2nd level domains

lancelot

2nd level domains

Post by lancelot »

On imdb . com, clicking the NoScript button shows this:
...imdb . com
...media-imdb . com
...media-imdb . com

That seems wrong. Either those two entries do the same thing, then only one should be shown, or NoScript should show how they're different.
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
lancelot

Re: 2nd level domains

Post by lancelot »

On 10.1.3, the list for imdb . com looks like this:
Image
So, apparently, it shows:

the full trusted address https :// ia . media-imdb . com
the full untrusted address http :// ia . media-imdb . com
the 2nd level trusted address ...media-imdb . com
the 2nd level untrusted address ...media-imdb . com

That looks way too cluttered. I'd prefer to be able to switch between "Show full address" and "Show 2nd level domain", like in the old NoScript.

Also, wouldn't it be possible for NoScript to detect the correct default (trusted or untrusted) for a given source? So there would be one entry, and if I wanted to change the default, I'd click on the lock icon.
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Pansa
Senior Member
Posts: 318
Joined: Fri Nov 24, 2017 10:30 pm

Re: 2nd level domains

Post by Pansa »

lancelot wrote:On 10.1.3, the list for imdb . com looks like this:
Image
So, apparently, it shows:

the full trusted address https :// ia . media-imdb . com
the full untrusted address http :// ia . media-imdb . com
the 2nd level trusted address ...media-imdb . com
the 2nd level untrusted address ...media-imdb . com

That looks way too cluttered. I'd prefer to be able to switch between "Show full address" and "Show 2nd level domain", like in the old NoScript.

Also, wouldn't it be possible for NoScript to detect the correct default (trusted or untrusted) for a given source? So there would be one entry, and if I wanted to change the default, I'd click on the lock icon.
1. Imdb is a bit of an outlier in that it actually runs different scripts for the IA sub over https and http.

I agree that a toggle between the "..." full domain trust and the "specific address" rules would, long term, free up the interface.

As far as "the correct default" is concerned, apparently quite a number of users prefer "default" to be less restricted than "untrusted".

The lock icon is something entirely different, the lock is for the ...page rules and in general (imdb being the exception) you would decide between allowing the whole domain either for HTTPS (green lock) or both http and https (red lock).
Basically, in your screenshot:
If you make a red lock rule for the red '... media-imdb', the black one is "included". You would allow "both https and http for the whole media-imdb domain", which covers all 4 entries you see there.
Accordingly, having a red lock or green lock at all for the "http(s)://ia.media-imdb.com" rules is redundant, because you already specifically allow http or https.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
lancelot

Re: 2nd level domains

Post by lancelot »

Sorry, bad wording on my part. Forget I said trusted/untrusted :). I meant http vs. https.

That is, in most cases a given source will use only one protocol (either http or https), and NoScript knows which protocol is being used. So why doesn't it show just one line, either black for https or red for http? And if for some reason I want to change it, I click the lock.

I already complained here about how it was done in 10.1.2, but it's no better now, I still have to guess whether I need to allow http or https.
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Pansa

Re: 2nd level domains

Post by Pansa »

lancelot wrote:Sorry, bad wording on my part. Forget I said trusted/untrusted :). I meant http vs. https.

That is, in most cases a given source will use only one protocol (either http or https), and NoScript knows which protocol is being used. So why doesn't it show just one line, either black for https or red for http? And if for some reason I want to change it, I click the lock.

I already complained here about how it was done in 10.1.2, but it's no better now, I still have to guess whether I need to allow http or https.
I think I already replied to that in yet another post, but I can't quickly find it.
The issue is that specifically it is NOT always only one source.
Many webpages have both an HTTPS and an HTTP variant.
Sure, at a given point you are on either, but in most cases you should intentionally visit the https version. Making an HTTPS-only rule prevents script execution (and thus man-in-the-middle attacks) should you by accident visit the http version.
But for cases (like here) where a site, for god knows what reasons, delivers different content via http than via https, chances are you want to enable both in one go.

Some things NoScript knows (and it is more clear when it spits out the full path domains), but specifically for the way more lenient "allow all subdomains with it" rules (which, if you remember, were the only ones available for a time) NS can't just make that distinction for what is on the specific page you are on NOW.

Just take imdb as an example.
The main domain only comes as http, the media subdomain comes in http and https variants (and as I see it, with different content no less).
So you might think "well, https is available" and make an https rule, but that could fail you. In other cases the http and https variants are redundant, and then you'd make an https-only rule, just to prevent it from trying to run http which it doesn't need. This is all "site" specific, and NoScript can't account for that, so you have to make that decision (by, as usual, starting as restrictive as you think works, and then allowing more if it doesn't).
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Guest

Re: 2nd level domains

Post by Guest »

If NoScript sees that a source is using both http and https, can't it show just the red line?
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
lancelot

Re: 2nd level domains

Post by lancelot »

Forgot to set the username in the previous reply :).
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Pansa

Re: 2nd level domains

Post by Pansa »

For the main page that doesn't work (because if you are on the http variant it doesn't show you it has the https available as well, or vice versa).

And for either (main or sub) it's not a proper response.
Just because the page WANTS to run both http and https doesn't mean you NEED both.

You are downplaying a bit what web developers can do with their pages, and what the implications are.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
lancelot

Re: 2nd level domains

Post by lancelot »

No, for the main page it already works as it should. If I open https :// edition . cnn . com, NoScript shows me only the black entry https :// edition . cnn . com. If I open http :// edition . cnn . com, NoScript shows me only the red entry http :// edition . cnn . com.

If I click a red entry for one of the sources, yes, I'm allowing an insecure connection. So maybe if the main page is https, some extra caution needs to be taken here. But if the main page is http, then asking me to guess -- let's click the black line; nope, didn't work, let's click the red line -- just wastes my time.
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Pansa

Re: 2nd level domains

Post by Pansa »

lancelot wrote:No, for the main page it already works as it should. If I open https :// edition . cnn . com, NoScript shows me only the black entry https :// edition . cnn . com. If I open http :// edition . cnn . com, NoScript shows me only the red entry http :// edition . cnn . com.
That is for the specific full domain name rules. These operate differently than the [...] rules.
Just for starters there is NO "both" for the full domain name rules. If you want to run both versions, and NOT use a "...page rule", you have to set BOTH specific rules.
If a page shows you both the explicit https://page and http://page rule for a source, that means the page is actually trying to run BOTH (see imdb: imdb specifically tries to run scripts for both the http as well as https variants of ia.media-imdb.com). NoScript has no way to figure out whether that is redundant (as in scripts trying to run either/or) or whether both have different functions (https doing one thing and http doing something else).

The "...media-imdb.com" rules are different, as they are generalised. In those rules the red one means "apply to either" and the black one "apply to only https" (black text and red text are basically the same as green lock and red lock).
But the reason why BOTH show up is that imdb is running scripts from both.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
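Added example, not part of any post in this thread and not NoScript's own code: a small model of the two rule kinds as described in the post above, showing which of the requested script origins each rule would cover. The rule objects, function names and script paths are hypothetical and constructed for illustration.

```javascript
// Hypothetical model of the rules discussed in the thread (not NoScript's storage format).
// kind "domain" = a "...name" entry: matches the name and all of its subdomains.
//   secureOnly: true  -> black entry / green lock (https only)
//   secureOnly: false -> red entry / red lock (http and https)
// kind "exact"  = a full-address entry: one scheme plus one host, nothing else.
function ruleCovers(rule, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  if (rule.kind === "exact") {
    const r = new URL(rule.origin);
    return u.protocol === r.protocol && host === r.hostname.toLowerCase();
  }
  // Match on a label boundary so "notmedia-imdb.com" is not treated as a subdomain.
  const name = rule.name.toLowerCase();
  const inDomain = host === name || host.endsWith("." + name);
  if (!inDomain) return false;
  if (u.protocol === "https:") return true;
  return u.protocol === "http:" && !rule.secureOnly;
}

// Returns the subset of requested URLs that a single rule would allow.
function coverage(rule, urls) {
  return urls.filter((url) => ruleCovers(rule, url));
}

// Constructed sample: the two origins from the thread, with made-up script paths.
const requested = [
  "https://ia.media-imdb.com/a.js",
  "http://ia.media-imdb.com/b.js",
];
const redDomain = { kind: "domain", name: "media-imdb.com", secureOnly: false };
const blackDomain = { kind: "domain", name: "media-imdb.com", secureOnly: true };
const exactHttps = { kind: "exact", origin: "https://ia.media-imdb.com" };

console.log("red ...media-imdb.com    :", coverage(redDomain, requested));
console.log("black ...media-imdb.com  :", coverage(blackDomain, requested));
console.log("https://ia.media-imdb.com:", coverage(exactHttps, requested));
```

In this model the red domain rule covers both requests, while the black domain rule and the exact https rule each cover only the https one, so the http script stays blocked unless it is allowed explicitly.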
Guest

Re: 2nd level domains

Post by Guest »

OK, but seeing identical red and black lines doesn't seem uncommon. I've already seen a couple of sites that have both black and red ...google . com plus both black and red ...youtube . com.

Wouldn't it be better to represent them as one red line? If I want to change the lock to green, then I click the lock.

And I didn't know that red lock for a full address doesn't mean allow both http and https. That makes things doubly confusing.
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
lancelot

Re: 2nd level domains

Post by lancelot »

I really should just register the username already...
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Pansa

Re: 2nd level domains

Post by Pansa »

Guest wrote:OK, but seeing identical red and black lines doesn't seem uncommon. I've already seen a couple of sites that have both black and red ...google . com plus both black and red ...youtube . com.

Wouldn't it be better to represent them as one red line? If I want to change the lock to green, then I click the lock.

And I didn't know that red lock for a full address doesn't mean allow both http and https. That makes things doubly confusing.
Just check your debug log when you are confused.
If you make a rule for http:// something specifically it pops up in the lock as exactly that.
Interestingly, switching the lock on exact rules sets the exact other rule. So if it asks you whether https or http and you switch the lock, it behaves as if you have chosen the other (which basically makes sense).

And making it default to red is just from a "default" perspective not good. It leads to excessively more unneeded and unnecessary http rules when you should be using https to begin with.
Again, NoScript can't know whether that is actually better, and the least it can do is show it and thus imply a decision to be made.

Btw, I don't have excessive red rules in 1.3r3 (not on 1.3 because of the resize issue) other than on pages that are really pushing a mixture of http and https.
YouTube specifically almost exclusively gives me black rules to choose from.

I understand that the initial display may be a bit confusing, but forcing https whenever possible and only allowing http when necessary is the proper thing to do. It may not look like it for "random page 15" but in many cases you do explicitly not want something (especially by accident) to run http if https is more appropriate. Http means that anyone on the way can sniff out what you send and receive and in cases of "hostile" internet providers even inject content.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
lancelot

Re: 2nd level domains

Post by lancelot »

Regarding the 2nd level domains, actually maybe that can be a toggle, like the lock currently is: there would be the global setting, "Show full addresses: on/off"; when it's off, I see just ...page . com in the drop-down menu, but I can click the toggle button on that line to see http :// www . page . com.

Regarding the lock, doesn't it seem redundant now? If NoScript decides that it needs to show me both red and black ...page . com, OK, there are two lines. If NoScript decides that only one is needed, then there is just one line. What is the purpose of the lock here?
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
lancelot

Re: 2nd level domains

Post by lancelot »

lancelot wrote:On imdb . com, clicking the NoScript button shows this:
...imdb . com
...media-imdb . com
...media-imdb . com

That seems wrong. Either those two entries do the same thing, then only one should be shown, or NoScript should show how they're different.
Doesn't happen for imdb anymore, but there's exactly the same issue in 10.1.6.3 with two identical (or identically looking?) entries for https :// www . livejournal . com:

Image
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0