feature request: allow scripts at link if source allowed

[marc]

If I click on a link to another site from a site that I Allow scripts, I'd like the destination top-level site to have the scripts allowed completely or temporarily (I'm currently undecided). This would exclude sites such as search engines as no one should trust sites that are listed. What do you think? This would reduce the number of times we allow scripts which quickens our web experience.

[GµårÐïåñ]

I will let the professor field this question but just to add my two cents on this, I believe that it would pose a problem and defeat the purpose of script blocking. Just because you trust the source, doesn't mean the linked page is safe and not hijacked. The fact is that many people have Google.com allowed for whatever reason, think how if this model was effective, every link you got on the search engine, good or bad would be allowed. You might as well browse with NS off in that case, no? I could see a possibly modified OPTION provided for such behavior that in a way mimics "Allow Globally" or "Temporarily allow" and "Allow through bookmark" which are currently a feature but I think its implementation might actually be moot. Let's see what Giorgio thinks about it. JMHO.

[therube]

Well let me put on my (dunce) cap.
Poor idea IMO. There is already the Temporarily allow top-level sites by default (dangerous) option.

There was that thread about Allow Global should act recursively ... Worth a read.

[marc]

Just because you trust the source, doesn't mean the linked page is safe and not hijacked.

Your point about "hijacked" is beyond my understanding. Are you saing that "informaction.com" (for example) could be potentially hijacked?

The fact is that many people have Google.com allowed for whatever reason, think how if this model was effective, every link you got on the search engine, good or bad would be allowed.

In my post, I did say search engines would be excluded. We would need to create a blacklist that would include google, yahoo, msn, digg, stumbleupon, etc. before this idea is implemented. Maybe this is where it gets difficult, since we cannot confidently get them all. Maybe there is some other way that knowledgeable people know about.

[marc]

There is already the Temporarily allow top-level sites by default (dangerous) option.

I consider this an improvement to the Temporarily allow top-level sites by default option. What I am suggesting is this:

If link is from a site that has scripts allowed, and is not a search engine, then temporarily allow scripts at the top level for the destination site. Therefore, it reduces the need for the current option, which is more dangerous since more sites have the 'temporary' setting on.

What I suggest is what I often do anyway simply because many of the sites I visit either need JS to make the site useful or to improve the user experience. I tend to value NoScript when I go from search engines to unknown websites.

There was that thread about Allow Global should act recursively ... Worth a read.

I searched but didn't find the thread.

[GµårÐïåñ]

Just because you trust the source, doesn't mean the linked page is safe and not hijacked.

Your point about "hijacked" is beyond my understanding. Are you saing that "informaction.com" (for example) could be potentially hijacked?

Ok, its clear. No Informaction.com is not hijacked (what an ignorant thing to say) but yes anything can be hijacked, ANYTHING so let me explain and be done with it. If you go to whitelistedsite.com and it is linked to wasteoftime.com, anothersite.com and momandpophtml.com any of the linked sites like wasteoftime.com and anothersite.com and momandpophtml.com could become compromised and hijacked and you are assuming that that whitelistedsite.com has actually vetted and knows for sure they are good safe sites, you really want some faceless joe on the web deciding that for you? if so why not just ride with everything trusted. How do you know that since whitelistedsite.com linked to that site it has not been sold off to someone else who is using it to hose warez and/or it expired and got purchased by a porn provider or it was compromised for bad coding and it now serving malicious content for someone else?

[therube]

I searched but didn't find the thread.

Neither did I. But hoping someone remembers which thread & links to it.

[GµårÐïåñ]

Not sure but this might be what you were thinking about: http://forums.informaction.com/viewtopi ... t=15#p7371

[therube]

You got it, the "i give up" thread .

[GµårÐïåñ]

You got it, the "i give up" thread .

Good. I figured that it might be that

[marc]

How do you know that since whitelistedsite.com linked to that site it has not been sold off to someone else who is using it to hose warez and/or it expired and got purchased by a porn provider or it was compromised for bad coding and it now serving malicious content for someone else?

We must be searching in different circles.

My suggestion is still a better option than "Temporarily allow all top-level sites by default". Maybe we call it "Temporarily allow top-level sites linked from a whitelisted site that is not a search engine".

[GµårÐïåñ]

You can snub it if you want but I run in the same circles as the developer of this extension since I was 14 and so my experience makes me a realist and a pragmatist bordering a paranoid pessimist, occasionally morbidly so. But facts, in ALL my life, I have never had a virus infection, malware, trojan, I get less than 20 pieces of unwanted email per month for 18 email accounts, never had any type of account information for anything compromised, or even ever lost my keys, watch or wallet. Although by nature I try to see the good in everyone, I follow the policy of trust no one, suspect every one until proven otherwise. Not trust everyone until they screw you over. Kept me alive as a Marine and served me well as a hacker and hopefully as an attorney. Hopefully that answers the first part of your post.

Now back to the technical question at hand, the temporarily allow all sites was intended to mitigate some non-techi user frustrations (seeing webpages suddenly not looking right or working, giving them no less protection than they had before while they get acclimated) and the allow globally is basically turn off the blocking I know what I am doing (therube's version of I give up button). What you are suggesting, although I understand perfectly where you are coming from and situations where that would be useful, it could potential cause great harm if misunderstood, or misused by giving a false sense of security and introducing complacency by the users which is security death. The implication is that if you trust one site, everything coming from that site (linked on that site) is also safe and regardless of how I feel with the circles I search, you must admit that is logically flawed. Let's try the inductive reasoning: Wine is a spirit, champagne is a wine, therefore all spirits are wine. Now another problem with, let's not include search engines in this, is that there are more search engines out there than Giorgio can be expected to include in his exception list to make sure links from it are not processed. We don't just have google, yahoo (now bing), msn (now bing), live (now bing) to contend with. There are international versions, other personalized or specialized ones and so on and so forth, the list is virtually endless.

Now all that being said, I can see a possibility of the feature being provided as a "use at your own risk" with responsibility to place exclusion engines (ie: google, this and that) on the user, basically the user needs to decide what WON'T have its links trusted. This would suggest a huge architectural modification and addition to NoScript, so not sure it would be something the professor would want to tackle given higher priority items but should he do it, then I am all for it and I am sure it will make someone happy, like you. Hope you won't take offense to me adding my two cents and maybe Giorgio will have a different perspective on this that I am missing. Cheers.

[therube]

Good example of why this would not be a good idea: http://forums.informaction.com/viewtopi ... 9330#p9330.

So you trust zone-h.org. OK, if you can live with that I can too.

But now, because you've trusted zone-h, you have subsequently also trusted cornetintl.com/, ss.la/, zone-h.net/ etal? I think not.