Import / Export noscript_data.txt Management ( and XSS )

Mad_Man_Moon
Junior Member
Posts: 38
Joined: Fri Oct 27, 2017 12:02 pm

Import / Export noscript_data.txt Management ( and XSS )

Post by Mad_Man_Moon » Fri Jun 05, 2020 4:21 pm

Hi,

I'm currently struggling with the issue of remembered trusted/untrusted sites ( over here viewtopic.php?f=7&t=25927&p=102272#p102165 ), and as a part of that I've bodged together a noscript_data.txt file from different sources. However there is a lot of stuff in there that I'm wondering either what it is or what it does.

The following questions I'm listing because I performed a few searches here on the site, and couldn't find anything concrete on managing the data file, or what any of this means in the FAQ. If there's a documentation page, I couldn't find that, unfortunately.
  1. What does this symbol mean when presented before a site with a colon after it?

    §

    This is only in my ns data file's 'trusted' and 'custom' sections.

    Possible Answer: Through trying to get a valid import, this seems like it's the locking signifier for NS Quantum to allow the (sub-)domain "only if their protocol is HTTPS":

    What about the "Match HTTPS only" green/red lock toggle? If green (locked), the toggle makes base domain entries (e.g. "..google.com") match themselves and all their subdomains, but only if their protocol is HTTPS (and therefore the traffic encrypted and not easily tampered with). Otherwise, if red and unlocked, both HTTP and HTTPS match: this has bad security implications especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy, but is unfortunately needed for some sites to work. NoScript tries to give you the "smartest" default for each site, i.e. green if the page is already served on HTTPS, red otherwise.

  2. I've noted that the https green mark is done by ensuring that the domain has that before it, and that you can double up and add the insecure one to the untrusted list (I assume that's redundant, though). So, to ensure https, one requires:

            "arsenal.com",

    ... to become:

            "https://arsenal.com",

    Is there anything else regarding http/https we should know? I'd imagine that one can't repeat a domain more than twice (secure and non) with that.

  3. Could I capably assume (to continue the above example) that the previous https site would trust all subdomains, but if I wanted to distrust one subdomain I would add the following to the untrusted section?:

            "https://players.arsenal.com",

  4. If a domain (with no secure/insecure signifier) is in the untrusted list, does that indicate that both are untrusted or only the insecure version?

  5. Are there any requirements for wildcards in here, and if so, what would they be? (couldn't see an obvious one)

  6. Is the "xssUserChoices" section able to take custom additions (if I magically knew some)? It currently has this entry:

        "https://www.lindy.co.uk>https://5404841.fls.doubleclick.net": "block"

    Would it perhaps take the old-style stuff, like this from the old XSS section, or am I gloriously misunderstanding NS Quantum's style? 8-)

    ^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
    ^https?://([a-z]*)\.?search\.yahoo\.com/search(?:\?|/\1\b)
    ^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>?%]+$
    ^https?://translate\.google\.com/translate_t[^"'<>?%]+$
    ^https://secure\.wikimedia\.org/wikipedia/[a-z]+/wiki/[^"<>\?%]+$

  7. Is there a list of what the various 'system URLs' (like the following) in there are for?

    [System+Principal]

Hope that this isn't hard stuff to ask, and as always, I do not expect, or feel entitled to an answer from anyone ... although it'd be great to understand the "§:" meaning.

Best

EDIT
Sorry, forgot about that last question, just edited it in.
Last edited by barbaz on Fri Jun 05, 2020 10:07 pm, edited 4 times in total.
Reason: Make link to forum topic clickable

Mad_Man_Moon
Junior Member
Posts: 38
Joined: Fri Oct 27, 2017 12:02 pm

Re: Import / Export noscript_data.txt Management ( and XSS )

Post by Mad_Man_Moon » Fri Jun 05, 2020 4:48 pm

This might require a separate thread, but I'd view it as working through this one. If you plop a load of URLs into the 'policy' section's 'sites' sub-section of the file, in the same format as all the others, it creates oddities in the trusted sites lists, showing the "true" values of some of the options within, and even putting the curly brackets at the end.

I'm going to go out on a limb and guess it's that "system URL" I used as an example, and it should have the square brackets escaped ... but that's how it came ¯\_(ツ)_/¯ ...

Testing it both unescaped and escaped with the '\' character (assumption) ... and will edit this post with results.

EDIT
The "[System+Principal]" had to be removed as well as the lindy>doubleclick xssUserChoices data. This allowed a small (single entry) line to be imported correctly without oddities. But I had problems with a larger list. Am working through trial and error.

Old:

  "xssUserChoices": {
    "https://www.lindy.co.uk>https://5404841.fls.doubleclick.net": "block"
  }

New:

  "xssUserChoices": {}

barbaz
Senior Member
Posts: 9501
Joined: Sat Aug 03, 2013 5:45 pm

Re: Import / Export noscript_data.txt Management ( and XSS )

Post by barbaz » Fri Jun 05, 2020 10:12 pm

Entries starting with "https://" will only match that exact domain, not subdomains. If you want to match only HTTPS while including subdomains, use the "§:" (which is what the green lock does).

Domain entries without prefix match both HTTPS and plain HTTP.
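The three entry forms barbaz describes above, modelled as an added example (this is not NoScript's own code, and it is not from either poster). It assumes that a prefix-less entry covers the base domain and its subdomains (taken from the "Match HTTPS only" FAQ text quoted in the first post), that entries which are not host names such as the "[System+Principal]" line or "__MOONYCAT1"-style placeholders never match a page URL, and it deliberately does not decide precedence between the trusted and untrusted lists, which the thread does not settle:

```javascript
// Added example (not NoScript's own code): a model of the three site-entry
// forms discussed in this thread, so an exported list can be checked offline.
//   "example.com"         -> http or https, the base domain and its subdomains
//                            (subdomain matching here is an assumption taken from
//                            the quoted "Match HTTPS only" FAQ text)
//   "§:example.com"       -> https only, the base domain and its subdomains
//   "https://example.com" -> exactly that host, https only
// Entries that are not host names ("__MOONYCAT1" markers, "[System+Principal]")
// are assumed never to match a page URL. Precedence between the trusted and
// untrusted lists is not modelled; findMatch() only reports what an entry matches.

const HOST_RE = /^(?!-)[a-z0-9-]+(\.[a-z0-9-]+)*$/;

// Turn one list entry into { host, httpsOnly, subdomains }, or null if it is
// not a usable host entry.
function parseEntry(entry) {
  let host;
  let httpsOnly = false;
  let subdomains = true;
  if (entry.startsWith("§:")) {
    host = entry.slice(2);
    httpsOnly = true;
  } else if (entry.startsWith("https://")) {
    try {
      host = new URL(entry).hostname;
    } catch (e) {
      return null;
    }
    httpsOnly = true;
    subdomains = false; // exact domain only, as barbaz describes
  } else {
    host = entry;
  }
  host = host.toLowerCase();
  if (!HOST_RE.test(host)) return null;
  return { entry, host, httpsOnly, subdomains };
}

// Does a parsed entry match the given page URL?
function entryMatches(parsed, url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return false;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  if (parsed.httpsOnly && u.protocol !== "https:") return false;
  const h = u.hostname.toLowerCase();
  if (h === parsed.host) return true;
  return parsed.subdomains && h.endsWith("." + parsed.host);
}

// First entry in `list` that matches `url`, or null.
function findMatch(list, url) {
  for (const entry of list) {
    const parsed = parseEntry(entry);
    if (parsed && entryMatches(parsed, url)) return entry;
  }
  return null;
}

// Constructed sample list in the style of the file's "sites" -> "trusted" array.
const SAMPLE_TRUSTED = ["__MOONYCAT1", "§:site1.com", "https://arsenal.com", "example.org"];

for (const url of [
  "https://www.site1.com/",
  "http://www.site1.com/",
  "https://arsenal.com/",
  "https://players.arsenal.com/",
  "http://cdn.example.org/a.js",
]) {
  console.log(url, "->", findMatch(SAMPLE_TRUSTED, url));
}
```

Run with `node` against your own exported "trusted" array to see which entry a given page URL would hit; the point to notice is that "https://arsenal.com" leaves "players.arsenal.com" unmatched, while "§:arsenal.com" would cover it over HTTPS only.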

Mad_Man_Moon
Junior Member
Posts: 38
Joined: Fri Oct 27, 2017 12:02 pm

Re: Import / Export noscript_data.txt Management ( and XSS )

Post by Mad_Man_Moon » Sun Jun 14, 2020 3:10 pm

Cheers, @barbaz, much obliged!

Have been doing a bit more playing around (I found another export, and it's huge, so am building a solid reference import/export, hence my quietness) and found that, even though there's no way to comment in JSON (assumed that is the language), we can basically make up sites to use as categorisation, and NoScript preserves the order in which sites are presented in the import/export process.

So, if I have:

    "sites": {
      "trusted": [
        "__MOONYCAT1",
        "§:site1.com",
        "§:site2.com",
        "§:site3.com",
        "__MOONYCAT1",
        "§:site4.com",
        "§:site5.com",
        "§:site6.com",
        "__NOMOONYCAT"
      ],
      "untrusted": [
        "0jzxzd21.com",

Then if I add site7, site8, site9, and export, the file will look like this:

    "sites": {
      "trusted": [
        "__MOONYCAT1",
        "§:site1.com",
        "§:site2.com",
        "§:site3.com",
        "__MOONYCAT1",
        "§:site4.com",
        "§:site5.com",
        "§:site6.com",
        "__NOMOONYCAT",
        "§:site7.com",
        "§:site8.com",
        "§:site9.com"
      ],
      "untrusted": [
        "0jzxzd21.com",
This could also help as a workaround for some kind of organisation ... as long as one does an export every now and then to manage one's list.

Probably best not to use the underscore in case the main man decides that it's a required character for something, but you get the drift.

Oh, and I just had the inkling of another idea using Microsoft's Power Automate (Flow) JSON Parser ... one could easily set up a system using SharePoint lists to manage your categorised trusted sites, or, perhaps more relevant/cheap, a local Excel file ...
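The category-marker workaround in the post above, as an added example (not NoScript's code and not the poster's): it parses an export, buckets the ordered "trusted" entries under the most recent marker, and flags hosts that appear more than once, for instance as both "§:site2.com" and "site2.com", or in both the trusted and untrusted lists. The marker prefix "__" is the poster's convention and is a parameter here; the export text is constructed for the example, and the "policy" -> "sites" layout follows the poster's description of the file. Which duplicate entry NoScript would honour is not something this thread settles, so the lint only reports them for manual review.

```javascript
// Added example (not NoScript's own code): helpers for the category-marker
// workaround described in the post above. A marker is assumed to be any entry
// starting with a chosen prefix ("__" as in the post); markers are treated as
// labels, never as hosts. The sample export below is constructed, not a real
// noscript_data.txt.

const SAMPLE_EXPORT = JSON.stringify({
  policy: {
    sites: {
      trusted: [
        "__MOONYCAT1",
        "§:site1.com",
        "§:site2.com",
        "__NOMOONYCAT",
        "§:site7.com",
        "site2.com",
      ],
      untrusted: ["0jzxzd21.com", "https://players.site1.com", "site7.com"],
    },
  },
});

// Walk the ordered "trusted" array and bucket entries under the most recent marker.
function groupByMarker(trusted, markerPrefix = "__") {
  const groups = new Map();
  let current = "(before first marker)";
  for (const entry of trusted) {
    if (entry.startsWith(markerPrefix)) {
      current = entry;
      if (!groups.has(current)) groups.set(current, []);
      continue;
    }
    if (!groups.has(current)) groups.set(current, []);
    groups.get(current).push(entry);
  }
  return groups;
}

// Bare host name of an entry, ignoring the "§:" or "https://" prefix.
function bareHost(entry) {
  if (entry.startsWith("§:")) return entry.slice(2).toLowerCase();
  if (entry.startsWith("https://")) return entry.slice(8).split("/")[0].toLowerCase();
  return entry.toLowerCase();
}

// Hosts listed more than once, within one list or across trusted/untrusted.
// Which entry wins is a NoScript question the thread does not settle, so the
// lint only flags them for manual review.
function lintSites(sites, markerPrefix = "__") {
  const seen = new Map(); // bare host -> ["trusted:§:site2.com", ...]
  for (const listName of ["trusted", "untrusted"]) {
    for (const entry of sites[listName] || []) {
      if (entry.startsWith(markerPrefix)) continue;
      const host = bareHost(entry);
      if (!seen.has(host)) seen.set(host, []);
      seen.get(host).push(`${listName}:${entry}`);
    }
  }
  const findings = [];
  for (const [host, where] of seen) {
    if (where.length > 1) findings.push({ host, where });
  }
  return findings;
}

// Parse an export and return both the grouping and the lint findings.
function analyse(exportText, markerPrefix = "__") {
  const sites = JSON.parse(exportText).policy.sites;
  return {
    groups: groupByMarker(sites.trusted, markerPrefix),
    findings: lintSites(sites, markerPrefix),
  };
}

const result = analyse(SAMPLE_EXPORT);
for (const [marker, entries] of result.groups) console.log(marker, entries);
for (const f of result.findings) console.log("duplicate host:", f.host, f.where);
```

To use it on a real file, replace `SAMPLE_EXPORT` with the contents of your exported noscript_data.txt (for example via `fs.readFileSync`); the grouping works only because, as the post observes, the export keeps the array order you imported.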
