Granularity of Temporarily set top-level sites to TRUSTED

tancrackers · Post by **tancrackers** » Wed Mar 28, 2018 3:52 am

I have checked off: Temporarily set top-level sites to TRUSTED

This should allow the top-level domains, which it does, but I noticed some sites here and there suffer from a bug. Some sites have two domains with the same name, but not both are honored by the Trusted permission.
If we have a site www.example.com we might have:
...example.com
and
http://www.example.com

One of these will be Trusted by NoScript, but the other will not. To me, both should be Trusted by NoScript since they're the same site IMO.

Example site:
http://www.city-data.com/

Temp trusted: http://www.city-data.com

Set to Default: …city-data.com

I have encountered a bunch of sites where this happens. I will supply a list if you want.

Here are my specs:
NoScript Version: 10.1.7.5
Firefox: 59.0.2 x64 on Windows 10

Post by **barbaz** » Wed Mar 28, 2018 3:59 am

That's expected behavior. http://www.city-data.com is a subset of ...city-data.com, trusting the former should *not* automatically trust the latter.

tancrackers · Post by **tancrackers** » Wed Mar 28, 2018 4:02 am

barbaz wrote:That's expected behavior. http://www.city-data.com is a subset of ...city-data.com, trusting the former should *not* automatically trust the latter.

Is there a way to trust *.example.com then?

Post by **barbaz** » Wed Mar 28, 2018 6:55 am

"...example.com" trusts both "example.com" and *.example.com

tancrackers · Post by **tancrackers** » Wed Mar 28, 2018 2:02 pm

barbaz wrote:"...example.com" trusts both "example.com" and *.example.com

That's the way I wanted the feature to work. I never had a problem with NoScript before Firefox 57 with this.

Post by **barbaz** » Wed Mar 28, 2018 3:49 pm

tancrackers wrote:
barbaz wrote:"...example.com" trusts both "example.com" and *.example.com
That's the way I wanted the feature to work. I never had a problem with NoScript before Firefox 57 with this.

So to be clear, does it work that way for you or not?

Post by **Giorgio Maone** » Wed Mar 28, 2018 4:47 pm

Notice also that if the lock icon is closed and green, only the HTTPS (secure) version of the site(s) will be trusted, so https://www.city-data.com will work but http://www.city-data.com won't.
For ...citydata.com to match http://www.city-data.com you'll net to set the lock icon to open/red.

tancrackers · Post by **tancrackers** » Wed Mar 28, 2018 5:35 pm

barbaz wrote:
tancrackers wrote:
barbaz wrote:"...example.com" trusts both "example.com" and *.example.com
That's the way I wanted the feature to work. I never had a problem with NoScript before Firefox 57 with this.
So to be clear, does it work that way for you or not?

It does not currently work the way that I was expecting.

Giorgio Maone wrote:Notice also that if the lock icon is closed and green, only the HTTPS (secure) version of the site(s) will be trusted, so https://www.city-data.com will work but http://www.city-data.com won't.
For ...citydata.com to match http://www.city-data.com you'll net to set the lock icon to open/red.

In my settings, they are both red.

Code: Select all

https://i.imgur.com/iNIlZrS.png

Forgive me if I misinterpreted the setting, but my thought was that the setting was that *.city-data.com would be matched as the top-level domain. Therefore, I wouldn't have to worry about whitelisting virtually every site that I would visit, the setting would just temporarily whitelist it automatically. In NoScript before Quantum, this is how it behaved for me. Now, this is not the case?

Essentially, one can look at ScriptSafe on Chrome. Their option: "Allow the same domain and subdomains" is more what I was looking for.

Post by **barbaz** » Wed Mar 28, 2018 11:06 pm

I am sorry, I totally misunderstood the problem! Let me try to summarise it.

Current state: NoScript Options > General > "Temporarily set top-level sites to TRUSTED" sets full addresses to TRUSTED.

What you want: Ability to make that setting act on base 2nd-level domains instead of full addresses. i.e. a proper equivalent of NoScript Classic's "Temporarily allow top-level sites by default", where the granularity was configurable.

Do I have it right this time?

tancrackers · Post by **tancrackers** » Thu Mar 29, 2018 8:47 pm

barbaz wrote:I am sorry, I totally misunderstood the problem! Let me try to summarise it.

Current state: NoScript Options > General > "Temporarily set top-level sites to TRUSTED" sets full addresses to TRUSTED.

What you want: Ability to make that setting act on base 2nd-level domains instead of full addresses. i.e. a proper equivalent of NoScript Classic's "Temporarily allow top-level sites by default", where the granularity was configurable.

Do I have it right this time?

Yes! Exactly.

Post by **barbaz** » Fri Mar 30, 2018 1:40 am

Thanks for confirming. I've changed the thread title to better reflect the issue at hand.

tancrackers · Post by **tancrackers** » Fri May 04, 2018 6:58 am

Is this a legitimate feature that would be considered for a future release?

InformAction Forums

Granularity of Temporarily set top-level sites to TRUSTED

Granularity of Temporarily set top-level sites to TRUSTED

Re: Top-level domains not working properly

Re: Top-level domains not working properly

Re: Top-level domains not working properly

Re: Top-level domains not working properly

Re: Top-level domains not working properly

Re: Top-level domains not working properly

Re: Top-level domains not working properly

Re: Top-level domains not working properly

Re: Top-level domains not working properly

Re: Granularity of Temporarily set top-level sites to TRUSTE

Re: Granularity of Temporarily set top-level sites to TRUSTE