Closed Bug 388963 Opened 15 years ago Closed 12 years ago

CookieSafe and NoScript should be part of the core Firefox product


(Firefox :: Security, enhancement)

Not set





(Reporter: meta, Unassigned)


User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20061201 Firefox/ (Ubuntu-feisty)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20061201 Firefox/ (Ubuntu-feisty)

I think that the combination of the CookieSafe and NoScript extensions is exactly how cookie and script security should work in Firefox:

* No scripts and no cookies by default.

* If I want to allow cookies for a site, I go to the site, and it's two clicks (and no typing!) to allow cookies for that site, and that site only.

* If a site needs JavaScript, again it's two clicks to enable script for that site, and only that site.

The default when Firefox is installed could be "cookies for everyone / script for everyone" to make advertisers and newbies happy. Then a couple of checkboxes marked something like "Restrict cookies to sites you trust" and "Restrict JavaScript to sites you trust" could switch to secure mode and turn on the UI controls equivalent to NoScript and CookieSafe.

Reproducible: Didn't try

I wrote up some <a href="">notes</a> on NoScript and CookieSafe on my web site for anyone who doesn't know how they work.
I would vote against this if I could. Unfortunately I don't see the option.

I don't see why these should be part of the core at all when anyone (a small segment of users) can just install those extensions if they want it.

The only reason why I comment here is because of signature spamming this feature request on Slashdot.
We're obviously not going to disable JavaScript or cookies by default, but it would be nice if the options to enable them on a per-site basis worked better.

The option for cookies works pretty well: you can set Firefox to throw away most cookies at the end of the session.  If you want Firefox to keep cookies from a certain site, you can go to the Page Info "Permissions" pane and select "Allow".  This takes a few more clicks than with the extension, but it does the right thing.

The option for JavaScript unfortunately requires editing hidden prefs.  I'm not sure why this isn't part of the Page Info "Permissions" pane already; it would fit perfectly there.
"I don't see why these should be part of the core at all..."

Because you shouldn't have to install extensions to get a simple, usable UI.

The functionality is already in Firefox. However, it's really awkward to use. All I'm asking for is the UI to be as simple as it is if you add the two extensions.
I can see something akin to YesScript (a simple on/off switch on the toolbar) being a viable option to integrate with Firefox, but NoScript is one of the most convoluted add-ons I've ever come across, a classic geek-mentality tool that would frighten anything but the most hardened Firefox user.

CookieSafe I can't comment on because I've never used it. But certainly, as written, this is one of those bugs that makes you wish you could vote against it instead of only for it.
JavaScript and cookies are never going to be disabled by default.  That would break everything and confuse the most users who aren't going to have a clue what's going on.  If you like it that way, then just install the aforementioned extensions.  Though, just installing Adblock Plus gets rid of the vast majority of BS scripts and wiping cookies on close is usually more than sufficient.

See something like bug 251688 for the per-site JavaScript option, which I do agree would be nice to have.  That plus per-site cookies and the new page info dialog in Firefox 3 should actually give most of this requested functionality.

Closing as WONTFIX.  Probably could also dupe this to half-a-dozen other reports.
Closed: 14 years ago
Resolution: --- → WONTFIX
'JavaScript and cookies are never going to be disabled by default.'

That's not what the request said. Quote:

'The default when Firefox is installed could be "cookies for everyone / script
for everyone" to make advertisers and newbies happy.'
Resolution: WONTFIX → ---
Here's a news story with several million more reasons why NoScript functionality is an essential security feature which belongs in the core product:
I see you've added the per-site cookie blocking, in spite of claiming WONTFIX.

Now all you need is the same thing for scripts.
(In reply to comment #8)
What "in spite of"? I said point blank in comment 5 that I think per-site cookie and JS options are a good thing, just not blocking everything by default. (though I think blocking 3rd party cookies by default would be good, but probably not going to happen anytime soon) Fundamentally, this bug requests them all off by default, which as already stated isn't going to happen.

I suggest you not bother playing with the status and just leave this WONTFIXed, as nobody is going to fix it. The average user either won't put up with prompts for every page to use basic web functionality and those who would, frankly, wouldn't know when to allow or not.

The part you want that may get done at some point is per-site JS blocking. If there's no bug for that yet file a new one for just that. (though, there is probably one somewhere, but I can't find it at the moment; I just see the dupes to the SeaMonkey bug)
Closed: 14 years ago12 years ago
Resolution: --- → WONTFIX
I reopened bug 320522 from being marked as a dup of a seamonkey bug.
You need to log in before you can comment on or make changes to this bug.