Allowing JS for a 3rd party site only on a given 1st party

[Sam]

Hi,

Let's say I want to permanently allow ajax.googleapis.com ONLY on a given site. How would I do this ?

Curiosity question: If that site is allowed normally (i.e. not using the solution to this thread's question), but the website I am currently on doesn't have JS enabled, will ajax.googleapis.com scripts be downloaded ? If so, will they be run ?
Looks like the answer to both questions is "no", but that could be because I checked on a site that uses JS to download and run Ajax. I'm thinking Ajax always needs to be called by the first party script otherwise it never runs, but it can be downloaded without JS. Is that correct ?


Thanks!

[barbaz]

Hi,

Let's say I want to permanently allow ajax.googleapis.com ONLY on a given site. How would I do this ?

http://noscript.net/faq#qa8_10

Curiosity question: If that site is allowed normally (i.e. not using the solution to this thread's question), but the website I am currently on doesn't have JS enabled, will ajax.googleapis.com scripts be downloaded ?

Not unless they are in an iframe from ajax.googleapis or another allowed site.

If so, will they be run ?

JS files called by the forbidden site: no
scripts inlined in or requested by an iframe from an allowed site: yes, unless you set about:config -> noscript.restrictSubdocScripting to true

I'm thinking Ajax always needs to be called by the first party script otherwise it never runs, but it can be downloaded without JS. Is that correct ?

The second part only. A simple script tag will get the ajax script to run, but it may not actually do anything if it's just defining a set of APIs that never get used.

[Sam]

Thanks.


Just to make sure I got it:

The second part only. A simple script tag will get the ajax script to run, but it may not actually do anything if it's just defining a set of APIs that never get used.

But the script tag will not run if the first party site has JS forbidden, so in that case both parts of my assumption are correct right ?


I didn't think of using ABE. I was hoping for something more straightforward like a whilelist item ajax.googleapis.com@example.com
ABE is fine though, but I'd be glad to hear it if there is a way to do it with the whitelist

[Sam]

I'm thinking Ajax always needs to be called by the first party script otherwise it never runs

Sorry bad wording, let's assume <script> tag is included in that "first party script" thing
But IFrame and anything else is not.

[barbaz]

But the script tag will not run if the first party site has JS forbidden

Sorry about the misunderstanding. No script tags on a forbidden site will run, even if the JS file originates from an allowed site.

I was hoping for something more straightforward

IIUC there will be, in NoScript 3..

[Sam]

NoScript 3 ? Yay, I wonder what's cooking now. We've been on 2.x for what feels like 5 years or more ^^
Here's hoping for an easier way to allow WebGL games to run.


Oh sorry, I forgot to ask for confirmation: A 3rd party script blocked with ABE amounts to it being forbidden in that, in the eyes of the first party, it doesn't exist. So NoScript surrogates do kick in right ?


PS: The captchas are wayyyyy too hard I failed like 10 times in a row

[barbaz]

Here's hoping for an easier way to allow WebGL games to run.

That is viewtopic.php?f=7&t=19289

Oh sorry, I forgot to ask for confirmation: A 3rd party script blocked with ABE amounts to it being forbidden in that, in the eyes of the first party, it doesn't exist. So NoScript surrogates do kick in right ?

Yes but only as of NoScript 2.6.8.27

[Sam]

Oh right! Can't believe I forgot the changelog since it is so recent. Well I'm good to go now, thanks for all the fish!

*rolls up his sleeves to take on Doom Captcha the Arch-nemesis*

(Yay, only 60 seconds to beat it this time!)

[Sam]

From the changelog of NoScript 2.6.8.31:

+ "NoScript Options|Advanced|Untrusted|Block scripting in whitelisted
subdocuments of non-whitelisted pages" user-facing preference

According to what I understood from the discussion in this thread, notably this:

Sam wrote:If so, will they be run ?

JS files called by the forbidden site: no
scripts inlined in or requested by an iframe from an allowed site: yes, unless you set about:config -> noscript.restrictSubdocScripting to true

No script tags on a forbidden site will run, even if the JS file originates from an allowed site.

There shouldn't be a need to block whitelisted subdocuments because they already can't run in a JS-disabled page. What am I missing ?

[barbaz]

There shouldn't be a need to block whitelisted subdocuments because they already can't run in a JS-disabled page. What am I missing ?

yes, they can run scripts when they're included by a JS-disabled page. that's what i meant by

scripts inlined in or requested by an iframe from an allowed site: yes, unless you set about:config -> noscript.restrictSubdocScripting to true

[Sam]

So if this necessitates an IFrame containing an allowed site, then if IFrames are forbidden there's no way for Untrusted|Block scripting in whitelisted subdocuments of non-whitelisted pages to come into play, right ?

Did I completely get it right this time ?

[Sam]

Oh f*, yes! IFrames are "subdocuments", dumbhead.
Since the changelog doesn't use the name IFrame directly, I assume there are other types of subdocuments. The question then is, what are they ? Normal Frames ? What else ?

And as long as they're all forbidden, then this feature by definition (if I read correctly) is never triggered.

[barbaz]

So if this necessitates an IFrame containing an allowed site, then if IFrames are forbidden there's no way for Untrusted|Block scripting in whitelisted subdocuments of non-whitelisted pages to come into play, right ?

I think it doesn't come into play before you click the placeholder to allow the iframe, but it would after you allow the iframe.

Since the changelog doesn't use the name IFrame directly, I assume there are other types of subdocuments. The question then is, what are they ? Normal Frames ? What else ?

Yes. In practice I've only seen it used for frames and iframes. More generally, presumably anything that is labeled by the browser as

TYPE_SUBDOCUMENT 7 Indicates a document contained within another document (for example, IFRAMEs, FRAMES, and OBJECTs).

[Sam]

I think it doesn't come into play before you click the placeholder to allow the iframe, but it would after you allow the iframe.

Yes that would be expected in that case
I turned the feature on, let's hope that it will be easy to understand why something is broken next time I need an IFrame to have JS. (It barely ever happens so I guess I'll completely forget this feature until it breaks something in an eon or two. Hope the regular NS drop down will help whitelisting the subdocument then)

Yes. In practice I've only seen it used for frames and iframes. More generally, presumably anything that is labeled by the browser as

Thank again for clearing that up. If it's basically plugins, frames and iframes, then it's fine.