JavaScript CDNs to add to whitelist

Bug reports and enhancement requests
t3g
Posts: 5
Joined: Tue Sep 17, 2013 5:11 pm

Post by t3g » Tue Sep 17, 2013 5:49 pm

In the NoScript whitelist, you have the googleapis.com domain whitelisted which is helpful for accessing fonts and JavaScript on that domain normally since it is a trusted domain. With that in mind, there are a few other domains which serve open source JavaScript from their CDNs. They include:

* ajax.aspnetcdn.com
* cdnjs.cloudflare.com
* code.jquery.com
* yandex.st

I would say those are the top ones for now, but there are some other ones that aren't required but to keep in the back of your mind for the future:

* mootools.net (Libraries from developer site)
* prototypejs.org (Libraries from developer site)
* tinymce.cachefly.net (TinyMCE CDN)
* vjs.zendcdn.net (VideoJS CDN)

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Post by Thrawn » Wed Sep 18, 2013 12:53 am

Giorgio doesn't generally add CDNs to the default whitelist. I'm not sure why he added googleapis.com, except that google.com is already on the default whitelist (so people can use GMail to get support), and googleapis.com is controlled by Google anyway.

I doubt he'll add many others. It's generally up to you to add the ones you trust.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.

Post by t3g » Wed Sep 18, 2013 9:00 pm

These aren't standard, run-of-the-mill CDNs. They specifically serve free software and open source compliant JavaScript libraries for a big portion of the internet. If this is a JavaScript extension and you can have the option to allow FLOSS JavaScript libraries, then what is the big issue?

Post by Thrawn » Thu Sep 19, 2013 3:07 am

The issue is that Giorgio usually leaves security decisions up to each user. If you trust those sites, then whitelist them. But some people might not choose to, for various reasons, and that's their own business.

The default whitelist is for sites that need to be allowed for some compelling reason - like addons.mozilla.org - plus a couple of Giorgio's own sites (because if you don't trust him, then you shouldn't be installing his software on your computer).

Post by t3g » Thu Sep 19, 2013 7:45 pm

So the googleapis.com CDN is trusted just because it is Google? The developer seems to be very shortsighted in what is right and not. Yes, it is true that you can add sites to your whitelist, but there should be some reconsideration on what is there by default.

Post by Thrawn » Fri Sep 20, 2013 1:32 am

Google is trusted so that new users can use GMail to contact Giorgio for support.

Post by t3g » Fri Sep 20, 2013 7:13 pm

NoScript prides itself on being free software, but then in return blocks a lot of it by default.

Giorgio Maone
Site Admin
Posts: 8700
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Post by Giorgio Maone » Fri Sep 20, 2013 7:32 pm

t3g wrote:
* ajax.aspnetcdn.com
* cdnjs.cloudflare.com
* code.jquery.com
* yandex.st

I would say those are the top ones for now, but there are some other ones that aren't required but to keep in the back of your mind for the future:

* mootools.net (Libraries from developer site)
* prototypejs.org (Libraries from developer site)
* tinymce.cachefly.net (TinyMCE CDN)
* vjs.zendcdn.net (VideoJS CDN)


Sorry for chiming in so late.
I think I'm gonna add them for new installations and for users who kept googleapis.com in their whitelist (which hints they're not paranoid about JS lib CDNs).

[EDIT]
Done in latest development build 2.6.8, thanks.

barbaz
Senior Member
Posts: 9173
Joined: Sat Aug 03, 2013 5:45 pm

Post by barbaz » Fri Sep 20, 2013 11:06 pm

Giorgio Maone wrote: I think I'm gonna add them for new installations and for users who kept googleapis.com in their whitelist (which hints they're not paranoid about JS lib CDNs).


Sorry Giorgio but for users who have changed the whitelist at all, I really don't think NoScript should be tampering with the whitelist behind their backs with basically no notice. I was quite unhappy when I found extra sites in my whitelist after updating to the latest RC. Once users configure their whitelist we expect it to stay as is, we don't expect it to change on us, and we *especially* don't expect NoScript to randomly add sites, no matter how "safe" they are, without asking us first.

Please, back out the changeset that modifies the whitelist for users who have already changed it but just happened to leave googleapis, or at the very least add a dialog asking the user to confirm such automatic modifications, including this, to the whitelist, thus keeping the philosophy NoScript was built on: informing the user what is going on and giving control back to the user. Thanks in advance.
*Always* check the changelogs BEFORE updating that important software!

Post by Giorgio Maone » Fri Sep 20, 2013 11:38 pm

barbaz wrote: Please, back out the changeset that modifies the whitelist for users who have already changed it but just happened to leave googleapis

Fair enough, done.

Post by barbaz » Sat Sep 21, 2013 1:29 am

Thanks Giorgio, I really appreciate that you are willing to listen to your users and keep NoScript on a good pathway. :)

Post by Thrawn » Sat Sep 21, 2013 5:49 am

I'd still be OK with adding them for new installations.

t3g wrote: NoScript prides itself on being free software, but then in return blocks a lot of it by default.

That was a cheap shot, and unworthy of the free software movement.

Besides, you should know that the whole point of free software is that the end user is in control of what the software does. If you trust those sites, then whitelist them, and encourage your friends to do likewise. But don't criticise Giorgio if he doesn't impose your choice on everyone.

Post by t3g » Sat Sep 21, 2013 12:40 pm

Thanks for the consideration of those CDNs! I love NoScript and I think it's great that you listen to your users for future updates. Especially the adding of http://cdnjs.cloudflare.com, which has a lot of libraries the Google one doesn't, like Modernizr, html5shiv, and Respond.js. They also host fonts like the excellent Font Awesome.

Post by barbaz » Sat Jun 27, 2015 4:25 am

t3g wrote: * vjs.zendcdn.net (VideoJS CDN)

This domain appears to be a typo. The real VideoJS CDN is located at vjs.zencdn.net
(ref: https://github.com/videojs/video.js/blob/stable/docs/guides/setup.md)

@Giorgio: please replace the vjs.zendcdn.net with the vjs.zencdn.net in all users' whitelists with the next NoScript update, for both dev channel and release channel, thanks.
*Always* check the changelogs BEFORE updating that important software!
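
The typo reported in the post above (vjs.zendcdn.net in place of vjs.zencdn.net) is the kind of allowlist entry an audit can catch before it ships. The following is an added example, not NoScript code and not written by anyone in this thread: it flags allowlist entries that sit within a small edit distance of a known-good CDN hostname. The reference list (the thread's hostnames, with the corrected VideoJS host), the distance threshold of 2, and all function names are assumptions made for illustration.

```javascript
// Added illustration, not NoScript code. Flags allowlist entries that are
// near-misses of a known-good hostname, such as the typo in this thread.

// Reference hostnames taken from the thread (with the corrected VideoJS host).
const KNOWN_CDNS = [
  "googleapis.com", "ajax.aspnetcdn.com", "cdnjs.cloudflare.com",
  "code.jquery.com", "yandex.st", "mootools.net", "prototypejs.org",
  "tinymce.cachefly.net", "vjs.zencdn.net",
];

// Two-row Levenshtein edit distance between strings a and b.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Normalise an entry: lower-case, strip scheme, path, port and trailing dot.
function normalizeHost(entry) {
  return entry.trim().toLowerCase()
    .replace(/^[a-z][a-z0-9+.-]*:\/\//, "")
    .replace(/[\/:].*$/, "")
    .replace(/\.$/, "");
}

// Report hosts that are not an exact match for a known hostname but lie
// within maxDistance edits of one (assumed threshold: 2).
function auditAllowlist(entries, known = KNOWN_CDNS, maxDistance = 2) {
  const findings = [];
  for (const entry of entries) {
    const host = normalizeHost(entry);
    if (!host || known.includes(host)) continue;
    for (const good of known) {
      const distance = editDistance(host, good);
      if (distance <= maxDistance) findings.push({ entry, host, resembles: good, distance });
    }
  }
  return findings;
}

// Constructed sample allowlist for the demonstration.
const sample = ["code.jquery.com", "vjs.zendcdn.net", "http://cdnjs.cloudflare.com/", "example.org"];
console.log(auditAllowlist(sample));
```

A finding is a prompt for manual review, not proof that the entry is wrong: two legitimate hostnames can also be a couple of edits apart.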

Post by Giorgio Maone » Sun Jun 28, 2015 9:30 pm

Sorry for the difference with the beta channel, but AMO's signing process is still quite buggy and among other bugs there's one which makes pushing betas for automatic updates way more difficult than doing this for stable versions (quite the opposite of what should be).
Anyway, latest development build with the whitelist-related changes is on noscript.net, and I've asked AMO admins to manually push it for automatic update, but since many are traveling from their Whistler work-week I'm not sure it's gonna happen immediately.
Thanks for your patience.