How to enable restrictSubdocScripting in NoScript 10?

Ask for help about NoScript, no registration needed to post
barbaz
Senior Member
Posts: 9262
Joined: Sat Aug 03, 2013 5:45 pm

How to enable restrictSubdocScripting in NoScript 10?

Post by barbaz » Sun Jun 09, 2019 5:37 pm

According to viewtopic.php?f=7&t=25395 this feature has already been ported. But in my NoScript 10.6.3rc7 on Waterfox 68, it's disabled. How to enable restrictSubdocScripting?
*Always* check the changelogs BEFORE updating that important software!
-

barbaz
Senior Member
Posts: 9262
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to enable restrictSubdocScripting in NoScript 10?

Post by barbaz » Wed Jun 12, 2019 12:55 am

Ok found it: NoScript Options > General > "Cascade top document's restrictions to subdocuments"

IMO that is somewhat misleading wording. It implies that, for example, if a Trusted page embeds a Default frame, the frame would automatically become Trusted. The actual effect is more like "Block subdocuments from having more permissions than their top document".
*Always* check the changelogs BEFORE updating that important software!
-

jawz101
Senior Member
Posts: 68
Joined: Sun Jul 10, 2011 11:13 pm

Re: How to enable restrictSubdocScripting in NoScript 10?

Post by jawz101 » Fri Aug 23, 2019 3:39 am

I still don't understand this pref. So you are saying checked would mean it is a stricter policy?

"Cascade top document's restrictions to subdocuments"

To me this sounds like a looser policy. I would rather a subdocuments' permissions be granted or restricted separately. If I allow script/frame/images/fonts/etc on a primary page that doesn't necessarily mean I want to allow them on a subdocument. Right?

What stinks is there is absolutely no explanation what this preference is for except that it is for the TOR project. Even so, does that imply the TOR project would want this pref checked or not?

It's dumb.
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

musonius
Senior Member
Posts: 109
Joined: Sun Jul 08, 2018 5:38 pm

Re: How to enable restrictSubdocScripting in NoScript 10?

Post by musonius » Fri Aug 23, 2019 5:42 am

jawz101 wrote:
Fri Aug 23, 2019 3:39 am
To me this sounds like a looser policy. I would rather a subdocuments' permissions be granted or restricted separately. If I allow script/frame/images/fonts/etc on a primary page that doesn't necessarily mean I want to allow them on a subdocument. Right?
No. It's not about inheriting permissions to subdocuments, it's about inheriting restrictions to subdocuments. For example, if you do not allow 'media' for the first party domain, 'media' won't be allowed for any subdocument (not even for those for which you have allowed 'media').
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Quest

Re: How to enable restrictSubdocScripting in NoScript 10?

Post by Quest » Sun Aug 25, 2019 3:12 pm

So, if I put some (custom) permissions for ...googlevideo.com then all subdocuments (whatever they are) of googlevideo.com will have exactly same permissions and restrictions? (With that
"Cascade top document's restrictions to subdocuments" checked.

But: What happens if I do the same to https://googlevideo.com?

And what happens if that Cascade thing is unchecked?
Mozilla/5.0 (Windows NT 6.1; rv:68.0) Gecko/20100101 Firefox/68.0

barbaz
Senior Member
Posts: 9262
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to enable restrictSubdocScripting in NoScript 10?

Post by barbaz » Sun Aug 25, 2019 4:19 pm

@Quest: If you think of "permission" as whether "script", "object",... are checked or not:
barbaz wrote:
Wed Jun 12, 2019 12:55 am
The actual effect is more like "Block subdocuments from having more permissions than their top document".
Meaning:

Without the option selected - subdocuments have just whatever permission you've set for their domain/site.

With the option selected - subdocuments are only allowed the permissions that are allowed for BOTH the top-level site AND whatever you've set as allowed for the subdocument's site.

-----

While I'm here, I should also point out that the use of the word "Cascade" to describe this feature is particularly confusing for NoScript Classic users. Look at how it was used there:

Image

And also around the forums, e.g. in the sticky - viewtopic.php?f=7&t=8309

Cascading has always referred to cascading "allows", never cascading "denys". People think by word association, you can't just abruptly invert the association of a word like this without causing confusion. And putting "Cascade" as the first word, puts the emphasis on "Cascade", but it seems the emphasis was intended to be on the word "restrictions".

Now look at my suggested wording "Block subdocuments from having more permissions than their top document", and how the restrictSubdocScripting option was worded in NoScript Classic -

Image

Would be much less confusing, wouldn't it? See? :)
*Always* check the changelogs BEFORE updating that important software!
-

barbaz
Senior Member
Posts: 9262
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to enable restrictSubdocScripting in NoScript 10?

Post by barbaz » Wed Sep 25, 2019 7:41 pm

https://simplysecure.org/blog/noscript-case-study wrote: We found that some of the labels were unclear to both novice and experienced users. For example, none of the 6 people we talked to could describe what Cascade top-level documents [...] meant.
*Always* check the changelogs BEFORE updating that important software!
-

Post Reply