Want to talk about NoScript? Post here. Topic is solved

General discussion, compatibility and contributed extensions.

Moderators: Lootyhoof, FranklinDM

KlarkKentThe3rd
Lunatic
Lunatic
Posts: 364
Joined: 2018-04-20, 20:31

Re: Want to talk about NoScript? Post here.

Post by KlarkKentThe3rd » 2020-05-01, 08:31

Thank you will look into this tomorrow.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 28168
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: Want to talk about NoScript? Post here.

Post by Moonchild » 2020-05-01, 11:04

Off-topic:
Pallid Planetoid wrote:
2020-05-01, 07:22
I personally just keep using my add-on (mentioned above) to get to a working Citibank login as opposed to changing this setting which appears to me to be globally allowing "insecure requests" by considering them as "secure"
You misunderstood the option, I'm afraid. It's not lowering security by considering insecure requests as secure; instead, it is enabling a mechanism that allows requests to be encrypted opportunistically that otherwise would not be. So, it is in fact the other way around: you have more encrypted connections than without that option (if the site responds to this request) but it might not show in the browser that they are encrypted if they have been "upgraded" to an encrypted state.

As said before this shouldn't even be a problem if you talk about on-line banking because banks should have had full-site encryption for many years already; in fact ever since they would have started offering on-line banking with logins. So it is extremely telling for Citibank's security that this is even a problem.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

User avatar
Andrew Herbert
Fanatic
Fanatic
Posts: 161
Joined: 2019-11-25, 21:46

Re: Want to talk about NoScript? Post here.

Post by Andrew Herbert » 2020-05-01, 13:04

Pentium4User wrote:
2020-05-01, 05:31
With nMatrix no problem, but I don't like the new concept, I prefer the old one when I allow a domain it is allowed on all other domain.
It's also possible with uMatrix/eMatrix: https://github.com/gorhill/uMatrix/wiki ... by-default

User avatar
Pentium4User
Lunatic
Lunatic
Posts: 465
Joined: 2019-04-24, 09:38

Re: Want to talk about NoScript? Post here.

Post by Pentium4User » 2020-05-01, 13:08

Andrew Herbert wrote:
2020-05-01, 13:04
Pentium4User wrote:
2020-05-01, 05:31
With nMatrix no problem, but I don't like the new concept, I prefer the old one when I allow a domain it is allowed on all other domain.
It's also possible with uMatrix/eMatrix: https://github.com/gorhill/uMatrix/wiki ... by-default
Thx, already did that.
Powerline adapters (dLAN) hardly interfere shortwave radio, so stop using them.

Yes, I still use a 64 bit capable Pentium 4 670 processor with Pale Moon.

User avatar
Pallid Planetoid
Knows the dark side
Knows the dark side
Posts: 3796
Joined: 2015-10-06, 16:59
Location: Los Angeles CA USA

Re: Want to talk about NoScript? Post here.

Post by Pallid Planetoid » 2020-05-01, 15:36

Moonchild wrote:
2020-05-01, 11:04
Off-topic:
Pallid Planetoid wrote:
2020-05-01, 07:22
I personally just keep using my add-on (mentioned above) to get to a working Citibank login as opposed to changing this setting which appears to me to be globally allowing "insecure requests" by considering them as "secure"
You misunderstood the option, I'm afraid. It's not lowering security by considering insecure requests as secure; instead, it is enabling a mechanism that allows requests to be encrypted opportunistically that otherwise would not be. So, it is in fact the other way around: you have more encrypted connections than without that option (if the site responds to this request) but it might not show in the browser that they are encrypted if they have been "upgraded" to an encrypted state.

As said before this shouldn't even be a problem if you talk about on-line banking because banks should have had full-site encryption for many years already; in fact ever since they would have started offering on-line banking with logins. So it is extremely telling for Citibank's security that this is even a problem.
Off-topic:
Thanks Moonchild -- for the clarification. I do recall that now -- that is "... but it might not show in the browser that they are encrypted if they have been "upgraded" to an encrypted state." ["that" being "encryption" is "designated" as not in place when in reality it really is] and that was something I thought might confuse me if I'm possibly going to be observing a bank w/out the "lock" icon in the address bar [which I assume is what you mean by what I quoted above]. That said, it's good that you have once again clarified that regardless of the potential of "false" or "misleading" results as far as security "notification" is concerned to say that in reality security is not compromised in the least using the pref setting.

As to your reference to "So it is extremely telling for Citibank's security that this is even a problem." -- it is extremely odd to me that this issue is a relatively "new" development starting back in February it appears because it makes no sense that Citibank's security would have devolved from what it was before since before around February this has not been an issue with login. I'm thinking that as opposed to the bank's security devolving from what it was but rather it's something that Citibank changed in their code that causes this problem that is likely irrelevant to security at all -- but for some reason this pref that we are discussing that allows the login to work acts as a "workaround" to what it is that Citibank changed to cause the login issue in the first place.

