Add a subscription for white/black-lists

[iDrugoy]

any news?

[iDrugoy]

this idea was forgotten?

[d00dyhead]

hope it wasn't forgotten. still hoping to see it implemented.

[iDrugoy]

A year has passed. Nothing changed.
Giorgio, why?

[jago25_98]

It is true that convenience is antagonistic to security. Certainly, subscribing to someone else's analysis of what is and isn't safe is a security compromise.

So, what have we learnt from this thread?

1) Blacklisting becomes unwieldly
2) Whitelisting by subscribing to someone else's list is a risk. But also it is subscribing to their preferences - they might have different needs to you; i.e. they might be browsing in a chroot environment like VMWares Browser appliance.

However,
the problem is still there. That is:

- the workload of reading javascript manually for every site is too high.
For many people who don't bother much with security (perhaps interested in noscript for saving bandwidth), they might just remove noscript and fall back to image and flashblocking.

- The work in determining what is and isn't safe is being duplicated.
I know that when I'm browsing on Facebook thousands of other noscript users have already sifted through the Javascript.
Wouldn't it be nice to share that knowledge?

There are dangers in sharing this knowledge if there is a single source of failure such as a subscription list. So how do we mitigate for that? -through democratic controls in a p2p (aka Hive way). A Firefox extension called PropertyBee does this in a simple, non democratic way. Could this be extended? Sure, there could be disagreement over what is and isn't safe, could we err on the side of caution and still have a few sites everyone agrees are safe?


Right now though, why not post your whitelist rules here for all to comment on?

[qayuj]

I really would like to see this feature too. Most of the time I spend whitelisting domains which allows me to access the basic functionality of a website. As stated in this post the source code is available in the .xpi file (unzip -> chrome/noscript.jar), so we could add it. For the time being, I think we have to come up with a whitelist creation process anyway => create by single users, democratic, technocratic etc.

Giorgio, thanks for the add-on btw!

[iDrugoy]

@al_9xSo I just wonder isn't it in his priority list?

It is, but I've got higher priorities too.

Any news?

[Giorgio Maone]

@al_9xSo I just wonder isn't it in his priority list?

It is, but I've got higher priorities too.

Any news?

Not yet: current top priorities are 1) Android native UI compatibilit 2) investigation on new Clickjacking techniques and countermeasures 3) Chrome porting

[iDrugoy]

Not yet: current top priorities are 1) Android native UI compatibilit 2) investigation on new Clickjacking techniques and countermeasures 3) Chrome porting

Too bad.
When you reach these 3 goals - there will appear more platforms/browsers to port to

[tlu]

Not yet: current top priorities are 1) Android native UI compatibilit 2) investigation on new Clickjacking techniques and countermeasures 3) Chrome porting

Giorgio, I wonder why you didn't include Noscript 3 desktop version. Is it postponed

[GµårÐïåñ]

All the changes and upgrades to NS will ultimately culminate to what is designated as NS 3.x and given the impracticality of global whitelist/blacklists, it shouldn't be and I would be very surprised for this product if it ever is on a high priority list. It is at best a nice to have feature that is not critical and given such variety of online practices and user behavior, the list based system will undoubtedly be slow, introduce unnecessary issues, ineffective for the masses (payoff v. work that goes into implementing it) and be simply a reason for users to get complacent and lazy. How about we let NS do what its good at and that is to protect us against REAL threats rather than cater to the set-it-and-forget-it style of security.

[Giorgio Maone]

Not yet: current top priorities are 1) Android native UI compatibilit 2) investigation on new Clickjacking techniques and countermeasures 3) Chrome porting

Giorgio, I wonder why you didn't include Noscript 3 desktop version. Is it postponed

Yes it is, as a consequence of the forced changes which NSA is undergoing because of the sudden move of Mozilla to drop Electrolysis in favour of the Java-native Android shell.

[tlu]

[
Giorgio, I wonder why you didn't include Noscript 3 desktop version. Is it postponed

Yes it is, as a consequence of the forced changes which NSA is undergoing because of the sudden move of Mozilla to drop Electrolysis in favour of the Java-native Android shell.

Thanks. I had read before that E10 was put on hold - a decision which I regret. I had already suspected that that decision might cause problems for you. Does that mean that you have to completely rewrite NS 3 (or, at least, large parts of it)?

[RAW]

Hi Giorgio,

thanks so far for implementing this feature. I'm like to use it with our corporate client PCs, in order to deploy our domains and those of our customers to be trusted as part of our business. The subscription will be created by our support system every day.

Is there any way to reject domains, which were trusted before? This would be necessary e.g. if a customer quits.

As far as I can see, the contents of the subscription list is being merged with "capability.policy.maonoscript.sites" resulting in a mix of subscripted and own declared trusts. Wouldn't it be better to devide those lists?
The solution could be to leave the own declarations in "capability.policy.maonoscript.sites", import the subscription to a new variable (which will be overwritten on each import) and add the variable to "capability.policy.maonoscript.sites".

I'm not sure if this is possible at all. Please regard this as a suggestion.

Thanks in advance and have a happy Easter weekend!