InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

Updating NoScript Quick Start Guide

https://forums.informaction.com/viewtopic.php?t=20588

Page 1 of 1

Updating NoScript Quick Start Guide

Posted: Sat Feb 28, 2015 6:41 pm
by barbaz
viewtopic.php?f=7&t=268

The info about Akamai and like sites is outdated - GitHub no longer uses Akamai AFAICT, and also these days a more popular "shared CDN" than Akamai is Cloudfront, but some of the time it's used legitimately and some of the time it's used only to deliver trackingware...
I don't know how relevant the linked FAQ entry is for cloudfront because each site gets its own subdomain(s) of cloudfront.net, so it could be enough just to (Temp-)Allow only exact cloudfront subdomain(s).


I'm not completely sure what would be the best way to update that information, any advice?

Re: Updating NoScript Quick Start Guide

Posted: Mon Mar 02, 2015 12:28 am
by Thrawn
I think the best approach to this might be to have NoScript recognise a list of sites where subdomains are likely to have different ownership/trust, and which NoScript should therefore treat like TLDs. Cloudfront and Akamai are certainly two candidates.

But as for updating the advice, maybe something like this?
Be wary of content coming from third parties. However, please note that many respectable sites use companies like Akamai or Cloudfront to help store and provide some of their content, so these are third-party sites that frequently must be allowed. In the case of Cloudfront, you can typically choose to allow only the specific subdomains that you need (make sure you enable 'Options-Appearance-Full domains' or 'Full addresses').

For further information about Akamai or about how to fine-tune its permissions if you wish to do so, please see this FAQ.

Re: Updating NoScript Quick Start Guide

Posted: Mon Mar 02, 2015 1:13 am
by barbaz
Thrawn wrote:I think the best approach to this might be to have NoScript recognise a list of sites where subdomains are likely to have different ownership/trust, and which NoScript should therefore treat like TLDs.
That already exists, and Cloudfront is on that list.
Thrawn wrote:But as for updating the advice, maybe something like this?
I like that, I'll edit it in. Thanks!

Re: Updating NoScript Quick Start Guide

Posted: Mon Mar 02, 2015 2:58 am
by Thrawn
barbaz wrote:
Thrawn wrote:I think the best approach to this might be to have NoScript recognise a list of sites where subdomains are likely to have different ownership/trust, and which NoScript should therefore treat like TLDs.
That already exists, and Cloudfront is on that list.
Ah, I'd forgotten; thanks.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited