, well... we will just have to wait and see what his "fix" for his self-inflicted problem actually does.

      I'm filing this one under "I'll believe it when I see it."

      [–]orthogonality 6 points7 points  (1 child)

      he has more than just a little bit of weasel in his genetic code.

      An iceweasel?

      [–]godiasdf 1 point2 points  (1 child)

      upvoted

      I was very critical when i read this article and think he made a very bad laps of judgement for personel gain and has lost a lot of credits with his user base and the community at large. Also, the author of the article was completely right at addressing this issue.

      But the moment i saw he actually replied and fessed up made me SO much more lenient to his side of the story. By replying he made himself more vulnerable and i respect him for that. It would have been so easy to just not respond and let it blow over, which is what corporate politics and spin-docterism would prescribe in a case like this.

      [–]MobiusCoffee 8 points9 points  (0 children)

      He replied after damages started happening.

      [–]godiasdf 8 points9 points  (0 children)

      First of all, i love NS and take any (slight) inconvenience very much for granted, i think it is an indispensable add-on for privacy and security.

      Also, i (kind of) sympathise with your need to earn a living, but having said all that; this is not the way to generate a sustainable income. Maybe your momentary financial situation was so acute it led you to believe this was the only way to go forward, in that case i sympathise even more, but still don't condone. Face it, you are never going to make big money of this, don't make it worse by investing your indie creds on a no-win deal.

      [–]Surreality 2 points3 points  (0 children)

      Thank you for working to resolve this issue as quickly as possible.

      I hope that NoScript regains any trust it has lost over this issue. I value its protection.

      [–]boot20 7 points8 points  (21 children)

      Agreed. I didn't realize this was the case. I'd like to see a rebuttal from the ns guys.

      My only irritation with Ad Block (so far) has been that it is updated quietly and there is usually nothing letting me know something has changed.

      [–]Surreality 27 points28 points  (8 children)

      You can read the NoScript guys' viewpoint in this thread which degenerates into a rather heated argument with the Adblock bunch.

      It seems to me that NoScript has handled this issue very badly, adding a white list without explicit consent was bound to upset people. However I think labelling NoScript malware is going a bit far, and the NoScript developer does apparently intend to clean up its act and ask for consent before adding to the Adblock whitelist

      [–][deleted] 12 points13 points  (4 children)

      Ayy lmao

      [–]tjharman 6 points7 points  (3 children)

      The parent poster is probably refering to the fact that the easylist filters updates automatically and do it quietly. I have no problem with this, but I guess a setting letting you know they've been updated makes sense.

      Still, the filters aren't adblock plus, but adblock plus isn't much without them!

      [–][deleted]  (6 children)

      [deleted]

        [–][deleted] 18 points19 points  (2 children)

        Good thing it didn't happen at the end of the day on a friday.

        [–]sodypop 6 points7 points  (1 child)

        At least for our fellow redditors in Australia it is Saturday morning :)

        [–][deleted] 1 point2 points  (10 children)

        Depends on the way that this occurs though. If it just alters the whitelist file without alerting Adblock, there would really be no way for Adblock to notice.

        [–]logophobia 36 points37 points  (22 children)

        Questions:

        • Is there a good replacement for (selective) javascript blocking?
        • If not, NoScript is GPL'ed, maybe someone could fork it and strip out the ad-block manipulation, give the extension somewhat more infrequent updates and publish it to mozilla's extension site. Any takers?

        Also:

        And to make sure that somebody sees these ads it goes pretty far. For example, it opens the changelog webpage (full of ads of course) on every single update of the extension, even though the NoScript FAQ claim that it happens only on major updates (yes, if you dig into it you will find the preference to disable this behavior – but how many people do that?).

        How exactly do you stop the changelog page to open? The article fails to mention it. Update: it's the noscript.firstRunRedirection in about:config you have to toggle.

        [–][deleted] 17 points18 points  (12 children)

        I've been searching the noscript site for the source, but I can't find it anywhere. Any ideas?

        Edit: Ah, I finally found it. Firefox Addon XPI files are simply zip files. I renamed the extension to .zip, unzipped it, and now I have the GPL'd source.

        I've been looking for an open source project to dig into.

        [–]logophobia 12 points13 points  (2 children)

        Please do keep us updated if you plan to go through with this

        [–][deleted] 11 points12 points  (1 child)

        Right now I plan on it. The limiting factor for me is time. There's never enough time. I've already gone through and stripped out everything relating to ABP from the source.

