NoScript remains one of my favorite browser addons (or plugins or whatever they’re called these days). Look what it just proposed to block while browsing bol.com (one of the big online retailers in BE and NL);
So when does GDPR go in effect exactly and will I be able to opt-out of data-sharing from that moment onwards?
network.cookie.thirdparty.sessionOnly: set to “true” or “false”
privacy.donottrackheader.enabled: set to “false” (default) or “true”, which gently asks sites not to track you
Setting “network.cookie.thirdparty.sessionOnly” to “true” is a low-impact change which should stop tracking-companies (think Media6degrees or Quantcast) from following you around the web.
If you want to stop Facebook, Google & Co to stop tracking you around the web as well, the above setting will not suffice. You should either log out of their sites as soon as you’ve done your business there or set “network.cookie.cookieBehavior” to “1” (which will break their “social widgets”). Or you can install Ghostery or NoScript, off course.
It took some time, digging and soul-searching, but it turned out to work fine for all but me. The reason: NoScript! My favorite Firefox Addon has, so I learned, “Automatic Secure Cookie Management” as a countermeasure against HTTPS cookie hijacking (by setting cookies “secure” if they’re set in HTTPS and if they contain something resembling a session-id?). And that feature indeed can break stuff.
So if you’re using NoScript and you’re running into weird cookie-related problems: try with “Automatic Secure Cookie Management” turned off, or add the site you’re on as an exception and you might be good to go.
# Allow Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
This tells NoScript to allow Facebook scripts (you know, to visit facebook.com), but to stop them from being included in other sites. I guess with NoScript’s surrogate scripts one might even be able to replace Facebook’s Like-widget with one that just shows the old-fashioned (and harmless) share-button. Now wouldn’t that be fun?
The problem apperantly is with another sanitizing component in Venus; html5lib. Sam Ruby, the developer of Venus, wrote on the mailinglist;
There are multiple sanitization passes involved here. […] The html5parser seems to think that noscript is to be parsed as text only, which would result in the behavior that you describe. Looking at the current HTML5 spec, it appears that this does not match the expected behavior — so perhaps that changed too.
So I started looking at html5lib and … well, I’m stuck, html5lib is a pretty complex beast for a smalltime non-developer to dive into. So earlier today I turned to the html5lib discussion list to ask how sanitization can be configured not to escape noscript, let’s hope someone will enlighten me. Because until then those poor Planet Greppers won’t be able to see (a thumbnail of) Al Jarreau’s great version of Take Five way back in 1976:
Being “the computer guy” in the family might be a pain in the ass sometimes, but trying to help out users that are not tech savvy can be very revealing. Yesterday my father-in-law asked me to take a look at his computer, there was something about the browser that was not right. Turned out he let Google lure him into downloading Chrome and making it the default browser. What bothered him most about Chrome was the lack of menu’s (file|edit|…|help), while a lot of the us (the in-crowd) consider the minimal use of chrome a plus. Usability is not only about clean, simple UI’s, but also about not breaking novice users’ expectations of how your application looks and behaves.
Anyway, I showed him IE8 and Firefox 3.5 (both were installed as well) and he recognized Firefox as the browser he was most familiar with. So I uninstalled Chrome, hid IE8, upgraded him to FF 3.6 and also installed the “Vacuum Places improved” and NoScript add-ons.
“Vacuum Places improved” cleans up the places sqlite database where Firefox stores bookmarks and history and which can become very big over time. When tweaking the options (“hide icon” and “auto-vacuum every 20 browser starts”) it was a great way to invisibly tune browser performance, but it turns out Firefox 3.6 vacuums places.sqlite automatically (when idle, every 1 to 2 months). So Pierre, if you ever read this; remind me to uninstall “Vacuum Places improved” next time! :)
Although the first option specifically claims it is dangerous to do so, these changes render NoScript into an add-on that provides a lot of extra security (protecting against clickjacking, cross-site scripting and implementing support for x-frame-options and Strict Transport Security) without bothering users with new UI-elements containing incomprehensible questions, messages or options.
Because web security is not only about protecting against threats, but also about not breaking novice users’ expectations of how your secured browser (and the web) looks and behaves.