I have JavaScript globally enabled. In Script Permissions, I have set "www.google.com" to BLOCK. However, JavaScript is still enabled.

I have JavaScript globally disabled. In Script Permissions, I have set "www.google.com" to ALLOW. However, JavaScript is still disabled.

Any suggestions?

Version?

Javascript permissions have turned into a complicated science with recent Mozilla/Firefox versions
And it's really over my head now:

There is the traditional, global pref "javascript.enabled" which is used in KM for the global setting. It affects external script files + page inline scripts, and seems to have the highest priority - but might remember wrong?

There are also new additional commands in KM called "navToggleJS" and "pageToggleJS":
http://kmeleonbrowser.org/wiki/CommandIds#JavaScriptControls
since I'm not using KM7X online myself, I keep forgetting what exactly that's affecting and how it's interacting with the others.

There is also a global setting "permissions.default.script" (INT 1-2-3).
This one only affects the loading of external style sheets, NOT in-page-script lines.
(no interface for this one in KM to my knowledge, made macros for it: priv3buttons and blockeria)

In newer KM-versions users can also BLACK-WHITE-LIST domains, in F2/javascript.
Those permissions are stored in the file "permissions.sqlite" in the profile folder, along with other (automatic) stuff.
There exists a very handy extension ExExPermissions/ExExceptions to make input easier, highly recommand: http://kmeleonbrowser.org/forum/read.php?9,124407

Hopefully anyone knows better, so far can only suppose this WHITE-list can only overrule a blocked "permissions.default.script" setting??
In general it is said, "domain.com" acts like "*.domain.com", but "www.domain.com" means only URLs really starting with "www", not subdomains

But there's yet more traps, sigh.
This old "bug" (secret feature?) sounds rather interesting for the more experienced among us:
https://bugzilla.mozilla.org/show_bug.cgi?id=950485

Quote

I discovered a workaround, in permissions.sqlite add:
ajax.googleapis.com script 1

This issue seems to be due to the "fix" introduced for bug 816956 - the whole premise of the bug seems wrongheaded. I would expect that a permission set for googleapis.com would apply to ajax.googleapis.com as well.

----------------------------
Jonas Sicking 2013-12-19 21:04:41 PST

The problem is that for some reason googleapis.com is listed as an eTLD. I have no idea why that is.
The idea with bug 816956 was simply to forbid adding rules for "com" and "co.uk". No idea why "googleapis.com" is listed in the database as belonging to those.

----------------------------
asmpgmr 2013-12-19 22:05:29 PST

Some of the eTLDs listed in the private domains section near the end of the file "effective_tld_names.dat" are unacceptable to exclude from permissions. It should be up to the user to decide whether they want to allow or block them.

For example under Google:
appspot.com
blogspot.com
codespot.com
googleapis.com
googlecode.com

This breaks permissions in an unexpected fashion.

Am really not sure what that means exactly - sounds suspiciously like yet another evil trick by google...
At any rate: whether something is considered a domain or a subdomain does NOT depend from the number of dots, but from some hardcoded dat-list?!
They say that the domains above, like "googleapis.com", are NOT considered "domains", but rather as something ignored like "co.uk", so a permission does NOT work for "*.googleapis.com", instead every subdomain must be defined extra: "ajax.googleapis.com"
Just great...



Edited 1 time(s). Last edit at 04/13/2016 08:43PM by siria.

Let's hope this is the last explanation for javascript behavior and permissions




Preferences and actions

• javascript.enabled and command id navToggleJS
  
  Since K-meleon 75.0 javascript.enabled works using, internally, the command id navToggleJS since a change in Gecko core by Mozilla and after implementation of a secondary routine by K-meleon developer, Dorian.
  
  Before the change, and after the change, the behavior of the browser is to enable or disable javascript execution.
  
  Toggling it after a page load, loaded this with javascript disabled first, won't enable javascript execution on that page and must be reloaded again, with the preference changed to let it run javascript code.

• command id pageToggleJS
  
  This command id works as the above, but only in the page loaded in the tab/window (depending on if you are using tabs or windows to browser the net) where you call the command, allowing the rest of pages in tabs/windows to continue executing javascript.
  
  The same as above, if javascript is disabled globally (with the above preference), this command won't make the affected page to run javascript.