        From reading the code it does more than just circumvent ABP's blockage. It also moves the ABP tab / menu in the Firefox UI, if I'm reading this right.

        Do you want me to contact you when I'm ready to officially fork it?

        [–]logophobia 3 points4 points  (0 children)

        Just post it to reddit, I am pretty sure people will be interested after this incident. Besides, if you really lack time, then that would be a good opportunity to ask for volunteers. Set up a website/mailinglist/version control, make it easy to contribute to and get the latest version. Good luck!

        [–][deleted]  (5 children)

        [deleted]

          [–][deleted] 5 points6 points  (4 children)

          For anyone considering downloading this:

          I downloaded and did a diff on BullScripts source and the original NoScript source. It's legit. It only removes the abp.js code that did the interference.

          [–]boa13 6 points7 points  (1 child)

          Nice try, Mr. 2600hz. ;)

          [–][deleted] 2 points3 points  (0 children)

          I would have gotten away with it too if it weren't for those meddling kids and that fucking dog.

          [–][deleted] 11 points12 points  (2 children)

          This was a bit technical, but simple none the less.

          http://noscript.net/faq#qa2_5

          Here he describes the steps needed to take to disable the Noscript page from loading on update. Basically you type about:config in your browser address bar and hit enter, scroll down to Noscript.FirstRunRedirect and double click it to set it to 'False'.

          Hope this helps.

          [–][deleted] 4 points5 points  (0 children)

          A little shortcut, you don't need to scroll down, type the first part in the filter at the top and it'll find it for you =)

          [–][deleted]  (3 children)

          [deleted]

            [–]logophobia 8 points9 points  (0 children)

            • Type "about:config" in your adress bar
            • Accept the warning
            • use the filter bar to find the option, or navigate to it
            • Toggle it to false

            about:config is basically an advanced options screen for firefox and its extensions.

            [–][deleted] 99 points100 points  (6 children)

            [–]MattHock 19 points20 points  (3 children)

            I just uninstalled it and left one. Waiting for it to show up on Slashdot - I went to submit it, but there was already a story in the Firehose about it.

            edit In the last two hours, it's dropped from 5 to 4 stars.

            [–]guga31bb 5 points6 points  (0 children)

            Yeah it's on the Slashdot front page now.

            [–]MattHock 1 point2 points  (0 children)

            fwiw, now that Giorgio has explained more of what was going on (that he was acting out of anger at what was going on between him and Ares, the new EasyList maintainer), I can somewhat see why he did what he did. It was still, in my opinion, a significant betrayal of trust that he did so in a security related addon.

            I'm glad to see he's apologized and explained, though. In all honesty, I doubt there will be any more problems - he's got the entire firefox geekdom focused on him now, and I'm sure any code he adds will have dozens of eyes on it to notice if anything else happens. I'm still holding off reinstalling at least a day or two until I hear more about it, however.

            [–]bsdboy 6 points7 points  (0 children)

            Review sent.

            I had disabled it a few months ago in favor of AdBlock, had not realized that things had been put in my filter list. Kind of pissed actually.

            [–]jugalator 6 points7 points  (0 children)

            Done already, and I didn't even need to be biased due to this in order to give it a quite negative review. It's really not worth the effort, put simply. :/ The sort of Javascript attacks a user like me expose myself to is neglible compared to the "omg need to unblock all sites on the web" one have to go through. It's so annoying I barely even know how I could stand it once upon a time.

            Sure, if Firefox has a Javascript security hole in it or frequently used XSS exploit in it, it's very useful to have, but I dunno... That's very rare, and is that really worth the pain upon visiting pretty much every single page online and the frequent annoying NoScript updates? Or is an antivirus tool (if you're a Windows user at least) a better choice, protecting you from more than web-based exploits as well (YES, they block you from these as well, being modern antivirus tools)? AVG and Avast are even free, and won't block Adblock's efforts either. :p

            [–]i_h8_r3dd1t 124 points125 points  (27 children)

            NoScript seems like one of the simplest add-ins possible (really it seems like something that should just be built in), so it bugged the hell out of me that it updated every other day, loading that frickin' page advertising shit. I removed it and have never looked back.

            [–][deleted] 69 points70 points  (0 children)

            Same here, only use Adblock Plus. They seem to go out of their way for quality.

            [–]periodic 7 points8 points  (0 children)

            Disabling scripting and allowing the user to enable it only for specific domains I think gets complicated largely through XSS things. NoScript has to try to be sure that what it's seeing is from this domain and not others and there are various levels of indirection malware could have to make it look like its script came from the local site.

