[RESOLVED] NS 10 Weird handling of TLDs & local domains?

DHO


Post by DHO »

I am running Firefox 57.0.1 (64-bit) and NoScript 10.1.5.1.
I have ...gov.uk set to Trusted with the green padlock icon (https only).
If I go to https://www.gov.uk/government/organisat ... ue-customs then the page has blocked scripts.
I see that ...www.gov.uk and ...publishing.service.gov.uk appear in the list as 'Default'.
Why are these not trusted if ...gov.uk is trusted?
(If I set them both to trusted they appear as entries with the green padlock icon)
Last edited by barbaz on Thu Dec 07, 2017 2:17 am, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
DHO

Re: NoScript 10.1.5.1 question

Post by DHO »

Just updated to NoScript 10.1.5.3 and confirmed that the behaviour hasn't changed (not that I expected it to given the content of the release notes).

I'm assuming that it is not just me that is confused about:
a) Why setting ...gov.uk as trusted doesn't make ...www.gov.uk and ...publishing.service.gov.uk trusted.
b) On what basis it decides to offer ...www.gov.uk and ...publishing.service.gov.uk (particularly the latter).

Not sure whether this behaviour is a bug or undocumented functionality (or some combination of both?).
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Tomate

Re: NoScript 10.1.5.1 question

Post by Tomate »

I think gov.uk or gov.au are more TLDs than websites.
If you allow ...gov.uk then you would also have to allow ...co.uk (amazon.co.uk, etc) and even ...com as a rule, and that really doesn't make sense.
And why would one want to allow every single website under gov.uk:
https://www.edinburgh.gov.uk/ ; https://www.london.gov.uk/ ; etc.......

I think it's fine to just add https://www.gov.uk/, then you can browse that website.

https://de.wikipedia.org/wiki/.uk#Second-Level-Domains
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Tomate

Re: NoScript 10.1.5.1 question

Post by Tomate »

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
DHO

Re: NoScript 10.1.5.1 question

Post by DHO »

Different people might have different views on trusting ...gov.uk - I think that should be a user choice, I am just trying to understand the rules.

On further investigation the issue still seems to be there at the next domain level down and not just with ...gov.uk.
If I trust ...service.gov.uk and ...googleapis.com and go to https://www.compare-school-performance.service.gov.uk/
then it shows ...compare-school-performance.service.gov.uk and ...maps.googleapis.com both as default rather than trusted.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Tomate

Re: NoScript 10.1.5.1 question

Post by Tomate »

Regarding googleapis.com, service.gov.uk:

* In case of googleapis.com it could be the intended behaviour, as googleapis are widely used, to choose them individually. (Just a guess.)
maps.googleapis.com
imasdk.googleapis.com
ajax.googleapis.com
content.googleapis.com
...
* service.gov.uk is a redirection to www.gov.uk (probably not important)
I agree that on service.gov.uk it should be possible to apply rules to its subdomains.

Would be interesting what is special about those few domains, that they are currently not accepted by NoScript.

YouTube shows it's clearly possible to apply rules for more than one level downwards:
https://googleads.g.doubleclick.net
https://pubads.g.doubleclick.net
https://static.doubleclick.net
doubleclick.net

I also found those strange examples:
https://www.vic.gov.au/
www.vic.gov.au
https://www.nsw.gov.au/
nsw.gov.au
Last edited by barbaz on Mon Dec 04, 2017 1:40 am, edited 1 time in total.
Reason: kill board-generated links
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Tomate

Re: NoScript 10.1.5.1 question

Post by Tomate »

I found out that this corresponds to the way Firefox highlights the base domain in the address bar:
https://www.gov.uk/
https://assets.publishing.service.gov.uk/
https://www.vic.gov.au/
https://www.nsw.gov.au/

So I guess NS uses that base domain information from Firefox.
Last edited by barbaz on Mon Dec 04, 2017 1:41 am, edited 1 time in total.
Reason: kill board-generated links
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
DHO

Re: NoScript 10.1.5.1 question

Post by DHO »

That's an interesting suggestion...

If NoScript 10 is trying to process a mixture of inputs sourced from:
a) Existing entries that were carried over from the previous NoScript settings that the user may have built up over the years.
b) Any entries that have subsequently been manually entered in the 'Address of web site' input box.
c) Options that may be based on Firefox's idea of domain structures.

and you can't rely on reasonable assumptions such as that ...service.gov.uk will match *.service.gov.uk and ...googleapis.com will match *.googleapis.com then it all seems very confusing to me!
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Tomate

Re: NoScript 10.1.5.1 question

Post by Tomate »

(Better to say not necessarily taken over from Firefox, but obtained in the same way.)

Maybe it's better to not use manual adding so much, until there is the documentation available for NS.
(Or someone with enough knowledge will clear it up here.) :)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript 10.1.5.1 question

Post by barbaz »

I would suspect NoScript is determining top-level domain by comparing the domain to this list, and just going one level down from that - https://github.com/publicsuffix/list/bl ... x_list.dat
*Always* check the changelogs BEFORE updating that important software!
-
Richard

Re: NoScript 10.1.5.1 question

Post by Richard »

The same problem exists for internal corporate domains, where I definitely want to white-list the entire domain:

Currently, if I set ...acme.corp to trusted, none of the subdomains will be trusted (like https://portal.acme.corp). Larger companies have many of these subdomains making the use of internal sites together with NoScript quite awkward.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Tomate

Re: NoScript 10.1.5.1 question

Post by Tomate »

ok, service.org.uk really is on that list;
but doesn't explain behaviour with:
...ajax.googleapis.com
...www.vic.gov.au
and what Richard said

I wonder if it's easily possible to distinguish between for example
...vic.gov.au ( https://www.vic.gov.au/ ) (please keep links)
and
...co.uk ( https://www.google.co.uk/ )
where again you don't really want big "Top-level"-Domains to be an allowed rule
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Tomate

Re: NoScript 10.1.5.1 question

Post by Tomate »

Tomate wrote: ok, service.org.uk really is on that list;
but doesn't explain behaviour with:
...ajax.googleapis.com
...www.vic.gov.au
and what Richard said
that statement is wrong, forgot to go one level down
does explain it

it even shows that nsw.gov.au was removed:
// nsw.gov.au Bug 547985 - Removed at request of <Shae.Donelan@services.nsw.gov.au>
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Tomate

Re: NoScript 10.1.5.1 question

Post by Tomate »

Tomate wrote: Maybe it's better to not use manual adding so much, until there is the documentation available for NS.
(Or someone with enough knowledge will clear it up here.) :)
Then in my opinion all that's needed is some explanation:
* that rules for anything higher than base domains are forbidden
and
* that base domains are the highlighted part in the address bar
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript 10.1.5.1 question

Post by barbaz »

Richard wrote: The same problem exists for internal corporate domains, where I definitely want to white-list the entire domain:

Currently, if I set ...acme.corp to trusted, none of the subdomains will be trusted (like https://portal.acme.corp). Larger companies have many of these subdomains making the use of internal sites together with NoScript quite awkward.
I confirm this. It not only affects subdomains with "fake" TLDs (such as .corp or .lan), it also affects some real TLDs (like .test).

I would suggest that if the domain contains any dots, and if it doesn't have a known TLD, NoScript should fall back to the "one-dot rule" - whatever comes after the last dot is treated as the TLD.
*Always* check the changelogs BEFORE updating that important software!
-
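
Added example, not part of the thread and not NoScript's own code: a sketch of the base-domain lookup barbaz suspects (Public Suffix List match, then one level down) together with the "one-dot rule" fallback suggested above. The rule set is a small constructed sample, and `entryCovers` is a hypothetical model of the matching behaviour the posters observed.

```javascript
// Constructed sample: a few Public Suffix List style rules, enough to
// reproduce the hosts discussed in the thread. This is not the full list.
const SAMPLE_SUFFIXES = new Set([
  "uk", "co.uk", "gov.uk", "service.gov.uk",
  "au", "gov.au", "vic.gov.au",
  "com", "googleapis.com", "net",
]);

// Longest matching suffix for host, or null when no rule matches.
function publicSuffix(host, { oneDotFallback = false } = {}) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (SAMPLE_SUFFIXES.has(candidate)) return candidate;
  }
  // Unknown TLD (.corp, .lan, .test): with the fallback enabled, whatever
  // comes after the last dot is treated as the TLD.
  return oneDotFallback && labels.length > 1 ? labels[labels.length - 1] : null;
}

// Base domain = public suffix plus one more label to the left.
function baseDomain(host, opts) {
  const suffix = publicSuffix(host, opts);
  if (suffix === null) return null;
  const labels = host.toLowerCase().split(".");
  const n = suffix.split(".").length;
  if (labels.length <= n) return null; // host is itself a public suffix
  return labels.slice(-(n + 1)).join(".");
}

// Hypothetical model of what the thread observed: a "...domain" entry covers
// a host only when the entry sits at or below that host's base domain.
function entryCovers(entry, host, opts) {
  const base = baseDomain(host, opts);
  if (base === null) return false;
  const within = (h, d) => h === d || h.endsWith("." + d);
  return within(host, entry) && within(entry, base);
}

console.log(baseDomain("assets.publishing.service.gov.uk"));
console.log(entryCovers("gov.uk", "www.gov.uk"));
console.log(entryCovers("acme.corp", "portal.acme.corp", { oneDotFallback: true }));
```

Under this model an entry for a public suffix such as ...gov.uk or ...googleapis.com can never cover a host, while ...doubleclick.net covers all of its subdomains; enabling the fallback is what lets ...acme.corp cover portal.acme.corp.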