InformAction Forums

Hey,

wow, the spamfilter just ate my whole post.
So, I don't know if it's a bug, a missing feature or if it's me missing something, so this is more a description of the problem. It relates to NoScript version 2.6.8.31.

When using some websites (e.g. kickstarter, example: the videos on https://www.kickstarter.com/projects/ai ... ports-dron ) parts of them are hosted on cloudfront, so the domain is like yyyyyyyyy.cloudfront.net, where the y-part is dynamic on page reload. That means to use the site I would like to temporarily allow the whole second-level domain (cloudfront.net). But in the context menu only the complete domain is shown. NoScript is configured to offer second-level-domains only.

I then tried to manually add a temporary entry to the whitelist, but the configuration dialogue only offers you to add permanent permissions. This could be improved to also offer temporary addition, maybe even switching an entries life san between permanent and temporay (e.g. via extra-button or even better context menu).

Thanks for feedback and or correcting the problem.

anyone wrote:That means to use the site I would like to temporarily allow the whole second-level domain (cloudfront.net).

Don't do that. Cloudfront is a hosting provider. Their subdomains could be hosting anything at all. Only allow the specific domains that you need.

I then tried to manually add a temporary entry to the whitelist, but the configuration dialogue only offers you to add permanent permissions. This could be improved to also offer temporary addition, maybe even switching an entries life san between permanent and temporay (e.g. via extra-button or even better context menu).

I can't see a strong use-case for temporarily allowing something via the Options dialog. Temporary permissions are really only useful when you aren't yet sure what you'll need to make a site work. Or if you're really paranoid and never permanently allow anything - in which case, you definitely won't want to allow all of cloudfront.net.

Thrawn wrote:Don't do that. Cloudfront is a hosting provider. Their subdomains could be hosting anything at all. Only allow the specific domains that you need.

I agree that the permission is far too wide, but as the prefix I described above is neither descriptive nor spefific for the content provided (almost guid-style, e.g. fnm1138hgcm1.cloudfront.net) and changes on page reload and following links on a page. Therefore I cannot permit only a specific subdomain. So allowing the whole second-level-domain (and revoking that permit when leaving the site) is the only option imho. Or do I miss something here?

Still there is no explaination why the context menu won't offer me to add a second-level-temp-permit when it is configure to give that option. Could you please elaborate on that?

Thanks in advance.

There are some second-level domains that are treated as top-level domains, for exactly this kind of reason. Blogspot is one, eg the Google blog; you won't be offered the option to whitelist all of Blogspot. Different blogs are essentially different sites - they are owned by different people - so they are treated that way. Cloudfront is the same.

I would be surprised if there is no pattern at all to the Cloudfront domains that are used. If you refresh a few times, I suspect you'll find that they start to repeat. But if not, then you can use an ABE rule to protect yourself. You would need to allow cloudfront.net via the Options dialog, then add to ABE (in the USER ruleset):

That sounds reasonable. Ty very much!

anyone wrote:switching an entries life san between permanent and temporay (e.g. via extra-button

+1 to this feature. I've just run into a valid use case for it:
1) You give temporary permissions to a site, to see what works and what doesn't. You intend to go back to that site later.
2) You figure the correct permissions, and want them to be permanent, but you forget to click "Make page permissions permanent". You leave the site, but you can't go back there right away to correct your mistake, or the site changes in a rotating way and you don't want to reload and reload.
3) So to try to fix your mistake, you go to NoScript Options -> Whitelist, where you can see that the entry has temporary permission, but it turns out that isn't what you wanted. The GUI offers no way to copy the domain name to (eventually) paste into the box to Allow it, and there's no way to say "make this permission permanent"...

Not relevant as of NoScript 2.6.9.

If you use sticky menus, then you should be able to return to the site, then forbid and permanently allow each domain without reloading. NoScript is smart enough to recognise that the effective permissions haven't changed and skip the reload. (Or you could just disable auto-reloading completely, like I do.)

Thrawn wrote:If you use sticky menus, then you should be able to return to the site, then forbid and permanently allow each domain without reloading. NoScript is smart enough to recognise that the effective permissions haven't changed and skip the reload.

Yes, I use the sticky menu, and that's exactly how I handle it most of the time. This was a bit of an edge case.
Not relevant as of NoScript 2.6.9.

Hmm. Maybe the simplest solution to this is: when you click 'Revoke Temporary Permissions' in the Whitelist tab, NoScript could put the removed domain name in the input field. What do you think?

Thrawn wrote:Hmm. Maybe the simplest solution to this is: when you click 'Revoke Temporary Permissions' in the Whitelist tab, NoScript could put the removed domain name in the input field. What do you think?

Good idea, except in this case it was more than one domain.
Not relevant as of NoScript 2.6.9.

Yet another use case for being able add temporary permissions manually through NS Options -> Whitelist: viewtopic.php?f=7&p=71217#p71208