Do you Allow domains or hosts to your whitelist?

General discussion about the NoScript extension for Firefox
tarjk
Junior Member
Posts: 40
Joined: Tue Apr 01, 2014 12:28 pm

Do you Allow domains or hosts to your whitelist?

Post by tarjk »

domain = google.com
host = drive.google.com

Is it worth the extra effort to Allow only hosts to the NoScript whitelist?

Some sites, like google, have an enormous amount of hosts attached to the domain, and it is extra effort to wade through them and figure out if they are really needed or not. Although it is comforting to know that if I selectively allow hosts, landing on a page I have never seen before, even if it is at a domain I frequent, will not be able to run scripts until I approve it.

Does anyone know of any attacks that would be thwarted from only allowing hosts instead of domains? Are there scenarios where we might trust a domain but not a host on that domain?
barbaz
Senior Member
Posts: 11066
Joined: Sat Aug 03, 2013 5:45 pm

Re: Do you Allow domains or hosts to your whitelist?

Post by barbaz »

tarjk wrote:
> domain = google.com
> host = drive.google.com
>
> Is it worth the extra effort to Allow only hosts to the NoScript whitelist?
IMO yes but in some cases it's not practical. You're probably stuck allowing the whole domain if you want to allow origins along the patterns matched by this regexp

Code:

    ^[0-9A-Za-z-]+://(?:(?:specific-subdomain-1|specific-subdomain-2)\.)?doma\.in

but not *every* subdomain, and you don't want to have an ABE rule.
tarjk wrote:
> Does anyone know of any attacks that would be thwarted from only allowing hosts instead of domains?
Sure, there's lots. The only ones I know of are theoretical though. For example a CDN domain like cloudfront.net where each subdomain contains a different site's stuff, or can an attacker register a subdomain of an existing domain without the knowledge of the owner of the existing domain?
tarjk wrote:
> Are there scenarios where we might trust a domain but not a host on that domain?
"googleusercontent.com" comes to mind there - I trust the domain but not "webcache.googleusercontent.com" which contains things from the *entire* Internet :o .
In these cases you can Mark the specific subdomain as Untrusted, then Allow the domain; scripts from the Untrusted subdomain won't run.
*Always* check the changelogs BEFORE updating that important software!
-
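The post above compares three whitelist granularities: allowing a whole domain, allowing a single host, and marking one host Untrusted underneath an allowed domain, plus a regexp that admits a fixed set of subdomains without admitting all of them. The following is an added example, not NoScript's code or barbaz's; it models those rules as a small policy checker so the differences can be run against sample URLs. The three sets (`ALLOWED_DOMAINS`, `ALLOWED_HOSTS`, `UNTRUSTED_HOSTS`) are a hypothetical stand-in for the real whitelist storage, and the assumption that an Untrusted mark also covers that host's own subdomains is labelled in the code.

```python
import re
from urllib.parse import urlsplit

# Constructed policy illustrating the granularities discussed in this thread.
# The three-set layout is a hypothetical stand-in for the NoScript whitelist,
# not its real storage format.
ALLOWED_DOMAINS = {"googleusercontent.com"}                        # "Allow domain"
ALLOWED_HOSTS = {"drive.google.com", "client-channel.google.com"}  # "Allow host"
UNTRUSTED_HOSTS = {"webcache.googleusercontent.com"}               # "Mark as Untrusted"


def host_of(url):
    """Lower-cased hostname of a URL, or "" when the URL has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def in_domain(host, domain):
    """True when host is the domain itself or one of its subdomains.

    The leading dot matters: a plain endswith("googleusercontent.com") would
    also accept "evilgoogleusercontent.com".
    """
    return host == domain or host.endswith("." + domain)


def scripts_allowed(url):
    """Decide whether scripts from url's host would run under the policy above."""
    host = host_of(url)
    if not host:
        return False
    # An Untrusted mark on a host wins over an Allow of its parent domain.
    # Treating the mark as also covering that host's own subdomains is an assumption.
    if any(in_domain(host, u) for u in UNTRUSTED_HOSTS):
        return False
    # Host-level Allow is exact: drive.google.com does not imply mail.google.com.
    if host in ALLOWED_HOSTS:
        return True
    # Domain-level Allow covers every subdomain, which is both the convenience
    # and the risk the thread is about.
    return any(in_domain(host, d) for d in ALLOWED_DOMAINS)


def origin_pattern(domain, subdomains):
    """Compile a regexp in the shape barbaz posted: the bare domain plus a fixed
    list of subdomains, but not every subdomain.

    Unlike the pattern in the post, this one also requires a port, a slash or
    the end of the string after the domain, so "https://doma.in.example.org/"
    is not accepted as "doma.in".
    """
    subs = "|".join(re.escape(s) for s in subdomains)
    return re.compile(
        r"^[0-9A-Za-z-]+://(?:(?:" + subs + r")\.)?"
        + re.escape(domain)
        + r"(?::\d+)?(?:/|$)"
    )


def origin_matches(pattern, url):
    """True when url's origin is admitted by a pattern from origin_pattern()."""
    return pattern.match(url) is not None


if __name__ == "__main__":
    for u in ("https://drive.google.com/", "https://mail.google.com/",
              "https://docs.googleusercontent.com/",
              "https://webcache.googleusercontent.com/search?q=cache:x",
              "https://evilgoogleusercontent.com/"):
        print(u, scripts_allowed(u))
    pat = origin_pattern("doma.in", ["specific-subdomain-1", "specific-subdomain-2"])
    for u in ("https://doma.in", "https://specific-subdomain-1.doma.in/x",
              "https://other.doma.in/", "https://doma.in.example.org/"):
        print(u, origin_matches(pat, u))
```

Two details are worth noticing when writing rules like this by hand: the domain check needs the leading dot, otherwise a look-alike registration such as `evilgoogleusercontent.com` is covered by an allow for `googleusercontent.com`; and a regexp that stops at the domain name with nothing anchoring what follows will also match that domain used as a prefix of a longer hostname, which is why the trailing `(?::\d+)?(?:/|$)` is there.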
tarjk
Junior Member
Posts: 40
Joined: Tue Apr 01, 2014 12:28 pm

Re: Do you Allow domains or hosts to your whitelist?

Post by tarjk »

Thanks, barbaz. Great info as always.

Can you share any particular methods on how to figure out what to allow and what not to? For example, when faced with several googleusercontent.com items, like oauth.googleusercontent.com, is it just a matter of noticing something seems to not be working so you start "trying" things? Or is there a website or other resource that is a good source for education on how these different resources tie together and explains what is really needed and what is not?

I'm aware of the middle click option. But I find the only sources that seem helpful are hosts lists. If it's on a hosts list, I assume it's bad.

Recently when trying to make use of Google Docs, it wouldn't Rename a document. It finally dawned on me that I needed to allow a script. I took a guess and learned that I needed to allow client-channel.google.com. And it worked. Is this the same approach you use? Trial and error?
barbaz
Senior Member
Posts: 11066
Joined: Sat Aug 03, 2013 5:45 pm

Re: Do you Allow domains or hosts to your whitelist?

Post by barbaz »

viewtopic.php?p=75314#p75314
But after that, yeah it's usually just trial-and-error.
*Always* check the changelogs BEFORE updating that important software!
-