NoScript v10: websites in the default whitelist from NS v5?

fenix

Post by fenix » Wed Jun 20, 2018 5:27 pm

Hello.

As we know, NoScript v5, when installed for the first time, contains a pretty short default whitelist of sites which are required, for example, by the Mozilla add-ons website, YouTube, Gmail, Google Maps etc. Not to mention the noscript.net site. But that's obvious. Anyway, we can see e.g. youtube.com, ajax.googleapis.com, googlevideo.com, yahoo.com, paypal.com, hotmail.com, msn.com, just to name a few.

There are also some of the so-called "pseudo URLs" (about:xyz, moz-safe-about:, resource:) and they cannot be removed, because of the browser etc. Of course, some websites related to CDNs (Content Delivery Networks) could not be missing either, which are, quoting the FAQ page (please see below), "providing common, well known and verified JavaScript libraries and frameworks to popular websites". On the list there are, among others, ajax.aspnetcdn.com, bootstrapcdn.com, code.jquery.com and so on.

So, I would like to ask a question: should NoScript v10 users add the mentioned sites or not (I'm thinking especially about CDNs)? If yes, then which preset should be used: TRUSTED or CUSTOM with the needed options? Yes, I know that some sites are "required by popular credit card verification systems". Or maybe users should not do anything and leave everything as-is? Even users who removed some of the whitelisted sites etc.

I'm asking about all these things because, after the NoScript v5 to v10 update, there were none of the sites mentioned, for example, in the FAQ (see below), except YouTube-related sites. If I remember correctly, I removed some of these websites a couple of years ago, when v10 was not available yet.

More information can be found on the excellent NoScript FAQ site: https://noscript.net/faq#qa1_5 and https://noscript.net/faq#qa1_11. If someone would like to know what a CDN is in general, please see: https://www.incapsula.com/cdn-guide/wha ... works.html.

Geez, I'm so confused... Anyway, I'm sorry for my very naive questions.

Thanks, best regards.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

skriptimaahinen
Senior Member
Posts: 213
Joined: Wed Jan 10, 2018 7:37 am

Re: NoScript v10: websites in the default whitelist from NS

Post by skriptimaahinen » Wed Jun 20, 2018 7:17 pm

Default TRUSTED sites (all permissions enabled):

addons.mozilla.org
afx.ms
ajax.aspnetcdn.com
ajax.googleapis.com
bootstrapcdn.com
code.jquery.com
firstdata.com
firstdata.lv
gfx.ms
google.com
googlevideo.com
gstatic.com
hotmail.com
live.com
live.net
maps.googleapis.com
mozilla.net
netflix.com
nflxext.com
nflximg.com
nflxvideo.net
noscript.net
outlook.com
passport.com
passport.net
passportimages.com
paypal.com
paypalobjects.com
securecode.com
securesuite.net
sfx.ms
tinymce.cachefly.net
wlxrs.com
yahoo.com
yahooapis.com
yimg.com
youtube.com
ytimg.com

Then there is about:config entry "extensions.webextensions.restrictedDomains", that lists some Mozilla related sites where NoScript cannot function (unless you mess with that entry and "privacy.resistFingerprinting.block_mozAddonManager". You probably shouldn't).

The "pseudo URLs" are also out of scope for NoScript 10 and there is no way to include them.

There is no real reason to allow the above domains unless you actually encounter them while browsing and it doesn't matter whether you use TRUSTED or CUSTOM with select permissions as long as it works.

For DEFAULT the default permissions are (frame, fetch and other).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

fenix

Re: NoScript v10: websites in the default whitelist from NS

Post by fenix » Thu Jun 21, 2018 1:17 pm

Hi skriptimaahinen.

Thanks for the answer. Do you have all the websites mentioned in the <code></code> tags added to NoScript v10? If yes, which preset are you using: one, for example DEFAULT, or different options for each page? Also, did you modify an 'about:config' entry? If it's about Firefox's anti-fingerprinting, I'm using the 'privacy.resistFingerprinting' option on my testing computer (and this topic applies to this testing computer).

Yes, sometimes I encounter some of these websites, mostly CDN-related, for example ajax.aspnetcdn.com or bootstrapcdn.com etc. So, what would you suggest in such a situation: allow the two mentioned websites and check which options they really need to work correctly? (I mean 'script', 'fetch', 'others' etc.) Or maybe add every website from your post? (Are they from NoScript v5?)

I'm sorry for my naive questions, but I would like to know the default whitelist of websites from NoScript v5 and what to do in NoScript v10 etc.

By the way, skriptimaahinen, did you use, for example, the Decentraleyes add-on?
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

skriptimaahinen

Re: NoScript v10: websites in the default whitelist from NS

Post by skriptimaahinen » Thu Jun 21, 2018 6:50 pm

Oh no. I don't actually have any of them added. I just copied the list straight from the (NS10) source code. So that is the default whitelist you should get on a fresh install of NS10. But like you, I also deleted all the whitelisted sites way back when I was using NS5.

Even though block_mozAddonManager is in the resistFingerprinting section, I don't think it has anything to do with resisting fingerprinting...

fenix wrote:
> Yes, sometimes I encounter some of these websites, mostly CDN-related, for example ajax.aspnetcdn.com or bootstrapcdn.com etc. So, what would you suggest in such a situation: allow the two mentioned websites and check which options they really need to work correctly? (I mean 'script', 'fetch', 'others' etc.) Or maybe add every website from your post? (Are they from NoScript v5?)

I'm going to quote myself here:

skriptimaahinen wrote:
> There is no real reason to allow the above domains unless you actually encounter them while browsing and it doesn't matter whether you use TRUSTED or CUSTOM with select permissions as long as it works.

Don't want to give any recommendations, but they are whitelisted by default with all privileges. You decide yourself.


I do not use Decentraleyes but I have considered doing so at some point.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

fenix

Re: NoScript v10: websites in the default whitelist from NS

Post by fenix » Wed Jul 04, 2018 2:54 pm

Hi skriptimaahinen.

I'm sorry for such a long time without an answer. OK, so you don't have any of the CDN websites in your NoScript installation. And if it's about what you have written: "There is no real reason to allow the above domains unless you actually encounter them while browsing" -- Sometimes, on various websites, I notice one or two CDN-related domains (I mean in the NoScript main window). Mostly it's 'ajax.aspnetcdn.com' and/or 'cdnjs.cloudflare.com'.

It looks like CDN-related domains need the script option only. So, the best way to make, for example, the Decentraleyes add-on work is to create a CUSTOM rule with the script option. What do you think? Would that be okay? I'm asking because of the mentioned add-on, which you were considering using etc. On the official website, there is a simple test to check whether Decentraleyes is configured correctly and works okay.

By the way, skriptimaahinen: which permissions have you marked in the DEFAULT scope? Generally, what is your setting for the DEFAULT scope? I'm sorry for my very naive and stupid questions.

(On one of my testing computers, I unchecked everything, but I'm thinking about, let's say, 'fetch', 'other' and 'frame'. However, I don't know if it's a good idea etc.)

Thanks, best regards.

(I would like to recommend the Decentraleyes add-on to all users, because it's doing a really good job! (Protecting against tracking via "free" content delivery, and it works out of the box!) More information can be found on addons.mozilla.org and on the official Decentraleyes website.)
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

skriptimaahinen

Re: NoScript v10: websites in the default whitelist from NS

Post by skriptimaahinen » Wed Jul 04, 2018 6:47 pm

I have noticed that "fetch" is a good addition to the CDN rules, since that allows page scripts to fetch content from the CDN, such as media files and streams, which does seem to be the usual case.

frame, fetch and other are default choices for DEFAULT, so those should be good options. Personally I don't have anything in the DEFAULT.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
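
Added example (not part of the thread and not NoScript's own code): a simplified model of how the DEFAULT, TRUSTED and CUSTOM presets discussed above resolve for a host, and which allow-list entries were never encountered while browsing. The capability names, the matching rule, the CUSTOM-before-TRUSTED lookup order and the sample hosts are assumptions made for illustration.

```javascript
// Simplified model of NoScript 10 presets (assumption, not NoScript's code).
// Capability names are assumed from the NoScript 10 UI of that period.
const ALL_CAPS = ["script", "object", "media", "frame", "font", "webgl", "fetch", "other"];

// Constructed policy: a few entries from the default TRUSTED list quoted in the
// thread, plus one CUSTOM rule limiting a CDN to script + fetch.
const policy = {
  DEFAULT: ["frame", "fetch", "other"],
  TRUSTED: ALL_CAPS,
  trusted: ["ajax.googleapis.com", "bootstrapcdn.com", "code.jquery.com", "paypal.com", "youtube.com"],
  custom: { "ajax.aspnetcdn.com": ["script", "fetch"] },
};

// True when host equals the entry or is a subdomain of it. The match is on a
// dot boundary, so "notpaypal.com" does not inherit the "paypal.com" rule.
function covers(entry, host) {
  return host === entry || host.endsWith("." + entry);
}

// Resolve the preset and capabilities for a host. CUSTOM entries are checked
// before TRUSTED ones (a choice of this model); anything else gets DEFAULT.
function resolve(host, p) {
  host = host.toLowerCase();
  const c = Object.keys(p.custom).find((e) => covers(e, host));
  if (c) return { preset: "CUSTOM", entry: c, caps: p.custom[c] };
  const t = p.trusted.find((e) => covers(e, host));
  if (t) return { preset: "TRUSTED", entry: t, caps: p.TRUSTED };
  return { preset: "DEFAULT", entry: null, caps: p.DEFAULT };
}

// Allow-list entries that no observed host matched: candidates for removal.
function unusedEntries(observedHosts, p) {
  const used = new Set(observedHosts.map((h) => resolve(h, p).entry));
  return [...p.trusted, ...Object.keys(p.custom)].filter((e) => !used.has(e));
}

// Constructed sample of third-party hosts seen while browsing.
const observed = ["ajax.aspnetcdn.com", "maxcdn.bootstrapcdn.com", "cdnjs.cloudflare.com", "notpaypal.com"];
for (const h of observed) {
  const r = resolve(h, policy);
  console.log(h, "->", r.preset, r.caps.join(","));
}
console.log("never encountered:", unusedEntries(observed, policy).join(", "));
```

In this model the CUSTOM rule leaves ajax.aspnetcdn.com with two capabilities instead of the eight a TRUSTED entry would grant, and the unused entries are the ones the thread says there is no real reason to keep.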