Unrealshade wrote: When I clicked on "temporary allow" I was confused, because I found out, temporary does not mean for this visit but until the browser is closed. I thought until I close that tab or visit another website, the temporarily allowed script will not be allowed anymore. Isn't that the most intuitive and safe way?
It gets much less intuitive when you remember that the scripts you temporarily allow can be from anywhere. If I visit site1.com, temporarily allow Google Analytics, then browse to site2.com, does that mean that Google Analytics is no longer allowed? How about if I browse to www.site1.com (a subdomain)? Remember, I never visited the Google Analytics site at all. Or how about Facebook? To use it, you'd need to allow fbcdn.net - but you're browsing around facebook.com. NoScript would have to keep track of where you clicked 'Temporarily Allow' and detect when you browse to anywhere else. And what happens when you're using multiple tabs?
It would add a great deal of complexity, probably a lot of processing overhead, and really, if you've chosen to trust a site at all, then it's already had a chance to run malicious scripts if it's going to. Continuing to allow it until you either close the browser or choose to revoke those permissions doesn't really make you more vulnerable.
However, what you're asking for does exist in a way: if the top-level site, the one in your address bar, is blocked, then everything is blocked, regardless of whether it was otherwise whitelisted. If I haven't allowed site2.com, then Google Analytics will not run there, even if I permanently allowed Google Analytics. So, if you keep the default-deny policy, but temporarily allow sites as needed, you're still safe when randomly browsing around.
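
The rule described in the reply above, written out as a small model. This is an added example, not part of the original post and not NoScript's own code; the class and method names are hypothetical, hosts are matched exactly (subdomain handling is left out), and the sample hosts are constructed.

```javascript
// Simplified model of the behaviour the reply describes (assumed names, not NoScript's API).
class ScriptPolicy {
  constructor() {
    this.permanent = new Set(); // survives browser restarts
    this.temporary = new Set(); // kept until the browser closes or the user revokes
  }
  allowPermanently(host) { this.permanent.add(host); }
  allowTemporarily(host) { this.temporary.add(host); }
  // Revoking temporary permissions; closing the browser has the same effect.
  revokeTemporary() { this.temporary.clear(); }
  isTrusted(host) { return this.permanent.has(host) || this.temporary.has(host); }

  // A script runs only if the address-bar site is trusted AND the script's host is trusted.
  decide(topLevelHost, scriptHost) {
    if (!this.isTrusted(topLevelHost)) return "blocked: top-level site not allowed";
    if (!this.isTrusted(scriptHost)) return "blocked: script host not allowed";
    return "runs";
  }
}

// Walks through the cases raised in the thread, with a default-deny starting point.
function demo() {
  const p = new ScriptPolicy();
  p.allowPermanently("google-analytics.com");
  p.allowTemporarily("site1.com");
  p.allowTemporarily("facebook.com");
  const out = {
    // Analytics is whitelisted and the page is temporarily allowed.
    site1: p.decide("site1.com", "google-analytics.com"),
    // Same whitelisted script, but the page itself was never allowed.
    site2: p.decide("site2.com", "google-analytics.com"),
    // The page is allowed, its content host is not.
    facebook: p.decide("facebook.com", "fbcdn.net"),
  };
  p.revokeTemporary();
  // After revocation the permanent whitelist entry alone is not enough.
  out.site1AfterRevoke = p.decide("site1.com", "google-analytics.com");
  return out;
}

console.log(demo());
```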