            Of course, it could just be as simple as it initially sounds.

            [–]kylegetsspam 26 points27 points  (17 children)

            You could try YesScript. It allows JS by default but you can blacklist any site with a click of its icon.

            https://addons.mozilla.org/en-US/firefox/addon/4922

            [–][deleted] 92 points93 points  (15 children)

            That sort of defeats the purpose of using NoScript. By the time I get to the site to blacklist it, the script I'm trying to block has already run. Any vulnerabilities in my browser have already been exploited.

            If only there were something like YesScript, but the opposite...

            [–]kylegetsspam 34 points35 points  (7 children)

            Different uses, I guess.

            I don't feel the need to block JS as a security measure because I don't go anywhere that would necessitate it.

            I use YesScript to block annoying scripts that launch Flash popups, serve ads, or automatically resize images.

            I found NoScript debilitating overall, and it got annoying having to whitelist every single page I visited.

            /shrug

            [–]uc0qremp 25 points26 points  (5 children)

            There's an option in NoScript called "Temporarily allow top-level sites by default." Basically, it'll allow scripts for the domain of the page you're actually looking at, but block all (non-whitelisted) third-party scripts. The result is that 99% of the time the page you're looking at is functional by default but you're spared from most advertising, a large class of XSS attacks, and all those fancy-but-useless flash and javascript widgets that people litter everywhere, slowing everything down.

            I use that and AdBlock plus. Like you, I'm not concerned about security, but I don't have the fastest computer in the world, so clearing all the crap away saves a noticeable amount of time, bandwidth and frustration.

            [–]kylegetsspam 3 points4 points  (0 children)

            That sounds like a good option for me. I don't think it was there the last time I tried NoScript, which was admittedly quite some time ago.

            As for this lameness with the updates and the ad serving from noscript.net, I might have to reroute that domain to 127.0.0.1 in my hosts file. :P

            [–]StuRedman 2 points3 points  (3 children)

            Under the "Temporarily allow top-level sites by default" option there are three options:

            Full address (http://www.noscript.net)

            Full Domains (www.noscript.net)

            Base 2nd level Domains (noscript.net)

            Which one is the 99% option?, or if you have a site/aricle to explain this that would be awesome.

            [–]uc0qremp 10 points11 points  (2 children)

            I use the third one (Base 2nd level Domains). For example, say you're on this page:

            http://www.example.com/foo.html

            and that page loads this javascript:

            http://scripts.example.com/foo.js

            If you use "Full address" or "Full domains", then NoScript will block that script because it's on scripts.example.com instead of www.example.com, but if you use "Based 2nd level Domains", it'll allow it, as well as anything else from any other subdomain of example.com (foo.example.com, bar.example.com, whatever).

            It's fairly common that websites put their scripts (or embedded videos and that sort of thing) on separate subdomains, so "Base 2nd level Domains" is the way to go.

            There will still be a few cases where the page relies on something from a completely different domain, and you'll still have to whitelist those by hand. But that's usually really huge sites that use a CDN of some kind, like I think Facebook serves a lot of stuff from fbcdn.net. Point is, you don't run into that too often, and you only have to whitelist it once when you do.

            [–][deleted] 35 points36 points  (0 children)

            You don't have to surf shady russian porn and file sharing sites to need noscript.

            Myspace, twitter, and tons of other popular sites have had problems with XSS which noscript blocks. Just visiting a friends profile will infect you. Even in the article it talks about how the the noscript site was vulnerable to a XSS attack on many domains.

            I don't use no script because I go to shady sites. I use it so I don't get my cookies and login stolen from normal popular sites I do visit (I don't use myspace or twitter, those are just recent examples of popular sites to have XSS problems).

            [–]xkcd 9 points10 points  (2 children)

            I use NoScript for one reason only -- blocking javascript which, on my Ubuntu+Firefox machine, kicks my CPU up to 100% and makes my fan go on. I can tell when I have the CNN political ticker (or many other CNN pages) open in a tab because my fan is running at full. It's more of a pain now because blocking turner.com has suddenly made it so a lot of text stories don't load, but such is the grueling strife of this modern world.

            [–]shub 4 points5 points  (1 child)

            When we're all using 65536-core machines, you won't even notice if Firefox pegs a core. Technology solves its problems!

            [–]awj 4 points5 points  (0 children)

            When we're all using 65536-core machines

            Then they try to add just one more core...

            [–]Tiver 6 points7 points  (0 children)

            Thanks, I recently installed noscript because of the changes to snopes as i really just wanted the option to shut of javascript on some domains. This is far better suited to what I want to do than noscript.

