The Crane Technique... a workflow for NoScript 10

General discussion about the NoScript extension for Firefox
jawz101
Senior Member
Posts: 65
Joined: Sun Jul 10, 2011 11:13 pm

The Crane Technique... a workflow for NoScript 10

Post by jawz101 » Wed Dec 20, 2017 11:06 pm

I've been playing with the new NoScript trying to get a feel for an "order of operations" or workflow of sorts. Kinda how I set it up to function and just wanted to put it out there for comments and maybe help others get an idea of how things work and how things are dependent on one another.

First things first.

Go to the Global Options screen
  • What you see listed out of the box is a list of base domains that are Trusted by default out-of-the-box.
    If a "base domain" is google.com, subdomains are accounts.google.com, fonts.google.com, etc.
A Trusted base domain inherently trusts every subdomain. Instead of setting base domains to Trusted, consider trusting only what is needed on individual subdomains to fix site breakage.
Under each trust level are categories representing types of content potentially loaded from a domain: script, object, media, frame, font, webgl, fetch, and other. If a content type is actively used it will show its block in red.
Click on the Trusted button for a few of the built-in base domain rules.
  • See how everything (script, object, media, frame, font, webgl, fetch, and other) for Trusted sites is allowed? That means google.com and all of its subdomains are Trusted out-of-the-box. We'll readdress this Trusted permission shortly.
Now, set every built-in trusted site to Default and refresh the page.
  • Did every site go away? This is because sites with Default permissions are not permanently saved.
The simple approach to NoScript would be to Trust things as they break but we can get as picky as we want.

I suggest clicking the checkbox that says Temporarily set top-level sites to TRUSTED.
  • For some reason NoScript calls google.com a top-level site. Top-level typically refers to .com, .org, .net, etc.
    google.com is a secondary or base domain.
    A 3rd level domain name would be accounts.google.com, and so on...
    Wikipedia: domain name space or subdomain for info on Domain Name Space terminology.
Now, browse to google.com and click on the NoScript icon.
  • it shows google.com as Trusted with a little clock so it's actually Temporarily Trusted
    We also have gstatic.com and https://www.gstatic.com with Default permissions.
Click on google.com Trusted button
  • Setting Default, Trusted, or Untrusted permissions on any site actually affects every site with that permission. If you Trust fonts on one trusted site you trust fonts on all Trusted sites.
I prefer to keep my trust levels as low as possible while trying to avoid major breakage.

Right now I'm experimenting with
  • Default: only check Fetch
  • Trusted: only Script and Fetch checked
Remember we set Temporarily set top-level sites to TRUSTED so google.com and its subdomains would temporarily get script and fetch permissions when you browse to it but not elsewhere on the Internet.

Ideally, at this point, we never need to set anything to Default or Trusted anymore. From now on things are either Untrusted or give it Custom permissions if a site really needs anything special. How do you know if a site needs anything special? Well, if a site misbehaves, click on a domain's trust level button next to the various domains in your pop-up to see if anything is red. This means something is actively being blocked. Then, just change that domain's trust level to a Custom trust and check only the ones in red (script, object, media, frame, font, webgl, fetch, other).
With domains you don't Trust or don't want to get any resources from, just block the base domain. To fix breakage, work backwards and allow individual blocked webpage components on a site's subdomains first, before allowing content on the base domain.
So if you are on androidpolice.com and know there is a YouTube video on that page, it may show both youtube.com and https://www.youtube.com - while youtube.com is the base domain, note nothing is being blocked (Script, Objects, ... no components are marked red). Under https://youtube.com, however, Frame is being blocked.

The plain youtube.com entry is there if you want to block everything from a site from working (ads, analytics, other bloat.) We just need to give https://www.youtube.com Frame and Script or whatever it takes to get the video to show up and play. If it works and starts playing you'll notice the youtube.com entry actually disappears from the pop-up because that base domain has nothing on it or its subdomains being blocked anymore.

After a while your Global Options screen just has a bunch of Untrusted analytics and advertising base domains and a few Custom subdomains. Rarely do I have a base domain that gets Custom permissions (actually, none so far).
Both Default and Temporarily Trusted entries clean up after themselves once you browse away from a page or click the Revoke Temporary Permissions button in the pop-up.
To sum up, by default you get Fetch. Temporarily, the base domain (or Top-level site) gets Script and Fetch because we temporarily Trust Top-level sites by checking that preference in the Global Options screen. Occasionally a site may need more than that and they get whatever is needed to unbreak whatever wasn't working.

I tend to get the painful stuff out of the way by browsing some news sites (cnn.com, washingtonpost.com, tomshardware.com, foxnews, etc.) and fix some custom rules right off the bat. That way I get the popular 3rd party content addressed. After a few custom rules you probably won't need much more changing unless you just like untrusting things (i.e. block Fetch.)

Extra tip: If you want to move away from uBlock Origin, run both for a while and use uBlock's blocked domains to get familiar with what domains you can Untrust in NoScript. After a while you'll start recognizing useless domains versus domains that provide media.

Extra extra tip: if you get a little annoyed seeing some font breakage you may try allowing fonts on Trusted sites so first-party fonts are temporarily allowed. I do this on one of my computers that accesses some web admin consoles which look screwy without 1st party fonts, for example. Really, blocking fonts is mainly to save a few kilobytes more.
Last edited by jawz101 on Fri Dec 22, 2017 5:08 am, edited 10 times in total.
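The precedence the post describes (a Custom rule on a subdomain wins over the base domain, a Trusted or Untrusted base domain covers every subdomain, DEFAULT applies when nothing matches, and "Temporarily set top-level sites to TRUSTED" only lifts the site you are visiting and its subdomains) can be modelled in a few lines. The block below is an added illustration written for this page, not NoScript's own code: the rule-matching order, the simple two-label base-domain rule, the assumption that an explicit Untrusted/Custom rule beats the temporary top-level grant, and the sample page (androidpolice.com embedding www.youtube.com, fonts.gstatic.com and ad.doubleclick.net) are all constructed for the example.

```python
"""Toy model of the NoScript 10 trust precedence described in the post above.

Assumptions (not taken from NoScript's source):
  * most specific hostname rule wins, then parent domains down to the base domain,
  * a base-domain rule covers every subdomain,
  * an explicit per-site rule beats the temporary top-level grant,
  * base domain = last two labels (no public-suffix list, so co.uk etc. are wrong).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Union

# The content-type checkboxes shown under each trust level in the pop-up.
CAPABILITIES: FrozenSet[str] = frozenset(
    {"script", "object", "media", "frame", "font", "webgl", "fetch", "other"}
)

# A per-site rule is either a preset name or a Custom capability set.
Rule = Union[str, FrozenSet[str]]


@dataclass
class Policy:
    # What each trust level grants (the post's experiment: DEFAULT=fetch, TRUSTED=script+fetch).
    presets: Dict[str, FrozenSet[str]] = field(default_factory=lambda: {
        "DEFAULT": frozenset({"fetch"}),
        "TRUSTED": frozenset({"script", "fetch"}),
        "UNTRUSTED": frozenset(),
    })
    # Saved per-site rules keyed by hostname (DEFAULT sites are not saved, so never listed here).
    sites: Dict[str, Rule] = field(default_factory=dict)
    # "Temporarily set top-level sites to TRUSTED"
    auto_allow_top: bool = False


def base_domain(host: str) -> str:
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def candidates(host: str) -> List[str]:
    """host, then each parent down to the base domain: most specific first."""
    labels = host.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def effective(policy: Policy, host: str, top_level: Optional[str] = None) -> FrozenSet[str]:
    """Capabilities the browser would grant `host` while `top_level` is the visited site."""
    for name in candidates(host):
        rule = policy.sites.get(name)
        if rule is None:
            continue
        if isinstance(rule, str):          # TRUSTED / UNTRUSTED preset
            return policy.presets[rule]
        return frozenset(rule) & CAPABILITIES   # Custom: exactly the boxes ticked
    if policy.auto_allow_top and top_level and base_domain(host) == base_domain(top_level):
        return policy.presets["TRUSTED"]   # temporary grant, site and its subdomains only
    return policy.presets["DEFAULT"]


def blocked(policy: Policy, host: str, needed: Iterable[str],
            top_level: Optional[str] = None) -> FrozenSet[str]:
    """The boxes that would show red: content types the page uses but is not granted."""
    return frozenset(needed) - effective(policy, host, top_level)


def page_report(policy: Policy, top_level: str,
                uses: Dict[str, Iterable[str]]) -> Dict[str, FrozenSet[str]]:
    """Per-host blocked sets; hosts with nothing blocked are omitted (they 'disappear')."""
    return {h: b for h in uses if (b := blocked(policy, h, uses[h], top_level))}


def unbreak(policy: Policy, host: str, needed: Iterable[str],
            top_level: Optional[str] = None) -> FrozenSet[str]:
    """The post's repair step: give only this host a Custom rule adding just what is red."""
    red = blocked(policy, host, needed, top_level)
    if red:
        policy.sites[host] = effective(policy, host, top_level) | red
    return red


def example_policy() -> Policy:
    p = Policy(auto_allow_top=True)
    p.sites["doubleclick.net"] = "UNTRUSTED"                   # block the whole base domain
    p.sites["www.youtube.com"] = frozenset({"frame", "script"})  # Custom on the subdomain only
    return p


# Constructed sample page: which content types each third party actually loads.
SAMPLE_PAGE_USES: Dict[str, FrozenSet[str]] = {
    "androidpolice.com": frozenset({"script", "fetch", "font"}),
    "youtube.com": frozenset({"fetch"}),
    "www.youtube.com": frozenset({"frame", "script"}),
    "fonts.gstatic.com": frozenset({"font"}),
    "ad.doubleclick.net": frozenset({"script", "frame"}),
}

if __name__ == "__main__":
    pol = example_policy()
    for host, red in page_report(pol, "androidpolice.com", SAMPLE_PAGE_USES).items():
        print(f"{host}: blocked {sorted(red)}")
```

Running it reproduces the behaviour the post walks through: youtube.com and www.youtube.com drop out of the report because nothing of theirs is blocked, the first-party site gets script and fetch from the temporary top-level grant but still shows font in red, and ad.doubleclick.net inherits the Untrusted rule from its base domain. Calling `unbreak` on fonts.gstatic.com adds only `font` to that one subdomain rather than touching the DEFAULT preset for every site.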

FranL
Senior Member
Posts: 83
Joined: Sun Dec 03, 2017 4:17 pm

Re: The Crane Technique... or how I use NoScript 10

Post by FranL » Thu Dec 21, 2017 3:55 pm

jawz101 wrote: Really, blocking fonts is mainly to save a few kilobytes more.
I could swear I read somewhere (maybe in the NS 5.x docs) that fonts are blockable in NS because there are known malware vectors that use fonts, but now I can't find it to include a link. Can anyone confirm or deny?

barbaz
Senior Member
Posts: 9139
Joined: Sat Aug 03, 2013 5:45 pm

Re: The Crane Technique... or how I use NoScript 10

Post by barbaz » Thu Dec 21, 2017 4:25 pm

FranL wrote: I could swear I read somewhere (maybe in the NS 5.x docs) that fonts are blockable in NS because there are known malware vectors that use fonts, but now I can't find it to include a link. Can anyone confirm or deny?
FranL is correct - https://hackademix.net/2010/03/24/why-n ... web-fonts/
*Always* check the changelogs BEFORE updating that important software!
-

jawz101
Senior Member
Posts: 65
Joined: Sun Jul 10, 2011 11:13 pm

Re: The Crane Technique... or how I use NoScript 10

Post by jawz101 » Thu Dec 21, 2017 4:38 pm

I think Google has started working around something about it now. If I go to androidpolice.com it will load some CSS pointing to http://fonts.googleapis.com/css?family= ... oboto+Slab undetected

barbaz
Senior Member
Posts: 9139
Joined: Sat Aug 03, 2013 5:45 pm

Re: The Crane Technique... or how I use NoScript 10

Post by barbaz » Thu Dec 21, 2017 4:40 pm

Yeah, because that's just CSS, not an actual webfont.

jawz101
Senior Member
Posts: 65
Joined: Sun Jul 10, 2011 11:13 pm

Re: The Crane Technique... or how I use NoScript 10

Post by jawz101 » Thu Dec 21, 2017 4:40 pm

I'd like to prevent that domain from even loading CSS. Like, if I desired minimal 3rd party traffic

barbaz
Senior Member
Posts: 9139
Joined: Sat Aug 03, 2013 5:45 pm

Re: The Crane Technique... or how I use NoScript 10

Post by barbaz » Thu Dec 21, 2017 4:44 pm

jawz101 wrote: I'd like to prevent that domain from even loading CSS. Like, if I desired minimal 3rd party traffic
NoScript is a security tool, not a generic 3rd-party content blocker. Try uBlock Origin, you can configure it to do this.
