Whitelisting subdomains for https connections only

t9k
Posts: 2
Joined: Sat Dec 24, 2016 8:32 pm

Post by t9k »

Is there a way to allow scripts to run on all subdomains of a site, but only when sent over https? In other words, is there a way to whitelist https://*.google.com?

The "Forbid active web content unless it comes from a secure (HTTPS) connection" option is not what I am looking for because I still want to allow other http sites to run scripts.

The "Force the following sites to use secure (HTTPS) connections" option is also not what I am looking for because I still want http://*.google.com to be allowed to load but not allowed to run scripts. This option can also break OCSP: when https://www.google.com is loaded, OCSP queries http://clients1.google.com/ocsp, which NoScript converts to https, causing another OCSP query and resulting in an infinite loop.

Thanks in advance for any suggestions.
Last edited by barbaz on Tue Dec 20, 2016 4:11 pm, edited 1 time in total.
Reason: kill board-generated links
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
fatboy
Senior Member
Posts: 82
Joined: Fri Jul 25, 2014 6:56 am

Re: Whitelisting subdomains for https connections only

Post by fatboy »

google.com in whitelist

Code:

Site ^http://[^/]+\.google\.com #for subdomains, not http://google.com
# or Site ^http://([^/]+\.)?google\.com #subdomains or http://google.com
Deny INC(SCRIPT)
Sandbox
(On a sample viewtopic.php?p=77597#p77597)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 SM/2.38 NS/2.9.0.12
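
As an added illustration (not part of fatboy's post and not NoScript's own code), the JavaScript below runs the two Site patterns from the post against constructed URLs to show which requests each rule would select. The `ANCHORED` variant, the helper names and the sample URLs are assumptions of this example; only the OCSP URL comes from the thread.

```javascript
// The two Site patterns from the post, written as JavaScript RegExp objects.
const SUBDOMAINS_ONLY = /^http:\/\/[^/]+\.google\.com/;
const SUBDOMAINS_OR_APEX = /^http:\/\/([^/]+\.)?google\.com/;

// Assumption of this example: a variant that also requires the host to end
// right after "google.com" (optional port, then "/", "?", "#" or end of URL).
const ANCHORED = /^http:\/\/([^/]+\.)?google\.com(?::\d+)?(?:[/?#]|$)/;

// Constructed sample URLs; the OCSP URL is the one quoted in the first post.
const SAMPLES = [
  "http://mail.google.com/",             // http subdomain: the intended target
  "http://google.com/",                  // bare domain over http
  "https://mail.google.com/",            // https: must stay outside the rule
  "http://clients1.google.com/ocsp",     // OCSP responder over http
  "http://notgoogle.com/",               // different registrable domain
  "http://mail.google.com.example.org/", // google.com is only a host prefix
  "http://example.org/?u=x.google.com",  // google.com appears only in the query
];

// Report which of the three patterns select a given URL.
function classify(url) {
  return {
    url,
    subdomainsOnly: SUBDOMAINS_ONLY.test(url),
    subdomainsOrApex: SUBDOMAINS_OR_APEX.test(url),
    anchored: ANCHORED.test(url),
  };
}

// Classify every sample so the differences can be compared side by side.
function report(urls = SAMPLES) {
  return urls.map(classify);
}

console.table(report());
```

Because the posted patterns have no anchor after `google\.com`, they also select hosts that merely start with that name; for a Deny rule this only means extra blocking.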
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Whitelisting subdomains for https connections only

Post by barbaz »

@fatboy: When a site is forbidden in NoScript, it's not just JS that's blocked. The "OBJ, FONT, XHR, MEDIA" in the sample is there to emulate *all* of NoScript's active content blocking. (see NoScript Options > Embeddings, and noscript.forbidXHR)
*Always* check the changelogs BEFORE updating that important software!
t9k
Posts: 2
Joined: Sat Dec 24, 2016 8:32 pm

Re: Whitelisting subdomains for https connections only

Post by t9k »

@fatboy I have tried modifying the ABE rules as you have suggested, but it seems that scripts (and other active content) are still able to run on the http versions.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Whitelisting subdomains for https connections only

Post by barbaz »

Temporarily locking
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Whitelisting subdomains for https connections only

Post by barbaz »

Unlocking.

t9k, please upgrade NoScript to the latest development build 2.9.5.3rc2 and then retry fatboy's suggestion.