Pale Moon team disables NoScript by default, faces backlash, blocks discussion

[ShadeOfBlue]

Within the past couple days the Pale Moon team have flagged the popular script-block extension NoScript as being "known to cause stability or security problems."

 

Related Pale Moon forum topics include this and this.

 

Many users are upset at the decision, that the default setting is to disable it (which is extremely dangerous, as any malicious scripts on open tabs.. originally opened under the assumption NoScript would be running...  would run), and by the rudeness and "arrogance" of the admins.

 

Posts from the team indicate that they don't like spending time supporting issues that were ultimately caused by scripts being disabled. They also claim that NoScript can cause issues with some sites even if the extension is completely disabled in the browser options. However, despite repeated requests for more information/examples of the latter, they have yet to provide any. Instead, admins have threatened users that even discussing the subject will not be allowed.

 

Personally, I've never once encountered the claimed issues with NoScript in all my years of running it. But more importantly, it's hard to believe that developers who treat users so poorly on their forum wouldn't continue to do so behind the scenes as they develop the software and security/privacy policies related to it. I don't think I'll be recommending Pale Moon to anyone going forward.

[Matt A. Tobin of BinOC]

The original Mozilla phrasing for a "softblocked" item at level 1 severity has been revised to better reflect how we are using the blocklist and to soften the obviously paranoid string. It will now simply read "X is known to cause issues". Expect to see the revised string in the next version of the software.

 

Also, do note that level 1 severity will not prevent your use of the extension. It is meant only as a warning that.. It is known to cause issues.

[ZakO]

Reading through the thread it doesn't seem like the devs are being particularly rude or arrogant. I absolutely sympathize with them about getting false bug reports from users that don't understand what they're doing with NoScript, even as a web dev the amount of "bug reports" I've had in the past from people who have misconfigured their browsers is frustrating. It's not like they're silently disabling it without notifying you, it shows a box and you only have to untick a single checkbox one-time to keep it enabled forever. If you're not happy with the way an open source project is being run you're more than welcome to fork it.

 

One thing does concern me though...

Quote

Switching NoScript to "allow all", disabling NoScript in the add-on manager, or any other attempt at fixing these issues without performing a full uninstall of the extension are, on top, usually met with failure.

Why is the browser allowing an add-on that has been disabled in the add-on manager to in any way influence anything? Surely that's a security issue in itself.

Edited May 15, 2018 by ZakO

[Randolph]

On 5/11/2018 at 9:53 PM, ShadeOfBlue said:

Within the past couple days the Pale Moon team have flagged the popular script-block extension NoScript as being "known to cause stability or security problems."

 

Related Pale Moon forum topics include this and this.

 

Many users are upset at the decision, that the default setting is to disable it (which is extremely dangerous, as any malicious scripts on open tabs.. originally opened under the assumption NoScript would be running...  would run), and by the rudeness and "arrogance" of the admins.

 

Posts from the team indicate that they don't like spending time supporting issues that were ultimately caused by scripts being disabled. They also claim that NoScript can cause issues with some sites even if the extension is completely disabled in the browser options. However, despite repeated requests for more information/examples of the latter, they have yet to provide any. Instead, admins have threatened users that even discussing the subject will not be allowed.

 

Personally, I've never once encountered the claimed issues with NoScript in all my years of running it. But more importantly, it's hard to believe that developers who treat users so poorly on their forum wouldn't continue to do so behind the scenes as they develop the software and security/privacy policies related to it. I don't think I'll be recommending Pale Moon to anyone going forward.

I haven't used no script in years. Sometimes it is about just paying attention to what you click on.

[ShadeOfBlue]

On 5/15/2018 at 5:02 AM, Matt A. Tobin of BinOC said:

The original Mozilla phrasing for a "softblocked" item at level 1 severity has been revised to better reflect how we are using the blocklist and to soften the obviously paranoid string. It will now simply read "X is known to cause issues". Expect to see the revised string in the next version of the software. 

 

Also, do note that level 1 severity will not prevent your use of the extension. It is meant only as a warning that.. It is known to cause issues.

From the release notes:  "We changed the language strings for softblocked items so people will cry less when we do our job."

 

Well, the tone certainly does match the juvenile one in the forum, so at least it's consistent. But the reason given in the quote has nothing to do with the recognition that it was an "obviously paranoid string". The official Pale Moon team position appears to be that there was nothing wrong with the original text and that anyone who thinks so is, well.. worth insulting. Again.

 

For an extension that supposedly causes problems on "a large (and growing) number of websites", you'd think the devs could offer up more details to the people asking questions. Instead, it's all personal attacks. How is anyone supposed to gauge whether they should disable it, if the devs refuse to explain any particulars of the problem?

 

And this whole thing about not supporting the browser if NoScript is installed is just so farcical. What does that even mean? Let's think this through...

 

If it were still supported, a reasonable person would first provide a link to instructions that request the user to perform some simple tasks (e.g. clear cookies and cache, remove newly-installed extensions, remove NoScript or other similar invasive extensions, change certain settings to defaults, etc.), and then tell them to report back if the problem persists. But, now that it's not supported, the users are going to be turned away until they.. umm.. do the exact same thing. So please do explain how this changes the support situation one iota. Because it shouldn't. Not unless support is being done in a haphazard manner in the first place.

 

And yes, everyone knows you can untick the box. That's irrelevant. The problem is both the wording of the warning (supposedly now changed), as well as the initial state of the checkbox. In adware-esque fashion, the box is checked by default, in hopes that most people will leave it checked whether they truly wanted to or not. That's the power of defaults. Specifically, this is a massive security issue for existing installs. One slip of the enter key or a mouse button on that window and scripts will run in open tabs after a browser restart.... tabs that were opened under the assumption NoScript was running. I cannot stress enough how bad this is.

 

I can understand people making mistakes. But good devs fix problems once they are made aware of them. And then there's the Pale Moon team... who are completely irresponsible and unprofessional, I don't know if there's some bad blood between the Pale Moon devs and the NoScript dev, or what the problem is. But nothing makes sense here. And devs who are this clueless about security issues either need to clean their act up, or maybe think about not being devs.

 

On 5/15/2018 at 5:54 AM, ZakO said:

Reading through the thread it doesn't seem like the devs are being particularly rude or arrogant. I absolutely sympathize with them about getting false bug reports from users that don't understand what they're doing with NoScript, even as a web dev the amount of "bug reports" I've had in the past from people who have misconfigured their browsers is frustrating. It's not like they're silently disabling it without notifying you, it shows a box and you only have to untick a single checkbox one-time to keep it enabled forever. [...]

We must have very different definitions of rude and arrogant. Or perhaps you read a different thread. The devs have repeatedly insulted people (now even in the official release notes.. which just boggles my mind) instead of answering simple questions/suggestions, as well as refusing to allow users to even dare discuss the issue amongst themselves (which they have, in the days since, graciously allowed in the single unlocked and undeleted thread that remains).

 

Imagine if a site prompted users with a box that space was running out for new photos, below that it had a box checked next to "Delete all photos", and the "Accept" button had the focus. That is terrible design (how terrible depends on how good your legal team is I suppose). Defaults should never be destructive or dangerous. My example involves user data. The real issue involves security (and user data as well). But, the rule is the same in all cases.

 

And, being personally familiar with writing and supporting software, it's even worse than what you say. Outside of major new bugs, the vast majority of all reports are user error. That's why you are supposed to consider that when providing support (as I detailed above). This excuse does not hold water in the slightest.