Hannibal wrote:Thanks for the explanations
To make sure I got it right: Is #2 (noscript.cascadePermissions) kinda similar to "allow all this page" except it works on a domain instead of just a page ?
It works on any page, i.e. if the top-level document origin is whitelisted, all the scripts imported by it and by its subdocuments are allowed to run independently from their actual origins, which on the other hand these don't get automatically whitelisted: if there's another tab with the same 3rd party scripts but whose top-level document origin is not whitelisted, its scripts won't run.
therube wrote:
Isn't #1, when set to True, the way things were some time ago (maybe a long time ago)?
Nope, each frame used to have (and has) the same permissions on desktop NoScript, unless noscript.docShellBlocking is true (which is not the default and is deprecated anyway).
NSA at this moment uses a mechanism akin to noscript.docShellBlocking (but will change as soon as I find the time to put it back on its rails), therefore works more or less the way you say.