I might try the pref after all -- and if I'm not seeing the "unlock" or "lock" icon for websites that I would otherwise expect this -- I'll likely leave the pref that way. ;)
Current Pale Moon(x86) Release | WIN10 | I5 CPU, 1.7 GHz, 6GB RAM, 500GB HD[20GB SSD]
Formerly user Pale Moon Rising - to provide context involving embedded reply threads.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
Knowing Pale Moon is indisputably #1 is defined by knowing the totality of browsers. - Pale Moon Rising

User avatar
Pallid Planetoid
Knows the dark side
Knows the dark side
Posts: 3796
Joined: 2015-10-06, 16:59
Location: Los Angeles CA USA

Re: Want to talk about NoScript? Post here.

Post by Pallid Planetoid » 2020-05-01, 15:45

Hmm -- I decided to try setting "network.http.upgrade-insecure-requests" from default "false" to "true" but the setting isn't there any more.

I have a question Moonchild; I had found that "network.http.upgrade-insecure-requests" pref setting before (back when it was mentioned) but do not find it now in about:config.

Please advise as to what happened to this pref setting?

I'm assuming I could simply add it -- but I'm kind of curious why it's no longer available. I have to assume that at some point a Pale Moon update has removed it -- am I correct to assume this? And if so -- wouldn't you want to address this?

Oh wait -- let me check out the "Preferences" GUI (what's it called? Oh Yea "Pale Moon Commander") -- yep so I checked the "Enable upgrade Insecure requests" (I sure don't like that reference to "Insecure" ;)) so will the pref be there -- hmm still not there. Wait--yes it is :thumbup: just needed another about:config started to see it.
Last edited by Pallid Planetoid on 2020-05-01, 16:00, edited 2 times in total.
Current Pale Moon(x86) Release | WIN10 | I5 CPU, 1.7 GHz, 6GB RAM, 500GB HD[20GB SSD]
Formerly user Pale Moon Rising - to provide context involving embedded reply threads.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
Knowing Pale Moon is indisputably #1 is defined by knowing the totality of browsers. - Pale Moon Rising

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 28168
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: Want to talk about NoScript? Post here.

Post by Moonchild » 2020-05-01, 15:50

use the preferences window like any normal user :)
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

User avatar
Pallid Planetoid
Knows the dark side
Knows the dark side
Posts: 3796
Joined: 2015-10-06, 16:59
Location: Los Angeles CA USA

Re: Want to talk about NoScript? Post here.

Post by Pallid Planetoid » 2020-05-01, 15:59

Moonchild wrote:
2020-05-01, 15:50
use the preferences window like any normal user :)
I wish I could be more "normal" :mrgreen: (I love your wry since of humor :lol:) -- Yep that's what I did (your quick!!) thanks!

If I don't see an inordinate number of "unlocked" or missing lock icons on sites I'd be expecting otherwise -- I'm a happy camper :D and I won't be following up. It I find that's not the case then maybe I'll followup after all (if you don't mind). :)

ADDENDUM: I'm still contemplating what I'd consider a valid question I posed -- it would (as I've assumed) be correct to say a Pale Moon update must have removed that setting at some point subsequent to the day I found that it was present in about:config? (I can't think of another explanation) And as such -- maybe something you'd not prefer to be the case?.... Just saying... (maybe something worth looking into me thinks) That said, it's cool that we have the convenience of access via Pale Moon Commander to the setting. As I've always said -- Pale Moon is unequivocally hands down the greatest, period!!

ADDENDUM: Just thought I'd add for the benefit of users in general that in my case I find a rate of about 20% of presumed secure sites that are missing the expected "lock" icon using this pref setting discussed. In the knowledge that security is in place regardless of whether the icon is present or not this is not something that should be a concern imho (what matters is security is not in any way compromised as reflected by Moonchild's clarification in the matter :thumbup:).
Current Pale Moon(x86) Release | WIN10 | I5 CPU, 1.7 GHz, 6GB RAM, 500GB HD[20GB SSD]
Formerly user Pale Moon Rising - to provide context involving embedded reply threads.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
Knowing Pale Moon is indisputably #1 is defined by knowing the totality of browsers. - Pale Moon Rising

User avatar
Pallid Planetoid
Knows the dark side
Knows the dark side
Posts: 3796
Joined: 2015-10-06, 16:59
Location: Los Angeles CA USA

Re: Want to talk about NoScript? Post here.

Post by Pallid Planetoid » 2020-05-01, 17:55

KlarkKentThe3rd wrote:
2020-05-01, 08:31
Thank you will look into this tomorrow.
Please see my edited remarks in the post at the bottom of the previous page that you are replying to (regarding the "workaround" to get Citibank's login to work in Pale Moon) and my comments above on the subject... as well as Moonchild's additional remarks on this page to help clarify in what way my conclusions were incorrect regarding the pref setting discussed.
Current Pale Moon(x86) Release | WIN10 | I5 CPU, 1.7 GHz, 6GB RAM, 500GB HD[20GB SSD]
Formerly user Pale Moon Rising - to provide context involving embedded reply threads.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
Knowing Pale Moon is indisputably #1 is defined by knowing the totality of browsers. - Pale Moon Rising

Post Reply