Temporary allow second level domains

Bug reports and enhancement requests
Post Reply
anyone
Posts: 5
Joined: Tue Jul 08, 2014 1:28 pm

Temporary allow second level domains

Post by anyone »

Hey,

wow, the spamfilter just ate my whole post.
So, I don't know if it's a bug, a missing feature or if it's me missing something, so this is more a description of the problem. It relates to NoScript version 2.6.8.31.

When using some websites (e.g. kickstarter, example: the videos on https://www.kickstarter.com/projects/ai ... ports-dron ) parts of them are hosted on cloudfront, so the domain is like yyyyyyyyy.cloudfront.net, where the y-part is dynamic on page reload. That means to use the site I would like to temporarily allow the whole second-level domain (cloudfront.net). But in the context menu only the complete domain is shown. NoScript is configured to offer second-level-domains only.

I then tried to manually add a temporary entry to the whitelist, but the configuration dialogue only offers you to add permanent permissions. This could be improved to also offer temporary addition, maybe even switching an entries life san between permanent and temporay (e.g. via extra-button or even better context menu).

Thanks for feedback and or correcting the problem.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Temporary allow second level domains

Post by Thrawn »

anyone wrote:That means to use the site I would like to temporarily allow the whole second-level domain (cloudfront.net).
Don't do that. Cloudfront is a hosting provider. Their subdomains could be hosting anything at all. Only allow the specific domains that you need.
I then tried to manually add a temporary entry to the whitelist, but the configuration dialogue only offers you to add permanent permissions. This could be improved to also offer temporary addition, maybe even switching an entries life san between permanent and temporay (e.g. via extra-button or even better context menu).
I can't see a strong use-case for temporarily allowing something via the Options dialog. Temporary permissions are really only useful when you aren't yet sure what you'll need to make a site work. Or if you're really paranoid and never permanently allow anything - in which case, you definitely won't want to allow all of cloudfront.net.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
anyone
Posts: 5
Joined: Tue Jul 08, 2014 1:28 pm

Re: Temporary allow second level domains

Post by anyone »

Thrawn wrote:Don't do that. Cloudfront is a hosting provider. Their subdomains could be hosting anything at all. Only allow the specific domains that you need.
I agree that the permission is far too wide, but as the prefix I described above is neither descriptive nor spefific for the content provided (almost guid-style, e.g. fnm1138hgcm1.cloudfront.net) and changes on page reload and following links on a page. Therefore I cannot permit only a specific subdomain. So allowing the whole second-level-domain (and revoking that permit when leaving the site) is the only option imho. Or do I miss something here?

Still there is no explaination why the context menu won't offer me to add a second-level-temp-permit when it is configure to give that option. Could you please elaborate on that?

Thanks in advance.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Temporary allow second level domains

Post by Thrawn »

There are some second-level domains that are treated as top-level domains, for exactly this kind of reason. Blogspot is one, eg the Google blog; you won't be offered the option to whitelist all of Blogspot. Different blogs are essentially different sites - they are owned by different people - so they are treated that way. Cloudfront is the same.

I would be surprised if there is no pattern at all to the Cloudfront domains that are used. If you refresh a few times, I suspect you'll find that they start to repeat. But if not, then you can use an ABE rule to protect yourself. You would need to allow cloudfront.net via the Options dialog, then add to ABE (in the USER ruleset):

Code: Select all

Site .cloudfront.net
Accept from https://www.kickstarter.com/projects/airdog/*
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:30.0) Gecko/20100101 Firefox/30.0
anyone
Posts: 5
Joined: Tue Jul 08, 2014 1:28 pm

Re: Temporary allow second level domains

Post by anyone »

That sounds reasonable. Ty very much!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Temporary allow second level domains

Post by barbaz »

anyone wrote:switching an entries life san between permanent and temporay (e.g. via extra-button
+1 to this feature. I've just run into a valid use case for it:
1) You give temporary permissions to a site, to see what works and what doesn't. You intend to go back to that site later.
2) You figure the correct permissions, and want them to be permanent, but you forget to click "Make page permissions permanent". You leave the site, but you can't go back there right away to correct your mistake, or the site changes in a rotating way and you don't want to reload and reload.
3) So to try to fix your mistake, you go to NoScript Options -> Whitelist, where you can see that the entry has temporary permission, but it turns out that isn't what you wanted. The GUI offers no way to copy the domain name to (eventually) paste into the box to Allow it, and there's no way to say "make this permission permanent"...


Not relevant as of NoScript 2.6.9.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:29.0) Gecko/20100101 SeaMonkey/2.26.1
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Temporary allow second level domains

Post by Thrawn »

If you use sticky menus, then you should be able to return to the site, then forbid and permanently allow each domain without reloading. NoScript is smart enough to recognise that the effective permissions haven't changed and skip the reload. (Or you could just disable auto-reloading completely, like I do.)
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Temporary allow second level domains

Post by barbaz »

Thrawn wrote:If you use sticky menus, then you should be able to return to the site, then forbid and permanently allow each domain without reloading. NoScript is smart enough to recognise that the effective permissions haven't changed and skip the reload.
Yes, I use the sticky menu, and that's exactly how I handle it most of the time. This was a bit of an edge case.
Not relevant as of NoScript 2.6.9.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0 SeaMonkey/2.30a1
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Temporary allow second level domains

Post by Thrawn »

Hmm. Maybe the simplest solution to this is: when you click 'Revoke Temporary Permissions' in the Whitelist tab, NoScript could put the removed domain name in the input field. What do you think?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Temporary allow second level domains

Post by barbaz »

Thrawn wrote:Hmm. Maybe the simplest solution to this is: when you click 'Revoke Temporary Permissions' in the Whitelist tab, NoScript could put the removed domain name in the input field. What do you think?
Good idea, except in this case it was more than one domain.
Not relevant as of NoScript 2.6.9.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0 SeaMonkey/2.30a1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Temporary allow second level domains

Post by barbaz »

Yet another use case for being able add temporary permissions manually through NS Options -> Whitelist: viewtopic.php?f=7&p=71217#p71208
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; OpenBSD amd64; rv:26.0) Gecko/20100101 Firefox/26.0 SeaMonkey/2.23
Post Reply