Can I get some feedback on whether I should allow based on Full Address or Full Domain?
Does Full Address provide more protection from sites pulling files off my computer (e.g., ftp://)? Or is Full Address mostly oriented towards HTTPS vs HTTP? What kind of additional protections do I gain by using Full Address--is it worth the extra hassle?
Full address vs full domain advice
Re: Full address vs full domain advice
Personally I mostly use Full Domains, to the point I don't feel the need to select to show Full Addresses in my NS menu, but that doesn't mean I can't or won't whitelist Full Addresses. I've got 3 full addresses in my whitelist, and those are all special cases where I either ONLY wanted to allow example.net itself but not *any* subdomains of example.net, *or* I want to allow only the HTTPS version (as you already pointed out).
But the main reason I don't bother is the extra menu clutter, and most of the time if I trust a site then I trust its subdomains too (or only with a few exceptions that can just go straight to Untrusted & then they'll stay Forbidden).
nwusr wrote: provide more protection from sites pulling files off my computer (e.g., ftp://)
Can you please clarify this statement? I don't understand what you mean. So you have an FTP server on your computer, or you're afraid that when connected to an FTP server it can pull files off your computer too?
*Always* check the changelogs BEFORE updating that important software!
-
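The difference barbaz describes between whitelisting a domain and whitelisting a full address, as an added example that is not part of the thread and not NoScript's own code. It is a simplified model: the entry formats and matching rules (`parseEntry`, `entryMatches`, `isAllowed`) are assumptions made for illustration, and the URLs are constructed samples.

```javascript
// Simplified model of whitelist granularity (illustration only, not NoScript code).
// Assumption: an entry with a scheme ("https://example.net") is a full address and
// must match scheme and host exactly; an entry without a scheme ("example.net")
// is a domain entry and matches that host or any subdomain, on any scheme.
function parseEntry(entry) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/]+)\/?$/i.exec(entry);
  return m
    ? { kind: "address", scheme: m[1].toLowerCase(), host: m[2].toLowerCase() }
    : { kind: "domain", host: entry.toLowerCase() };
}

function entryMatches(entry, url) {
  const e = parseEntry(entry);
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1); // "https:" -> "https"
  if (e.kind === "address") {
    // u.host keeps a non-default port, so https://example.net:8443 does not match.
    return scheme === e.scheme && u.host === e.host;
  }
  // Compare on a label boundary so "evilexample.net" is not treated as
  // a subdomain of "example.net".
  return u.hostname === e.host || u.hostname.endsWith("." + e.host);
}

function isAllowed(whitelist, url) {
  return whitelist.some((entry) => entryMatches(entry, url));
}

// Constructed sample URLs checked against the two styles of whitelist.
const byDomain = ["example.net"];
const byAddress = ["https://example.net"];
const samples = [
  "https://example.net/app.js",
  "http://example.net/app.js",
  "https://cdn.example.net/lib.js",
  "ftp://example.net/file.js",
  "https://evilexample.net/x.js",
];

function compare() {
  return samples.map((url) => ({
    url,
    domainEntry: isAllowed(byDomain, url),
    addressEntry: isAllowed(byAddress, url),
  }));
}

console.table(compare());
```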
Re: Full address vs full domain advice
Well, I'm not as computer smart as you. But I read about Russian malware that was thru some advertisement and it was pulling files off people's computers. I was worried that if I whitelist sub.domain.net and not http://sub.domain.net I'm opening myself up to some malware manipulation that can pull a file off my computer. Like sometimes I've seen ftp:// in the address bar, for example. Maybe the full address would not protect against this, this was the nature of my question.
Re: Full address vs full domain advice
I doubt that that is related to allowing full addresses vs subdomains. For starters, NoScript is all about blocking active content on web pages - and as far as I know, there's no such thing as a page including a script via the FTP protocol.
NoScript isn't a general-purpose firewall or application access control system. It just restricts web pages.
The good news is, tainted advertising will typically be blocked by NoScript, simply because it's being served from a domain that you haven't chosen to trust. Unless you use unsafe features like 'Scripts Globally Allowed', or 'Allow all this page', or 'Cascade permissions to third-party scripts', you should be quite safe.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Re: Full address vs full domain advice
nwusr wrote: I read about Russian malware that was thru some advertisement and it was pulling files off people's computers.
That was via an exploit targeting Firefox through its builtin PDF Viewer, nothing to do with ftp or granularity of what you Allow in NS or anything else.
So to answer your question, whether or not you Allow based on Full Addresses would have no effect against something like it.
Thrawn wrote: as far as I know, there's no such thing as a page including a script via the FTP protocol.
I don't see why, in theory, that's impossible... but NoScript inclusionTypeChecking would probably catch it right?
In any case, still irrelevant to the OP's question.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Full address vs full domain advice
@Thrawn & barbaz:
when I first heard of that Russian exploit, I immediately thought of NoScript's built-in ABE protection (i.e., SYSTEM). Do you guys know enough about the exploit to know if the ABE setting would have provided protection?
Site LOCAL
Accept from LOCAL
Deny
Re: Full address vs full domain advice
I don't know a lot, but I would be very surprised if ABE would have helped.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Re: Full address vs full domain advice
I don't really know anything about the exploit but I doubt that ABE would have helped unless you had already had a rule blocking the specific domains used to serve the exploit (it was said that ABP mitigated it, so surely ABE could do the same with the right configuration).
So I second Thrawn's suggestion that the rule you posted would likely have no effect there.
(see also viewtopic.php?f=19&t=21134 )
*Always* check the changelogs BEFORE updating that important software!
-