Recaptcha without allowing entire google.com domain

[ultramage]

A lot of sites include the google recaptcha script. Unfortunately, it does not have its own subdomain, but is hosted directly on google.com. Whitelisting the whole google.com domain is not funny. Can this be sorted out somehow within the current NoScript framework?

[barbaz]

Allow google.com in script blocking, then use ABE to allow only select google scripts -

Code: Select all

Site <whatever-google.com-stuff-recaptcha-needs>
Accept

Site .google.com
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox

Replace <whatever-google.com-stuff-recaptcha-needs> with the scripts you want to allow. See ABE Rules .pdf for how to specify it.

[ultramage]

I only spent a few minutes on it, but "Site ^https://www.google.com/recaptcha/" is good enough for me. Thank you very much for this info.

[barbaz]

You're welcome.

"Site ^https://www.google.com/recaptcha/"

In regex, a plain . means 'any character', so your Site line would match e.g. "https://www-google.com/recaptcha/". So you might want to change it to this -

Code: Select all

Site ^https://www\.google\.com/recaptcha/

[ultramage]

I have a followup to this. Whenever a captcha loads, the firefox debugger reports

Code: Select all

CustomError: Jsloader error (code #0): Error while loading script //www.google.com/js/bg/<long string that triggers forum antispam>.js

Failing to load this out-of-scope script causes the google server to request 5+ valid answers before accepting, compared to the usual 1-2 if the script is allowed.
I wish NoScript would ship with a narrowly scoped surrogate-like thing that deals with these sorts of shenanigans. Or that google made their recaptcha easier to whitelist.