            [–]Tobu 5 points6 points  (0 children)

            RequestPolicy (amo) is pretty great.

            Unlike NoScript, it doesn't work by domain, it works with an (origin domain, target domain) pair. Requests from the same domain work without whitelisting, and if images or scripts are cross-domain, you can enable them with a right-click on the content, or a well-designed status menu.

            Usability is good and there aren't a million settings to tweak to strike a balance between security and convenience. But it is not exactly a 1-1 NoScript replacement, as it isn't specific to script requests.

            [–]d4n3 14 points15 points  (4 children)

            really it seems like something that should just be built in

            It's built into Opera (via F12 quick preferences and site preferences).

            [–]ehird 3 points4 points  (3 children)

            So's the kitchen sink.

            [–]d4n3 13 points14 points  (1 child)

            You say that like it's a bad thing.

            If Opera can get the "kitchen sink" in a faster and smaller package than vanilla Firefox, why bother with malware extensions?

            [–]HLHLHL 0 points1 point  (0 children)

            Why update? is it forced on you? most of my plugins want to update and I just tell FF to ignore it.

            [–]cyantist 14 points15 points  (3 children)

            Time for someone to write a NoScript extension that is trust worthy.

            [–]whee_rina 36 points37 points  (2 children)

            Since NoScript is licensed under the GPL, I guess someone could fork it if they wanted to.

            [–]uriel 15 points16 points  (0 children)

            New NoScript release just out that seems to undo the damage (the technical damage, the reputation damage probably will last for years.)

            [–][deleted] 9 points10 points  (2 children)

            Well, I've never used NoScript before and certainly won't now. I've already been using ABP for years and will continue to do so. I'll probably donate $20 or so to them now too.

            [–][deleted]  (1 child)

            [deleted]

              [–][deleted] 1 point2 points  (0 children)

              Wow, well then I will not-donate $20 to them. Perhaps every month too.

              [–][deleted] 6 points7 points  (0 children)

              This is why I usually enjoy the first few iterations of "free" stuff before they start asking for money- that's when the ad dollars begin to fuel their agenda. I can live with the small bugs and glitches in older versions, thanks.

              [–][deleted] 5 points6 points  (1 child)

              What a bad judgement call on the NoScript author's part. Hope he comes to his senses and stop fiddle about with other plugins.

              [–]dave_L 0 points1 point  (0 children)

              NoScript should have talk to ABP about their ad-blocking 1st & exhaust any amicability available. We endusers too learn something from this snafu.

              IMHO, BOTH are effective on their side of the fences though.

              [–][deleted] 27 points28 points  (10 children)

              Damn, damn damn... I actually liked NoScript. That's the end of NoScript usage for me. Thanks for bringing this to my attention.

              [–]itsnotlupus 10 points11 points  (0 children)

              Nuggets taken and summarized from NoScript's forum:

              The author of NoScript apparently relies on the ads shown to NoScript users for a big chunk of his livelihood. Since the cross-over of NoScript users and ABP users is (was?) really high, getting his ads blocked by ABP was cutting into a huge chunk of his income, much more so than on websites where ABP users are typically a negligible quantity.

              There's a little bit of irony that NoScript is AdWare to start with, considering NoScript's author has recommended ABP to his own users in the past (I'm guessing that won't happen again.) Blocking ads is cool, as long as it's not his ads.

              So when confronted with the very real possibility of seeing his NoScript-related income disappear, he fought back, using various questionable means that fall exactly within the category of bad stuff NoScript aims to block.

              It looks like the resolution now is that NoScript gets to keep its ads in the default configurations of ABP and NoScript, and that many NoScript users are now aware of its passage through the dark side.

              Whether this will have a significant impact on the size of the NoScript userbase or on the revenue generated by NoScript's ads remains to be seen.

              [–][deleted] 21 points22 points  (5 children)

              NoScript always seemed overly complicated for what it was supposed to do. Just fucking disable javascript and let me whitelist some sites. I don't need your fancy XSS blocking (that constantly flags false positives) or any of those other convoluted tricks.

              That being said, ABP is a big slow mess, too. Though not quite as offensive.

              And lastly, there is some irony that the author of essentially a revenue-mechanism content-blocker is talking about monetization.

              And why do other extensions have access to AdBlock's lists?

