a suggestion: making NS whitelist more flexible

[江3如此多娇]

https://github.com/arantius/karma -blocker/wiki/Configuration

Karma Blocker allow whitelist or blacklist based on host；NS can also achieve some similar behavior as the KB rules below, like "forbid sciprt/object and other active content unless comes from https", like "forbid 3rd-party scripts"（default）,

[Group]
name="HTTPS"
score=-4
rule=$url.scheme=='https'

[Group]
name="3rd-Party"
score=4
rule=$thirdParty==true
----------------------------------------------------------------------
the rule below can also achieved by NS
[Group]
name="Whitelist 2rd-level TLD"
score=-5
rule=$origin.host$='.gov.cn'
rule=$origin.host$='.edu.cn'

-----------------------------------------------------------------------
but not flexible enough，such as some top-level domain or regex whitelist/blacklist.

[Group]
name="Whitelist TLD"
score=-7
rule=$origin.host$='.org'
rule=$origin.host$='.gov'
rule=$origin.host$='.edu'

[Group]
name="Adult Sites"
score=4
rule=$origin.host$='.xxx'

[Group]
name="non-CDN"
score=4
rule=$url.host=~'cpro|share|widget'

[Group]
name="Whitelist host: CDN"
score=-4
rule=$url.host=~'cdn|image|static|libs'

[Group]
name="White-Keywords (Partial)"
score=-3
rule=$url.host=~'wiki[\b_-]|[\b_-]wiki'

[Group]
name="3rd-Party Adservers"
score=8
match=all
rule=$thirdParty==true
rule=$url.host=~'\.ads??[a-z]+\.(com|net)$'

hope Giorgio Maone could think about it

[access2godzilla]

Use the ABE (http://noscript.net/abe/) if you want the blocking.
Unfortunately, as Giorgio has said elsewhere, ABE was only made to block CSRF, and the system of weight-based filtering won't be implemented in ABE (well, unless he has changed his mind recently).

[Thrawn]

NoScript is not an ad-blocker. It is a security tool, first and foremost. Blocking ads that rely on active content is a bonus. Either a website is going to attack you, and should be blocked, or it is not, and can be allowed.

As the original poster pointed out, there are already addons to do weighted filtering (as well as blacklist-based filtering, and pretty much every other kind of ad-filtering). Adding this to NoScript would not help its real purpose of improving security.

[江3如此多娇]

NoScript is not an ad-blocker. It is a security tool, first and foremost. Blocking ads that rely on active content is a bonus. Either a website is going to attack you, and should be blocked, or it is not, and can be allowed.

As the original poster pointed out, there are already addons to do weighted filtering (as well as blacklist-based filtering, and pretty much every other kind of ad-filtering). Adding this to NoScript would not help its real purpose of improving security.

I don`t want to use NS as an ad-blocker, that`s the reason why I had not mentioned any $url.path or $origin.path patterns as:

rule=$url.path=~'[\b_]ad(?:frame|sense|server?|sonar|space|spot|swizz|system|techfront|topbanner|track|network|marvel|framesrc|partner|placement|result|river)??s?[0-9]*[\b_]'
rule=$url.path=~'[\b_](?:banner|housead|pop|poptest|publisher|sponsor)s?[0-9]*[\b_]'
rule=$url.path=~'[\b_](?:analytic|s_code|track|urchin|webtrend)(?:s|er|ing)??[0-9]*[\b_]'

Because NS is based on the site/host(1st or 3rd party)，there are some CDNs needed to be allowed (http://forums.informaction.com/viewtopic.php?f=7&t=268) even though "temp allow 2nd level domain", and I used to do that with a big whitelist as follows:
user_pref("noscript.subscription.trustedURL", "https://gist.github.com/jiang3/cdf9e04c ... -Whitelist");//可信名单的订阅URL？
but that`s not efficient ;
Beside, I often surf adult sites by googling "亚洲色图" (&safe=off)，I want to blacklist the result sites for safe， but the result is changeable， So Why not use a regex method in NS as follows：

[Group]
name="non-AV"
rule=$origin.host$='.hao123.com'
rule=$origin.host$='.hao123img.com'

[Group]
name="AV"
rule=$origin.host=~'([0-9]{2,}[a-z]+|[a-z]+[0-9]{2,}[a-z]*)\.com$'

[Thrawn]

Because NS is based on the site/host(1st or 3rd party)，there are some CDNs needed to be allowed (http://forums.informaction.com/viewtopic.php?f=7&t=268) even though "temp allow 2nd level domain", and I used to do that with a big whitelist as follows:
user_pref("noscript.subscription.trustedURL", "https://gist.github.com/jiang3/cdf9e04c ... -Whitelist");//可信名单的订阅URL？
but that`s not efficient ;

What's wrong with it?

Beside, I often surf adult sites by googling "亚洲色图" (&safe=off)，I want to blacklist the result sites for safe， but the result is changeable， So Why not use a regex method in NS as follows：

[Group]
name="non-AV"
rule=$origin.host$='.hao123.com'
rule=$origin.host$='.hao123img.com'

[Group]
name="AV"
rule=$origin.host=~'([0-9]{2,}[a-z]+|[a-z]+[0-9]{2,}[a-z]*)\.com$'

I'm having some difficulty understanding here due to the language barrier, but if you want regex-based rules, then you're looking at ABE.

Whitelisting based on a regex is dangerous, however, because if you don't write the regex very carefully, then someone might be able to set up another site that matches the regex and use it to attack you. You should always know in advance which sites you're whitelisting.

[江3如此多娇]

What's wrong with it?

I'm having some difficulty understanding here due to the language barrier, but if you want regex-based rules, then you're looking at ABE.

Whitelisting based on a regex is dangerous, however, because if you don't write the regex very carefully, then someone might be able to set up another site that matches the regex and use it to attack you. You should always know in advance which sites you're whitelisting.

the subscription is large, when I open the NS`s setting UI -> Whitelist, it will be responseless for seconds, so i guess, too many sites in NS would slow down it.

the second reason/example means: many Chinse AV sites have a similar pattern in host - that`s mixing random number with english letters in host, e.g.
www.384a.com
www.29mlw.com
www.vvv29.com
www.855dd.com
... a lot in google result. If using regex, I can easily block the JS form those sites even if allowing scripts globally.

you and access2godzilla adviced me using ABE, I think that`s feasible and i will try it first, and appreciate again for your answers and advices

[Thrawn]

OK then.

Here's a possible ABE rule:

Code: Select all

Site ^https?://www\.[a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9]?\.com/.*
Deny INC

By the way, you shouldn't need to open the Whitelist tab most of the time. But yeah, I suppose a long whitelist could become a performance hit. Do all those sites really need JavaScript?