can i allow a specific script but not all scripts?

[user]

hello,
i would like, if it is possible, to use noscript to allow one(!) specific script from a website/domain? The key point is that i do not want to allow all scripts from one host but only a single script.

Example:
I open a webpage. NoScript is configured to block everything and displays in the status bar that the page, for example, has two scripts (which are blocked of course).

a) Is there a possibility to click and view these two srcipts in their javascript source from the NoScript status bar? (I know that i can use mozilla to display the pages HTML source and also search and look at the srcipts.)

b) Is there a possibility to tell NoScript to allow one of the two scripts? All i find is the option to allow all scripts from one domain. I would like to have an option to view, evaluate and then allow a specific script to be executed. But only this script which i have evaluated and found to be safe.

ciao

[Tom T.]

Yes.

Use the JSView add-on. Open its menu and observe the very specific and detailed script names. You may double-click any specific script to read its actual code.

For example, among the 100+ scripts currently running in my Yahoo Mail are these:

Code: Select all

http://mail.yimg.com/zz/combo?/nq/mc/15_0_8/js/im_blue_all.js&/nq/mc/15_0_8/js/us_strings.js&/nq/mc/15_0_8/js/msgr.js
http://yui.yahooapis.com/3.1.1/build/loader/loader-min.js

Suppose for some reason I wish to allow the first, but not the second. Then use NoScript's ABE feature (if not familiar, ABE FAQ) to create a script-specific rule:

Code: Select all

Site http://yui.yahooapis.com/3.1.1/build/loader/loader-min.js
Deny

Of course, with Yahoo generally running about 100 scripts whenever I"m in email, it could get a bit tedious. But for your example of two scripts from a source, and blocking one, this should do it. Let us know how it works for you, or if you need any more help.

[user]

hi tom,
thanks for your quick and informative reply. JSView looks quite useful and handy. Also i learned some stuff about ABE now.

However, my question was rather with respect to srcipts directly defined in the HTML code like for the example below:

<script type="text/javascript">
// some code for script 1
</script>
<script type="text/javascript">
// some code for script 2
</script>

Would it be possible to allow only script1 but not script2?

As an alternative solution: Would it be possible to "tell" NoScript to allow script1 and script2 but not any other script from the same server/domain.

ciao

[Thrawn]

my question was rather with respect to srcipts directly defined in the HTML code like for the example below:
<snip>
As an alternative solution: Would it be possible to "tell" NoScript to allow script1 and script2 but not any other script from the same server/domain.

Hmm...there's no way for ABE to distinguish between different parts of the same file, and the regular script-blocking is strictly domain-based.

You could try an ABE rule like this (at the end of your USER ruleset) to allow inline scripts but block script imports:

Code: Select all

Site ALL
Deny INCLUSION(SCRIPT) from site-with-inline-scripts.com

[Tom T.]

Hmm...there's no way for ABE to distinguish between different parts of the same file, and the regular script-blocking is strictly domain-based.

You could try an ABE rule like this (at the end of your USER ruleset) to allow inline scripts but block script imports:

Code: Select all

Site ALL
Deny INCLUSION(SCRIPT) from site-with-inline-scripts.com

I could be mistaken, but I believe OP is referring strictly to inline scripts, "defined in the HTML code", rather than to scripts imported via a link, albeit a link inside the same domain/site.

@ user: Am I correct? For example, at this site I see a script in the page source code, the one that starts with

Code: Select all

<script type="text/javascript">
// <![CDATA[
	var jump_page = 'Enter the page number you wish to go to:';
	var on_page = '';
	var per_page = '';
	var base_url = '';
	var style_cookie = 'phpBBstyle';
	var style_cookie_settings = '; path=/; domain=forums.informaction.com';
	var onload_functions = new Array();
	var onunload_functions = new Array();

As Thrawn pointed out, "regular" script blocking is domain-based. I'm not a user of GreaseMonkey or Scriptish, but it's possible that you could use one of those add-ons to modify (nullify) or block that particular script. I'm not aware of any method by which NoScript could selectively block such things.

if you do try these add-ons, please let us know if they work.

@ Thrawn: You contributed a fine GM script for the team to use in banning spammers. Do you think you could write a template, at least, that OP could modify for each individual page-embedded script desired?

[Thrawn]

I could be mistaken, but I believe OP is referring strictly to inline scripts, "defined in the HTML code", rather than to scripts imported via a link, albeit a link inside the same domain/site.

Well, I was responding to this:

As an alternative solution: Would it be possible to "tell" NoScript to allow script1 and script2 but not any other script from the same server/domain.

If I understand user correctly, s/he would like to allow inline scripts, but block imported ones, even from the same domain. Hence my suggested ABE rule, which would block all script imports from that domain, but would not touch inline scripts.

I'm not a user of GreaseMonkey or Scriptish, but it's possible that you could use one of those add-ons to modify (nullify) or block that particular script. I'm not aware of any method by which NoScript could selectively block such things.

I'm not familiar with Scriptish either, but Greasemonkey, at least, should be able to search the page for that script and remove it...I've never tried it myself. Surrogate scripts (the '@' kind) could do something similar.

@ Thrawn: You contributed a fine GM script for the team to use in banning spammers. Do you think you could write a template, at least, that OP could modify for each individual page-embedded script desired?

Thanks for the compliment . I could try this if I get time...not really my area of expertise, but if I come up with something, I'll post it.

[Tom T.]

I could be mistaken, but I believe OP is referring strictly to inline scripts, "defined in the HTML code", rather than to scripts imported via a link, albeit a link inside the same domain/site.

Well, I was responding to this:

As an alternative solution: Would it be possible to "tell" NoScript to allow script1 and script2 but not any other script from the same server/domain.

If I understand user correctly, s/he would like to allow inline scripts, but block imported ones, even from the same domain. Hence my suggested ABE rule, which would block all script imports from that domain, but would not touch inline scripts.

I provided a way of using ABE to block linked scripts, by using JSView to get the exact full domain name and subdirectory for each script from a given domain. However, OP replied:

http://forums.informaction.com/viewtopi ... 714#p47714

However, my question was rather with respect to srcipts directly defined in the HTML code like for the example below:

<script type="text/javascript">
// some code for script 1
</script>
<script type="text/javascript">
// some code for script 2
</script>

Would it be possible to allow only script1 but not script2?

... which is different from

Code: Select all

<script type="text/javascript" src="./styles/prosilver/template/styleswitcher.js"></script>
<script type="text/javascript" src="./styles/prosilver/template/forum_fn.js"></script>

... in which the actuaL JS code is not present in the page, but rather imported from those links. Which all start with http://forums.informaction.com, the "same domain", as can be seen by adding back the left side:

http://forums.informaction.com./styles/ ... witcher.js
http://forums.informaction.com./styles/ ... orum_fn.js

Those are perfectly clickable links - try them! -- for which the page source code has no actual js, but calls it from those links stored elsewhere on the site's server.

@ Thrawn: You contributed a fine GM script for the team to use in banning spammers. Do you think you could write a template, at least, that OP could modify for each individual page-embedded script desired?

Thanks for the compliment . I could try this if I get time...not really my area of expertise, but if I come up with something, I'll post it.

If you were to succeed, I'd say that would be a triple (tin-foil) hat trick!