Default trust top domain with cascading permissions?

[idheitmann]

Hi folks,

I have been fiddling trying to optimize how effectively I'm using NoScript while avoiding breaking sites. I have been playing with the option to temporarily allow top-level sites by default, because I would rather that scripts hosted on the same domain are just allowed -- otherwise just about every site breaks or complains. Incidentally, I find that if I select Base 2nd level Domains, I will often still find that a site is broken - for example, I was having this issue with Amtrak and trying to trouble shoot by cycling through the settings. (I'm having a hard time reproducing the issue). Base 2nd level Domains is the most permissive option, right? am I mistaken?

But I would also love to have 3rd party scripts allowed to run on sites that I have whitelisted. My question is, when a top level site is automatically added to the temporary list, does that mean it gets treated the same as a trusted site? Because in that case, NoScript would end up allowing all 3rd party scripts on all sites by default, which is obviously not what I want and defeats the purpose of the plugin.

For example, there are so many sites that have CDNs, but I don't know if I want to whitelist Cloudfront, I'd rather the Cloudfront subdomain be allowed when I'm on a site that I trust, like Trello for example. Is this a case in which I need to use ABE? All the text based configuration is a bit intimidating for me still.

Cheers,

~i

[barbaz]

Sorry, I'm not making sense of this. "Default trust top domain with cascading permissions" is "Allow Scripts Globally". You ask this in the thread title, but you say you don't actually want?

Please help us to understand what you're trying to achieve, so that we can help you properly.

when a top level site is automatically added to the temporary list, does that mean it gets treated the same as a trusted site?

Essentially, yes.

[Thrawn]

Please help us to understand what you're trying to achieve

Sounds to me like he wants the ability to trigger cascading separately to allowing the top-level site, so that he can allow top-level sites by default, but then require further interaction to cascade all third-party sites.

Which is an interesting idea, but would complicate the interface further...it can't be the default way to cascade, since it would defeat the two main purposes of cascading (ie single-click allow, and concealing your whitelist for anonymity purposes). And allowing top-level sites by default actually isn't a very good policy; it allows anything you get redirected to, and it general it means that you're whitelisting sites before you can review them. Which rather severely undercuts the protection NoScript can give you.

[idheitmann]

Sorry if that wasn't clear. Basically what I was hoping for would be: if a site is explicitly whitelisted, then the permissions cascade; if a site is not specifically whitelisted, then only the top level is allowed. So if the answer is that:

>> "Default trust top domain with cascading permissions" is "Allow Scripts Globally"

then that answers that question: there is no difference. Which is too bad, but OK.

So, my next question is, if you don't use the top-level permission by default, then how do you avoid it being necessary to specifically allow scripts on basically every single domain you visit, and one at a time? Do you just whitelist stuff until your whitelist is enormous and you can browse smoothly? This seems like a real hassle to me.

And if I want to allow 3rd party scripts from specific subdomains without whitelisting the top level domain, how can I do that without polluting my whitelist with a zillion meaningless subdomains?

Basically I want it just to work with minimal user interaction. Does that make me a lesser nerd?

Thanks

~i

[barbaz]

So, my next question is, if you don't use the top-level permission by default, then how do you avoid it being necessary to specifically allow scripts on basically every single domain you visit, and one at a time?

Me, I simply don't bother with all that unless something I want to do doesn't work. Or if I'm doing some sort of "rich content" interaction with a site, and want to minimise the chances of a screw-up.

Otherwise, I let sleeping dogs lie.

And if I want to allow 3rd party scripts from specific subdomains without whitelisting the top level domain, how can I do that without polluting my whitelist with a zillion meaningless subdomains?

Simple, just don't whitelist scripts that won't run anyway -

Even if some of the 3rd party script sources imported by the page may be in your whitelist, no code could run because the hosting documents are not enabled.

https://noscript.net/features#basics

Basically I want it just to work with minimal user interaction. Does that make me a lesser nerd?

Who cares what that makes you? We are here to help you get working with NoScript, not to name-call.

If you're willing to cascade permissions on sites, try this on. Set NoScript in Cascading permissions mode and audit your whitelist accordingly. Then install uBlock Origin and go into its Dashboard > 3rd-party filters tab, select subscriptions to block whatever you don't want.

Now, if you want to enable some site, just one click Allow the top-level domain in NoScript and know that uBlock Origin is there handling the known undesirables. And you're done.

How's that for minimal user interaction?

[therube]

I'm not clear...

Are you using the Cascade option in Options | Advanced?

If you use that, then once you Allow a site, or I suppose too if a site is already whitelisted, then permissions will cascade just by opening or Allowing.

[Thrawn]

S/he is currently using both Cascade and 'Temporarily allow top-level sites by default', which effectively means allowing globally.

[idheitmann]

Thanks again for your help

I do already use uBlock origin, but I just leave it on default settings mostly. It had not occurred to me that there might be a way to use the two extensions more closely together. Are you suggesting that I block domains with unwanted scripts in uBlock origin?

I have been browsing with cascading turned off, because I don't actually want to allow everything globally. But an example of when this is super annoying: I land on a news site via a link -- this time it's Washington Post. There's a video on the page as well as text, but the video is loaded via some script. I have the top-level domain allowed by default, so the page itself functions fine, but when I click on the 'play' button nothing happens. I go and look in the noscript menu and there are 6 different domains I don't recognize, so I just say what the heck and hit temporarily allow all. I already feel like I've defeated the purpose of the extension at this point, and on this particular site the video starts working. But there are plenty of other occasions where I have to repeat the last step because the scripts I allowed apparently are loading another script from another domain. So now I feel like I'm defeating the purpose of the extension as well as creating a bunch of work for myself, and so I end up just not watching the videos; either that or open another browser when I want things to just work. It seems to me like the majority of sites I encounter will not function properly using this method.

Thanks for the link to the clarification in the basics, that does help.

~i

[barbaz]

Well, it's true that cascading permissions is a bit less safe. But NoScript is more than just a script blocker. Even when you allow scripts, you still have XSS filter, ABE (CSRF protection), ClearClick, secure cookie management, forcing HTTPS, etc.

NoScript's purpose is making your browser more secure. And NoScript is designed to let you allow scripts easily.

Stuff on the modern Web will break without active content. The NoScript security model is that you allow only the active content you want (more or less). Need to allow scripts to watch a video? Go ahead, feel free to do it. That's not defeating NoScript's purpose, that's using it as intended.

No, this is why you should feel like you're defeating the purpose of NoScript -

open another browser when I want things to just work.

If cascading permissions will help you avoid that, then use cascading permissions. You've still got better security than your other browser. Especially if you use something like uBlock Origin alongside NoScript.

So yes, do customise uBlock Origin to block *all* types of unwanted scripts. You'll find that the 3rd-party filters block other unwanted stuff too.