Permissions

• permissions.default.script
  
  This preference doesn't have a direct control from K-meleon interface for the 3 options. Just toggles between 1 and 2.
  
  Set to 1, allow javascript load.
  Set to 2, block javascript load.
  Set to 3, block javascript load, from third party hostings.
  
  When said load, means load from an external source and being executed depending of previous preferences.
  
  What is a third party hosting? It is any hosting that the second level domain doesn't match the one from the main page.
  
  A second level domain is the text between the dot before .com, .net, .org, etc, and the previous dot or, in absence, the first bar /.
  
  Examples:
  http://www.hello-world.com ----> second level domain hello-world
  http://hello-world.com ----> second level domain hello-world
  http://hello.world.com ----> second level domain world
  
  The preference set to 3, therefore, will block any script trying to load from outside those second level domains. For example, if there is a widget in the page for twitter.com, it won't load as it is outside the main page.
  
  But if it is loaded from twitter.hello-world.com, it will load.

• Whitelisting and Blacklisting javascript resources
  
  Accessed through preferences panel or Tools>Privacy>Permissions menu.
  
  Understood the above and that this is dependent too from the above preferences, these settings will allow or disallow javascript resources for the domains set.

And now, lets go with the www.google.com example requested by you, anontemp123.

www.google.com loads scripts from:
www.google.com
www.gstatic.com
apis.google.com
clients1.google.com
(at least, if no more depending on some factors)

Learned the above if we...

... blacklist scripts from www.google.com we will be blocking scripts on www.google.com ONLY

... set permissions.default.script to 3, we will be blocking www.gstatic.com

What if we want to block everything?

Toggle javascript to disable.

Or blacklist www.gstatic.com, www.google.com, apis.google.com and clients1.google.com

Why not only google.com for the latest?, because it must be set the correct source domain. Usually you will need to dig a ”little” to find out the original sources.

Note: this text above, is something that I don't have really clear. Sometimes, only the domain works, sometimes, doesn't. Might be related or to CNAMEs, or redirects or some kind of confusion. I cross out, but just because I'm not really sure. But, also, have in mind that blacklisting individually has less undesired effects.

Whitelisting, in the other hand, is more user friendly, as just adding the second domain level, will allow subdomains for that domain.



Edited 4 time(s). Last edit at 04/14/2016 01:20AM by JohnHell.

I'm using K-Meleon 75.1 on XP SP3. I originally found K-Meleon through PortableApps.com, but now I am using the regular release.

Thanks for all the replies. I'm still sorting through what was written. I'm not a complete beginner; however, it's a lot to take in and the other threads I found weren't very clear to me. In my mind, I was thinking Script Permissions would work like the Firefox extension YesScript. I guess YesScript looks only at the address in the URL bar, and not the actual source of the JS. Thanks again.

Quote
anontemp123
I was thinking Script Permissions would work like the Firefox extension YesScript. I guess YesScript looks only at the address in the URL bar, and not the actual source of the JS. Thanks again.

I have not tested YesScript - except whether it installs without complication and whether it throws an JSError when its basic functions are tested.

But it is an addon that's XUL is constructed in a way that works with K-Meleon 76b3 and probably Your version also.

So You might install and test whether that works with Your K-Meleon to suit Your needs.





Edited 1 time(s). Last edit at 04/14/2016 03:37AM by guenter.

Quote
anontemp123
I'm using K-Meleon 75.1 on XP SP3. I originally found K-Meleon through PortableApps.com, but now I am using the regular release.

Thanks for all the replies. I'm still sorting through what was written. I'm not a complete beginner; however, it's a lot to take in and the other threads I found weren't very clear to me. In my mind, I was thinking Script Permissions would work like the Firefox extension YesScript. I guess YesScript looks only at the address in the URL bar, and not the actual source of the JS. Thanks again.

I see what is your point now.

Have in mind that the description I made above of how javascript control works it is applicable to Firefox or Seamonkey out of the box.

The control you need, it is in Firefox achieved with an add-on, because, actually, there is not other way.

I haven't tested either (maybe very later today), but, after having a little look, and what guenter pointed above me, that add-on should work installed on K-meleon. And if for any reason doesn't work the installation, looking how it works, that may be said that it is similar to refcontrol, it could be adapted as this one without any troubles, as both add-ons aren't interacting with the browser window but with the network "talk".

