Either way you decide, maybe have an error condition for adding a rule that No script will not match.Giorgio Maone wrote:I wonder how blanket trusting all the subdomains of cloudfront.net might be a good idea, since anybody can store any kind of code there and each subdomain can be operated by a different entity (so, who are "trusting" you exactly?).DHO wrote:Several weeks have now passed. There have been some more threads about wanting to trust *.cloudfront.net
Using the public TLD suffix list to build the list of operable items in the popup will be kept as it is because it's the only thing which makes sense security-wise.
However, I'm considering to let users shoot themselves in their foot if they wish so by making manually entered sites (in the Options tab) validated in a more and lenient way.
As is, it adds the rule, the rule looks fine, but it is never applied.
If you do allow manual adding these kind of broad rules a warning would probably be appropriate.
The specific case of cloudfront and other such providers is surely more debatable then the other cases described here.
.gov.uk isn't such a "everybody can drop something on there", and the internal corporate domains neither.
With the change of how the presets are configured, and this case..
I see a risk of making security decisions as if the majority of users were completely computer illiterate, but for those NS was always rather too complicated in the first place.
And meanwhile annoy the users who actually want to use it, but run into increasing barriers of getting it done, because of the above.
Making NS both foolproof (pun intended) and actually quick to use for those who know what they want, is going to be quite a challenge.
It's not like NS Classic ever really prevented users from making it entirly pointless by configuring it non nonsensically.
What's the worst that can happen? Scripts running as for every user out there who just uses their browser.