[Resolved] How to enable restrictSubdocScripting in NoScript 10?
[Resolved] How to enable restrictSubdocScripting in NoScript 10?
According to viewtopic.php?f=7&t=25395 this feature has already been ported. But in my NoScript 10.6.3rc7 on Waterfox 68, it's disabled. How to enable restrictSubdocScripting?
*Always* check the changelogs BEFORE updating that important software!
-
Re: How to enable restrictSubdocScripting in NoScript 10?
Ok found it: NoScript Options > General > "Cascade top document's restrictions to subdocuments"
IMO that is somewhat misleading wording. It implies that, for example, if a Trusted page embeds a Default frame, the frame would automatically become Trusted. The actual effect is more like "Block subdocuments from having more permissions than their top document".
IMO that is somewhat misleading wording. It implies that, for example, if a Trusted page embeds a Default frame, the frame would automatically become Trusted. The actual effect is more like "Block subdocuments from having more permissions than their top document".
*Always* check the changelogs BEFORE updating that important software!
-
Re: How to enable restrictSubdocScripting in NoScript 10?
I still don't understand this pref. So you are saying checked would mean it is a stricter policy?
"Cascade top document's restrictions to subdocuments"
To me this sounds like a looser policy. I would rather a subdocuments' permissions be granted or restricted separately. If I allow script/frame/images/fonts/etc on a primary page that doesn't necessarily mean I want to allow them on a subdocument. Right?
What stinks is there is absolutely no explanation what this preference is for except that it is for the TOR project. Even so, does that imply the TOR project would want this pref checked or not?
It's dumb.
"Cascade top document's restrictions to subdocuments"
To me this sounds like a looser policy. I would rather a subdocuments' permissions be granted or restricted separately. If I allow script/frame/images/fonts/etc on a primary page that doesn't necessarily mean I want to allow them on a subdocument. Right?
What stinks is there is absolutely no explanation what this preference is for except that it is for the TOR project. Even so, does that imply the TOR project would want this pref checked or not?
It's dumb.
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Re: How to enable restrictSubdocScripting in NoScript 10?
No. It's not about inheriting permissions to subdocuments, it's about inheriting restrictions to subdocuments. For example, if you do not allow 'media' for the first party domain, 'media' won't be allowed for any subdocument (not even for those for which you have allowed 'media').
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Re: How to enable restrictSubdocScripting in NoScript 10?
So, if I put some (custom) permissions for ...googlevideo.com then all subdocuments (whatever they are) of googlevideo.com will have exactly same permissions and restrictions? (With that
"Cascade top document's restrictions to subdocuments" checked.
But: What happens if I do the same to https://googlevideo.com?
And what happens if that Cascade thing is unchecked?
"Cascade top document's restrictions to subdocuments" checked.
But: What happens if I do the same to https://googlevideo.com?
And what happens if that Cascade thing is unchecked?
Mozilla/5.0 (Windows NT 6.1; rv:68.0) Gecko/20100101 Firefox/68.0
Re: How to enable restrictSubdocScripting in NoScript 10?
@Quest: If you think of "permission" as whether "script", "object",... are checked or not:
Without the option selected - subdocuments have just whatever permission you've set for their domain/site.
With the option selected - subdocuments are only allowed the permissions that are allowed for BOTH the top-level site AND whatever you've set as allowed for the subdocument's site.
-----
While I'm here, I should also point out that the use of the word "Cascade" to describe this feature is particularly confusing for NoScript Classic users. Look at how it was used there:
And also around the forums, e.g. in the sticky - viewtopic.php?f=7&t=8309
Cascading has always referred to cascading "allows", never cascading "denys". People think by word association, you can't just abruptly invert the association of a word like this without causing confusion. And putting "Cascade" as the first word, puts the emphasis on "Cascade", but it seems the emphasis was intended to be on the word "restrictions".
Now look at my suggested wording "Block subdocuments from having more permissions than their top document", and how the restrictSubdocScripting option was worded in NoScript Classic -
Would be much less confusing, wouldn't it? See?
Meaning:
Without the option selected - subdocuments have just whatever permission you've set for their domain/site.
With the option selected - subdocuments are only allowed the permissions that are allowed for BOTH the top-level site AND whatever you've set as allowed for the subdocument's site.
-----
While I'm here, I should also point out that the use of the word "Cascade" to describe this feature is particularly confusing for NoScript Classic users. Look at how it was used there:
And also around the forums, e.g. in the sticky - viewtopic.php?f=7&t=8309
Cascading has always referred to cascading "allows", never cascading "denys". People think by word association, you can't just abruptly invert the association of a word like this without causing confusion. And putting "Cascade" as the first word, puts the emphasis on "Cascade", but it seems the emphasis was intended to be on the word "restrictions".
Now look at my suggested wording "Block subdocuments from having more permissions than their top document", and how the restrictSubdocScripting option was worded in NoScript Classic -
Would be much less confusing, wouldn't it? See?
*Always* check the changelogs BEFORE updating that important software!
-
Re: How to enable restrictSubdocScripting in NoScript 10?
https://simplysecure.org/blog/noscript-case-study wrote: We found that some of the labels were unclear to both novice and experienced users. For example, none of the 6 people we talked to could describe what Cascade top-level documents [...] meant.
*Always* check the changelogs BEFORE updating that important software!
-
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: How to enable restrictSubdocScripting in NoScript 10?
What about Any capability blocked in the top document must be blocked in its subdocuments too?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
Re: How to enable restrictSubdocScripting in NoScript 10?
Sounds good to meGiorgio Maone wrote: ↑Wed Feb 24, 2021 4:37 pm What about Any capability blocked in the top document must be blocked in its subdocuments too?
*Always* check the changelogs BEFORE updating that important software!
-
Re: How to enable restrictSubdocScripting in NoScript 10?
Fixed in https://github.com/hackademix/noscript/ ... 8a6daeef9f. Thanks!
*Always* check the changelogs BEFORE updating that important software!
-