Pros and cons of adding a permanent whitelist for Cloudflare

Post by asdfasdfasdfasdfasdfasd » Fri Aug 10, 2018 10:50 pm

I've been using NoScript for a few years. Great job, sorry to hear about the pain of the new Firefox. Cloudflare is becoming more and more popular for websites to use. A few that I go to regularly require scripts from cloudflare.com, some require gibberish looking subdomains from Cloudflare, and some work fine with scripts from Cloudflare blocked.

Generally speaking, what are the pros and cons of permanently whitelisting Cloudflare.com?

An example of a site requiring Cloudflare.com is BitChute. It requires the actual domain, cloudflare.com, and polyfill.io

Cloudflare is in the business of tracking things across the web, in an attempt to block harmful things. And who knows what else they do with that data, or whether what they say is true, bent, or a lie? I don't. And even if I were to corroborate their words now, what about in the future?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
asdfasdfasdfasdfasdfasd
 

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by barbaz » Sat Aug 11, 2018 2:50 am

I assume you're using NoScript Classic. If you go to NoScript Options > Appearance, and check "Full Domains", does the cloudflare show as "cdnjs.cloudflare.com" on the sites you see cloudflare? If yes then it's a somewhat different question from 'What are the pros and cons of whitelisting Cloudflare?'.

asdfasdfasdfasdfasdfasd wrote: some require gibberish looking subdomains from Cloudflare,

To be clear, you're not confusing Cloudflare with cloudfront, are you?
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 8524
Joined: Sat Aug 03, 2013 5:45 pm

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by asdfasdfasdfasdfasdfasd » Sat Aug 11, 2018 12:18 pm

If I change that setting in appearance, on BitChute, I have the option to allow scripts from cdnjs.cloudflare.com as well as cloudflare.com in the same block. I had to revoke cloudflare.com before I could see both of them. Reddit now has double the number of domains of javascript too, with a www. subdomain for both reddit.com and redditstatic.com.

Looking at recent websites I went to yesterday, I found one with the gibberish subdomain, and it was indeed Cloudfront, not Cloudflare. I'm surprised I never noticed that difference, but the first 6 characters (60%) of the characters are the same, so I guess the human condition got in the way.

It seems that Cloudfront is yet another Amazon CDN.

Should I worry about adding permanent exceptions to allow javascript from all these tech companies that are obviously vacuuming up as much user data as possible? Any kind of threat model goes out the window when there is a pervasive vacuum everywhere sucking up everything to be sold to all the bidders and stolen or leaked on a regular basis.

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by barbaz » Sat Aug 11, 2018 2:50 pm

Re: cloudfront
I wouldn't be comfortable allowing all of cloudfront.net. Anyone can put their CDN there, so whitelisting *.cloudfront.net is like whitelisting the entire Internet.
It looks like the "gibberish subdomains" are specific to the owner, so I would recommend only whitelisting the specific full domain(s) you need. Permanent whitelist probably isn't that much different from temporary whitelist in this case.

Re: cdnjs.cloudflare
This is a generic Javascript library CDN, hosted by Cloudflare. Personally, I just allow it when it comes up on a site where I need JS. But you don't have to allow *any* generic JS library CDN if you don't want to. The simplest way to avoid it is probably to use Decentraleyes (I don't use it myself, but others here have recommended it). And if cdnjs.cloudflare is serving a JS library that Decentraleyes doesn't provide, you could download that JS library from its official site and have NoScript provide it - viewtopic.php?p=90682#p90682
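The difference between whitelisting a shared suffix and whitelisting one full domain, as discussed in the post above, can be checked with a short script. This is an added example, not part of the thread and not NoScript's own matching code; it assumes a simplified model in which an entry covers itself and its subdomains, and every hostname in it except cdnjs.cloudflare.com and the two base domains is constructed.

```javascript
// Simplified model of domain whitelisting (illustration only, not NoScript's code).

// Suffixes where each subdomain belongs to a different customer.
// Assumption: only the one named in the thread is listed; extend as needed.
const MULTI_TENANT_SUFFIXES = ["cloudfront.net"];

// Lower-case, drop a leading "*." and a trailing dot.
function normalize(name) {
  return name.trim().toLowerCase().replace(/^\*\./, "").replace(/\.$/, "");
}

// True if host equals the entry or is a subdomain of it. The match is made on a
// label boundary, so "notcloudfront.net" is not covered by "cloudfront.net".
function coveredBy(host, entry) {
  const h = normalize(host), e = normalize(entry);
  return h === e || h.endsWith("." + e);
}

// For each whitelist entry, list the observed script hosts it would allow and
// flag entries that are a shared suffix spanning unrelated owners.
function auditWhitelist(whitelist, observedHosts) {
  return whitelist.map(entry => ({
    entry,
    allowed: observedHosts.filter(h => coveredBy(h, entry)),
    sharedSuffix: MULTI_TENANT_SUFFIXES.includes(normalize(entry)),
  }));
}

// Constructed sample of script hosts seen while browsing.
const observed = [
  "cdnjs.cloudflare.com",
  "www.cloudflare.com",
  "d1aaaexample.cloudfront.net", // made-up distribution used by site A
  "d2bbbexample.cloudfront.net", // made-up distribution of an unrelated site B
  "notcloudfront.net",           // look-alike that must not match
];

const broad = auditWhitelist(["cloudflare.com", "*.cloudfront.net"], observed);
const narrow = auditWhitelist(
  ["cdnjs.cloudflare.com", "d1aaaexample.cloudfront.net"], observed);

for (const r of [...broad, ...narrow]) {
  const note = r.sharedSuffix ? " [shared suffix: any owner]" : "";
  console.log(`${r.entry}: allows ${r.allowed.length} host(s)${note}`);
}
```
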

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by fenix » Sun Aug 12, 2018 2:53 pm

Hello.

Yes, barbaz is right -- 'Decentraleyes' addon is okay but it seems that there are some issues when it's used along with NoScript at the same time. "CDN" websites need a 'script' option (that's what I've noticed via '[CUSTOM]' option etc.), but even with that 'Decentraleyes' is not working.

When I disable NoScript and reload website, then everything is okay: 'Decentraleyes' works, injects and shows "CDN" numbers of local content delivery etc. I'm trying to solve this problem but... Nothing helps.

Thanks, best regards.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
fenix
 