Works correctly under 75.0 without installation as add-on.

But there is a little interaction with the interface to create a button and to call the blacklist manager.


The button can be created, as well the call to open the manager, even a menu with two options to blacklist and whitelist.

BUT, you won't have an indicator if the site is blacklisted. Here I need the opinion of others if a toolbar icon can be changed after an onload check. Or maybe place a checkmark on the menu items to tell if it is blacklisted or whitelisted to "mimic" the original behavior of the add-on.


@guenter, does 76 create the button in K-meleon interface? (I ask from what I read to cookiekeeper that I understood that now was possible :-? through jsbridge)



Edited 1 time(s). Last edit at 04/14/2016 10:14PM by JohnHell.

Great info and looks like a very interesting addon
As usual the prob is to learn and remember everything, sigh, but have it bookmarked now.

Toolbar buttons can be changed OnLoad, but not on switching tabs, so doesn't help in this case.

(UPDATE 2 YEARS LATER:
There is now an event called "$OnSwitchTab" in KM76RC2, but so far only half-impletemented, var missing in main.kmm yet)



Edited 1 time(s). Last edit at 12/01/2017 09:36PM by siria.

Quote
siria
Great info and looks like a very interesting addon
As usual the prob is to learn and remember everything, sigh, but have it bookmarked now.

Toolbar buttons can be changed OnLoad, but not on switching tabs, so doesn't help in this case.

Ummm dammit.

My eyes are closing while I write this, so I can't research anymore, but if we could have an action similar to "OnActivateWindow" for tabs, could be a workaround, if the toolbars or menus could be changed on other events.

I go to sleep

Quote
JohnHell

@guenter, does 76 create the button in K-meleon interface? (I ask from what I read to cookiekeeper that I understood that now was possible :-? through jsbridge)

Creating a button is above my skills. I did nor pay attention to new coding posts.

If I want a way to call a XUL interface I simply bookmark the code path.

Examples:

chrome://cookiekeeper/content/cookiekeeper.xul

chrome://httpfox/content/HttpFoxWindow.xul

chrome://livehttpheaders/content/LiveHTTPHeaders.xul


or bookmark reserved names:


about:about

about:addons

@guenter I thought it created by itself the button

I don't know if the actual advances by Dorian have been so far.

Quote
anontemp123
In my mind, I was thinking Script Permissions would work like the Firefox extension YesScript.

Actually, I've found that KM's Script Permissions feature works better than YesScript. In fact, I tried YesScript in Firefox, and it had absolutely no effect, aside from making FF take even longer to launch. I was using the same URLs there as were in KM's script permissions, but only KM seems to have blocked the JavaScript. I'm referring to KM75, not 75.1 or the 76 beta versions, none of which I've tried.

---
Gerry

Quote
foliator
I'm referring to KM75, not 75.1 or the 76 beta versions, none of which I've tried.

:-?

I'm on 75.0 too and for me works (without installation as add-on, that might be the difference).

I use chrome://yesscript/content/manage.xul to set a page.

For example, I went to http://store.steampowered.com/ a page with loads of scripts. And was ok without blacklisted.

I blacklisted by add http://store.steampowered.com and then no actions requiring javascript worked on the page.

Success!

From its README.md:

Quote
YesScript
## Details

- You are blocking a *site* from running scripts. You are not blocking any given *script*. In other words, if example.com is running a script from annoying.org, you need to block example.com.
- You cannot selectively allow a site to run some scripts and disallow it from running others.
- The block is based on the protocol and domain of the site. Blocking `http://example.com` will not block `https://example.com` or `http://www.example.com`.
- The block does not take effect immediately - it must be in effect when the page loads to work.

What does YesScript is, instead add to the default Gecko permissions every external link to a .js resource of a page, just add the page that loads them, blocks every script for that page. In fact, domain, not page. All pages under a domain.



Edited 1 time(s). Last edit at 04/15/2016 06:53PM by JohnHell.

@JohnHell: Well, I've never been able to get any FF extensions to work in KM, despite following the rather complex instructions. However, many of the functions for which extensions are required in FF already exist in KM with the macros provided in the download package, and I've finally tweaked KM to the point where there's nothing left to be desired (famous last words - ).

