Improvement requests :  K-Meleon Web Browser Forum
JavaScript and Other White lists
Posted by: Peabody
Date: November 21, 2006 03:31AM

Greetings,

I am new to K-Meleon. The past several days I have been seriously learning my way around the browser and overall I am quite pleased.

I'm using K-Meleon 1.02 and NT4 Workstation (SP 6a). I verified all DLLs as described in the Known Problems FAQ. My box is rock-solid stable and I rarely witness BSODs or other types of crashes.

Any chance that the developers can create a JavaScript white list feature? Firefox includes no such feature, but a JavaScript white list is available by using the NoScript extension. In GNU/Linux, Konqueror provides a built-in JavaScript white list---and a Java white list too. (But strangely, Konqueror provides no white list for images).

On a side note, I would love to see a white list for allowing HTTP header referrers.

Consider the philosophy of providing additional white lists---at least providing a JavaScript white list.

K-M is touted as the "little browser that could." I agree. The primary reason I investigated K-M is that with each subsequent release Firefox has become painfully slower for me. Not slower with page rendering, but the XUL interface. K-M is refreshingly snappier on my aging but still very adequate hardware. I actually am starting to enjoy surfing the web once again since I started using K-M. I have grown to detest Firefox and dread even loading the program because XUL has become so slow. Every other program on my NT4 Workstation box is snappy and fast and that now includes K-M.

But "the little browser that could" does not support Firefox extensions---and rightfully so. Thus, I now no longer have a JavaScript white list.

Searching the forum I discovered that a previous version of K-M supported the NoScript extension and (I think) continues to do so. But frankly, although I admire any software developer's ability to adapt software code, I dislike XUL and I want to avoid anything related to XUL, including Firefox extensions adapted to K-M. For example, I find that the K-M adblock.css works just as well as the Adblock Plus extension. Long before all these extensions became popular I used the hosts file to block sites.

I know how to configure the prefs.js options to create a JavaScript white list using the built-in policies feature, but this approach is crippled and not real-time. That is, unlike the NoScript approach I cannot temporarily enable JavaScript for only one site for that browsing session. Additionally, if using this built-in policies approach, users cannot toggle JavaScript at all. This approach is very much all-or-none and terribly static. Adding sites to the policies list also is quite manual and requires restarting the browser. I have experimented with this built-in policies approach and find much is left to be desired.

However, avoiding this built-in policies approach means that users must continually be aware of when they enable JavaScript. I always surf with JavaScript disabled and I developed that habit long ago simply because JavaScript is a primary portal through which the script kiddies achieve their various exploits. Globally disabling JavaScript in no way hampers my overall surfing experience. But on the convenience side of things, with the NoScript extension I was able to configure the handful of sites I trusted to use JavaScript and when necessary or desired, temporarily enable JavaScript for additional sites on a per session basis. More importantly, I no longer had to make any effort to keep track of whether I was enabling JavaScript for malicious people to exploit. All very handy.

With K-M I can enable JavaScript only program-wide. I do not know if I can enable JavaScript on a page-specific basis for the current session. But I also now must make a conscious effort to remember whether I enabled JavaScript and I do not like having to bear this burden. Yes, I have the Privacy toolbar enabled and this does help me, but forgetting the status of JavaScript is easy to do after reading a lengthy web page.

With that all said and done, I notice in my current efforts to learn K-M, that possibly a solution exists using macros. But I am not yet sufficiently familiar with K-M or the macro language to venture further into that possibility. For example, possibly somebody could create a macro that enables and disables the affected JavaScript policy entries in prefs.js. Would this idea succeed as a potential work-around to this problem?

Modifying the prefs.js policies is basically how NoScript functions, but I don't know if the associated K-M macro language can provide the intercepts needed to toggle these preferences keys, nor do I know whether the macro language supports dialog boxes such that users can add sites to the white list, both permanently and temporarily. Using the user.js file would provide a means to ensure the prefs.js policy list is reinitialized correctly upon the next restart of K-M, but does not provide a real-time solution while the browser is active.

Another solution is to revert to an approach I have not used in a long while and that is to use Proxomitron to create a JavaScript white list. But a built-in white list seems more convenient to me because should I want to temporarily allow a site to use JavaScript, I then have to mod another program and then mod again when I want to again restore my original settings. Clunky.

Seems that with the existing white lists for cookies and images, that much of the code needed to support additional white lists probably already exists. Additionally I notice that K-M provides a white list for sites to allow the bane of web surfing---JavaScript pop-ups. So perhaps the base code for a more complete JavaScript white list approach already exists.

Lastly, if such base code already exists, how much work is required to create a white list feature for Java or HTTP referrers?

I would appreciate comments from K-M users and developers.

Please forgive me if I missed any related threads elsewhere in this forum, but I did not find anything that led me to believe the issue is concluded. Is a JavaScript white list on the boards for future releases? I am willing to help test a K-M JavaScript white list.

Thank you.

P.S. In related topics, I have searched the K-M web site for links to 1) beta-test versions of K-M and 2) a road map of future plans for K-M (features to be added, etc.). I would appreciate any links.

Re: JavaScript and Other White lists
Posted by: guenter
Date: November 21, 2006 06:18AM

AFAIK there is only the privacy bar for real-time toggling of some potential annoyances. KKO made a fine tune for JavaScript event permissions but that is all.

Some FFox extensions work but they are slowing the browser (as You have noticed).
Noscript and adblock were used in 0.9.13 and can be potentially used again.
Adblock Plus is used in the new K-Meleon CCF.

At the moment devs add new functions
(C coded managers, modular macros, easier plugin translation... ).

Newest dev version is @ http://kmeleonbrowser.org/forum/read.php?1,68634
Dorian is core dev. Home page: @ http://boisso.free.fr/kmeleon/

p. s. thx for the macro that You posted.

Re: JavaScript and Other White lists
Posted by: Peabody
Date: November 22, 2006 04:50AM

Thanks for the links. I'm still new to K-M although I've been around computers for 25 years. I'm learning K-M quickly, and hopefully I eventually can help test beta versions.

Regarding the JavaScript white list request, I suspected that NoScript was one of the extensions that slowed Firefox. I never performed any quantitative tests, however. Regardless, I think K-M would truly benefit with a JavaScript white list. Considering that a primary means of exploiting comes through JavaScript, such a feature would be a fine feather in the cap.

I'm a new user to K-M, but from the little I have studied the macro support, I'm thinking that the manner in which NoScript functioned can be duplicated. To mimic NoScript:

1. Provide a status bar icon that allows users to change the configuration on-the-fly.
2. Allow users to temporarily add sites to their white list.
3. Store the permanent data as a user_pref policy.
4. Provide a Preferences interface to add sites to the white list, as already done in the existing white list configurations.
5. Store the data in hostperm.1 like the other white lists and when starting K-M, simply update the user_prefs policy from that list.

I'm available to help test this idea should somebody take a crack.

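Steps 3 and 5 of the list above, sketched as an added example that is not part of the original post or of K-Meleon's code: it reads a hostperm.1-style list and emits the Mozilla capability-policy lines for user.js. The `script` permission type, the policy name `jswhite`, the tab-separated layout as parsed here and the sample entries are assumptions made for illustration.

```javascript
// Added example: build capability-policy lines for user.js from a
// hostperm.1-style whitelist. The "script" type and the policy name
// "jswhite" are hypothetical; the sample input below is constructed.
const SAMPLE_HOSTPERM = [
  "# Permission File",
  "host\tcookie\t1\tkmeleonbrowser.org",       // other list, ignored
  "host\tscript\t1\tkmeleonbrowser.org",
  "host\tscript\t1\tExample.COM",
  "host\tscript\t2\tads.example.net",          // 2 = deny, never whitelisted
  "host\tscript\t1\thttp://bad.example/path",  // not a bare host, rejected
  "host\tscript\t1\texample.com",              // duplicate after lower-casing
].join("\n");

// Accept only bare DNS host names: no scheme, path, port, wildcard or spaces.
const HOST_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/;

function parseAllowedHosts(text, type = "script") {
  const allowed = new Set();
  const rejected = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line || line.startsWith("#")) continue;
    const [match, permType, perm, rawHost] = line.split("\t");
    if (match !== "host" || permType !== type || perm !== "1") continue;
    const host = (rawHost || "").trim().toLowerCase();
    if (HOST_RE.test(host)) allowed.add(host);
    else rejected.push(rawHost); // surface bad entries instead of writing them
  }
  return { hosts: [...allowed].sort(), rejected };
}

function buildUserJs(hosts, policy = "jswhite") {
  // Policy sites are matched as scheme://host, so list both schemes per host.
  const sites = hosts.flatMap((h) => [`http://${h}`, `https://${h}`]).join(" ");
  const pref = (k, v) => `user_pref(${JSON.stringify(k)}, ${JSON.stringify(v)});`;
  return [
    pref("capability.policy.policynames", policy),
    pref(`capability.policy.${policy}.sites`, sites),
    pref(`capability.policy.${policy}.javascript.enabled`, "allAccess"),
    pref("capability.policy.default.javascript.enabled", "noAccess"),
  ].join("\n");
}

const { hosts, rejected } = parseAllowedHosts(SAMPLE_HOSTPERM);
console.log(buildUserJs(hosts));
console.error("rejected entries:", rejected);
```

Only permanent entries belong in this output; a site allowed for one session would have to be held in memory and left out of the file.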
Re: JavaScript and Other White lists
Posted by: guenter
Date: November 22, 2006 07:13AM

It would be small surprise if NoScript had slowed.

I switch out JS with toggle button unless I come to a page where I need it.
This is after I found/had been told that JS slows the browser on my old p500.
So I assume that K-M would benefit from the whitelist.

Already existing white lists are from c+ not XUL - & I do not know whether that is as easy as it sounds.

p. s. Virtual age - I first touched a PC on the Cebit when the 1. Lazy Larry game episode was all the rage - as far as I remember the game was for DOS 3 or so :-).

Whitelisting Javascript etc. for K-Meleon 1.1
Posted by: guenter
Date: December 07, 2006 05:55PM

1.) create a kmm file with the following.

# K-Meleon Macros (http://kmeleon.sourceforge.net/wiki/index.php?id=MacroLanguage)

# ---------- noscript Extension (Noscript Protector) -------------------------------------------------------------------
#
# Dependencies : main.kmm (OpenURL)
# Resources : -
# Preferences : -
#
# ------------------------------------------------------------------------------------------------------------------

noscript{
$OpenURL="chrome://noscript/content/noscriptOptions.xul"; &OpenURL_InNewWindow;
}

# ----- PRIVATE

_noscript_BuildMenu{
# edit menu
setmenu(KMAbout,macro,"NoScript Configuration",noscript);
}
$OnInit=$OnInit."_noscript_BuildMenu;";

# ------------------------------------------------------------------------------------------------------------------
$macroModules=$macroModules."noscript;";

2.) copy noscript.kmm to the other kmm files, which are in ./macros/

3.) download & extract the NoScript xpi & add the files you find to the same/appropriate K-Meleon folders (e.g. files in chrome folder to K-M chrome folder).

4.) delete chrome.rdf and overlays.rdf in chrome folder.

5.) add/catenate the following lines to installed-chrome.txt.

content,install,url,jar:resource:/chrome/noscript.jar!/content/noscript/
locale,install,url,jar:resource:/chrome/noscript.jar!/content/noscript/en-US/
skin,install,url,jar:resource:/chrome/noscript.jar!/skin/classic/noscript/

6.) Start browser and test. I used German version of noscript and it works.

Re: JavaScript and Other White lists
Posted by: snuz2
Date: January 18, 2007 07:10AM

The refinements he is proposing for the white list system are the same ones I am suggesting; my particular annoyance is having to type host names into a dialog box to enable their cookies. We would benefit from hooks between the macro system and the code that the whitelist dialog boxes use to update the whitelist so that a simple macro can enter the host name. I tried adding it to the hostperm.1 file, but it seems that file is only read at startup, so no dice.

I don't think that globally toggling permissions is all that useful; what is really needed is to toggle the permissions of a particular host. So I concur with most of Peabody's suggestions, provided it can be done without a security compromise. Actually, I think a security exploit of this would be rare and, in the case of cookies, basically harmless, so for cookies I would say it's worth it no matter what.

Thank you
