The latest development version of the Tor Browser includes NoScript Quantum and I have found a rather interesting rule there which sets HTTP to UNTRUSTED by setting "http:" accordingly. I like that and added the rule to my Firefox customization. I am fully aware that this is something like an undocumented feature and therefore don't complain that I failed doing that using the GUI. At the moment it is impossible to see the blocked domains or to set exceptions (which I would welcome for internal pages at work). One has to disable all restrictions for the current tab or something like that, which isn't necessarily what one wants to do too often.
I therefore think it is great to set HTTP to UNTRUSTED and it would be even greater to be able to treat HTTPS and HTTP differently in a more general way. Wouldn't it be nice to have two versions of the presets, one for HTTP and one for HTTPS? This would offer full flexibility. Alternatively, there may be an additional option analogously to "Temporarily set top-level sites to TRUSTED" which treats HTTP as UNTRUSTED, unless the user has defined a rule or sets the domain to Temp. TRUSTED.
Preset customizations: treating HTTPS and HTTP differently
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Preset customizations: treating HTTPS and HTTP different
That's interesting, but I need some time to wrap my head around it, especially from the UX perspective, and in the meanwhile the Tor Browser guys are likely to come with similar ideas as well.
Just to be sure, would the green/red lock near each site entry, locking privileges to the HTTPS version of the site only, fit your use case?
Re: Preset customizations: treating HTTPS and HTTP different
I think what they're asking for is the ability to do something like this:
Plain HTTP sites Default -> nothing checked
HTTPS sites Default -> check only frame, fetch
Individual trusted sites -> all checked, green lock set
Basically the option to have two Default presets, one for plain HTTP sites and a separate one for HTTPS sites, and set different permissions for each one. The green/red lock only applies to individual sites, so it does not seem to cover this.
@musonius Do I have it right?
*Always* check the changelogs BEFORE updating that important software!
Re: Preset customizations: treating HTTPS and HTTP different
Giorgio Maone wrote: Just to be sure, would the green/red lock near each site entry, locking privileges to the HTTPS version of the site only, fit your use case?

It's about breaking as few pages as possible and still being safer than without NoScript. On the other hand, I want to be able to easily switch to a much more restricted mode, for example by unchecking script of the DEFAULT preset. I have not found a way to trust everything besides object and media per default and distrust http globally except some particular pages by using the red/green locks. The Tor Browser settings do the job apart from the failure to define exceptions for http.
Why do I want to define exceptions for http? We use a bug tracking system at work whose url looks like
http://bugtracker:8080/...
Re: Preset customizations: treating HTTPS and HTTP different
barbaz wrote: @musonius Do I have it right?

Yes indeed. Your explanation is simpler. It's about the defaults, when there is no explicit rule for a given domain. I want them to be different for HTTPS and HTTP.
Re: Preset customizations: treating HTTPS and HTTP different
With the latest update (10.1.9.8) I can finally do that: I have set "http:" to UNTRUSTED and can customize http sites, if necessary.
@Giorgio Maone: I am very happy with this update, many thanks!
- Giorgio Maone
Re: Preset customizations: treating HTTPS and HTTP different
musonius wrote: With the latest update (10.1.9.8) I can finally do that: I have set "http:" to UNTRUSTED and can customize http sites, if necessary.
@Giorgio Maone: I am very happy with this update, many thanks!

You're welcome
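Added example, not part of the thread and not NoScript's own code: a simplified JavaScript model of the setup discussed above, where a scheme-wide "http:" rule marks plain HTTP as UNTRUSTED and more specific site rules act as exceptions. The rule set, the host names other than the bug tracker, and the "most specific match wins" ordering are assumptions of this model.

```javascript
// Simplified model of the thread's setup; not NoScript's implementation.
const presets = {
  DEFAULT: ["frame", "fetch"],   // barbaz's example for sites without a rule
  TRUSTED: ["script", "object", "media", "frame", "fetch"],
  UNTRUSTED: [],                 // nothing checked
};

// Constructed rule set: one scheme-wide rule plus site-level exceptions.
const siteRules = new Map([
  ["http:", "UNTRUSTED"],                 // every plain-HTTP page
  ["http://bugtracker:8080", "TRUSTED"],  // internal exception from the thread
  ["https://shop.example", "TRUSTED"],    // trust locked to the HTTPS version
  ["forum.example", "TRUSTED"],           // scheme-agnostic domain rule
]);

// Candidate keys for a URL, most specific first (assumed precedence):
// full origin, then the host and its parent domains, then the bare scheme.
function candidateKeys(url) {
  const u = new URL(url);
  const keys = [u.origin];
  const labels = u.hostname.split(".");
  for (let i = 0; i < labels.length; i++) {
    keys.push(labels.slice(i).join("."));
  }
  keys.push(u.protocol);                  // "http:" or "https:"
  return keys;
}

// Return the preset that applies and the rule key that selected it.
function resolve(url, rules = siteRules) {
  for (const key of candidateKeys(url)) {
    if (rules.has(key)) return { preset: rules.get(key), matched: key };
  }
  return { preset: "DEFAULT", matched: null };
}

function capabilities(url, rules = siteRules) {
  return presets[resolve(url, rules).preset];
}

for (const url of ["http://bugtracker:8080/issues/1", "http://news.example/",
  "https://news.example/", "http://shop.example/cart", "http://forum.example/"]) {
  console.log(url, resolve(url).preset, capabilities(url).join(",") || "(none)");
}
```

In this model the scheme-agnostic `forum.example` rule also trusts the HTTP version of that site, while `shop.example` falls back to the "http:" rule over plain HTTP because its trust entry names the HTTPS origin only.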