The Crane Technique... a workflow for NoScript 10

General discussion about the NoScript extension for Firefox
jawz101
Senior Member
Posts: 68
Joined: Sun Jul 10, 2011 11:13 pm

The Crane Technique... a workflow for NoScript 10

Post by jawz101 » Wed Dec 20, 2017 11:06 pm

I've been playing with the new NoScript trying to get a feel for an "order of operations" or workflow of sorts. Kinda how I set it up to function and just wanted to put it out there for comments and maybe help others get an idea of how things work and how things are dependent on one another.

Under each trust level are categories representing types of content potentially loaded from a domain: script, object, media, frame, font, webgl, fetch, and other. If a content type is actively used it will show its block in red.

Go to the Per-site Permissions screen
What you see listed out of the box is a list of base domains that are Trusted by default out-of-the-box.

Click on the Trusted button for a few of the built-in base domain rules.
  • See how everything (script, object, media, frame, font, webgl, fetch, and other) for Trusted sites is allowed? That means google.com and all of its subdomains are Trusted out-of-the-box.
  • Now, set every built-in trusted site to Default and refresh the page.
  • Did every site go away? This is because sites with Default permissions are not permanently saved.
Now, browse to google.com and click on the NoScript icon.
  • It shows google.com as Trusted with a little clock, so it's actually Temporarily Trusted.
    We also have gstatic.com and https://www.gstatic.com with Default permissions.
My default setup is:

Code:

Default - uncheck all
Trusted - check script, font, fetch, media
Untrusted - uncheck all

Temporarily set top-level sites to TRUSTED
Ideally, at this point, we never need to set anything to Trusted; sites are either Untrusted or given Custom permissions if a site experiences breakage. If a site misbehaves, click on a domain's trust level button next to the various domains in your pop-up to see if anything is red. This means something is actively being blocked. Then, just change that domain's trust level to a Custom trust and check only the ones in red (script, object, media, frame, font, webgl, fetch, other).

After a while your Per-site Permissions screen just has a bunch of Untrusted analytics and advertising base domains and a few Custom subdomains. Rarely do I have a base domain that gets Custom permissions (actually, none so far).

I tend to get the painful stuff out of the way by browsing some news sites (cnn.com, washingtonpost.com, tomshardware.com, foxnews, etc.) and mark most 3rd parties I encounter Untrusted. If a video or image doesn't show, or a font I would like to see won't load, I use custom rules and find which 3p domain permissions fix the breakage. That way I get the popular 3rd party content addressed. After a few custom rules you probably won't need much more changing.

Extra tip: If you want to move away from uBlock Origin, run both for a while and use uBlock's blocked domains to get familiar with what domains you can Untrust in NoScript. After a while you'll start recognizing useless domains versus domains that provide media.
Last edited by jawz101 on Thu Nov 21, 2019 7:08 pm, edited 22 times in total.

FranL
Senior Member
Posts: 83
Joined: Sun Dec 03, 2017 4:17 pm

Re: The Crane Technique... or how I use NoScript 10

Post by FranL » Thu Dec 21, 2017 3:55 pm

jawz101 wrote: Really, blocking fonts is mainly to save a few kilobytes more.
I could swear I read somewhere (maybe in the NS 5.x docs) that fonts are blockable in NS because there are known malware vectors that use fonts, but now I can't find it to include a link. Can anyone confirm or deny?

barbaz
Senior Member
Posts: 9279
Joined: Sat Aug 03, 2013 5:45 pm

Re: The Crane Technique... or how I use NoScript 10

Post by barbaz » Thu Dec 21, 2017 4:25 pm

FranL wrote: I could swear I read somewhere (maybe in the NS 5.x docs) that fonts are blockable in NS because there are known malware vectors that use fonts, but now I can't find it to include a link. Can anyone confirm or deny?
FranL is correct - https://hackademix.net/2010/03/24/why-n ... web-fonts/
*Always* check the changelogs BEFORE updating that important software!
-

jawz101
Senior Member
Posts: 68
Joined: Sun Jul 10, 2011 11:13 pm

Re: The Crane Technique... or how I use NoScript 10

Post by jawz101 » Thu Dec 21, 2017 4:38 pm

I think Google has started working around something about it now. If I go to androidpolice.com it will load some CSS pointing to http://fonts.googleapis.com/css?family= ... oboto+Slab
undetected

barbaz
Senior Member
Posts: 9279
Joined: Sat Aug 03, 2013 5:45 pm

Re: The Crane Technique... or how I use NoScript 10

Post by barbaz » Thu Dec 21, 2017 4:40 pm

Yeah, because that's just CSS, not an actual webfont.

jawz101
Senior Member
Posts: 68
Joined: Sun Jul 10, 2011 11:13 pm

Re: The Crane Technique... or how I use NoScript 10

Post by jawz101 » Thu Dec 21, 2017 4:40 pm

I'd like to prevent that domain from even loading CSS. Like, if I desired minimal 3rd party traffic

barbaz
Senior Member
Posts: 9279
Joined: Sat Aug 03, 2013 5:45 pm

Re: The Crane Technique... or how I use NoScript 10

Post by barbaz » Thu Dec 21, 2017 4:44 pm

jawz101 wrote: I'd like to prevent that domain from even loading CSS. Like, if I desired minimal 3rd party traffic
NoScript is a security tool, not a generic 3rd-party content blocker. Try uBlock Origin, you can configure it to do this.