option to prevent new sites from being whitelisted on update

[Thencent]

Upon installing NoScript, I remove all domains from the Whitelist tab, leaving only the Firefox "about:" etc. items in the list. Unfortunately, NoScript adds new domains to the list sometimes when updating. Could you please provide an option (whether in about:config or the UI) to prevent domains from being automatically added to the list? I don't mind if new "about:" type items are added to the list.

[therube]

If you created a user.js file & added this, does that do it?
user.js overriding other settings, hopefully.

user_pref("capability.policy.maonoscript.sites", "");

(Actually suppose you'd have to edit out everything from the existing list except for the about: entries.)

Perhaps this:

Code: Select all

user_pref("capability.policy.maonoscript.sites", "about: about:addons about:blank about:blocked about:certerror about:config about:crashes about:home about:memory about:neterror about:plugins about:privatebrowsing about:sessionrestore about:srcdoc about:support blob: chrome: moz-safe-about: resource:");

[Thencent]

I see a couple issues with your suggestion ...

First, it would be nice if a user wouldn't have to keep track of when new Firefox "about:" pages are added and manually add them to the list.

Second, I'm not sure when user.js is executed in relationship to when NoScript modifies the about:config entries ... my guess is that on first run (at least) the new domains wouldn't be removed because user.js is executed first.

[therube]

> it would be nice if a user wouldn't have to keep track of when new Firefox "about:" pages are added

Maybe if there were separate Prefs, one for about: & the like & a separate one for actual whitelisted domains. Then you could just nix the second & be done.

> I'm not sure when user.js is executed in relationship to when NoScript modifies the about:config entries

Nor I.
But you can test & see .


(Wonder what happens with Tor if you were to update to a newer NoScript version?)

[barbaz]

Unfortunately, NoScript adds new domains to the list sometimes when updating.

What domain(s)?
From what version to what version did you update NoScript?

Note this code in components/noscriptService.js:

Code: Select all

  onVersionChanged: function(prev) {
    // update hacks
    var versions = {
      "2.1.1.2rc6": {
        "hotmail.com": "wlxrs.com", // required by Hotmail/Live webmail
        "google.com": "googleapis.com gstatic.com", // required by most Google services and also by external resources
        "addons.mozilla.org": "paypal.com paypalobjects.com" // required for the "Contribute" AMO feature not to break badly with no warning
      },
      
      "2.2.9rc2": {
        "addons.mozilla.org": "persona.org"
      },
      
      "2.4.9rc2": {
        "!browserid.org": "persona.org"
      },
      "2.5.9rc3": {
        "live.com": "gfx.ms afx.ms" // fully Microsoft-controlled (no user content), now required by MS mail services
      },
      "2.6.5.9rc2": {
        "live.com": "sfx.ms" // fully Microsoft-controlled (no user content), now required by MS mail services
      },
      "2.6.6rc5": {
        "live.com": "outlook.com live.net" // fully Microsoft-controlled (no user content), now required by MS mail services
      },
      "2.6.9.4rc1": {
        "vimeo.com": "vimeocdn.com" // no movie will play anymore without this
      }
    };
    
    for (let v in versions) {
      if (this.versionComparator.compare(prev, v) < 0) {
        let cascading = versions[v];
        for (let site in cascading) {
          let newSite = cascading[site].split(/\s+/);
          let replace = site[0] === "!";
          if (replace) site = site.substring(1);
          if (this.isJSEnabled(site)) { 
            this.jsPolicySites.remove(newSite, true, false);
            this.setJSEnabled(newSite, true);
            if (replace) this.jsPolicySites.remove(site, true, false);
          }
        }
      }
    }
  },

If it happened other than one of those updates and the changes weren't as specified, either you've found a bug or something else is tampering with your whitelist; otherwise, it's by design.

Could you please provide an option (whether in about:config or the UI) to prevent domains from being automatically added to the list? I don't mind if new "about:" type items are added to the list.

+1 bigtime, but I don't think it's technically possible. NoScript is just a browser extension, so it can't do anything that other components of the browser can't do. Any malicious anything with sufficient privileges could find a way to add its domain(s) to the NoScript whitelist and override whatever protection is in place.

[Giorgio Maone]

Please check latest development build 2.6.9.7rc1, thank you.

[barbaz]

... oh, Thencent didn't mean generically.
Nice, thanks Giorgio!