Have to allow domain of page on

[jcarerra]

I am having to allow top level domains even though I have Full Domains 'dotted' in options.

Any ideas here?

[barbaz]

Nope!

Please be more explicit. Try saying:
1) steps you follow
2) what actually happens
3) why you think that's a problem
4) what you would like NoScript to do instead

No one can have any ideas here until you provide those details.

[jcarerra]

Nope!
Please be more explicit. Try saying:
1) steps you follow
2) what actually happens
3) why you think that's a problem
4) what you would like NoScript to do instead
No one can have any ideas here until you provide those details.

1) steps you follow
I click on some link to a page, say yyy.com/whatever
2) what actually happens
The page opens but some content is missing.
I open the NoScript dropdwn and "Allow yyy.com" is shown as an available thing I can click.
I click it, and the page reloads properly this time.
3) why you think that's a problem
I think that is a problem because (see img)

4) what you would like NoScript to do instead
Actually temporarily allow the top level domain.

So, as I said, "I am having to allow top level domains even though I have Full Domains 'dotted' in options."

[barbaz]

OK, I understand the problem.

What version of NoScript are you using?

Are you sure it's not something like a "http://www.example.com/" requires content from "http://example.com/" in order to work, so only Temporarily allowing www.example.com isn't enough?

[jcarerra]

2.6.9.26

I just changed the dot to Base 2nd level...

Might that solve the issue? Are there any reasons to not do that?

[barbaz]

I just changed the dot to Base 2nd level...

Might that solve the issue?

Yes, if it's what I said. I was just guessing though...

Are there any reasons to not do that?

Well, you are allowing *everything* under that domain - this could includes things like an "analytics.example.com" subdomain or potentially user-provided content that could come from anywhere (like if you were, for some reason, to visit https://cloudfront.net/ - you would be Temp-Allowing a LOT of sites' CDNs as well as some ad/tracker sites).
Also note that this applies to every site you are redirected through as well, because NoScript treats redirect sites as having been visited for the purpose of that feature. So if you are redirected through an "undesirable" domain, the effect of automatically granting that temporary permission potentially has a broader reach than with your prior setting of "Full Domains".

Basically it's just less secure. Convenience vs. security...

[jcarerra]

OK, I understand what you are saying, and don't really like leaving such a broad scope open.

But we have no reason why I am so frequently getting the blocks when "Temporarily allow...full domains" was checked (and now I have moved the selection back to that).

[barbaz]

Can you provide an actual example URL where you see this?

[jcarerra]

Can you provide an actual example URL where you see this?

I will the next time I see it, but it hasn't happened for the last few hours.
Then again, I have been going to my 'normal" places mostly...they probably are already authorized.

[jcarerra]

I have another observation to report...
1. I clicked a bookmark to a page on a site.
A graphic on the page does not show.
Reload the page,
Graphic shows.

2. close all. try again
I clicked a bookmark to a page on a site.
A graphic on the page does not show.
drop NoScript...it has entry to allow the yyy.com --both regular full allow and temp are there

My conclusion from first scenario...
the automatic temp allow in options is not working until the SECOND page load.

Another way to look at this is that I am having to MANUALLY allow the top level domain of every place I go.

I am now feeling this is a bug [NO--see below] , or I have something really configured badly

WAIT not so!

It may actually be temp allowing WWW.yyy.com
but still asking if I want to allow yyy.com
which is correct action, and indicates it probably is auto allowing WWW.yyy.com.
But why is scenario 1 above happening?

[jcarerra]

I have verified something...

when I first hit the page (and the graphic does not show), when I look in whitelist, www.yyy.com is not there.

If I reload the page and look at the whitelist, it IS there in italics--assume italics means it is there as the temp permission as I have not clicked anything in NoScript to add it, other than the option that is checked..

But the question is, why did it take a page reload to get that temp permission and it did not happen on the initial load.

This is consistent with what I was seeing all along that caused me to start this thread.

Do you need me to do anything else to collect additional information about the phenomenon?

[jcarerra]

Can you provide an actual example URL where you see this?

http://www.mapquest.com/directions

When I first go, there is only a logo on the page and
"You must have JavaScript enabled to view MapQuest features. More information "

...AND WWW.MAPQUEST.COM IS NOT IN THE WHITELIST!!

If I do nothing more than reload the page, everything shows,
...and www.mapquest.com ==IS== in the whitelist.
It took a second pageload to get it there.

I have repeated this sequence several times on different sites, so I am now certain that it is real.
I do not know if it is unique to my installation though, nor what is is about the sites than makes/allows this to happen

Question, is NoScript built to set the temp permission and THEN automatically reload the page?

[barbaz]

I can't reproduce the problem on a clean profile, Firefox 38.0.1, NoScript latest development build, all defaults except the setting shown in your screenshot.

Please create a clean profile from scratch. Install only NoScript, leaving all defaults except the "Temporarily allow top-level sites by default" settings shown in your above screenshot.
Does the problem still exist?

If so:
You seem to be running Cyberfox, which is not an officially supported browser. Please try Mozilla Firefox or SeaMonkey.

If not:
Export your NoScript configuration using the Export button *on the very bottom* of NoScript Options, import that into a clean profile with only NoScript installed, and see if you get the issue there. If it does occur, are you able to PM me the export so we can look into this?
(Please do not PM me the export if you are not comfortable with me sharing it with Giorgio Maone and/or the other Moderators.)

[jcarerra]

OK, first let me try in real Firefox.

will report back

[jcarerra]

OK, some further strangeness...

In Firefox, on my first attempt, at first load, the mapquest link did not load ANYTHING ( not the logo or ;need javascript' words).

On REload, the site appeared as with my earlier description.

The puzzle is that at first load,
NO mapquest urls were in the whitelist (expected).
After reload, there were still none at all neither with or without the www! (unexpected)

Let me do some more experimenting. This is really strange.

If I have to, I will do the new profile thing, but for some reason I hate doing that. It isn't easy or likeable thing to do for me.