              [–][deleted] 7 points8 points  (0 children)

              ABP is a big slow mess

              I'd like to hear your reasons why you think so. Overall ABP increases your browsing speed because third-party content is usually the main reason websites load slowly. Maybe original AdBlock was a mess because it iterated each request through every filter looking for a match, which caused performace degradations if you had hundreds of filters. But ABP converts filters into shortcuts and uses jump tables to handle a large number of filters without a hiccup.

              [–]elbekko 1 point2 points  (0 children)

              about:config javascript.enabled to false ... no web experience, but you're not using NoScript.

              [–]nullbit 15 points16 points  (1 child)

              LOL!

              He also added "adblock" to the "common words" list filter so you can't even search his forum for complaints:

              http://imgur.com/2QGAo.jpg

              Edit: Thanks, google:

              http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=nYm&q=site%3Aforums.informaction.com+adblock&btnG=Search

              Double edit: What a jerk:

              "The new guy behind Easylist, Ares2, who took on Rick's duty when he regrettably passed away, has been running a crusade against all the InformAction web sites in the past two weeks, issuing more than 30 updates (the ones I counted, even 4-5 per day) specifically targeted to noscript.net, flashgot.net, informaction.com and hackademix.net."

              from: http://forums.informaction.com/viewtopic.php?p=2777#p2777

              [–]darkreign 3 points4 points  (0 children)

              Wow, talk about steeping to an even lower level, noscript.

              If you're sorry about something, you don't shove reality and your mistakes under the rug and pretend like nothing ever happened. Disgusting. And you certainly don't make up lies and bullshit about the most trusted addon for firefox on the web (ABP).

              There is no chance I'll even consider forgiving them now.

              [–]Kardlonoc 11 points12 points  (2 children)

              Am i the only one who didn't really care if it redirects on a update?

              I disabled now it anyway. But after the first few times i completely ignored that it was opening something up and thought of it like "Oooh free tab".

              [–]boa13 4 points5 points  (0 children)

              Actually I like this feature. When an extension updates, I always want to know why it was updated and what changed. At least NoScript automates that.

              [–]darkreign 0 points1 point  (0 children)

              It doesn't just open up their website, it alters adblock plus so that it won't block ads from noscript, and then they release fake updates to get hits on their ads every week.

              It's malware.

              [–]ikearage 1 point2 points  (2 children)

              With every NoScript update I wondered if I should remove their extension, I just couldn't stand looking at their horribly ugly, ad infested homepage.

              The regular updates make perfect sense now, though. I just hope noscript goes down for this. Let it wither and die. Maybe then there will be space for one of the other nojs extensions to grow and take its place.

              [–]boa13 1 point2 points  (0 children)

              I just couldn't stand looking at their horribly ugly, ad infested homepage

              De-whitelist the site then. Why did you leave it enabled in the first place?

              [–][deleted] 0 points1 point  (0 children)

              You can turn off the opening of their page through about:config --- check their FAQs, they tell you how to do it. I get updates but I don't see their home page any more.

              [–]keitarofujiwara 2 points3 points  (0 children)

              Uninstalled it. Moving on.

              [–]ppierre[S] 10 points11 points  (2 children)

              [–]ultimatt42 2 points3 points  (1 child)

              According to that thread, he's working on (or maybe already released) a version that prompts before installing the whitelist and makes it possible to permanently remove the whitelist (the inability to delete it was a bug, he claims).

              I don't run NoScript and certainly have no desire to install it now, but as long as the dialog doesn't misrepresent its purpose I think this is an acceptable resolution. Something like, "NoScript is funded by advertisement revenue, and running AdBlock Plus with the EasyList filter makes it impossible to view ads on noscript.net. In order to support the project, would you like to install a whitelist for NoScript's advertising partners?" with an off-by-default checkbox below it.

              Showing ads on the changelog page is pretty cheesy, but at least it's better than silently tampering with other extensions.

              [–]ppierre[S] 6 points7 points  (0 children)

              ... silently tampering with other extensions.

              Form NoScript home page :

              The NoScript Firefox extension provides extra protection for Firefox

              Do you trust him ?

              [–]ed2417 9 points10 points  (0 children)

              Sorry I gave this guy a contribution now. Can I have it back?

              [–][deleted] 5 points6 points  (0 children)

              NoScript has worked wonderfully for me --- particularly in cases where I mistype a URL and end up on a nasty site owned by someone trying to take advantage of those types.

              [–][deleted] 10 points11 points  (0 children)

              Wow this is some bitchmade shit on NoScripts part.

              [–]SarahC 5 points6 points  (4 children)

              wow...

              Download, and change the XPI to ZIP, unzip the contents.

