Feature Requests: https://*.domain.tld, Access by site

adamhotep
Posts: 4
Joined: Sat Dec 03, 2016 2:07 am
Location: The Internet

Post by adamhotep »

First, I want to thank you for a very nice product. I feel far more comfortable as a security researcher knowing that it's far harder to pwn me.

I have three requests here.

SSL roll-up (https:∕∕*.domain.tld): I'd like to be able to bless an entire domain but for HTTPS only. Take a look at https://www.icloud.com for example; it's got a few of each of icloud.com, cdn-apple.com, and apple.com. I'd have loved to be able to globally allow all of those with the condition of their using SSL. (I can already do it without that requirement.) I'd like https:∕∕domain.tld to be included in an https:∕∕*.domain.tld whitelisting as well. If the wildcard is a UX impediment, consider "domain.tld with SSL" instead.

Access by site: I'd like to be able to say "https://d3tglifpd8whs6.cloudfront.net is allowed from slashdot.org" and be satisfied that that Cloudfront host will not be allowed from outside Slashdot (unless I also grant that permission in a separate action). I'd like to be able to specify this as the default action (I understand that you don't want it to be the out-of-the-box default because that might confuse existing users). If this is configured to be the default, a host that is allowed on other sites but not the current site would offer the ability to allow it just on the current site or else globally. I think it's okay to hide the "global" option for an item that has never been allowed anywhere. When you look at the permissions for the current site, "forbid" and "make global" would be available for any site-restricted permission.

Setup wizard – "Usable" vs "Strict": I don't mind reloading a new site a dozen times in order to get all of the JS working just right, but others do. I belong in "Strict" mode (preferring security over usability, which is how NoScript currently operates) while entry-level users that merely want a better minimum bar (preferring set-and-forget usability at the cost of some security) would be best suited in "Usable" mode, which merely enables Preferences → General → Temporarily allow… → Base 2nd level Domains (noscript.net) and similar settings that make NoScript transparent. Maybe it'd trigger a more aggressive whitelist as well.

I think "Usable mode" is a key missing feature barring entry for most potential users. I certainly can't recommend NoScript to friends and family unless I'm there to install it for them with these settings so they don't call me asking why "nothing works."



Thank you so much for the wonderful work. Keep it up!
Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Feature Requests: https://*.domain.tld, Access by site

Post by barbaz »

adamhotep wrote: SSL roll-up (https:∕∕*.domain.tld):
Should be possible. NoScript Options > Advanced > ABE, add this rule somewhere:

Code:

Site ^https://(?:[^/:]+\.)?domain\.tld[/:]
Accept
Site .domain.tld
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox

Then Allow domain.tld

adamhotep wrote: Access by site:
https://noscript.net/faq#qa8_10
or wait for NoScript 3

adamhotep wrote: Setup wizard – "Usable" vs "Strict":
This idea has been discussed on these forums before, using the term "presets", but I don't seem to remember enough to find it in a search.
*Always* check the changelogs BEFORE updating that important software!
-
adamhotep
Posts: 4
Joined: Sat Dec 03, 2016 2:07 am
Location: The Internet

Re: Feature Requests: https://*.domain.tld, Access by site

Post by adamhotep »

Barbaz: That's great and all, but I'm looking to improve the UI, not to crack it open and set things up that will be harder to troubleshoot further down the line. It's also easier to merely go through the motions re: https. I'll wait for NS 3.0 for the access-by-site feature (though I'll keep your link in my back pocket in the event I need that sort of thing sooner). It's good to see the devs are thinking along the same lines as I am.

Hopefully the access-by-site feature will have a way of converting existing configs to be limited in this manner; I'm not sure I want to start from scratch.

Do you have a link handy for the expected features in NS 3.0 and a projected release timeframe?

BTW, regexes for URIs are better off following TLDs with this just in case (it additionally supports a query, an anchor, and an ending):

Code:

\b(?![.-])

Thanks!
Mozilla/5.0 (X11; Linux i686; rv:49.0) Gecko/20100101 Firefox/49.0
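
Added example (not part of either post, and not NoScript code): the pattern from the ABE rule above and the same pattern ending in the suggested `\b(?![.-])`, run over constructed URLs and compared with a check on the parsed hostname. The sample URLs and the names `slashOrPort`, `boundary`, `httpsOnDomain` and `compare` are assumptions made for illustration.

```javascript
// Pattern from the ABE rule in the thread: host must be followed by "/" or ":".
const slashOrPort = /^https:\/\/(?:[^/:]+\.)?domain\.tld[/:]/;
// Same pattern with the suggested \b(?![.-]) ending instead of [/:].
const boundary = /^https:\/\/(?:[^/:]+\.)?domain\.tld\b(?![.-])/;

// Constructed sample URLs; "domain.tld" is the thread's placeholder.
const samples = [
  'https://domain.tld/',
  'https://www.domain.tld/app.js',
  'https://cdn.domain.tld:8443/x',
  'https://domain.tld',                  // no trailing slash
  'https://domain.tld?q=1',              // query directly after the host
  'https://domain.tld#top',              // anchor directly after the host
  'http://www.domain.tld/',              // plain HTTP must not match
  'https://domain.tld.example/',         // different registrable domain
  'https://domain.tld-cdn.example/',     // different registrable domain
  'https://notdomain.tld/',              // different registrable domain
  'https://domain.tld:x@other.example/', // userinfo; real host is other.example
];

// Reference check: parse the URL and compare scheme and hostname directly.
function httpsOnDomain(url, base) {
  let u;
  try { u = new URL(url); } catch { return false; }
  return u.protocol === 'https:' &&
    (u.hostname === base || u.hostname.endsWith('.' + base));
}

// One row per URL showing what each approach decides.
function compare(urls) {
  return urls.map((url) => ({
    url,
    slashOrPort: slashOrPort.test(url),
    boundary: boundary.test(url),
    parsedHost: httpsOnDomain(url, 'domain.tld'),
  }));
}

console.table(compare(samples));
```

The rows where the columns disagree are the ones to review before relying on a string pattern; this only shows how the regexes treat raw strings, not how NoScript normalizes a URL before ABE sees it.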
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Feature Requests: https://*.domain.tld, Access by site

Post by barbaz »

adamhotep wrote: Do you have a link handy for the expected features in NS 3.0 and a projected release timeframe?
No, sorry. I'm not sure if even Giorgio has that atm.

Actually, I've already said here nearly everything I know about NoScript 3.x for desktop. NoScript 3.x for mobile is alpha stage though - https://noscript.net/nsa/
*Always* check the changelogs BEFORE updating that important software!
-