Most of the sites I visit regularly don't require JS, so I usually keep it globally disabled, except for login pages, or sites where I want to load streaming videos, such as YouTube or Canada's public affairs channel (cpac.ca). Same goes for streaming webcams, like those offered by earthcam.com. Google Street View no longer uses Flash, but it won't work without JS, so that's another exception.

If I encounter other pages that won't function without JS and really want to view them, I can enable JS very quickly by pressing Alt J. This runs my little macro, which enables JS and then automatically reloads the page. The same shortcut toggles it back off.

---
Gerry

@foliator I do almost exactly what you do since years, but this add-on is interesting as well.

Instead have JS disabled by default, as we do, have it enabled by default, and blacklist those annoying sites.

It is another point of view. If our behavior browsing the net were the same, the world would be less interesting


@anontemp123 if you are following the thread, would you have any problem if how control and interact with the extension is not as visual as in Firefox?

I haven't code anything yet, but before start I would like to know your opinion (even the result won't change), as with the macro coding wouldn't be possible, unless you browse with windows instead tabs.

(Looks like I'm the only human out there that hasn't switched to tabs yet )

Thanks for the explanations. Some things I didn't understand, but it's becoming clearer. I imagine a lot of folks expect Javascript blocking to work with coarse granularity like YesScript, and are confused when it doesn't. (Although I understand why the finer granularity is correct-er.)

Aside from viewing HTML, is there any quick way to determine that, for example, www.google.com loads scripts from 4 different domains?

This is why I stopped using NoScript for Firefox. Maybe recent versions are more user-friendly, but before it would take too long to figure out which domains I could block while still retaining core functionality. I always wished there was a dialog that could pop up and list all domains for Javascript on that page and I could just click which domains I wanted to block.

@foliator
I am using an older version of Firefox, maybe that's why YesScript still works for me.

@JohnHell
What do you mean by "without installation as add-on"? If I create a "plugins" folder and drop the YesScript file in there, isn't that regarded as an add-on?

As far as the interface, ideally I would prefer just two items:

1) Some sort of visual indication if Javascript is blocked or not.
2) Something I can click to bring up the dialog to enter blocked domains. Entering chrome://yesscript/content/manage.xul will get tedious.

I don't need to be able to click the icon to block the domain for the currently loaded web page. And I can refresh to update the visual indicator, too.

I appreciate all the assistance. The quality of answers on this forum is amazing.

To 1) visibility: Tough one. Just glad John is volunteering (way too complicated for me)

@JohnH: if you really manage to figure out a way to have a macro know if a page is blocked or not, here just random ideas for visibility (aside from the obvious menu checkmark): perhaps a button that by default indicates "?", but when clicked checks the state and shows it (either pressed or "Y" or "N"?). Just for 1-2 seconds, and then switches back to "?" (macrocommand settimer). And/or perhaps renaming blocked pages with a prefix, that would stay permanently after OnLoad, but not sure if that still works in KM76 (js: d.title="!!"+d.title) Or if possible a red dotted stripe by css on the left screen border, but afraid on some pages that may mess something...

Quote
anontemp123
Thanks for the explanations. Some things I didn't understand, but it's becoming clearer. I imagine a lot of folks expect Javascript blocking to work with coarse granularity like YesScript, and are confused when it doesn't. (Although I understand why the finer granularity is correct-er.)

That is true, but also is true that, in that way, a lot of people around this forum, just directly block Javascript and only enable it when needed.

But I see what you expect and others could too.

It is an interesting point of view that, here, as said above, a few of us don't even consider. Lets say we prefer to browse clean of any script.

Quote
anontemp123
Aside from viewing HTML, is there any quick way to determine that, for example, www.google.com loads scripts from 4 different domains?
[...]

I always wished there was a dialog that could pop up and list all domains for Javascript on that page and I could just click which domains I wanted to block.

I have kinda what you are talking about as a personal macro for developing purposes. About a couple of months I updated to show [almost] every external resource of a page set in the HTML code of a page.

It is very similar, as it is an adaption, to the one for viewing images and an update to a previous one to show unsecure elements from a secure page.
http://kmeleonbrowser.org/forum/read.php?9,123209


But, it is not for public use. I could make it public, but lets do this one first.

Quote
anontemp123
@JohnHell
What do you mean by "without installation as add-on"? If I create a "plugins" folder and drop the YesScript file in there, isn't that regarded as an add-on?

