NoScript allowing sites that I visit in another tab?

[matthewdavis]

Firefox 25.0 (64-bit)
Windows 7 (64-bit)
NoScript 2.6.8.4

I keep my noscript config fairly generic. However, I change the temp allow top level domains to 'Base 2nd level'.

When I was visiting one site that had a few sites blocked, I wanted to see what was being blocked (to know if it was a site I really wanted to block or not). So I opened a new tab and visited that domain. Stupid move? Maybe. But I refreshed the original page, and the domain I visited (to checkout) is now no longer being blocked.

For example, I was on domain.com. After visiting domain.com, I noticed domain2.com was being blocked. I navigated to domain2.com in another tab. Then refreshed the tab for domain.com, and domain2.com is no longer blocked. By visiting domain2, I white listed it for my session. I never actually told noscript to whitelist domain2.com.

is this intentional due to the initial change I made to allow all 2nd level domains?

Edit: clarified my instructions.

[therube]

Are you sure you wanted:

Options | General -> Temporarily allow top-level sites by default...

& not

Options | Appearance -> Base 2nd level Domains

?

If the former, then what you described is exactly what it should have done.

> After visiting domain.com, I noticed domain2.com was being blocked

Correct.

> navigated to domain2.com in another tab

At that point, because you 'allow top-level sites by default', & as you loaded it directly, it was then a top-level site, so Allowed.

> Then refreshed the tab for domain.com, and domain2.com is no longer blocked

Correct.
You allowed it by visiting it.

> I never actually told noscript to whitelist domain2.com

But you did, earlier.
You said to "allow top-level sites by default".


Allow top-level sites by default, would be considered, IMO, dangerous.
Setting, Options | Appearance -> Base 2nd level Domains, is fine (& I'm pretty sure, the default).

[matthewdavis]

Are you sure you wanted:

Options | General -> Temporarily allow top-level sites by default...

& not

Options | Appearance -> Base 2nd level Domains

?

If the former, then what you described is exactly what it should have done.

No, that's what I wanted. I want it to default allow *.domain.com when I visit the domain. That's made my experience a bit less cumbersome (I get the privacy vs. usability paradigm).

> I never actually told noscript to whitelist domain2.com

But you did, earlier.
You said to "allow top-level sites by default".


Allow top-level sites by default, would be considered, IMO, dangerous.
Setting, Options | Appearance -> Base 2nd level Domains, is fine (& I'm pretty sure, the default).

I just never thought it through before. Thank-you for the clarification. I had this idea in my head that tabs were segregated. And activity in 1 tab didn't impact the activity in the other. I still don't like it, but now I know. Thank-you!

[Thrawn]

I had this idea in my head that tabs were segregated. And activity in 1 tab didn't impact the activity in the other.

Not at all!

The only 'isolation' is that you can disable the auto-refresh of all tabs when permissions change.

But there are no per-tab permissions.

And from a security perspective, they wouldn't be all that helpful anyway. One malicious tab is enough to attack you, and 20 safe tabs are not.

[matthewdavis]

Thanks all for the clarification. Makes more sense now. May revisit the 'allow top level domain' setting afterall.