
[RESOLVED] NS 10 Weird handling of TLDs & local domains?

Posted: Sat Dec 02, 2017 2:34 pm
by DHO
I am running Firefox 57.0.1 (64-bit) and NoScript 10.1.5.1.
I have ...gov.uk set to Trusted with the green padlock icon (https only).
If I go to https://www.gov.uk/government/organisat ... ue-customs then the page has blocked scripts.
I see that ...www.gov.uk and ...publishing.service.gov.uk appear in the list as 'Default'.
Why are these not trusted if ...gov.uk is trusted?
(If I set them both to trusted they appear as entries with the green padlock icon)

Re: NoScript 10.1.5.1 question

Posted: Sun Dec 03, 2017 3:06 pm
by DHO
Just updated to NoScript 10.1.5.3 and confirmed that the behaviour hasn't changed (not that I expected it to given the content of the release notes).

I'm assuming that it is not just me that is confused about:
a) Why setting ...gov.uk as trusted doesn't make ...www.gov.uk and ...publishing.service.gov.uk trusted.
b) On what basis it decides to offer ...www.gov.uk and ...publishing.service.gov.uk (particularly the latter).

Not sure whether this behaviour is a bug or undocumented functionality (or some combination of both?).

Re: NoScript 10.1.5.1 question

Posted: Sun Dec 03, 2017 3:45 pm
by Tomate
I think gov.uk or gov.au are more TLDs than websites.
If you allow ...gov.uk then you would also have to allow ...co.uk (amazon.co.uk, etc) and even ...com as a rule, and that really doesn't make sense.
And why would one want to allow every single website under gov.uk:
https://www.edinburgh.gov.uk/ ; https://www.london.gov.uk/ ; etc.......

I think it's fine to just add https://www.gov.uk/, then you can browse that website.

https://de.wikipedia.org/wiki/.uk#Second-Level-Domains

Re: NoScript 10.1.5.1 question

Posted: Sun Dec 03, 2017 3:54 pm
by Tomate

Re: NoScript 10.1.5.1 question

Posted: Sun Dec 03, 2017 7:49 pm
by DHO
Different people might have different views on trusting ...gov.uk - I think that should be a user choice, I am just trying to understand the rules.

On further investigation the issue still seems to be there at the next domain level down and not just with ...gov.uk.
If I trust ...service.gov.uk and ...googleapis.com and go to https://www.compare-school-performance.service.gov.uk/
then it shows ...compare-school-performance.service.gov.uk and ...maps.googleapis.com both as default rather than trusted.

Re: NoScript 10.1.5.1 question

Posted: Sun Dec 03, 2017 10:48 pm
by Tomate
Regarding googleapis.com, service.gov.uk:

* In case of googleapis.com it could be the intended behaviour, as googleapis are widely used, to choose them individually. (Just a guess.)
maps.googleapis.com
imasdk.googleapis.com
ajax.googleapis.com
content.googleapis.com
...
* service.gov.uk is a redirection to www.gov.uk (probably not important)
I agree that on service.gov.uk it should be possible to apply rules to its subdomains.

Would be interesting what is special about those few domains, that they are currently not accepted by NoScript.

YouTube shows it's clearly possible to apply rules for more than one level downwards:
https://googleads.g.doubleclick.net
https://pubads.g.doubleclick.net
https://static.doubleclick.net
doubleclick.net

I also found those strange examples:
https://www.vic.gov.au/
www.vic.gov.au
https://www.nsw.gov.au/
nsw.gov.au

Re: NoScript 10.1.5.1 question

Posted: Sun Dec 03, 2017 11:13 pm
by Tomate
I found out that this corresponds to the way Firefox highlights the base domain in the address bar:
https://www.gov.uk/
https://assets.publishing.service.gov.uk/
https://www.vic.gov.au/
https://www.nsw.gov.au/

So I guess NS uses that base domain information from firefox.

Re: NoScript 10.1.5.1 question

Posted: Sun Dec 03, 2017 11:47 pm
by DHO
That's an interesting suggestion...

If NoScript 10 is trying to process a mixture of inputs sourced from:
a) Existing entries that were carried over from the previous NoScript settings that the user may have built up over the years.
b) Any entries that have subsequently been manually entered in the 'Address of web site' input box.
c) Options that may be based off Firefox's idea of domain structures.

and you can't rely on reasonable assumptions such as that ...service.gov.uk will match *.service.gov.uk and ...googleapis.com will match *.googleapis.com then it all seems very confusing to me!

Re: NoScript 10.1.5.1 question

Posted: Mon Dec 04, 2017 12:14 am
by Tomate
(Better to say not necessarily taken over from Firefox, but obtained in the same way.)

Maybe it's better to not use manual adding so much, until there is the documentation available for NS.
(Or someone with enough knowledge will clear it up here.) :)

Re: NoScript 10.1.5.1 question

Posted: Mon Dec 04, 2017 1:48 am
by barbaz
I would suspect NoScript is determining top-level domain by comparing the domain to this list, and just going one level down from that - https://github.com/publicsuffix/list/bl ... x_list.dat

Re: NoScript 10.1.5.1 question

Posted: Mon Dec 04, 2017 10:02 am
by Richard
The same problem exists for internal corporate domains, where I definitely want to white-list the entire domain:

Currently, if I set ...acme.corp to trusted, none of the subdomains will be trusted (like https://portal.acme.corp). Larger companies have many of these subdomains making the use of internal sites together with NoScript quite awkward.

Re: NoScript 10.1.5.1 question

Posted: Mon Dec 04, 2017 11:27 am
by Tomate
ok, service.org.uk really is on that list;
but doesn't explain behaviour with:
...ajax.googleapis.com
...www.vic.gov.au
and what Richard said

I wonder if it's easily possible to distinguish between for example
...vic.gov.au ( https://www.vic.gov.au/ ) (please keep links)
and
...co.uk ( https://www.google.co.uk/ )
where again you don't really want big "Top-level"-Domains to be an allowed rule

Re: NoScript 10.1.5.1 question

Posted: Mon Dec 04, 2017 11:56 am
by Tomate
Tomate wrote: ok, service.org.uk really is on that list;
but doesn't explain behaviour with:
...ajax.googleapis.com
...www.vic.gov.au
and what Richard said

that statement is wrong, forgot to go one level down
does explain it

it even shows that nsw.gov.au was removed:
// nsw.gov.au Bug 547985 - Removed at request of <Shae.Donelan@services.nsw.gov.au>

Re: NoScript 10.1.5.1 question

Posted: Mon Dec 04, 2017 1:55 pm
by Tomate
Tomate wrote: Maybe it's better to not use manual adding so much, until there is the documentation available for NS.
(Or someone with enough knowledge will clear it up here.) :)

Then in my opinion all that's needed is some explanation:
* that rules for anything higher than base domains are forbidden
and
* that base domains are the highlighted part in address bar

Re: NoScript 10.1.5.1 question

Posted: Mon Dec 04, 2017 3:31 pm
by barbaz
Richard wrote: The same problem exists for internal corporate domains, where I definitely want to white-list the entire domain:

Currently, if I set ...acme.corp to trusted, none of the subdomains will be trusted (like https://portal.acme.corp). Larger companies have many of these subdomains making the use of internal sites together with NoScript quite awkward.

I confirm this. It not only affects subdomains with "fake" TLDs (such as .corp or .lan), it also affects some real TLDs (like .test).

I would suggest that if the domain contains any dots, and if it doesn't have a known TLD, NoScript should fall back to the "one-dot rule" - whatever comes after the last dot is treated as the TLD.
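
The base-domain behaviour worked out in this thread, together with the one-dot fallback suggested in the last post, modelled as an added JavaScript example (not NoScript's code and not part of any post). The suffix set is a constructed excerpt mirroring what the thread reports, the function names are hypothetical, and the real list's wildcard and exception rules are left out.

```javascript
// Added example, not NoScript's code. SUFFIXES is a constructed excerpt that
// mirrors the behaviour reported in the thread, not a copy of the real list.
const SUFFIXES = new Set([
  "com", "net", "uk", "au", "co.uk", "gov.uk", "service.gov.uk",
  "gov.au", "vic.gov.au", "googleapis.com",
]);

// Longest known public suffix of host, or null if none is known.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (SUFFIXES.has(candidate)) return candidate;
  }
  return null;
}

// Base domain = public suffix plus one label. With oneDotFallback, an unknown
// TLD (e.g. .corp) is treated as the suffix, as suggested in the last post.
function baseDomain(host, oneDotFallback = false) {
  const labels = host.toLowerCase().split(".");
  let suffix = publicSuffix(host);
  if (suffix === null) {
    if (!oneDotFallback || labels.length < 2) return null;
    suffix = labels[labels.length - 1];
  }
  const n = suffix.split(".").length;
  if (labels.length <= n) return null; // host is itself a bare suffix
  return labels.slice(-(n + 1)).join(".");
}

// A "...domain" rule applies only when the rule sits at or below the host's
// base domain (never at a bare suffix) and the host equals it or is below it.
function ruleTrusts(rule, host, oneDotFallback = false) {
  const base = baseDomain(host, oneDotFallback);
  if (base === null) return false;
  const ruleCoversBase = rule === base || rule.endsWith("." + base);
  const hostUnderRule = host === rule || host.endsWith("." + rule);
  return ruleCoversBase && hostUnderRule;
}
```

The Public Suffix List's published algorithm has the same default as the one-dot rule: when no listed rule matches a host, the prevailing rule is `*`, which makes the last label the suffix.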