I'd like to permanently authorize some jscripts for certain domains only.
For example, in order to log in to facebook, you need to approve facebook.com and fbcn.net (or something like that). But when i browse the web, for example at washingtonpost.com they load up the facebook jscript, or perhaps some other jscript from facebook.com. I guess this has to do with the ever growing pathology of facebook to try to learn every possible detail about their users. In any case, i may not want FB to know what article i'm reading at wapo, or link me to comments i post etc, or what i'm buying from certain retailers et al. (Remember the beacon incident with FB, when they started syndicating what i was buying to my friends.) Particularly when i browsed to that page independently in a new tab.
Now i understand that if i authorize a script currently it becomes active in all tabs. True, but if i close the FB tab and then open a new tab and go to wapo i'd have to go to the noscript bar, knock out facebook.com (via forbidding it) then when i want to relogin to facebook put it back on my whitelist. B/c who wants to click allow temporary permissions every time they go to facebook. I may nonetheless have to start doing this.
The solution i propose, not fully understanding how jscripts execute, and the interplay with multiple tabs/windows would be to allow me to whitelist facebook jscript, but only for facebook.com domain (eg where i NEED it to access the service) and to thus implicitly deny it when other sites try to key it up.
The assumption in NoScript is that if a script is okay, then it should be okay globally regardless of whose domain is serving it. This may not be true for all jscripts. I'm okay with fb having a script while i have the fb.com tab open. i log out and close it, and i want that to be the end of FB's ability or potential ability to track my behavior.
On a side note, is anyone as pissed off as i am about how SO many sites are now stacking a dozen or more jscripts from multiple origins that are not their own? What can these webmasters be thinking running everyone and their brother's jscript on their sites with little concern over the implications... I guess $$ talks and jscripts proliferate, eh? NoScript is needed mo' than eva! BBF, LOL!
Feature Request, Sandboxing Jscript permissions
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
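The difference between a global whitelist and the site-scoped whitelist requested in the post above, as an added example that is not part of the thread and is not NoScript's code. The rule format, function names and sample URLs are assumptions made for illustration.

```javascript
// Added example: global vs. site-scoped script whitelisting.
// Rule shapes and URLs are constructed for illustration only.

// True if `host` is `domain` itself or a subdomain of it.
function underDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Global model: a whitelisted script domain runs on every page that
// embeds it. The embedding page (pageUrl) is deliberately ignored.
function allowedGlobally(whitelist, pageUrl, scriptUrl) {
  const scriptHost = new URL(scriptUrl).hostname;
  return whitelist.some((d) => underDomain(scriptHost, d));
}

// Site-scoped model: each rule pairs a script domain with the top-level
// sites on which it may run; every other combination is implicitly denied.
function allowedScoped(rules, pageUrl, scriptUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const scriptHost = new URL(scriptUrl).hostname;
  return rules.some(
    (r) =>
      underDomain(scriptHost, r.script) &&
      r.onSites.some((site) => underDomain(pageHost, site))
  );
}

const globalWhitelist = ["facebook.com", "fbcdn.net"];
const scopedRules = [
  { script: "facebook.com", onSites: ["facebook.com"] },
  { script: "fbcdn.net", onSites: ["facebook.com"] },
];

// Constructed [page, script] pairs: first-party use, third-party embed,
// and a lookalike host that must not match by substring.
const loads = [
  ["https://www.facebook.com/home.php", "https://static.fbcdn.net/app.js"],
  ["https://www.washingtonpost.com/article", "https://www.facebook.com/widget.js"],
  ["https://www.washingtonpost.com/article", "https://facebook.com.tracker.example/t.js"],
];

function compare() {
  return loads.map(([page, script]) => ({
    page, script,
    global: allowedGlobally(globalWhitelist, page, script),
    scoped: allowedScoped(scopedRules, page, script),
  }));
}
console.log(compare());
```

Only the second pair differs between the two models: the global whitelist lets the Facebook script run on the news page, the scoped rules do not.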
Re: Feature Request, Sandboxing Jscript permissions
The long-running thread Site-Specific Permissions covers this general topic, and the feature is eagerly awaited by many. In the meantime, this work-around might help:
Don't whitelist any domain involved in this issue. In NoScript > Options > General, check "Allow sites opened through bookmarks." This *should* allow the scripts from Facebook (it might not recognize fbcdn, which you might have to whitelist), while not allowing Facebook scripts at other sites.
Keep in mind that this option means that every other site in your bookmarks menu will be allowed when you click those, so make sure that you want to do that. I have some sites bookmarked for which I do *not* allow their own scripting, so I can't use this method.
FWIW, Facebook itself is a massive privacy leak ("flood" would be more accurate), and has been subject to frequent hacks, the latest being this worm. You might wish to reconsider your participation there if you value your privacy.
FWIW, when I just now went to washingtonpost.com after cleaning out the facebook history, it did *not* try to load the facebook scripts. Try using the Private Browsing feature in Firefox, *plus* RequestPolicy to prevent one site from requesting resources from another, *plus* RefControl to prevent a site from knowing which site you just came from. These will improve your overall privacy, and in a brief (not extensive) test, going from Facebook (scripts allowed) to wapo did *not* allow FB at wapo. Cheers.
N0ScriptUza wrote: who wants to click allow temporary permissions every time they go to facebook
That's really the safest solution. It takes only a couple of clicks, and solves all of your issues regarding other sites loading FB scripts. Privacy and security versus convenience -- always a trade-off. Personally, I'm willing to do the few extra clicks.
N0ScriptUza wrote: On a side note, is anyone as pissed off as i am about how SO many sites are now stacking a dozen or more jscripts from multiple origins that are not their own?
Yes.
N0ScriptUza wrote: I guess $$ talks and jscripts proliferate, eh?
Exactly.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Re: Feature Request, Sandboxing Jscript permissions
Tom, thank you for your reply, and your support of the NoScript community. I also installed those other 2 addons u suggested, refcontrol and request policy. They are great! I don't see facebook.com on wapo anymore too. May have had to do with clicking a wapo posted link from within fb. At first i thought that i should copy and paste the link in a new tab in future but...
Even more interestingly, even if right clicking copy/pasting, those posted FB links are dynamically generated PHP with some gobbly gook referencing FB and what appears to be a HASH code tacked onto the HTML link, eg: &h=2207ed97ee576274201109e9e892c5a7&ref=nf. It might reference the event of the poster creating the link so the new tab loads the right link, eg like tinyurl. OR, it's possible the hash is passed thru to the wapo server, where a perl script at wapo parses and logs the hash, which can be used to query a FB server to collect the same data. But I doubt it's a unique id tying it to MY profile, prolly just the poster if even that. In short, FB wants to know what you're clicking on (reasonable) but they'll open that up to others, prolly for an innocuous ad share, but who knows how all this data may be used some day. </tin foil hat>
And as u point out, FB scripts are clearly the devil...
Thanks again!
-D
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Re: Feature Request, Sandboxing Jscript permissions
N0ScriptUza wrote: Tom, thank you for your reply, and your support of the NoScript community. I also installed those other 2 addons u suggested, refcontrol and request policy. They are great! I don't see facebook.com on wapo anymore too.
Excellent! Glad you like them. Most of us here on the support team use these add-ons, although of course we can't guarantee or support them here; that would come from their developers.
N0ScriptUza wrote: May have had to do with clicking a wapo posted link from within fb.
Probably. Easy work-around: Either hand-type wapo in the address bar, or use a bookmark to go there. Either one avoids tying you to FB, although RefControl will do that for you also.
N0ScriptUza wrote: At first i thought that i should copy and paste the link in a new tab in future but...
Yes, but first ... (see below).
N0ScriptUza wrote: In short, FB wants to know what you're clicking on (reasonable) but they'll open that up to others, prolly for an innocuous ad share, but who knows how all this data may be used some day.
Exactly. Another way to clean up links, though it shouldn't be necessary with your new add-ons, is to copy/paste the URL, but before hitting "enter", delete everything after the URL itself: the ? and whatever comes after the ?. Read them first for legitimate info, like "lang=en-US", etc.
N0ScriptUza wrote: </tin foil hat>
NoScript, these other add-ons, and careful "safe surf" practices start building a pretty good tin hat!
N0ScriptUza wrote: Thanks again!
You're very welcome. Glad you found the suggestions useful.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
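The link clean-up described in the reply above (read the query parameters, keep the legitimate ones, delete the rest), as an added example that is not part of the thread. The `KEEP` allowlist, the function name and the sample host are assumptions; the `h` and `ref` values are the ones quoted in the thread.

```javascript
// Added example: keep only query parameters you recognise, report the rest.
// KEEP is an assumed allowlist, not a list taken from the thread.
const KEEP = new Set(["lang", "page"]);

function cleanUrl(raw, keep = KEEP) {
  const url = new URL(raw);
  // Snapshot the distinct names first so deletion does not disturb iteration.
  const names = new Set(url.searchParams.keys());
  const dropped = [];
  for (const name of names) {
    if (!keep.has(name)) {
      dropped.push(name);
      url.searchParams.delete(name); // removes every value of that name
    }
  }
  // `dropped` lets the user review what was removed before navigating.
  return { url: url.toString(), dropped };
}

// Constructed link carrying the parameters quoted in the thread.
const sample =
  "https://news.example/story.html?lang=en-US&h=2207ed97ee576274201109e9e892c5a7&ref=nf";
console.log(cleanUrl(sample));
```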