The Crane Technique... a workflow for NoScript 10
Posted: Wed Dec 20, 2017 11:06 pm
I've been playing with the new NoScript trying to get a feel for an "order of operations" or workflow of sorts. Kinda how I set it up to function and just wanted to put it out there for comments and maybe help others get an idea of how things work and how things are dependent on one another.
Under each trust level are categories representing types of content potentially loaded from a domain: script, object, media, frame, font, webgl, fetch, and other. If a content type is actively used it will show its block in red.
Go to the Per-site Permissions screen
What you see listed out of the box is a list of base domains that are Trusted by default out-of-the-box.
Click on the Trusted button for a few of the built-in base domain rules.
Ideally, at this point, we never need to set anything to Trusted- sites are either Untrusted or give it Custom permissions if a site experiences breakage. If a site misbehaves, click on a domain's trust level button next to the various domains in your pop-up to see if anything is red. This means something is actively being blocked. Then, just change that domain's trust level to a Custom trust and check only the ones in red (script, object, media, frame, font, webgl, fetch, other).
After a while your Per-site Permissions screen just has a bunch of Untrusted analytics and advertising base domains and a few Custom subdomains. Rarely do I have a base domain that gets Custom permissions (actually, none so far).
I tend to get the painful stuff out of the way by browsing some news sites (cnn.com, washingtonpost.com, tomshardware.com, foxnews, etc. and mark a most 3rd parties I encounter Untrusted. If a video or image doesn't show, or a font I would like to see won't load, I use custom rules and find which 3p domains permissions fix the breakage. That way I get the popular 3rd party content addressed. After a few custom rules you probably won't need much more changing.
Extra tip: If you want to move away from uBlock Origin, run both for a while and use uBlock's blocked domains to get familiar with what domains you can Untrust in NoScript. After a while you'll start recognizing useless domains versus domains that provide media.
Under each trust level are categories representing types of content potentially loaded from a domain: script, object, media, frame, font, webgl, fetch, and other. If a content type is actively used it will show its block in red.
Go to the Per-site Permissions screen
What you see listed out of the box is a list of base domains that are Trusted by default out-of-the-box.
Click on the Trusted button for a few of the built-in base domain rules.
- See how everything (script, object, media, frame, font, webgl, fetch, and other) for Trusted sites is allowed? That means google.com and all of it's subdomains are Trusted out-of-the box.
- Now, set every built-in trusted site to Default and refresh the page.
- Did every site go away? This is because sites with Default permissions are not permanently saved.
- it shows google.com as Trusted with a little clock so it's actually Temporarily Trusted
We also have gstatic.com and https://www.gstatic.com with Default permissions.
Code: Select all
Default - uncheck all
Trusted- check script, font, fetch, media
Untrusted - uncheck all
Temporarily set top-level sites to TRUSTED
After a while your Per-site Permissions screen just has a bunch of Untrusted analytics and advertising base domains and a few Custom subdomains. Rarely do I have a base domain that gets Custom permissions (actually, none so far).
I tend to get the painful stuff out of the way by browsing some news sites (cnn.com, washingtonpost.com, tomshardware.com, foxnews, etc. and mark a most 3rd parties I encounter Untrusted. If a video or image doesn't show, or a font I would like to see won't load, I use custom rules and find which 3p domains permissions fix the breakage. That way I get the popular 3rd party content addressed. After a few custom rules you probably won't need much more changing.
Extra tip: If you want to move away from uBlock Origin, run both for a while and use uBlock's blocked domains to get familiar with what domains you can Untrust in NoScript. After a while you'll start recognizing useless domains versus domains that provide media.