Editing whitelist site prefixes: https vs http vs neither

[JMThomas]

Exporting the whitelist (which carries the exception list at its end), I see several groups.

The first group has no protocol at the start of each entry.

Following groups have pseudo protocols "abline:" and "about:"; then come groups with protocols "file://", "http://", and "https://" preceding the entry.

Most, but not all, sites appear 3 times, with prefixes: 1) no protocol, 2) "http://", and 3) "https://".

Question: As I edit the list, do I need to add a new site 3 times? Or would it be sufficient to just add it once without a prefix.

In other words, if I add only "abc123.com" to the whitelist, will http://abc123.com and https://abc123.com also automatically be allowed?

Follow-up: Is adding a site without a protocol to the exception list sufficient to block access no matter what protocol is requested?

Thanks!

[barbaz]

Don't remember but I think the extra entries will be automatically generated as needed. Why not try it and see?

Make sure it's a 2nd-level domain (like informaction.com, google.com, noscript.net) as the extra entries are not needed nor generated for "fuller" domains (forums.informaction.com, apis.google.com).

Let us know the results, thanks.

Follow-up: Is adding a site without a protocol to the exception list sufficient to block access no matter what protocol is requested?

Adding the site in what way? To what exception list?

[JMThomas]

I'm merging lists from different machines. I can do some scripting to extract all the site names, generate all three forms, and build a rather large file for importing on the new machine. In the interests of NoScript performance, I don't want to have NoScript building lists any larger than they need to be.

I would think that just adding the site without a protocol would cover things, unless one was trying to be very tricky and allow scripts only served by a site via HTPPS protocol and suppress the same site sending a script under plain HTTP protocol.

Since I use additional tools like HTTPS everywhere, all I care about is a blanket "yes"/"no" decision about a site, no matter how it serves content.

I'm hoping a developer can might deign to make a quick "do this" answer.

PS: While I can sort (the two sections of) the file I've built to be imported, is doing so necessary?

[JMThomas]

Don't remember but I think the extra entries will be automatically generated as needed. Why not try it and see?

Make sure it's a 2nd-level domain (like informaction.com, google.com, noscript.net) as the extra entries are not needed nor generated for "fuller" domains (forums.informaction.com, apis.google.com).

Let us know the results, thanks.

While I can try, I'm not sure my testing would fully cover things as I'm not sure how "under the covers" redirects and URL re-writing (think HTTPS Everywhere) will affect my trials.

Follow-up: Is adding a site without a protocol to the exception list sufficient to block access no matter what protocol is requested?

Adding the site in what way? To what exception list?

Export the whitelist, then edit the exported file. Scrolling down past the [UNTRUSTED] line, and insert lines with sites that are to be blacklisted. Then import the edited file.

[barbaz]

While I can try, I'm not sure my testing would fully cover things as I'm not sure how "under the covers" redirects and URL re-writing (think HTTPS Everywhere) will affect my trials.

It won't at all. You only need to check that the extra entries are automatically added to about:config > noscript.untrusted (or, if you edit the whitelist, capability.policy.maonoscript.sites).

I'm hoping a developer can might deign to make a quick "do this" answer.

Well, in that case only Giorgio can help you, as he's the only NoScript developer.