Bug 388963 - CookieSafe and NoScript should be part of the core Firefox product
Status: VERIFIED WONTFIX
Product: Firefox
Classification: Client Software
Component: Security
Version: unspecified
Platform: x86 Linux
Importance: -- enhancement with 4 votes
Assigned To: Nobody; OK to take it and work on it
Reported: 2007-07-20 09:08 PDT by mathew
Modified: 2011-08-23 16:01 PDT

Description mathew 2007-07-20 09:08:30 PDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 (Ubuntu-feisty)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 (Ubuntu-feisty)

I think that the combination of the CookieSafe and NoScript extensions is exactly how cookie and script security should work in Firefox:

* No scripts and no cookies by default.

* If I want to allow cookies for a site, I go to the site, and it's two clicks (and no typing!) to allow cookies for that site, and that site only.

* If a site needs JavaScript, again it's two clicks to enable script for that site, and only that site.

The default when Firefox is installed could be "cookies for everyone / script for everyone" to make advertisers and newbies happy. Then a couple of checkboxes marked something like "Restrict cookies to sites you trust" and "Restrict JavaScript to sites you trust" could switch to secure mode and turn on the UI controls equivalent to NoScript and CookieSafe.

Reproducible: Didn't try




I wrote up some notes (http://meta.ath0.com/2007/02/02/firefox-hint/) on NoScript and CookieSafe on my web site for anyone who doesn't know how they work.
Comment 1 Ash-Fox 2008-02-08 23:57:58 PST
I would vote against this if I could. Unfortunately I don't see the option.

I don't see why these should be part of the core at all when anyone (a small segment of users) can just install those extensions if they want them.

The only reason why I comment here is because of signature spamming this feature request on Slashdot.
Comment 2 Jesse Ruderman 2008-02-09 00:28:52 PST
We're obviously not going to disable JavaScript or cookies by default, but it would be nice if the options to enable them on a per-site basis worked better.

The option for cookies works pretty well: you can set Firefox to throw away most cookies at the end of the session.  If you want Firefox to keep cookies from a certain site, you can go to the Page Info "Permissions" pane and select "Allow".  This takes a few more clicks than with the extension, but it does the right thing.

The option for JavaScript unfortunately requires editing hidden prefs.  I'm not sure why this isn't part of the Page Info "Permissions" pane already; it would fit perfectly there.
Comment 3 mathew 2008-02-09 08:45:25 PST
"I don't see why these should be part of the core at all..."

Because you shouldn't have to install extensions to get a simple, usable UI.

The functionality is already in Firefox. However, it's really awkward to use. All I'm asking for is the UI to be as simple as it is if you add the two extensions.
Comment 4 Paul Harrison 2008-05-29 13:27:00 PDT
I can see something akin to YesScript (a simple on/off switch on the toolbar) being a viable option to integrate with Firefox, but NoScript is one of the most convoluted add-ons I've ever come across, a classic geek-mentality tool that would frighten anything but the most hardened Firefox user.

CookieSafe I can't comment on because I've never used it. But certainly, as written, this is one of those bugs that makes you wish you could vote against it instead of only for it.
Comment 5 Dave Garrett 2008-05-30 02:33:13 PDT
JavaScript and cookies are never going to be disabled by default.  That would break everything and confuse most users, who aren't going to have a clue what's going on.  If you like it that way, then just install the aforementioned extensions.  Though, just installing Adblock Plus gets rid of the vast majority of BS scripts and wiping cookies on close is usually more than sufficient.

See something like bug 251688 for the per-site JavaScript option, which I do agree would be nice to have.  That plus per-site cookies and the new page info dialog in Firefox 3 should actually give most of this requested functionality.

Closing as WONTFIX.  Probably could also dupe this to half-a-dozen other reports.
Comment 6 mathew 2009-02-20 12:33:22 PST
'JavaScript and cookies are never going to be disabled by default.'

That's not what the request said. Quote:

'The default when Firefox is installed could be "cookies for everyone / script
for everyone" to make advertisers and newbies happy.'
Comment 7 mathew 2010-03-23 13:12:00 PDT
Here's a news story with several million more reasons why NoScript functionality is an essential security feature which belongs in the core product:

http://news.cnet.com/8301-27080_3-20000898-245.html
Comment 8 mathew 2011-03-23 12:35:06 PDT
I see you've added the per-site cookie blocking, in spite of claiming WONTFIX.

Now all you need is the same thing for scripts.
Comment 9 Dave Garrett 2011-03-23 15:20:18 PDT
(In reply to comment #8)
What "in spite of"? I said point blank in comment 5 that I think per-site cookie and JS options are a good thing, just not blocking everything by default. (though I think blocking 3rd party cookies by default would be good, but probably not going to happen anytime soon) Fundamentally, this bug requests them all off by default, which as already stated isn't going to happen.

I suggest you not bother playing with the status and just leave this WONTFIXed, as nobody is going to fix it. The average user won't put up with prompts for every page to use basic web functionality, and those who would, frankly, wouldn't know when to allow or not.

The part you want that may get done at some point is per-site JS blocking. If there's no bug for that yet, file a new one for just that. (though, there is probably one somewhere, but I can't find it at the moment; I just see the dupes to the SeaMonkey bug)
Comment 10 Jesse Ruderman 2011-03-23 15:41:39 PDT
I reopened bug 320522 from being marked as a dup of a SeaMonkey bug.
