Let us shove emotions aside and let us look at the facts as they are presented to us. Browser security can be adopted in two ways by settings and automatically so using specific knowledge about what threats there are around the corner, when you use this insecure tool by default on the Internet.
The developers of these tools have been making tools with a lot of features, but security came into the bargain at a very late onset, so to say. Concluding the contents of this thread and listening to and knowing the lines of his contemplation, I think this is the line in which darth-mikey would operate to establish browser security. That is the model that suits him best.
On the other hand this is not the model that can be used for the average user. They lack the insight to take security measures on the OS level into their own hands (limited rights, checks for what is allowed to run (ActiveX, BHO’s, toolbars, handling of messages etc. etc.) and here the use of NoScript and/or Abe can be helpful, where in the old days we had things like Privoxy and other external filtering systems, limiting of insecure redirects etc. can enhance security. This is another model alltogether and if that could be achieved on the fly and in the background like for instance an extention like Firekeeper does it, it could help a lot of users. It is a pity I tell this only for a fraction of the general user community, because the larger part of them are not aware and have the opinion a browser is only for fun and security should be provided by others. I think therefore as you listen here carefully to what is being told, there really aren’t that many conflicts only the methods to achieve this secure situation may differ, but they can also enhance each other,
these numbers (likely estimated by defect) come from the analysis of the update pings to Mozilla’s update service (which is performed only by active non-disabled add-ons) and of the web server logs for the “thanks for updating” release note page on noscript.net,
My policy with NoScript actually is deadly simple, I block all with default settings, yes all, and only temporarily allow where I am in need of some functionality to run, in practice that is when I use web applications like webmail or a known page asks to run javascript, and for video etc. A double click on the NoScript logo is just fine. Anyone can do this, it is just the nuisance of the extra click if that is holding one back. On the other hand I do not know now how many times NoScript must have saved me, and actually NoScript has a blacklist/whitelist for what you permanently allow/disallow…
I too have it set to block all and for the most part that is fine and I only ever have to interact an either temporarily allow or allow a site (one I will regularly visit) if it doesn’t display properly, e.g. uses javascript.
So for me it isn’t so much of a hassle, however, besides the whitelisting (remainder blacklisted by default) there is a means of ‘importing’ and exporting a whitelist, which could make that a little less onerous, if you already have a list of domains you trust.
these numbers (likely estimated by defect) come from the analysis of the update pings to Mozilla's update service
Thanks for the update. I picked this up too from one of the NoScript threads in the Mozillazine forum. Pretty obvious really, it should have occurred to me before.
I’m on dial-up, I haven’t found that too much of a pain in the rear, I guess my patience threshold is fairly high ;D ;D
If you have a whitelist in some other software, perhaps you could export that, edit those not applicable to the functionality NoScript is looking after and import that list.