Google, Yahoo and Microsoft in whitelist, FAQ uncompleted

[ROOT]

In FAQ 1.5: What websites are in the default whitelist and why? I found this:

- gmail.com, google.com, googleapis.com and gstatic.com (GMail, Google Maps and other Google services)
- hotmail.com, live.com, microsoft.com, msn.com, passport.com, passport.net, passportimages.net, js.wlxrs.com (Microsoft webmail services)
- yahoo.com, yimg.com, yahooapis.com (Yahoo! Mail)

All these sites have been added to enable JavaScript on the most popular AJAX-based webmail services "out of the box". This way, even if some users installs NoScript without understanding what they'r doing, and they've got no idea about how NoScript works, they can still ask for help by email.

But these links are no longer in the default whitelist, so I'd like to know why should I accept these scripts since they belong to Google, Yahoo! and Microsoft. I don't use webmail clients but I do use TOR and sometimes I need to submit a captcha to visit some websites (or sing up in sites like this forum). And if these sites are dangerous and insecure, please, remove them from the FAQ.

Thanks for your work!

[barbaz]

The whole FAQ needs major updating. The FAQ 1.5 as it is now describes the default whitelist as it was back in 2012.

You are, of course, welcome to remove sites from the default whitelist on your NoScript install.

Here's a half-baked updated version of that FAQ:

addons.mozilla.org mozilla.net
AMO
persona.org
Mozilla's single sign-on provider. Replaced browserid.org
flashgot.net informaction.com maone.net noscript.net
Giorgio's own sites
hotmail.com msn.com passport.com passport.net passportimages.com live.com live.net outlook.com afx.ms gfx.ms sfx.ms wlxrs.com
Microsoft webmail
ajax.aspnetcdn.com bootstrapcdn.com cdnjs.cloudflare.com code.jquery.com yandex.st mootools.net prototypejs.org tinymce.cachefly.net vjs.zendcdn.net
Javascript library CDNs
google.com gstatic.com googleapis.com
Google, so that Gmail works
paypal.com paypalobjects.com
Paypal
securecode.com securesuite.net firstdata.com firstdata.lv
(required by popular credit card verification systems)
yahoo.com yimg.com yahooapis.com
Yahoo webmail
youtube.com ytimg.com googlevideo.com
Youtube

None of these sites are 'dangerous'.

[ROOT]

Thanks for the answer! but, why don't you consider it dangerous? what information can get Google by www.google.com (for example) from me?
A script manage a lot of information, so they can get easily my IP, right?

[barbaz]

why don't you consider it dangerous?

Because NoScript is a security tool, and from a security standpoint they're not?

IOW: Most of those sites are there because they *need* to be so that users can use webmail to get support or for some really widely used sites work properly (so that we don't get overloaded with support requests). So in effect the user is already using at least some of these even if they don't know it.
The others are:
- Giorgio's own sites: if you don't trust him... well, Firefox addons can do anything Firefox can, so you shouldn't be installing addons authored by him should you?
- AMO & mozilla.net: So that users can install addons from Mozilla's official gallery. Mozilla made your browser, so if you don't trust them... well.. this.

Giorgio could explain that more since he is the one who put those sites in the default whitelist.

what information can get Google by www.google.com (for example) from me?
A script manage a lot of information, so they can get easily my IP, right?

Offtopic but I'll answer anyway.
There are so many different ways to collect information and track users that it's impossible to fully answer this. Google can knows a lot about you and it's far beyond the IP address. From the IP they can know your location and, if you're not using a proxy, they can track you as long as you have that IP. google.com hosts some scripts that are used by many sites, so if you don't disable referer header they know some of your browsing history outside Google too. If you enable JS then there are a LOT more ways to find info about you than if you don't.
Just some examples. Feel free to start another thread in the Web Tech or Security forums here if you have more questions about browser fingerprinting.

[dhouwn]

Maybe adding a last-edit/version date to each FAQ entry wouldn't be bad.