Question concerning the TRUSTED and UNTRUSTED presets and their application to HTTP and HTTPS requests

Post a reply


In an effort to prevent automatic submissions, we require that you complete the following challenge.
Smilies
:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek:

BBCode is ON
[img] is ON
[flash] is OFF
[url] is ON
Smilies are ON

Topic review
   

Expand view Topic review: Question concerning the TRUSTED and UNTRUSTED presets and their application to HTTP and HTTPS requests

Re: Question concerning the TRUSTED and UNTRUSTED presets and their application to HTTP and HTTPS requests

by musonius » Mon Dec 30, 2019 2:16 pm

Everything set to UNTRUSTED in NoScript 11.0.11rc2 for HTTPS only is set to UNTRUSTED for HTTP and HTTPS after updating to 11.0.12rc1. Setting a domain (HTTPS) to UNTRUSTED in 11.0.12rc1 sets the domain to UNTRUSTED for both protocols, too.

The new behavior is very welcome. Thank you!

Re: Question concerning the TRUSTED and UNTRUSTED presets and their application to HTTP and HTTPS requests

by musonius » Sun Dec 29, 2019 7:33 pm

This commit: https://github.com/hackademix/noscript/ ... 982bc6abf8

Thank you, I am going to test this as soon as 11.0.12rc1 is available.

Re: Question concerning the TRUSTED and UNTRUSTED presets and their application to HTTP and HTTPS requests

by Giorgio Maone » Sun Jun 16, 2019 7:54 am

Yes, it's been an implementation overlook.
The right thing to do, IMHO, is setting the whole domain (no matter the protocol) as UNTRUSTED (as the UI would suggest), and let advanced users fine tune if they wish in the "NoScript Options>Per-site permissions" tab.
Putting this in my TODO list, thanks.

Question concerning the TRUSTED and UNTRUSTED presets and their application to HTTP and HTTPS requests

by musonius » Sat Jun 15, 2019 10:19 pm

If I trust trusteddomain.com for HTTP, it will also be trusted for HTTPS, which is exactly what I expect. There is the padlock to switch between trusting a domain for HTTPS only (green padlock) or for both protocols (red padlock).

But if I set untrusteddomain.com to UNTRUSTED for HTTPS, the domain untrusteddomain.com will still be set to DEFAULT for HTTP. That is, I have to set a domain to UNTRUSTED for HTTP, if I want the setting to be applied for both protocols. Unfortunately, there is no padlock to do that, which is what I prefer to do, if HTTPS is the current protocol.

Does that work as intended? If it does, what's the reason? I'd expect the UNTRUSTED preset to work the other way round than the TRUSTED preset. If I don't trust untrusteddomain.com for the protocol HTTPS, I won't trust it for HTTP either.

Top