Advice Request NoScript breaking Chromium Browsers

[Gandalf_The_Grey]

I believe the latest update broke NoScript in Chrome. My Chrome is fully updated. As of today, NoScript has completely broke Chrome. No scripts will load on any page regardless of the state of NoScript. I cleared cache and did all the normal troubleshooting steps. Even when I set NoScript to be disabled globally, no scripts will load. Sites marked as Trusted will not load scripts and run. I uninstalled NoScript and reinstalled it. NoScript still will not allow any scripts to run. I had to completely disable NoScript before browser functionality would return.

What happened?
It appears to have been removed from the chrome web store, returning a 404 error.

NoScript update broke browser - Chrome - InformAction Forums

Thank you for your reports.

I'm extremely upset and sorry for what's happening, but unfortunately that's not something I could test in advance: it appears that the bug happens only when the extension is installed in packaged form from the stores!

If installed in developer mode ( chrome://extensions > Developer mode ON - Load unpacked) it works normally.

I've just tried to unpublish the 11.2.16 version (hoping the Chrome Store would rollback to previous published version 11.2.11), but this actually caused the whole extension listing page to disappear (there's no NoScript in the chrome store at this moment, it gives 404).

I've also pushed a 11.2.17 version which is just 11.2.11 with the bumped version number, but there's no guarantee of when it will be actually published because it has to pass the Google editorial review (there's no sane way to automatically roll back users to a previous version, like you can do with Mozilla add-ons).

At this moment the only way to have a working NoScript on Chromium browser is downloading the noscript-11.2.16 zip file from the GitHub NoScript 11.2.16 release, extracting it to a local directory, and installing it with "Load unpacked" ( chrome://extensions > Developer mode ON - Load unpacked).

In the meanwhile I'm trying to understand what the hell is creating this mess.

[UPDATE]
The culprit seems Chromium not giving file:/// access by default to packed extensions anymore.
So the easy work around is turning this on (useful also to make NoScript work on local HTML files) in
chrome://extensions/?id=doojmbjmlfjjnbmnoijecmcbfeoakpjm

I'll soon publish a 11.2.18 with all the benefits of 11.2.16 and a work-around for this problem.
In the meanwhile I've asked the Chromium editorial board to speed up the publishing of the ad-interim bumped-up 11.2.11 as 11.2.17.

[FIXED] NoScript breaking Chromium Browsers - Page 2 - InformAction Forums

 

[ForgottenSeer 92963]

I have enabled strict extension restrictions flag and forced the WriteGuard to block file access through browser policy. Another example of a piece of software that potentially increases your browser security, but before doing so, it first shoots a big hole in the overal security of your browser

 

[Jan Willy]

Another example of a piece of software that potentially increases your browser security, but before doing so, it first shoots a big hole in the overal security of your browse

Do you especially mean Noscript or extensions in general? Are uBlock Original or Adguard extension more reliable?

 

[ForgottenSeer 92963]

Do you especially mean Noscript or extensions in general? Are uBlock Original or Adguard extension more reliable?

Yes and No

Years ago when Firefox had to challenge IE6, adding NoScript was a huge security improvement. My personal preference at that time was to sandbox the browser (GeSWall, DefenseWall and Sandboxie like solutions) in stead of crippling it by disabling JavaScript. Nevertheless NoScript was and (today) still has security advantages.

Because browsers got internal sandboxes and the Windows OS got better exploit protection, the added benefit of client side restricting the browser with NoScript, uMatrix (and uBlock 3rd-party blocking) has reduced substantially.

With that in mind, kernel patch protection, UAC, core virtualisation, hardware based stack protection and internal browser sandboxes and . . . . . Google's ManifestV3 are logical steps on a path to a better and more balanced protection. After all it has little use to increase the security of a browser and allow extensions to create large holes in it.

So the solution proposed by NoScript is 'old school' thinking (like claiming that we have to patch the kernel to better protect it). So YES it was a specific reaction to NoScript, but NO, in the greater picture I intended to project this on security solutions (and extensions increasing security) in general which require extra permissions to protect you (that is why I preferred GeSwall and DefenseWall over Sandboxie in the past).

I did not intend to insinuate that NoScript is less reliable.

Hope this explains.