Page 1 of 1

Pros and cons of adding a permanent whitelist for Cloudflare

Posted: Fri Aug 10, 2018 10:50 pm
by asdfasdfasdfasdfasdfasd
I've been using NoScript for a few years. Great job, sorry to hear about hte pain of the new Firefox. Cloudflare is becoming more and more popular for websites to use. A few that i go to regularly require scripts from, some require gibberish looking subdomains from Cloudflare, and some work fine with scripts from Cloudflare blocked.

Generally speaking, what are the pros and cons of permanently whitelisting

An example of a site requiring is BitChute. It requires the actual domain,, and

Cloudlfare is in the buisness of tracking things across the web, in an attempt to block harmful things. And who knows what else they do with that data, or whether what they say is true, bent, or a lie? I don't. And even if I were to corroborate their words now, what about in the future?

Re: Pros and cons of adding a permanent whitelist for Cloudf

Posted: Sat Aug 11, 2018 2:50 am
by barbaz
I assume you're using NoScript Classic. If you go to NoScript Options > Appearance, and check "Full Domains", does the cloudflare show as "" on the sites you see cloudflare? If yes then it's a somewhat different question from 'What are the pros and cons of whitelisting Cloudflare?'.
asdfasdfasdfasdfasdfasd wrote: some require gibberish looking subdomains from Cloudflare,
To be clear, you're not confusing Cloudflare with cloudfront, are you?

Re: Pros and cons of adding a permanent whitelist for Cloudf

Posted: Sat Aug 11, 2018 12:18 pm
by asdfasdfasdfasdfasdfasd
If I change that setting in appearance, on BitChute, I have the option to allow scripts from as well as in the same block. I had to revoke before I could see both of them. Reddit now has double the number of domains of javascript too, with a www. subdomain for both and

Looking at recent websites I went ot yesterday, I found one with the gibebrish subdomain, and it was indeed Cloudfront, not Cloudflare. I'm surprised I never noticed that difference, but the first 6 characters (60%) of the characters are the same, so I guess the human condition got in the way.

It seems that Cloudfront is yet another Amazon CDN.

Should I worry about adding permanent exceptions to allow javascript from all these tech companies that are obviously vacuuming up as much user data as possible? Any kind of threat model goes out the window when there is a pervasive vacuum everywhere sucking up everything to be sold to all the bidders and stolen or leaked on a regular basis.

Re: Pros and cons of adding a permanent whitelist for Cloudf

Posted: Sat Aug 11, 2018 2:50 pm
by barbaz
Re: cloudfront
I wouldn't be comfortable allowing all of Anyone can put their CDN there, so whitelisting * is like whitelisting the entire Internet.
It looks like the "gibberish subdomains" are specific to the owner, so I would recommend only whitelisting the specific full domain(s) you need. Permanent whitelist probably isn't that much different from temporary whitelist in this case.

Re: cdnjs.cloudflare
This is a generic Javascript library CDN, hosted by Cloudflare. Personally, I just allow it when it comes up on a site where I need JS. But you don't have to allow *any* generic JS library CDN if you don't want to. The simplest way to avoid it is probably to use Decentraleyes (I don't use it myself, but others here have recommended it). And if cdnjs.cloudflare is serving a JS library that Decentraleyes doesn't provide, you could download that JS library from its official site and have NoScript provide it - ... 682#p90682

Re: Pros and cons of adding a permanent whitelist for Cloudf

Posted: Sun Aug 12, 2018 2:53 pm
by fenix

Yes, barbaz is right -- 'Decentrlaeyes' addon is okay but it seems, that there are some issues when its used along with NoScript in the same time. "CDN" websites needs a 'script' option (that's what I've noticed via '[CUSTOM]' option etc.), but even with that 'Decentrlaeyes' is not working.

When I disable NoScript and reload website, then everything is okay: 'Decentrlaeyes' works, injects and shows "CDN" numbers of local content delivery etc. I'm trying to solve this problem but... Nothings helps.

Thanks, best regards.

Re: Pros and cons of adding a permanent whitelist for Cloudf

Posted: Sat Aug 18, 2018 2:42 pm
by asdfasdfasdfasdfasdfasd
I just recently started to use Decentralyeyes. I dind't know about the incompatibility, though lately I have been running across sites I couldn't get to work in my usual browser. I suspected the problem was from downgrading over top of itself when Quantum came out.

I'll look into adding that bit of javascript to Decentralyeyes

Re: Pros and cons of adding a permanent whitelist for Cloudf

Posted: Sun Aug 19, 2018 4:03 pm
by fenix
Hi asdf.

Would You do me a favour? Because You'd started to use "Decentraleyes" addon, but with some issues etc., please write a message, here - in this thread, when You'll manage to solve these problems, okay?

Anyway, it seems that "CDN" websites needs, at least, one option: 'script'. However, even if I'm using a 'CUSTOM' preset for such a domain - and reload website - "Decentraleyes" isn't working properly. I've tried different solutions, but with no luck. The only working solution is to disable "NoScript".

There is a test available on 'decentraleyes' website, where You can check if everything is okay:

Best regards.

Re: Pros and cons of adding a permanent whitelist for Cloudf

Posted: Mon Aug 20, 2018 5:45 am
by skriptimaahinen
Decentraleyes requiring that the resource (CDN) is unblocked by any content blocker used (e.g. NoScript) is by design (see their wiki).

What exactly is not working properly with Decentraleyes? Is there some specific web page that you have problem with?

The test page gives "fully operational" when I try it (NS, DCE 2.0.6).

Re: Pros and cons of adding a permanent whitelist for Cloudf

Posted: Wed Aug 29, 2018 4:54 pm
by fenix
Hi skriptimaahinen.

I'm sorry for such a long time without answer. The test page - mentioned by You - is working when I disable NoScript. As I already mentioned: according to NoScript and 'CUSTOM' scope, "CDN" websites needs 'script' option to work. However, even with this option, Decentraleyes is not working. I have no idea what is the reason. For now, the only one and working solution is to disable NoScript. But that's not the point, right?

Okay, lets take two examples: there is a website on which NoScript detected "CDN" domain - let say ''. If this domain is already added by the User - for instance - via 'Policy' window (found in 'Options' and 'Advanced' tab) in "untrusted" section, NoScript will assign an 'UNTRUSTED' scope for above "CDN" domain, right? In this case, Decentraleyes will not work, which is obvious.

One the second hand, if '' domain is not added by the User to the "untrusted" section (see above) and NoScript will assign a 'DEFAULT' scope, right? (In this case Decentraleyes will not work also, because sometimes Users are not using any available options. But if they do, 'script' option for a 'DEFAULT' scope seems to be not very good idea.

So, I would like to ask You some questions, skriptimaahinen. Firstly: have You tried Decentraleyes only on a testing page? What about daily use: to look over some websites etc.? Secondly: what options do You use for a 'DEFAULT' scope? Can You share your configuration, which may be very helpful etc.

By the way: with above examples, I can describe my situation very clearly. I'm so sorry for such a long message. I hope, that I've described what I mean in good way.

Thanks, best regards.

Re: Pros and cons of adding a permanent whitelist for Cloudf

Posted: Fri Aug 31, 2018 3:09 pm
by skriptimaahinen
No, I do not use it daily, but I have tested it on few other pages too and it seems to work.

Take for example

Code: Select all

CUSTOM rules for each:            script, fetch      script              script
Everything works and Decentraleyes shows that it has served jQuery.

If you set it up like this, does it not work for you?