I like the option to whitelist scripts based on the site that loads them, not the site they're hosted on, but could it be possible to whitelist based on pattern matches on the full URL, rather than only the scheme and domain? There are several sites that have broken JavaScript, while still requiring it. Tumblr, for instance, slows my computer down horribly and breaks the "page up/page down" function when failing to do progressive loading, but they also have separate pages whose path starts with "/image/" that display nothing but a blank if you don't enable JavaScript on the whole site. There are also services like "cloudfront.net" who attempt to ruin the NoScript project by hiding many varied scripts by many possibly dubious authors under one umbrella of a randomized prefix followed by ".cloudfront.net", and I think pattern matching might be important there, too, at least until the authors also randomize the file names of their scripts.
It looks like you'd have to add something to PolicySites.matches that iterates over a set of patterns to see if they match, and also modify SiteUtils.getSite to not strip off everything except the scheme and domain. Since JavaScript has "regular expressions" support, you could probably streamline that iteration by taking all the patterns, concatenating them with some manner of "|" and passing that to a new RegExp. (And if they compile it properly, that actually ends up as a machine coded decision tree, so with a pattern like prefixfoo|prefixbar, the second iteration would never happen if "prefix" didn't match on the first.) But I can't really submit patches, since I can't seem to find any place to get the source besides just unzipping the ".xpi", and I doubt that source hasn't been through some sort of post-processing.
Whitelisting based on full URL?
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Re: Whitelisting based on full URL?
NoScript being a security tool, this doesn't make much sense from a security standpoint because a malicious actor could just move their bad scripts around. However, it is possible to get what you want, albeit not that readily: you can use the same idea as FAQ 8.10. Except the ABE rule you'll come up with will look something like this:
Code:
# Allow active content on example.net/test/* but disallow elsewhere on example.net
Site .example.net/test/*
Accept
Site .example.net
Accept INC(SCRIPT, OBJ, FONT, XHR, MEDIA) from .example.net/test/*
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox
*Always* check the changelogs BEFORE updating that important software!
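The combined-pattern matcher proposed in the first post, sketched as an added example; it is not code from this thread or from NoScript's source. The function names, the glob syntax (`*` within one host or path segment, `**` across segments) and the sample URLs are assumptions made for illustration. Matching runs against the parsed scheme, host and path rather than the raw string, so a pattern cannot be satisfied from the query string, the userinfo part or an un-normalized `..` path.

```javascript
// Added example: full-URL allow-list compiled into one anchored RegExp.
// Hypothetical helper names; not NoScript's PolicySites/SiteUtils code.

// Escape regex metacharacters so "." in a pattern matches only a literal dot.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// "**" may cross "/" boundaries; "*" stays inside one host or path segment.
function globToSource(glob) {
  return glob
    .split("**")
    .map((seg) => seg.split("*").map(escapeRe).join("[^/]*"))
    .join(".*");
}

// Join all patterns with "|" and anchor both ends, so a pattern must match
// the whole canonical URL instead of any substring of it.
function compileAllowList(globs) {
  if (globs.length === 0) return /(?!)/; // empty list allows nothing
  return new RegExp("^(?:" + globs.map(globToSource).join("|") + ")$");
}

// Canonical form: scheme + host (with any non-default port) + normalized
// path. Query, fragment and userinfo are dropped before matching.
function canonicalUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null; // unparseable input is never allowed
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.protocol + "//" + u.host + u.pathname;
}

function isAllowed(allowRe, raw) {
  const canonical = canonicalUrl(raw);
  return canonical !== null && allowRe.test(canonical);
}

// Constructed sample allow-list: Tumblr image pages and one CDN-hosted file.
const SAMPLE_ALLOW = compileAllowList([
  "https://*.tumblr.com/image/**",
  "https://dconstructed123.cloudfront.net/js/player.js",
]);
```

As the reply notes, a path-level match only limits where active content is permitted; it says nothing about what the host serves from that path.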