feature request I've always wanted: trigger NoScript on other items besides scripts

Bug reports and enhancement requests
Post Reply
jawz101
Senior Member
Posts: 70
Joined: Sun Jul 10, 2011 11:13 pm

feature request I've always wanted: trigger NoScript on other items besides scripts

Post by jawz101 » Thu Sep 03, 2020 4:39 am

I understand the idea of NoScript is to be a script blocker first... and then other items (object, frame, font, webgl, fetch, etc.) can be blocked once a domain has been identified by using javascript.

However it would be nice to have other items trigger a domain to be blockable if they appear w/o the use of javascript.

eg. if webgl, xhr/fetch, ping, fonts, etc. are used but not necessarily javascript.

All things being blocked via NoScript, I've observed website's size being 40% fonts that were downloaded from some 3rd party domain wasn't necessarily using javascript as well. And could some of these other web components besides javascript introduce security issues on their own?

This would turn NoScript into more of a uMatrix but must NoScript really have to always revolve around javascript only? NoScript has a less cumbersome interface than uMatrix since it doesn't have the extreme granularity and I'd like to be able to reduce traffic and exposure by detecting more domains.

in summary, ability to identify domains by other technologies than javascript (fetch, ping, object, etc.)
-reduce page loads
-catches more domains
-reduces unforeseen security issues that other web technologies may introduce - not necessarily related to javascript


Thank you for your consideration
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

skriptimaahinen
Senior Member
Posts: 213
Joined: Wed Jan 10, 2018 7:37 am

Re: feature request I've always wanted: trigger NoScript on other items besides scripts

Post by skriptimaahinen » Thu Sep 03, 2020 5:05 am

Each of those technologies is detected separately. So if the page has no javascript but some external fonts are used, Noscript will list the domain. Same goes for frames, objects and media.

Fetch, ping and webgl can only be used with javascript, so javascript needs to be enabled before they can be used or detected.
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

barbaz
Senior Member
Posts: 9666
Joined: Sat Aug 03, 2013 5:45 pm

Re: feature request I've always wanted: trigger NoScript on other items besides scripts

Post by barbaz » Thu Sep 03, 2020 2:43 pm

jawz101 wrote:
Thu Sep 03, 2020 4:39 am
could some of these other web components besides javascript introduce security issues on their own?
Yes, that's why NoScript blocks them.
jawz101 wrote:
Thu Sep 03, 2020 4:39 am
must NoScript really have to always revolve around javascript only?
It already doesn't. It revolves around active content, which could be Javascript or WASM or HTML5 media or fonts or etc.
jawz101 wrote:
Thu Sep 03, 2020 4:39 am
I'd like to be able to reduce traffic and exposure by detecting more domains.

[...]
-reduce page loads
-catches more domains
Sorry, this is not the purpose of NoScript.
jawz101 wrote:
Thu Sep 03, 2020 4:39 am
-reduces unforeseen security issues that other web technologies may introduce - not necessarily related to javascript
Again, NoScript already does this. If you know of a vulnerability through not-currently-blocked content types that does not require an already-blocked content type to exploit, please let Giorgio know.
*Always* check the changelogs BEFORE updating that important software!
-

jawz101
Senior Member
Posts: 70
Joined: Sun Jul 10, 2011 11:13 pm

Re: feature request I've always wanted: trigger NoScript on other items besides scripts

Post by jawz101 » Sat Sep 05, 2020 1:34 am

Thank you for the replies. It is good to know that it catches those things
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Post Reply