how can I add URLs in 'blocked objects' to 'untrusted'?

[Armin Haas]

Hi,

I looked at this site: http://schedule2012.rmll.info/?lang=en
and 'Font@http://themes.googleusercontent.com' gets blocked, as I can see in the 'blocked objects' menu.

When I want to mark the site 'themes.googleusercontent.com' as untrusted in the 'untrusted' menu,
I can't find that entry, only the entries for 'rmll.info' and 'schedule2012.rmll.info'

Is there an easy way to add the 'themes.googleusercontent.com' site to the 'untrusted' sites?

My NoScript version: 2.4.2

Cheers

Armin

[Thrawn]

You'll need to check two things:

1. Is googleusercontent.com trusted? If so, you'll need to 'Forbid googleusercontent.com' first before you can blacklist its subdomains.
2. In 'Options - Appearance', under Contextual Menu, you need to check the box to use full domains, if you haven't already, so that themes.googleusercontent.com will show up (not just googleusercontent.com).

Then go to the Untrusted menu and you should be able to 'Mark themes.googleusercontent.com as Untrusted'.

[Tom T.]

@ Thrawn: I didn't see any Google scripting in the main menu at all. Only after temp-allowing googleapis > reload > googleusercontent in RequestPolicy did the Blocked Objects show. But still not in the main menu. So no, it cannot be done directly from the menu. (Note that Objects are treated differently from scripts.)


@ Armin Haas: Since it is not a script being called, there really is no need to do anything. All such objects are blocked by default. Only if you allow them will they be allowed to load on the page, and you'll notice that "Temporarily allow" is the only option. So even if you do TA it, that permission is revoked either when you click "Revoke temporary permissions" or when you close the browser.

Since they can never run without your express permission, that is pretty much "Untrusted".

Please ensure that no site related to googleusercontent has been added to your Whitelist. (NoScript Options > Whitelist)

[Thrawn]

@ Thrawn: I didn't see any Google scripting in the main menu at all. Only after temp-allowing googleapis > reload > googleusercontent in RequestPolicy did the Blocked Objects show. But still not in the main menu. So no, it cannot be done directly from the menu. (Note that Objects are treated differently from scripts.)

You're right. I was on my phone, so didn't get a chance to explore the site in question, just gave general advice.
Incidentally, since themes.googleusercontent.com will show up in the Recently Blocked Sites menu and not the main menu, this could add ammunition to another thread...

@ Armin Haas: Since it is not a script being called, there really is no need to do anything. All such objects are blocked by default. Only if you allow them will they be allowed to load on the page, and you'll notice that "Temporarily allow" is the only option. So even if you do TA it, that permission is revoked either when you click "Revoke temporary permissions" or when you close the browser.

Since they can never run without your express permission, that is pretty much "Untrusted".

Please ensure that no site related to googleusercontent has been added to your Whitelist. (NoScript Options > Whitelist)

I agree. @Armin: If you really feel the need to blacklist it, and you're comfortable editing about:config, then you can add it to the noscript.untrusted property. If you're not familiar or not comfortable with about:config, then as Tom T. said, you can safely leave it as-is.

[Tom T.]

Incidentally, since themes.googleusercontent.com will show up in the Recently Blocked Sites menu and not the main menu, this could add ammunition to another thread...

Indeed! ... although that part got a bot O/T from the original topic of the thread. The actual RFE for being able to *copy* all sub-menus is here.

BTW, that one has drawn no response since it was posted almost two weeks ago. Care to add your support for it? (and bump in the process )

.... @Armin: If you really feel the need to blacklist it, and you're comfortable editing about:config, then you can add it to the noscript.untrusted property. If you're not familiar or not comfortable with about:config, then as Tom T. said, you can safely leave it as-is.

There is one other way which is a more familiar, text-based method, exposing far more than that small box in the about:config string values.

At the bottom of the NS Options > Whitelist tab, click "Export". Choose your desired location, e. g., desktop, and an easy name -- maybe "whitelist".
The default file type in Windows is .txt, so whatever your Linux distro does with such things will be fine.

In Windows, it is much better to open this file with Wordpad (.rtf-style) than with Notepad. Sorry that I'm not *nix-friendly, but the point is that in Notepad, it's one huge blob, with concerns for separation, line-wrapping, etc. Wordpad puts one entry on each line, which is much easier. It actually works well with Open Office Writer (= MS Word), but the page breaks can be annoying. No page breaks in Wordpad.

After the Whitelist entries, you'll see [UNTRUSTED]. Just add your entries there, one per line. Don't worry about order; they'll be alphabetized when you import them. When done, save the file, then click "Import" on the same NS Whitelist tab. OK > Done.

This is also much easier than using the Export/Import buttons that are at the very bottom of the NS GUI regardless of tab, which would export *all* NS settings (Appearance, Notification, etc.). More complex file; need to be more careful of format, etc. So use the ones above those, which appear specifically on the Whitelist tab.

All of this should become much easier in NoScript 3.x for the desktop, which is expected to have a GUI for Untrusted as well as Whitelist.
**************************

Couple of minor clarifications:

1. Is googleusercontent.com trusted? If so, you'll need to 'Forbid googleusercontent.com' first before you can blacklist its subdomains.

Actually, just removing it from the whitelist, leaving it in the default-deny zone, would be sufficient.
Also, if OP does want all of googleusercontent to be Untrusted, simply forbidding that base domain name would automatically forbid all sub-domains.

In fact, using full domain names, you can blacklist the parent while whitelisting the sub-domains, as I've done with Yahoo.

www dot yahoo.com is blacklisted.
mail.yahoo.com is whitelisted.

That could be reversed, if I wished: whitelist www dot yahoo.com while blacklisting mail.yahoo.com. So long as there is the www to distinguish the parent, this works. If it were http:// yahoo.com, then of course the full address, including protocol (http) would be used to w/l one and b/l the other.

However, you're quite correct that if OP wishes to allow googleusercontent in general, except for themes dot, then using at least full domain names, or else full addresses, would be necessary - as in above example with Yahoo.

'Options - Appearance', under Contextual Menu,

I'm pretty sure that you intended this just as a geographical way to locate the "Base/Full Domans/Addresses" blocks, but just to ensure that OP doesn't misread it: All of the above applies even if "Show contextual menu" is unchecked. (Better to be too cautious than to assume too much... )


ETA: One clarification of my own previous: Objects are blocked by default if either the source or destination is not whitelisted. If both are trusted, then they are default-blocked only if you check "Apply these restrictions to whitelisted sites too". Else, trusted sources can load on trusted sites.
This was why I said,

Please ensure that no site related to googleusercontent has been added to your Whitelist.

... in case OP did *not* check "Apply To Whitelisted".

So if OP does add googleusercontent, with or without "themes", to Untrusted, then there are no worries on trusted sites (or any other), even if "Apply to Whitelisted" is not checked.

Clear as mud, eh?