JavaScript CDNs to add to whitelist

[t3g]

In the NoScript whitelist, you have the googleapis.com domain whitelisted which is helpful for accessing fonts and JavaScript on that domain normally since it is a trusted domain. With that in mind, there are a few other domains which serve open source JavaScript from their CDNs. They include:

* ajax.aspnetcdn.com
* cdnjs.cloudflare.com
* code.jquery.com
* yandex.st

I would say those are the top ones for now, but there are some other ones that aren't required but to keep in the back of your mind for the future:

* mootools.net (Libraries from developer site)
* prototypejs.org (Libraries from developer site)
* tinymce.cachefly.net (TinyMCE CDN)
* vjs.zendcdn.net (VideoJS CDN)

[Thrawn]

Giorgio doesn't generally add CDNs to the default whitelist. I'm not sure why he added googleapis.com, except that google.com is already on the default whitelist (so people can use GMail to get support), and googleapis.com is controlled by Google anyway.

I doubt he'll add many others. It's generally up to you to add the ones you trust.

[t3g]

These aren't standard, run of the mill CDNs. They specifically serve free software and open source compliant JavaScript libraries for a big portion of the internet. If this is a JavaScript extension and you can have the option to allow FLOSS JavaScript libraries, then what is big issue?

[Thrawn]

The issue is that Giorgio usually leaves security decisions up to each user. If you trust those sites, then whitelist them. But some people might not choose to, for various reasons, and that's their own business.

The default whitelist is for sites that need to be allowed for some compelling reason - like addons.mozilla.org - plus a couple of Giorgio's own sites (because if you don't trust him, then you shouldn't be installing his software on your computer).

[t3g]

So the googleapis.com CDN is trusted just because it is Google? The developer seems to be very shortsighted in what is right and not. Yes, it is true that you can add sites to your whitelist, but there be some reconsideration on what is there by default.

[Thrawn]

Google is trusted so that new users can use GMail to contact Giorgio for support.

[t3g]

NoScript prides itself on being free software, but then in return blocks a lot of it by default.

[Giorgio Maone]

* ajax.aspnetcdn.com
* cdnjs.cloudflare.com
* code.jquery.com
* yandex.st

I would say those are the top ones for now, but there are some other ones that aren't required but to keep in the back of your mind for the future:

* mootools.net (Libraries from developer site)
* prototypejs.org (Libraries from developer site)
* tinymce.cachefly.net (TinyMCE CDN)
* vjs.zendcdn.net (VideoJS CDN)

Sorry for chiming in so late.
I think I'm gonna add them for new installations and for users who kep googleapis.com in their whitelist (which hints they're not paranoid about JS lib CDNs).

[EDIT]
Done in latest development build 2.6.8, thanks.

[barbaz]

I think I'm gonna add them for new installations and for users who kep googleapis.com in their whitelist (which hints they're not paranoid about JS lib CDNs).

Sorry Giorgio but for users who have changed the whitelist at all, I really don't think NoScript should be tampering with the whitelist behind their backs with basically no notice. I was quite unhappy when I found extra sites in my whitelist after updating to the latest RC. Once users configure their whitelist we expect it to stay as is, we don't expect it to change on us, and we *especially* don't expect NoScript to randomly add sites, no matter how "safe" they are, without asking us first.

Please, back out the changeset that modifies the whitelist for users who have already changed it but just happened to leave googleapis, or at the very least add a dialog asking the user to confirm such automatic modifications, including this, to the whitelist, thus keeping the philosophy NoScript was built on: informing the user what is going on and giving control back to the user. Thanks in advance.

[Giorgio Maone]

Please, back out the changeset that modifies the whitelist for users who have already changed it but just happened to leave googleapis

Fair enough, done.

[barbaz]

Thanks Giorgio, I really appreciate that you are willing to listen to your users and keep NoScript on a good pathway.

[Thrawn]

I'd still be OK with adding them for new installations.

NoScript prides itself on being free software, but then in return blocks a lot of it by default.

That was a cheap shot, and unworthy of the free software movement.

Besides, you should know that the whole point of free software is that the end user is in control of what the software does. If you trust those sites, then whitelist them, and encourage your friends to do likewise. But don't criticise Giorgio if he doesn't impose your choice on everyone.

[t3g]

Thanks for the consideration of those CDNs! I love NoScript and I think its great that you listen to your users for future updates. Especially the adding of http://cdnjs.cloudflare.com which has a lot of libraries the Google one doesn't like Modernizr, html5shiv, and Respond.js. They also host fonts like the excellent Font Awesome .

[barbaz]

* vjs.zendcdn.net (VideoJS CDN)

This domain appears to be a typo. The real VideoJS CDN is located at vjs.zencdn.net
(ref: https://github.com/videojs/video.js/blo ... s/setup.md)

@Giorgio: please replace the vjs.zendcdn.net with the vjs.zencdn.net in all users' whitelists with the next NoScript update, for both dev channel and release channel, thanks.

[Giorgio Maone]

Sorry for the difference with the beta channel, but AMO's signing process is still quite buggy and among other bugs there's one which makes pushin betas for automatic updates way more difficult than doing this for stable versions (quite the opposite of what should be).
Anyway, latest development build with the whitelist-related changes is on noscript.net, and I've asked AMO admins to manually push it for automatic update, but since many are traveling from their Whistler work-week I'm not sure it's gonna happen immediately.
Thanks for your patience.