Extensions in K-meleon are not installed as add-ons, and you don't have an extensions manager.

To be adapted and used in K-meleon, YesScript must be "converted" to an extension, what is nothing but a mix of the add-on itself with macros to help access the add-on interface and other features.

Quote
anontemp123
As far as the interface, ideally I would prefer just two items:

1) Some sort of visual indication if Javascript is blocked or not.
2) Something I can click to bring up the dialog to enter blocked domains. Entering chrome://yesscript/content/manage.xul will get tedious.

I don't need to be able to click the icon to block the domain for the currently loaded web page. And I can refresh to update the visual indicator, too.

The 1) won't be possible, as I said. For me, that I'm using windows instead tabs to browse, yes, and would be fancy as in Firefox, but using tabs... sorry, but that won't be possible.

About 2), no, you don't need to type the URL , those are the insights of YesScript and how to access directly from K-meleon, as in K-meleon YesScript can't install a button by itself. So, until the extension is done, would be the only way to access the list manager.


Actually, I already thought what Siria was suggesting above me.

The idea is to have a button that, when clicked, prompt you if you want to blacklist, if it is not already blacklisted, or whitelist, if it is already. You could click no/cancel and forget about it. The button will have a right click menu to access the list manager.

It will work to inform you the current status and take actions or not.

You would say, well, after blacklist or whitelist, I still would need to reload the page. True, but, what happens when you load a page in a background tab? Would you reload again that tab just to see how a button in a toolbar changes? or would you prefer to click that button and we warned if it is blocked or not?

They aren't question to actually searching for an answer, it is to show you that, in case of K-meleon and tabbed browsing, would be the most acceptable.

Quote
siria
To 1) visibility: Tough one. Just glad John is volunteering (way too complicated for me)

@JohnH: if you really manage to figure out a way to have a macro know if a page is blocked or not, here just random ideas for visibility (aside from the obvious menu checkmark): perhaps a button that by default indicates "?", but when clicked checks the state and shows it (either pressed or "Y" or "N"?). Just for 1-2 seconds, and then switches back to "?" (macrocommand settimer). And/or perhaps renaming blocked pages with a prefix, that would stay permanently after OnLoad, but not sure if that still works in KM76 (js: d.title="!!"+d.title) Or if possible a red dotted stripe by css on the left screen border, but afraid on some pages that may mess something...

Tough for both of us. I was scratching my head how and I ended more of less with your ideas.

Mmmmmm. I scratched my head again and maybe that renaming of the title is not a bad idea. I guess the title is treated independently from tab to tab and when switching tabs. GOOD IDEA Siria!

Yep... I like the idea. Replace the "title of a page" to "YESCRIPTED -- title of a page".

Forget the said above @anontemp123.



Edited 2 time(s). Last edit at 04/16/2016 11:37PM by JohnHell.

Quote
anontemp123
2) Something I can click to bring up the dialog to enter blocked domains. Entering chrome://yesscript/content/manage.xul will get tedious.

The standard KM-way of getting this is creating a simple macro that adds menu item and/or keyboard accelerator for needed option.

So, let my people go:

# K-Meleon Macros (http://kmeleon.sourceforge.net/wiki/index.php?id=MacroLanguage)
# ----- YesScript for K-Meleon
# ----- adds command to open Yesscript addon management GUI -----
# ----- Forum thread: http://kmeleonbrowser.org/forum/read.php?1,138148

yesscript{
opentab("chrome://yesscript/content/manage.xul");
} 

yesscript_setaccel{
setaccel("SHIFT CTRL Y",yesscript); #please, set your own accel if don't like mine
} 

yesscript_BuildMenu{
setmenu(Tools,macro,"Open YesScript GUI",yesscript);
}

$OnInit=$OnInit."yesscript_setaccel;yesscript_BuildMenu";
# ---------------------------------------------------------------------------
$macroModules=$macroModules."yesscript;";

Save this very basic code as macros\yesscript.kmm and reload KM

Also the button can be made by macro but you should read about the syntax ('toolbars' part) first to understand what every parameter is for.



Edited 5 time(s). Last edit at 04/16/2016 11:41PM by rodocop.

Quote
JohnHell
Extensions in K-meleon are not installed as add-ons, and you don't have an extensions manager.

