I understand the idea of NoScript is to be a script blocker first... and then other items (object, frame, font, webgl, fetch, etc.) can be blocked once a domain has been identified by using javascript.
However it would be nice to have other items trigger a domain to be blockable if they appear w/o the use of javascript.
eg. if webgl, xhr/fetch, ping, fonts, etc. are used but not necessarily javascript.
All things being blocked via NoScript, I've observed website's size being 40% fonts that were downloaded from some 3rd party domain wasn't necessarily using javascript as well. And could some of these other web components besides javascript introduce security issues on their own?
This would turn NoScript into more of a uMatrix but must NoScript really have to always revolve around javascript only? NoScript has a less cumbersome interface than uMatrix since it doesn't have the extreme granularity and I'd like to be able to reduce traffic and exposure by detecting more domains.
in summary, ability to identify domains by other technologies than javascript (fetch, ping, object, etc.)
-reduce page loads
-catches more domains
-reduces unforeseen security issues that other web technologies may introduce - not necessarily related to javascript
Thank you for your consideration
feature request I've always wanted: trigger NoScript on other items besides scripts
feature request I've always wanted: trigger NoScript on other items besides scripts
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
-
- Master Bug Buster
- Posts: 244
- Joined: Wed Jan 10, 2018 7:37 am
Re: feature request I've always wanted: trigger NoScript on other items besides scripts
Each of those technologies is detected separately. So if the page has no javascript but some external fonts are used, Noscript will list the domain. Same goes for frames, objects and media.
Fetch, ping and webgl can only be used with javascript, so javascript needs to be enabled before they can be used or detected.
Fetch, ping and webgl can only be used with javascript, so javascript needs to be enabled before they can be used or detected.
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Re: feature request I've always wanted: trigger NoScript on other items besides scripts
Yes, that's why NoScript blocks them.
It already doesn't. It revolves around active content, which could be Javascript or WASM or HTML5 media or fonts or etc.
Sorry, this is not the purpose of NoScript.
Again, NoScript already does this. If you know of a vulnerability through not-currently-blocked content types that does not require an already-blocked content type to exploit, please let Giorgio know.
*Always* check the changelogs BEFORE updating that important software!
-
Re: feature request I've always wanted: trigger NoScript on other items besides scripts
Thank you for the replies. It is good to know that it catches those things
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0