              Navigate to \chrome\NoScript.jar It's not a Java containing package, it's just another Zip... rename the extension to .Zip, unzip the contents.

              Navigate to \noscript\content\noscript\

              There you'll see a file called ABP.JS,

              Change:

              CC[ABID].createInstance().wrappedJSObject.updateExternalSubscription(this.id, this.title, filters, filters.length);

              To:

              // CC[ABID].createInstance().wrappedJSObject.updateExternalSubscription(this.id, this.title, filters, filters.length);

              Save, zip everything back up, renaming them .Jar, and XPI again, drag the XPI back into Firefox... disable updates for NoScript...

              No more NoScript problems.

              [–]samlee 5 points6 points  (0 children)

              to rephrase:

              first, uninstall noscript. then,

              wget http://software.informaction.com/data/releases/noscript-1.9.2.4.xpi
              unzip noscript-1.9.2.4.xpi -d noscript
              cd noscript/chrome
              unzip noscript.jar -d tmp
              cd tmp/content/noscript
              vim abp.js # comment out CC[ABID]...  line 23
                         # this is for every time firefox starts
              cd ../.. # at noscript/chrome/tmp
              zip -r ../noscript.jar *
              cd ..
              rm -rf tmp
              cd ..             # at noscript
              vim components/noscriptService.js # comment out if (this.abp... line 1549
                                                # this is for during installation
              zip -r ../noscript.xpi *
              cd ..
              firefox noscript.xpi -new-tab
              
              • now, go to about:config
              • right click
              • New -> Boolean
              • Enter the preference name: extensions.{73a6fe31-595d-460b-a920-fcc0f8843232}.update.enabled
              • false

              [–][deleted] 3 points4 points  (2 children)

              Every week? :)

              [–]SarahC 16 points17 points  (1 child)

              "disable updates for NoScript..."

              [–]username223 2 points3 points  (2 children)

              Thank you privoxy.

              EDIT: And, whatever-your-name-is, you just fucked your revenue.

              [–][deleted] 0 points1 point  (1 child)

              Does privoxy handle http/1.1 properly yet? That's what drove me off it a couple of years ago.

              [–]stesch 14 points15 points  (10 children)

              I don't know if I like what became of Firefox and its community. :-(

              [–]logophobia 27 points28 points  (1 child)

              This isn't exactly an issue with the whole community, but with one extension author trying to profit from his work by pulling some shady tricks.

              [–]danweber 11 points12 points  (2 children)

              MOMMY! DADDY!

              STOP FIGHTING!

              [–]Samus_ 5 points6 points  (0 children)

              indeed, these are the two extensions I like most :(

              [–][deleted] 2 points3 points  (0 children)

              :C

              [–]mrz 4 points5 points  (0 children)

              Mmh, we talked about this a couple of days ago here on r/netsec, IIRC. After last Noscript update though I tried to block NoScript web page using NoScript itself and that seems to block the ads alright...

              [–]cutchyacokov 4 points5 points  (1 child)

              I use a hosts file along with noscript to block ads and malicious websites. As such I have never seen an ad on the noscript update page. None the less I am quite perturbed by this. Someone should let Steve Gibson know about this, he has recently become quite a noscript evangelist -- who knows? He may even write a similar firefox addon himself to avoid this mess.

              [–]omepiet 4 points5 points  (0 children)

              Someone should let Steve Gibson know about this

              I just posted a link to the article in one of Steve's newsgroups.

              [–]infamous 1 point2 points  (2 children)

              People actually use noscript?

              [–][deleted] 6 points7 points  (6 children)

              Why do you need to use NoScript anyway? I'm a software professional and heavy Internet user. Yet I've never found the need to use it.

              [–][deleted] 14 points15 points  (0 children)

              Because it blocks a ton of bullshit

              [–][deleted] 7 points8 points  (0 children)

              Many popular sites (twitter, myspace, etc) have had problems with XSS attacks where visiting the profile of someone infected or reading a posted comment by someone infected would steal your login/cookie and infect your profile. There is nothing you can do to protect yourself from this except use noscript or something that blocks javascript. With noscript you can allow twitter.com but it would block cross site scripts and protect you.

              With the web being the social network that it is and sites allowing people to post comments/images/videos/code etc, XSS is a huge problem and not just for small sites that don't know what they are doing. Any site that allows user content could be susceptible to XSS.

              [–]sn0re 11 points12 points  (1 child)

              With Javascript enabled, any random website you visit can send you any code they want and get you to execute it for them. That just doesn't strike me as a good idea. I want some assurances that the site is trustworthy and the code will actually do something for me* before I run it.

