Question concerning the TRUSTED and UNTRUSTED presets and their application to HTTP and HTTPS requests

Ask for help about NoScript, no registration needed to post
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

Question concerning the TRUSTED and UNTRUSTED presets and their application to HTTP and HTTPS requests

Post by musonius »

If I trust trusteddomain.com for HTTP, it will also be trusted for HTTPS, which is exactly what I expect. There is the padlock to switch between trusting a domain for HTTPS only (green padlock) or for both protocols (red padlock).

But if I set untrusteddomain.com to UNTRUSTED for HTTPS, the domain untrusteddomain.com will still be set to DEFAULT for HTTP. That is, I have to set a domain to UNTRUSTED for HTTP, if I want the setting to be applied for both protocols. Unfortunately, there is no padlock to do that, which is what I prefer to do, if HTTPS is the current protocol.

Does that work as intended? If it does, what's the reason? I'd expect the UNTRUSTED preset to work the other way round than the TRUSTED preset. If I don't trust untrusteddomain.com for the protocol HTTPS, I won't trust it for HTTP either.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Question concerning the TRUSTED and UNTRUSTED presets and their application to HTTP and HTTPS requests

Post by Giorgio Maone »

Yes, it's been an implementation overlook.
The right thing to do, IMHO, is setting the whole domain (no matter the protocol) as UNTRUSTED (as the UI would suggest), and let advanced users fine tune if they wish in the "NoScript Options>Per-site permissions" tab.
Putting this in my TODO list, thanks.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

Re: Question concerning the TRUSTED and UNTRUSTED presets and their application to HTTP and HTTPS requests

Post by musonius »

This commit: https://github.com/hackademix/noscript/ ... 982bc6abf8

Thank you, I am going to test this as soon as 11.0.12rc1 is available.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

Re: Question concerning the TRUSTED and UNTRUSTED presets and their application to HTTP and HTTPS requests

Post by musonius »

Everything set to UNTRUSTED in NoScript 11.0.11rc2 for HTTPS only is set to UNTRUSTED for HTTP and HTTPS after updating to 11.0.12rc1. Setting a domain (HTTPS) to UNTRUSTED in 11.0.12rc1 sets the domain to UNTRUSTED for both protocols, too.

The new behavior is very welcome. Thank you!
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Post Reply