For all those users out there who feel NoScript is a PAIN to use, it just got a whole lot better.
Navigate to Preferences > Advanced > Trusted > and enable "Cascade top document's permissions to 3rd party scripts."
What this does is prevent you from constantly having to allow stuff that loads after you temporarily allow a top level domain. A lot of the time a site just plain won't work until you let a bunch of stuff load. So you are left Temp allowing over and over again before the site works. This cascade feature has made it so you only have to do it once per top level domain. Pretty cool.
Thanks Giorgio. This made NoScript a lot more user-friendly.
"Cascade" feature is a godsend
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Re: "Cascade" feature is a godsend
> A lot of the time a site just plain won't work until you let a bunch of stuff load. So you are left Temp allowing over and over again before the site works. This cascade feature has made it so you only have to do it once per top level domain.

For purposes like that, I agree.
And I think it should be more discoverable.
Even to the point where there might be an option to have Cascade take preference over Allow Globally (such that the context-menu might read, Cascade (dangerous) rather than Allow Scripts Globally (dangerous)).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 SeaMonkey/2.32.1
Re: "Cascade" feature is a godsend
Bear in mind that there is no per-site cascade. So this is helpful for minimising effort, but you run a much higher risk of, e.g., a legitimate site being compromised by a persistent XSS.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Re: "Cascade" feature is a godsend
How does it differ from "Allow all this page" by the way ? I never used that feature, so not sure.
I'd guess, allow all this page allows what can be seen and then reload, sometimes bumping into new domains that won't be allowed, whereas cascading allows any domain that may come up after reload as long as first party domain is whitelisted.
Also, allow all this page actually adds domains to the whitelist whereas cascading only whitelists the first party domain, ensuring that if you visit one of the 3rd party domains in the future, it won't be allowed to run JavaScript.
Is that correct ? If so, I do prefer cascading and it indeed sounds both safer and almost as user friendly as "allow scripts globally".
Edit: It might be incorrect. If it's correct, then the "Temporarily allow first level domains by default" options in NoScript's General tab should maybe be tweaked so that, like cascading, domains are not automatically added to the whitelist, only allowed upon meeting criteria (here: Be loaded as a first party domain. for cascading: Be loaded as third party from a 1st party domain that is allowed to cascade), and disallowed when not meeting such criteria. (The whitelist is all or nothing.)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Re: "Cascade" feature is a godsend
bgmnt wrote:
> How does it differ from "Allow all this page" by the way ? I never used that feature, so not sure.
> I'd guess, allow all this page allows what can be seen and then reload, sometimes bumping into new domains that won't be allowed, whereas cascading allows any domain that may come up after reload as long as first party domain is whitelisted.
> Also, allow all this page actually adds domains to the whitelist whereas cascading only whitelists the first party domain, ensuring that if you visit one of the 3rd party domains in the future, it won't be allowed to run JavaScript.
> Is that correct ?

You have it right

bgmnt wrote:
> If so, I do prefer cascading and it indeed sounds both safer and almost as user friendly as "allow scripts globally".

It's not any safer than Allow Scripts Globally... however you _may_ get privacy benefit from Cascade compared to Allow Scripts Globally.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0
Re: "Cascade" feature is a godsend
Well it's not any safer on a given site that has been whitelisted. But all non whitelisted sites are almost as safe as they are with NoScript's default config (i.e. JS disallowed).
Now if only this behaviour was used with the "Temporarily allow first level domains by default" feature, where instead of automatically adding any visited domain to the whitelist, you simply allow it without whitelisting, ensuring that they will not run JS as 3rd party, that would be nice. That would prevent redirection from adding unwanted domains to the whitelist (e.g. mainSite -> adSite -> mainSite, we only wanted to visit mainSite but adSite ends up whitelisted, and later allowed as third party anywhere on the web). At some point in the past, Paypal had such a redirect to DoubleClick, and I don't think anyone here wants to whitelist DoubleClick
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Re: "Cascade" feature is a godsend
bgmnt wrote:
> Now if only this behaviour was used with the "Temporarily allow first level domains by default" feature, where instead of automatically adding any visited domain to the whitelist, you simply allow it without whitelisting, ensuring that they will not run JS as 3rd party, that would be nice.

I don't understand what you're suggesting. If you allow something it goes on the whitelist, if you Temporarily allow something it gets temporarily added to the whitelist. Cascading just changes the extent of the meaning of being on the whitelist.
There isn't another way to allow a site...

bgmnt wrote:
> That would prevent redirection from adding unwanted domains to the whitelist (e.g. mainSite -> adSite -> mainSite, we only wanted to visit mainSite but adSite ends up whitelisted, and later allowed as third party anywhere on the web).

adSite isn't 3rd-party there, it's temporarily 1st-party and a top-level site...
If you don't like that, Mark adSite as Untrusted - that way it can't be automatically (Temp-)Allowed even through cascading permissions.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0
Re: "Cascade" feature is a godsend
> Cascading just changes the extent of the meaning of being on the whitelist.
> There isn't another way to allow a site...

If it makes things clearer you could imagine a special whitelisted item such as "$first-party", translated by NoScript's whitelist parser as "allow first party site to run JS". This way the actual domain isn't added to the whitelist per se and, not being whitelisted, won't run JS if encountered as third-party. (Just like 3rd party domains allowed through cascading won't be allowed if encountered as first party later on)

> adSite isn't 3rd-party there, it's temporarily 1st-party and a top-level site...

Yes, but as you continue browsing the web you may stumble upon siteB that loads adSite as a third party. adSite has been whitelisted already and will be able to run JS. This problem doesn't exist if first party domains are not allowed because of their name, but because they are first party. i.e. they are not allowed individually, it's the entity *first-party* that is allowed. I hope it's a little more clear

> If you don't like that, Mark adSite as Untrusted - that way it can't be automatically (Temp-)Allowed even through cascading permissions.

Blacklists are never ideal but that's a very nice suggestion
Last edited by bgmnt on Fri Feb 13, 2015 2:27 am, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
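The redirect case argued over in the posts above, as an added example that is not part of any post and is not NoScript's code: a simplified model comparing whitelist-by-name auto-allow, the proposed "$first-party" rule, marking adSite Untrusted, and cascading. The `.example` domains, the function names and the `firstPartyRule` / `cascade` options are assumptions made for illustration.

```javascript
// Simplified model of the rules discussed in this thread; not NoScript's code.
// All function names, option names and domains here are hypothetical.
const makeState = () => ({ whitelist: new Set(), untrusted: new Set() });

// "Temporarily allow first level domains by default", as described in the thread:
// every top-level domain in a navigation chain is added to the whitelist.
function visitAutoAllow(state, chain) {
  for (const d of chain) if (!state.untrusted.has(d)) state.whitelist.add(d);
}

// May a script from scriptDomain run under a top document at topDomain?
function scriptAllowed(state, topDomain, scriptDomain, opts = {}) {
  if (state.untrusted.has(scriptDomain)) return false;  // Untrusted beats everything
  if (state.whitelist.has(scriptDomain)) return true;   // whitelisted by name
  if (opts.firstPartyRule && scriptDomain === topDomain) return true; // "$first-party"
  return Boolean(opts.cascade) && state.whitelist.has(topDomain);     // cascade
}

function redirectScenario() {
  // Constructed navigation chain: mainSite -> adSite -> mainSite.
  const chain = ["mainsite.example", "adsite.example", "mainsite.example"];
  const ad = "adsite.example", later = "siteb.example";

  const auto = makeState();            // auto-allow adds visited domains by name
  visitAutoAllow(auto, chain);

  const proposed = makeState();        // "$first-party": nothing whitelisted by name

  const marked = makeState();          // auto-allow, adSite marked Untrusted first
  marked.untrusted.add(ad);
  visitAutoAllow(marked, chain);

  const casc = makeState();            // only mainSite whitelisted, cascade on
  casc.whitelist.add("mainsite.example");

  return {
    autoAllowAdOnSiteB: scriptAllowed(auto, later, ad),
    proposedAdOnSiteB: scriptAllowed(proposed, later, ad, { firstPartyRule: true }),
    proposedAdAsTop: scriptAllowed(proposed, ad, ad, { firstPartyRule: true }),
    untrustedAdOnSiteB: scriptAllowed(marked, later, ad),
    cascadeAdOnMain: scriptAllowed(casc, "mainsite.example", ad, { cascade: true }),
    cascadeAdAsTop: scriptAllowed(casc, ad, ad, { cascade: true }),
  };
}

console.log(redirectScenario());
```

In this model only the auto-allow case leaves adSite able to run as a third party on a later site; cascading permits it under the whitelisted mainSite but not when it is itself the top document.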
Re: "Cascade" feature is a godsend
Yes, that makes it much clearer.
Such permissions management might be part of NoScript 3.
*Always* check the changelogs BEFORE updating that important software!
Re: "Cascade" feature is a godsend
Ok
I thought the cascading feature had some code that could be tweaked to improve the auto-allow thing without too much work. From what I understand, NoScript 3 is scheduled for whenever Firefox release channel has e10s enabled by default ? Like, maybe July or something. Sounds good enough
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0