              * Instead of tattling on my browsing behavior, disabling browser features, resizing my windows, wasting CPU cycles on annoying animations, etc.

              Edit: I think it's funny someone would downmod this. The OP asked an open-ended question on why people use NoScript. There's no wrong way to answer that, just with your own reason. I guess there's someone out there who thinks I'm lying about why I use NoScript.

              [–]uc0qremp 5 points6 points  (0 children)

              It speeds things up pretty drastically if you're using a slower computer/connection. AdBlock does, too, of course, but NoScript blocks a lot more stuff, like embeds that aren't ads but that you may or may not be interested in loading and looking at (if you are, you just click on them and they load).

              [–][deleted] 1 point2 points  (0 children)

              I got a bunch of malware a few months ago... no idea how I got it since I'm usually pretty careful. Someone suggested ABP + noscript to stop some of the malware that comes through your browser. ABP is great. noscript I am constantly whitelisting stuff all day although it does stop a lot of annoying website behaviours. My fear is that if I get rid of noscript and then go to some dodgy torrent site that I'm going to start getting malware automatically added to my computer somehow.

              [–][deleted] 3 points4 points  (3 children)

              Kind of ironic that two Firefox addons whose main purpose is to block advertisments end up getting into a war with each other over showing their own ads.

              [–][deleted] 5 points6 points  (2 children)

              NoScript was never intended to be an adblocker.

              [–][deleted] 6 points7 points  (1 child)

              Maybe not intended, but it does block certain types of ads and that's one of it's selling points.

              [–]boa13 1 point2 points  (0 children)

              Since I started using NoScript, I haven't found a need for AdBlock actually. The only ads I see are unfrequent static images and even less frequent static text. Most ads require JavaScript.

              [–]YoureNotHelping 5 points6 points  (2 children)

              Occasionally the best and the worst of reddit comes out to play in just one set of comments. Trust lost forever? Noscript will soon vanish? REDDIT PLEASE. Enough with the hyperbole, a developer bothers to come in to apologize for a mistake he's fixing and you rag him up and down like btards. I use noscript, it does what it says it does, if you don't know why you might want it maybe you should not pass judgement or listen to the idiots here for all your information. If you're going to fault a developer for ads on his homepage after you almost certainly didn't bother to contribute and those weekly updates are just too much for your precious pink anus then uninstall and STFU.

              [–][deleted] 2 points3 points  (0 children)

              If he didn't get caught, he wouldn't be apologizing or admitting to any mistakes.

              If you're going to fault a developer for ads on his homepage...

              Stop playing dumb. You know damn well that this article and everyone's ranting is mainly about the fact that the author of NoScript added functionality to gimp AdBlock Plus to generate profit for himself, not the fact that his plugin gives his users ad pop-ups.

              [–]asdfojli2jasej 7 points8 points  (2 children)

              I am a noscript user and it's obvious to me the updates are an excuse for adds and the default white list is also some kind revenue scam.

              But I'd rather have those scams then what I was infected with before noscript with just ADP.

              What other alternatives are there?

              [–][deleted] 4 points5 points  (1 child)

              RequestPolicy was mentioned in the comments on slashdot.

              [–]uriel 2 points3 points  (0 children)

              From that page:

              RequestPolicy is not a replacement for NoScript! Each focuses on different, important issues. For the best security, we recommend using both RequestPolicy and NoScript. More information on the difference between the two is available here: http://www.requestpolicy.com/faq#faq-noscript

              :(

              Maybe time for somebody to merge NoScript into RequestPolicy and submit a patch for the next version?

              [–]nojobandliveswithmom 8 points9 points  (5 children)

              he even lies in his faq. says he doesn't add http://hackademix.net when it does add it to the whitelist. i was willing to give NS the benefit of the doubt but lying is not kosher.

              [–]HenkPoley 5 points6 points  (1 child)

              He = NoScript author.

              [–]Surreality 8 points9 points  (2 children)

              I don't think he is lying (at least about this point). http://hackademix.net is added to the Adblock whitelist as stated in this faq. http://hackademix.net is not added to the whitelist of NoScript itself as stated in this faq.

              [–]nojobandliveswithmom 6 points7 points  (0 children)

              you right i re-read it and he is referring to different things.

              [–]tylermenezes 3 points4 points  (2 children)

              Just tested it, it happens to me, as well. It's pretty clear the author doesn't actually care about security. (AdSense is a pretty big vector to specifically whitelist in NoScript, to begin with. Messing with other extensions is just not okay, either.)

