The Crane Technique... a workflow for NoScript 10

Posted: Wed Dec 20, 2017 11:06 pm
by jawz101
I've been playing with the new NoScript trying to get a feel for an "order of operations" or workflow of sorts. Kinda how I set it up to function and just wanted to put it out there for comments and maybe help others get an idea of how things work and how things are dependent on one another.

Under each trust level are categories representing types of content potentially loaded from a domain: script, object, media, frame, font, webgl, fetch, and other. If a content type is actively used it will show its block in red.

Go to the Per-site Permissions screen
What you see listed out of the box is a list of base domains that are Trusted by default out-of-the-box.

Click on the Trusted button for a few of the built-in base domain rules.
  • See how everything (script, object, media, frame, font, webgl, fetch, and other) for Trusted sites is allowed? That means google.com and all of its subdomains are Trusted out-of-the-box.
  • Now, set every built-in trusted site to Default and refresh the page.
  • Did every site go away? This is because sites with Default permissions are not permanently saved.
Now, browse to google.com and click on the NoScript icon.
  • It shows google.com as Trusted with a little clock, so it's actually Temporarily Trusted.
    We also have gstatic.com and https://www.gstatic.com with Default permissions.
My default setup is:

Code:

Default - uncheck all
Trusted - check script, font, fetch, media
Untrusted - uncheck all

Temporarily set top-level sites to TRUSTED
Ideally, at this point, we never need to set anything to Trusted; sites are either Untrusted or get Custom permissions if a site experiences breakage. If a site misbehaves, click on a domain's trust level button next to the various domains in your pop-up to see if anything is red. This means something is actively being blocked. Then, just change that domain's trust level to a Custom trust and check only the ones in red (script, object, media, frame, font, webgl, fetch, other).

After a while your Per-site Permissions screen just has a bunch of Untrusted analytics and advertising base domains and a few Custom subdomains. Rarely do I have a base domain that gets Custom permissions (actually, none so far).

I tend to get the painful stuff out of the way by browsing some news sites (cnn.com, washingtonpost.com, tomshardware.com, foxnews, etc.) and mark most 3rd parties I encounter Untrusted. If a video or image doesn't show, or a font I would like to see won't load, I use custom rules and find which 3p domain permissions fix the breakage. That way I get the popular 3rd party content addressed. After a few custom rules you probably won't need much more changing.

Extra tip: If you want to move away from uBlock Origin, run both for a while and use uBlock's blocked domains to get familiar with what domains you can Untrust in NoScript. After a while you'll start recognizing useless domains versus domains that provide media.
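To make the trust-level mechanics in the post concrete, here is an added toy model in Python. It is not NoScript's own code and does not read NoScript's export format; the level names, the content types, and the "default setup" capability sets come from the post, while the matching rule (an exact-host rule beats a base-domain rule, and a base-domain rule covers its subdomains), the "Default rules are not saved" behaviour, and the temporary flag are assumptions modelled after what the post describes. The fix_breakage method reproduces the workflow step "change the domain to Custom and check only the red types".

```python
"""Toy model of the NoScript 10 per-site trust workflow from the post (added example)."""
from dataclasses import dataclass

# Content types shown under each trust level in the NoScript popup.
CONTENT_TYPES = ("script", "object", "media", "frame", "font", "webgl", "fetch", "other")

# The post's "default setup": Default and Untrusted allow nothing, Trusted allows four types.
LEVELS = {
    "Default": frozenset(),
    "Trusted": frozenset({"script", "font", "fetch", "media"}),
    "Untrusted": frozenset(),
}


@dataclass
class Rule:
    level: str               # "Default", "Trusted", "Untrusted" or "Custom"
    capabilities: frozenset  # content types allowed for hosts matched by this rule
    temp: bool = False       # Temporarily Trusted (the little clock) is not persisted


class Policy:
    """Holds per-site rules keyed by host or base domain (assumed matching semantics)."""

    def __init__(self, levels=LEVELS):
        self.levels = dict(levels)
        self.rules = {}  # host or base domain -> Rule

    def set_level(self, host, level, temp=False):
        # Setting a site back to Default removes it: Default permissions are not saved.
        if level == "Default":
            self.rules.pop(host, None)
        else:
            self.rules[host] = Rule(level, self.levels[level], temp)

    def set_custom(self, host, capabilities, temp=False):
        self.rules[host] = Rule("Custom", frozenset(capabilities), temp)

    def rule_for(self, host):
        # Most specific match wins: the exact host, then each parent base domain
        # (the bare TLD is never consulted). Unmatched hosts get Default.
        labels = host.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.rules:
                return self.rules[candidate]
        return Rule("Default", self.levels["Default"])

    def allows(self, host, content_type):
        return content_type in self.rule_for(host).capabilities

    def blocked_types(self, host, requested):
        # The "red" blocks in the popup: content the site actively uses but is denied.
        return [t for t in requested if not self.allows(host, t)]

    def fix_breakage(self, host, requested):
        # Workflow step: switch the domain to Custom and check only the red types.
        red = self.blocked_types(host, requested)
        if red:
            self.set_custom(host, red)
        return red

    def persisted(self):
        # What the Per-site Permissions screen would list: non-temporary rules.
        return {h: r.level for h, r in self.rules.items() if not r.temp}


if __name__ == "__main__":
    p = Policy()
    p.set_level("google.com", "Trusted", temp=True)   # top-level site, temporarily
    p.set_level("doubleclick.net", "Untrusted")       # an ad domain, permanently
    # Constructed request: a subdomain serving fonts and fetch calls on a Default host.
    print("red for fonts.gstatic.com:", p.fix_breakage("fonts.gstatic.com", ["font", "fetch"]))
    print("saved rules:", p.persisted())
```

Running the script shows the red types for the constructed gstatic.com request being turned into a Custom rule, while the temporary google.com rule never reaches the saved list.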

Re: The Crane Technique... or how I use NoScript 10

Posted: Thu Dec 21, 2017 3:55 pm
by FranL
jawz101 wrote: Really, blocking fonts is mainly to save a few kilobytes more.
I could swear I read somewhere (maybe in the NS 5.x docs) that fonts are blockable in NS because there are known malware vectors that use fonts, but now I can't find it to include a link. Can anyone confirm or deny?

Re: The Crane Technique... or how I use NoScript 10

Posted: Thu Dec 21, 2017 4:25 pm
by barbaz
FranL wrote: I could swear I read somewhere (maybe in the NS 5.x docs) that fonts are blockable in NS because there are known malware vectors that use fonts, but now I can't find it to include a link. Can anyone confirm or deny?
FranL is correct - https://hackademix.net/2010/03/24/why-n ... web-fonts/

Re: The Crane Technique... or how I use NoScript 10

Posted: Thu Dec 21, 2017 4:38 pm
by jawz101
I think Google has started working around something about it now. If I go to androidpolice.com it will load some CSS pointing to http://fonts.googleapis.com/css?family= ... oboto+Slab undetected.

Re: The Crane Technique... or how I use NoScript 10

Posted: Thu Dec 21, 2017 4:40 pm
by barbaz
Yeah, because that's just CSS, not an actual webfont.

Re: The Crane Technique... or how I use NoScript 10

Posted: Thu Dec 21, 2017 4:40 pm
by jawz101
I'd like to prevent that domain from even loading CSS. Like, if I desired minimal 3rd party traffic

Re: The Crane Technique... or how I use NoScript 10

Posted: Thu Dec 21, 2017 4:44 pm
by barbaz
jawz101 wrote: I'd like to prevent that domain from even loading CSS. Like, if I desired minimal 3rd party traffic
NoScript is a security tool, not a generic 3rd-party content blocker. Try uBlock Origin, you can configure it to do this.