Requesting domain script control

pjk
Posts: 19
Joined: Mon Jul 20, 2020 10:13 pm

Requesting domain script control

Post by pjk »

NoScript is a precious resource and I'm so glad that the developer has continued to produce, evolve and improve it.

The one feature that would be a great addition for me would be a way to block based on requesting domain, especially for giant, ubiquitous and privacy-shredding script-hosting domains like "google.com".

For example, my regional government has websites that access and process very sensitive data on individual citizens, yet some of those require you to solve a Google captcha before you can use them. If I am not in a position to convince the government to stop this annoying practice, I'd like to at least minimize its "spillover" impact on everything else I do on the web. Not allowing "google.com" by default in NS is a start, but then I am forced to continually approve requests that do not conveniently restrict themselves to a specific Google subdomain like "docs.google.com" (this includes their captcha, btw), and then turn around and revoke those temporary permissions each time (if I don't forget).

I used to use a Firefox extension called "Request Policy", but I cannot find something like this for Chromium-based browsers. And this functionality would be far more useful if it can be a parameter on a NS rule, like "disable JS for google.com by default, but allow requests originating from UsefulDomain.com".

Thanks for your interest!
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.186 Safari/537.36
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Requesting domain script control

Post by Giorgio Maone »

"Contextual permissions" are planned for later this year (summer, most likely).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
d-mz
Posts: 2
Joined: Mon Dec 06, 2021 6:01 pm

Re: Requesting domain script control

Post by d-mz »

Hello,

I am also very interested in contextual domain-based blocking configuration options.

I'm very happy to see that this is already being investigated, and I have a few questions about how it will work and what exactly will be supported.

For each domain which has a specific setting configured, will it be possible to create a list of websites where they are available, rather than a single allowed domain? As an example, gstatic.com is required for both Google Translate and Google Maps to work, but I wouldn't want gstatic scripts loading on a separate unrelated site. There are probably similar cases for other affiliate-type domains (like CDNs).

Secondly, for embed/iframe-type requests, which rule gets used: the rule that applies to the embedding domain or the rule that applies to the iframe src domain? For example, if googlevideo.com is allowed only in the context of youtube.com, would embedded videos (iframe src=youtube.com) on other sites load or not?

Lastly, what is the version of NoScript that is planned for this support to be added?

Thank you for looking into this and for all your hard work on this extension.
Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Mad_Man_Moon
Senior Member
Posts: 75
Joined: Fri Oct 27, 2017 12:02 pm

Re: Requesting domain script control

Post by Mad_Man_Moon »

This sounds an awful lot like ABE, folks.

Anyway ... FTR, these are the domains/URLs that specifically affect recaptcha on google:

recaptcha.com
recaptcha.net
gstatic.com/recaptcha/*
google.com/recaptcha/*
google.com/recaptcha/api2/

I appreciate that the last one is redundant there ... sue me. ;-)

I know this because I have them in a rule for ... another thing.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
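
An added illustration of the feature requested in this thread (not NoScript code and not written by any poster): a rule that matches the reCAPTCHA entries listed above and allows them only from a list of requesting sites, evaluated against either the top-level page or the requesting frame, which is the iframe question raised earlier. The rule shape, function names, pattern semantics and the example.org/example.com hosts are assumptions.

```javascript
// Hypothetical model of a "contextual permission"; not NoScript's implementation.
// Patterns are the reCAPTCHA entries from the post above. Assumed semantics:
// a bare entry is a domain plus its subdomains, "/..." is a path prefix.
const RECAPTCHA_PATTERNS = [
  "recaptcha.com",
  "recaptcha.net",
  "gstatic.com/recaptcha/*",
  "google.com/recaptcha/*",
  "google.com/recaptcha/api2/",
];

// Constructed policy: matching scripts run only when requested from these sites.
const rule = {
  patterns: RECAPTCHA_PATTERNS,
  allowedContexts: ["citizen-portal.example.org"], // placeholder requesting domain
};

function hostMatches(host, domain) {
  // Exact host or a true subdomain; "notgoogle.com" must not match "google.com".
  return host === domain || host.endsWith("." + domain);
}

function urlMatchesPattern(url, pattern) {
  const { hostname, pathname } = new URL(url);
  const slash = pattern.indexOf("/");
  if (slash === -1) return hostMatches(hostname, pattern);
  const domain = pattern.slice(0, slash);
  const prefix = pattern.slice(slash).replace(/\*$/, "");
  return hostMatches(hostname, domain) && pathname.startsWith(prefix);
}

// frameChain: URLs from the top-level page down to the frame issuing the request.
// mode "top" keys the decision on the top-level page, "parent" on the requesting frame.
// "no-match" means this rule says nothing and the default policy applies.
function decide(rule, scriptUrl, frameChain, mode = "top") {
  if (!rule.patterns.some((p) => urlMatchesPattern(scriptUrl, p))) return "no-match";
  const ctx = mode === "top" ? frameChain[0] : frameChain[frameChain.length - 1];
  const host = new URL(ctx).hostname;
  return rule.allowedContexts.some((d) => hostMatches(host, d)) ? "allow" : "block";
}
```

With a frame chain of an unrelated page embedding the allowed site, the two modes give opposite answers, which is why the choice of context for iframes has to be defined by the rule language.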
d-mz
Posts: 2
Joined: Mon Dec 06, 2021 6:01 pm

Re: Requesting domain script control

Post by d-mz »

I agree; from what I can tell, what is being discussed here is a subset of the functionality previously provided by ABE (otherwise known as the Application Boundaries Enforcer). As far as I can determine, ABE is not included in current releases of NoScript since it moved to the WebExtensions API. The only references I found in the source code are in src/legacy/defaults.js.

I attempted to search the forum to see if there are any concrete plans to re-introduce ABE for Firefox, but unfortunately the search box ignores "ABE" because it's less than 4 characters long, and the results for Application Boundaries Enforcer are now obsolete.

If there are already plans to re-introduce ABE to current versions of NoScript for Firefox then I think that would cover this use case. Is that something that will be in an upcoming release?
Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Requesting domain script control

Post by barbaz »

@d-mz: ABE *will* be brought back in NoScript Webext and it is being worked on, though I'm not sure of the current status of that or if there are any concrete plans about when it will happen.
*Always* check the changelogs BEFORE updating that important software!