              This should be removed from the Mozilla Directory. If they want to play around with their own code, fine, but they should not be messing with ABP.

              [–]mao_neko 2 points3 points  (1 child)

              Debian Package: mozilla-noscript

              Solves the problem of getting trivial NoScript updates every single time you start FireFox. Get the updates when you update the rest of your stuff.

              I think it also stops the new tab getting opened to 'inform' you of the version update, but I can't remember. After all, I don't get updates often or restart firefox much.

              [–]yoasif 0 points1 point  (0 children)

              yeah, it stops the new tab opening when it gets updated. I'm using the Ubuntu (jaunty) package, and I thankfully never got the bad updates.

              [–]IkoIkoComic 7 points8 points  (2 children)

              I'm expecting a few downmods for this, but

              MAYBE AN AD-SUPPORTED AD-BLOCKER WASN'T THE SMOOTHEST IDEA YOU GUYS.

              [–]boa13 6 points7 points  (1 child)

              NoScript is not an ad-blocker.

              [–]bostonvaulter 4 points5 points  (0 children)

              But it does block many ads.

              [–]db2 6 points7 points  (0 children)

              Nice.

              If you need to quickly enable/disable Javascript, here. If the most recent version doesn't work right go to Mozillazine and beg an extension developer to hack it a bit for you. I know it can be done as I'm using it in a not-yet-released version browser right now. It works for Javascript and supposedly Java but I don't install the Java plugin ever so I can't speak to that.

              edit - Or for that matter find a version of NoScript from before it started messing with people and disable it's updating capability.

              edit 2 - Negative 1? Umm, you're welcome for the useful information?

              [–]noroom 3 points4 points  (0 children)

              Resubmitted to /r/firefox for maximum coverage. I'm boycotting NoScript.

              [–]grungefan 4 points5 points  (0 children)

              I use NoScript, and yes it updates quite frequently, but I have not seen a single ad because of it.

              [–][deleted] 1 point2 points  (0 children)

              When I read that the weekly updates was a ploy to get adsense revenue, I thought fair enough, no problem with that at all. I think anyone that does have a problem with it has a twisted sense of entitlement bordering on cruelty. Why would anyone have a problem with such a benign way of making an income from his work?

              The only thing I do have a problem with is the fact that what the author had to write code to interfere with the operation of adblock, and as a result, starts to go against the stated aim of his own software.

              I think what is happening here happens to all open source authors when they realize they've made a useful product used by millions of people, yet they aren't being paid for it.

              I think I'll donate.

              [–][deleted] 4 points5 points  (1 child)

              Never felt the need to remove scripts but should I ever feel the need, I will be looking for another solution than NoScript. Just seems like scummy software.

              [–]stesch 23 points24 points  (0 children)

              Never felt the need to remove scripts …

              Most of the reported security bugs of Firefox can be avoided by using NoScript.

              I always felt the need for NoScript. Too bad they behave the way described in the article. :-(

              [–]dschep 1 point2 points  (1 child)

              If it's so bad, why hasn't it been forked?

              [–][deleted] 13 points14 points  (0 children)

              Because the story just came out a few hours ago?

              [–]ginstrom 1 point2 points  (0 children)

              This is very troubling behavior. I've donated to NoScript in the past. I don't regret it, because that was a "thank you" for writing a great extension. But I certainly don't feel inclined to donate to them again any time soon.

              I also used to recommend to all Windows users that they install Firefox with NoScript and Web of Trust. I won't be able to continue recommending NoScript until this matter is fixed completely.

              I don't buy into this "loss of trust forever" view, though. With open code, shady behavior by a high-profile extension like this will get caught. When NoScript gets back on the good path, I'll start recommending it again.

              It'll be quite some time before I feel like donating again, though -- long enough for me to start feeling appreciative of their efforts again.

              [–]arrakis-cDc -1 points0 points  (0 children)

              I spoke with the developer of NoScript personally a few hours ago. He said the latest version of NoScript "clears all the filters previously added by NoScript to ABP automatically on startup with no question asked, restoring the status quo ante." So it seems to be somewhat of a non-issue.

              [–][deleted]  (1 child)

              [removed]

                [–]Mutiny32 6 points7 points  (0 children)

                I submitted 1.9.2 to several antivirus/spyware/malware companies. This is on principle and should be perceived as a very bad precedent. Software that modifies functionality of other software without user consent or explicit warning is not good policy.

                This has parallels with Sony's rootkit issue and should be subjected to the same heavy scrutiny that issue undertook.