temp permitted sites not showing on permissions tab

[DonUWannano]

Hello. I have been using NoScript with great satisfaction for many years. I do now have a question that I have been unable to answer on my own.
When I first open my browser for a session, I open the NS Options page, to ensure that all settings are at my chosen defaults. On the General tab, I have checked: Strict Default/deny (recently added by developer); Restore restrictions...; Any capability blocked...; and under presets: on Default tab I have frame, fetch, noscript, & other checked; on Trusted tab I have all options allowed (checked); on Untrusted tab I have no options allowed (all unchecked). I do have 3 sites only permanently set to trusted: archive.org; cloudflare.com; proton.me. When I open a new site/page, I will temporarily trust only those scripts that are required to allow me to do what I need to on the page; before I leave the page, I revoke all temporary permissions. This usually behaves as expected, however, I have found a few exceptions that concern me because they do not fit my understanding of how NS is expected to work.

Occasionally I will go to a site/page and find that one of the scripts on that page is already set to be temporarily alowed. Now, I am as capable of user error as the next person, I freely admit that I could forget to do the Revoke command before leaving a page, or that a browser malfunction of some kind might leave NS settings at other than my defaults (that is the reason for my review on every new browser session). But the following just happened to me immediately after I began a browser session and had verfied my default NS settings, including my per-site permissions. I went to a Tides and Currents page at noaa.gov that I use every morning. To see what I need to on that page I must temporarily allow noaa.gov and unpkg.com, but there are 3 other sites that I do not need to allow to run scripts: arcgis.com; digitalgov.gov; & googletagmanager.com. When I visited this page and clicked the NS icon in my browser bar to temporarily allow the 2 required scripts, I found that googletagmanager.com was already set to be temporarily allowed, even though a few moments before I had looked at my NS per-site permissions page, and it was not shown. This behavior isn't isolated to the named page, I see it at least once a day on a variety of sites/pages. My recollection is that it does nearly always involve a script with a name that seems to identify it with Google.

Is this expected behavior? If so, is there any place that I can examine all scripts that are set to be enabled this way, since I am not seeing them in per-site permissions under options? I am currently using NS v 13.5.10 in Firefox 115.32.0esr running under WIndows 7 Professional. I see identical behavior on my laptop, which runs up to date Linux Mint, using the current Firefox browser with the current NS versiojn for that platform. Thank you.

[Giorgio Maone]

Could you please share (privately, if you prefer) your NoScript Options/Export file? Thanks!

[DonUWannano]

Sure. I don't appear to have attachment privileges (which is OK by me) so here it is inline
==========================================================================+

Code: Select all

{
  "exportMeta": {
    "version": "13.5.10",
    "knownCapabilities": [
      "script",
      "object",
      "media",
      "frame",
      "font",
      "wasm",
      "webgl",
      "fetch",
      "ping",
      "noscript",
      "lazy_load",
      "unchecked_css",
      "lan",
      "other"
    ]
  },
  "policy": {
    "DEFAULT": {
      "capabilities": [
        "frame",
        "fetch",
        "noscript",
        "other"
      ],
      "temp": false
    },
    "TRUSTED": {
      "capabilities": [
        "script",
        "object",
        "media",
        "frame",
        "font",
        "webgl",
        "fetch",
        "ping",
        "noscript",
        "unchecked_css",
        "lan",
        "other",
        "lazy_load",
        "wasm"
      ],
      "temp": false
    },
    "UNTRUSTED": {
      "capabilities": [],
      "temp": false
    },
    "sites": {
      "trusted": [
        "archive.org",
        "proton.me",
        "§:cloudflare.com"
      ],
      "untrusted": [],
      "custom": {}
    },
    "enforced": true,
    "autoAllowTop": false
  },
  "local": {
    "debug": false,
    "showCtxMenuItem": true,
    "showCountBadge": true,
    "showFullAddresses": false,
    "showProbePlaceholders": true,
    "amnesticUpdates": true,
    "autoReload": true,
    "storage": "local",
    "uuid": "acec89a4-fb6b-401b-8325-b807d6b13279",
    "enforceOnRestart": true,
    "toolbarLayout": {
      "left": [
        "close",
        "reload",
        "options"
      ],
      "right": [
        "temp-trust-page",
        "revoke-temp"
      ],
      "hidden": [
        "enforce-tab",
        "enforce"
      ]
    }
  },
  "sync": {
    "global": false,
    "xss": true,
    "TabGuardMode": "global",
    "TabGuardPrompt": "post",
    "cascadePermissions": false,
    "cascadeRestrictions": true,
    "overrideTorBrowserPolicy": false,
    "storage": "sync"
  },
  "xssUserChoices": {}
}

[DonUWannano]

I think I have figured this out. I'm a bit embarrassed that it took this long. The behavior appears to result from my using the default settings on the "Preset customization (for all the sites sharing a preset)" pane. To prevent the permission "inheritence" I was questioning, I think I need to select the "untrusted" tab on that pane. I will try that and report the results. Thanks.

[barbaz]

To prevent the permission "inheritence" I was questioning, I think I need to select the "untrusted" tab on that pane.

That's unlikely to make any difference. The tabs are just to select which preset to customize. Changing the active tab does not change any setting. NoScript does not even remember which of those 3 tabs you last activated.

I am not seeing them in per-site permissions under options?

Are these scripts actually Temp. TRUSTED, or only displaying that way in the NoScript popup?

What other extensions are you using?

Might any of your other extensions be interfering with the requests NoScript makes and blocks internally to work around WebExtensions limitations? These include CSP reports to the nonexistant domain "noscript-csp.invalid" and XHR to the unreachable IPv6 address "[ff00::]". Again, NoScript blocks these requests, they never reach the network. But if another extension blocks these requests before NoScript can even see them, NoScript will malfunction.

Please create a clean profile from scratch. Install only NoScript latest development build, leaving all the defaults.
Does the problem still exist?
If not, what if you then import your NoScript settings into the clean profile using the Import and Export buttons in NoScript Options?
If that still doesn't reproduce the problem, it's not a NoScript issue... try Standard Diagnostic (leaving NoScript enabled) to isolate and correct the real cause.

Let us know, thanks.