Firefox NoScript Plugin Problems: Unclear Documentation, bad UI

Firefox Noscript plugin 10.1.5.9 trust a site. Note that I hit the large S for google.com and now it says trusted. Click the large clock and it will turn into a small clock, which means it is now permanent and will be retained when the browser closes.

After a couple of sites I visit decided to use overly aggressive javascript I decided to try the NoScript plugin v10.1.5.9. This plugin, standard on the Tor browser, works quite well. Unfortunately when I close the browser my settings are all lost and I have to redo them. I tried to read the documentation, which is badly written and even tried to find the solution in a Google search. Finally I stumbled upon the FAQ from within the Firefox plugin area, from my browser and found a solution. I wrote some NoScript Plugin: Simple Instructions for myself.

In particular one Canadian news site disabled right mouse click, opting instead to do a left mouse click for the action. I was unable to see the URL, nor source html, unless I clicked into the page, forcing me to leave their home page. I am sure that smartphone users will not notice, but when I read their site on my laptop, this was frustrating to me. The NoScript plugin disables their javascript and allows me more normal behaviour.

It is not that the software does not do the job, but that the user interface UI is really bad, and documentation is not clear.

Save Trusted Setting Permanently

For those who are complaining that they lost settings after restarting Firefox, when you first click the “Trusted” field, you’re only setting it temporarily. That’s when the clock icon is still big. Click it a second time, and the icon becomes smaller, and it’s permanent. It’s not very intuitive, but once I figured it out, all was well.
source

Firefox Noscript plugin 10.1.5.9 trust a site. Note that I hit the large S for google.com and now it says trusted. The large clock means it is temporary and will be removed when the browser closes.

Firefox Noscript plugin 10.1.5.9 trust a site. Note that I hit the large S for google.com and now it says trusted. Click the large clock and it will turn into a small clock, which means it is now permanent and will be retained when the browser closes.

Developer response
The clock icon

By default you set the TRUSTED preset as temporary (big clock icon displayed on the button). Just click the clock to make it fade and the preset become permanent.

“Temporary allow xyz.com” maps to clicking the TRUSTED preset on the xyz.com row.
“Allow xyz.com” (permanently) maps to clicking the clock-shaped icon onto the TRUSTED preset (which means “Temporary”), to disable it (and make the preset assignment “Permanent”)…

What about the “Match HTTPS only” green/red lock toggle? If green (locked), the toggle makes base domain entries (e.g. “..google.com”) match themselves and all their subdomains, but only if their protocol is HTTPS (and therefore the traffic encrypted and not easily tampered with). Otherwise, if red and unlocked, both HTTP and HTTPS match: this has bad security implications especially on “hostile” networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy, but is unfortunately needed for some sites to work. NoScript tries to gives you the “smartest” default for each site, i.e. green if the page is already served on HTTPS, red otherwise. source

I an certain the development team has put in significant time into the plugin, because it all seems to work well, but the UI really spoils it. The plugin is too complex to understand without documentation, and the documentation is not complete.

When I need to read a plugin’s documentation a couple of times, not understand, then do a google search a couple of times and not find an answer, there is a big documentation issue. I have stuck with NoScript because I see that it clearly works. Having to do this much work for a plugin is time consuming. Most people would simply give up.

In the end NoScript gives me an added layer of protection from aggressive sites that manipulate javascript to their benefit. By default for any new site that I visit, javascript is turned off. This is a good thing. If and when the site earns my trust I can progressively test their javascript to see if there is something malicious or annoying. This makes browsing safer. Javascript unblocking is temporary by default, so you only permanently unblock all javascript when you really trust the site. I like that.