First things first.
Go to the Global Options screen
- What you see listed out of the box is a list of base domains that are Trusted by default out-of-the-box.
If a "base domain" is google.com, subdomains are accounts.google.com, fonts.google.com, etc.
A Trusted a base domain inherently trusts every subdomain. Instead of setting base domains to Trusted, consider trusting only what is needed on individual subdomains to fix site breakage.
Click on the Trusted button for a few of the built-in base domain rules.Under each trust level are categories representing types of content potentially loaded from a domain: script, object, media, frame, font, webgl, fetch, and other. If a content type is actively used it will show its block in red.
- See how everything (script, object, media, frame, font, webgl, fetch, and other) for Trusted sites is allowed? That means google.com and all of it's subdomains are Trusted out-of-the box. We'll readdress this Trusted permission shortly.
- Did every site go away? This is because sites with Default permissions are not permanently saved.
I suggest clicking the checkbox that says Temporarily set top-level sites to TRUSTED.
- For some reason NoScript calls google.com a top-level site. Top-level typically refers to .com, .org, .net, etc.
google.com is a secondary or base domain.
A 3rd level domain name would be accounts.google.com, and so on...
Wikipedia: domain name space or subdomain for info on Domain Name Space terminology.
- it shows google.com as Trusted with a little clock so it's actually Temporarily Trusted
We also have gstatic.com and https://www.gstatic.com with Default permissions.
- Setting Default, Trusted, or Untrusted permissions on any site actually affect every site with that permission. If you Trust fonts on one trusted site you trust fonts on all Trusted sites.
Right now I'm experimenting with
- Default: only check Fetch
Trusted: only Script and Fetch checked
Ideally, at this point, we never need to set anything to Default or Trusted anymore. From now on things are either Untrusted or give it Custom permissions if a site really needs anything special. How do you know if a site needs anything special? Well, if a site misbehaves, click on a domain's trust level button next to the various domains in your pop-up to see if anything is red. This means something is actively being blocked. Then, just change that domain's trust level to a Custom trust and check only the ones in red (script, object, media, frame, font, webgl, fetch, other).
So if you are on androidpolice.com and know there is a YouTube video on that page, it may show both youtube.com and https://www.youtube.com - while youtube.com is the base domain, note nothing is being blocked (Script, Objects, ... no components are marked red). Under https://youtube.com, however, Frame is being blocked.With domains you don't Trust or don't want to get any resources from them, just block the base domain. To fix breakage, work backwards and allow individual blocked webpage components on a site's subdomains first- before allowing content on the base domain.
The plain youtube.com entry is there if you want to block everything from a site from working (ads, analytics, other bloat.) We just need to give https://www.youtube.com Frame and Script or whatever it takes to get the video to show up and play. If it works and starts playing you'll notice the youtube.com entry actually disappears from the pop-up because that base domain has nothing on it or its subdomains being blocked anymore.
After a while your Global Options screen just has a bunch of Untrusted analytics and advertising base domains and a few Custom subdomains. Rarely do I have a base domain that gets Custom permissions (actually, none so far).
To sum up, by default you get Fetch. Temporarily, the base domain (or Top-level site) gets Script and Fetch because we temporarily Trust Top-level sites by checking that preference in the Global Options screen. Occasionally a site may need more than that and they get whatever is needed to unbreak whatever wasn't working.Both Default and Temporarily Trusted entries clean up after themselves once you browse away from a page or click the Revoke Temporary Permissions button in the pop-up.
I tend to get the painful stuff out of the way by browsing some news sites (cnn.com, washingtonpost.com, tomshardware.com, foxnews, etc. and fix some custom rules right off the bat. THat way I get the popular 3rd party content addressed. After a few custom rules you probably won't need much more changing unless you just like untrusting things (i.e. block Fetch.)
Extra tip: If you want to move away from uBlock Origin, run both for a while and use uBlock's blocked domains to get familiar with what domains you can Untrust in NoScript. After a while you'll start recognizing useless domains versus domains that provide media.
Extra extra tip: if you get a little annoyed seeing some font breakage you may try allowing fonts on Trusted sites so first-party fonts are temporarily allowed. I do this on one of my computers that accesses some web admin consoles which look screwy without 1st party fonts, for example. Really, blocking fonts is mainly to save a few kilobytes more.