To be adapted and used in K-meleon, YesScript must be "converted" to an extension, what is nothing but a mix of the add-on itself with macros to help access the add-on interface and other features.

Partly wrong:

we definitely CAN install xpi-addons (FF genuine) like in Firefox and we definitely HAVE addon manager at about:addons

But we also need to remember:

1) check whether pref kmeleon.install_firefox_extension is present and set to true - otherwise autoinstall of XPIs wouldn't work

2) create helper macros mentioned by JohnHell (and written for Yesscript by me in previous post) and place them in macros folder.

It's not obligate to install xpi sure but we definitely need to place XPIs under extensions folder in order for KM to read manifests and understand chrome:-protocol links for that addon GUIs...



Edited 1 time(s). Last edit at 04/17/2016 12:04AM by rodocop.

Quote
rodocop

Quote
JohnHell
Extensions in K-meleon are not installed as add-ons, and you don't have an extensions manager.

To be adapted and used in K-meleon, YesScript must be "converted" to an extension, what is nothing but a mix of the add-on itself with macros to help access the add-on interface and other features.

Partly wrong:

we definitely CAN install xpi-addons (FF genuine) like in Firefox and we definitely HAVE addon manager at about:addons

Yes, I'm not going to start a discussion here , but I'm not referring to how can be possible to install original Firefox add-ons and manage them since K-meleon 74, but as has been almost all the life of K-meleon to date.

I was making a distinction between add-ons that work out of the box (this one could be one) and those that need yes, or yes, a macro to work, that I would call extensions. That are almost all, true, but also most only need a menu entry, not more coding beyond that, as could need this.

Also, when using the term extension, I'm trying to avoid the process of install an xpi as your well guided steps.

Extensions would need steps too, but without fiddling with prefs and other insights. Just drop this and this there and run.



Edited 3 time(s). Last edit at 04/17/2016 12:20AM by JohnHell.

Not discussing too here - just try to give the new user the most full info about how it's handled here...

So both you and me we complement each other in this task and the User saw it was good!

Ok, so dropping the XPI in the extensions folder is enough to make KM load it on startup. However, to access the user interface for the extension, you need the macros. Does that sound right?

Yes it does. But there is one thing not clear for me: it's about renaming XPI into that crazy {alphanumeric} codename. I haven't sorted out whether it's mandatory or not...

Quote
rodocop
Yes it does. But there is one thing not clear for me: it's about renaming XPI into that crazy {alphanumeric} codename. I haven't sorted out whether it's mandatory or not...

And that is the reason I'd answer "No, not exactly only drop".

I prefer to distribute it with the xpi unzipped and request the user a very simple task: extract extensions files and add a line to extensions.manifest that consists only in a copy&paste from the readme installation guide of the extension to that file.

For me it is, or this, or use the add-on manager and then add the macro.

I just go the old way. Sorry, if it works, don't touch it LOL.

If I have to be fair, I try to avoid the add-ons installations (in fact I don't have much, but none of them are installed that way).


Anyway, it is not rocket science.



Edited 2 time(s). Last edit at 04/17/2016 01:02AM by JohnHell.

Well, and copepaste also can be automated by macro with readfile and writefile commands...

I should think about it...

It isn't a bad idea either, but that also would require a second K-meleon restart.

What would be less annoying?

Quote
anontemp123
Aside from viewing HTML, is there any quick way to determine that, for example, www.google.com loads scripts from 4 different domains?

Not familiar with it myself, but guenter is using an extension called livehttpheaders. And there are a few "HTTP" extensions in this archive:
http://kmext.sourceforge.net/ext5.htm
Cannot help with those, sorry. Perhaps others. Otherwise you'll have to experiment yourself.

Quote
anontemp123
@foliator
I am using an older version of Firefox, maybe that's why YesScript still works for me.

Which version of FF are you using? I only tried YesScript in version 43. Up until a few months ago I still had version 15.0.1; it ran OK, but then a few important sites I visit started making changes, resulting in certain essential scripts no longer functioning.

Also, using any Flash plugin newer than 10.3 locked up FF, so very reluctantly I installed FF 43, only to discover that all of those problem sites worked just fine in KM75, even though the Gecko version is outdated. Never had a problem with any version of Flash in KM, either.

---
Gerry