Preset customizations: treating HTTPS and HTTP differently

Bug reports and enhancement requests
Post Reply
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

Preset customizations: treating HTTPS and HTTP differently

Post by musonius »

The latest development version of the Tor Browser includes NoScript Quantum and I have found a rather interesting rule there which sets HTTP to UNTRUSTED by setting "http:" accordingly. I like that and added the rule to my Firefox customization. I am fully aware, that this is something like an undocumented feature and therefore don't complain, that I failed doing that using the GUI. At the moment it is impossible to see the blocked domains or to set exceptions (which I would welcome for internal pages at work). One has to disable all restrictions for the current tab or something like that, which isn't necessarily what one wants to do too often.

I therefore think, it is great to set HTTP to UNTRUSTED and it would be even greater to be able to treat HTTPS and HTTP differently in a more general way. Wouldn't it be nice to have two versions of the presets, one for HTTP and one for HTTPS? This would offer full flexibility. Alternatively, there may be an additional option analogously to "Temporarily set top-level sites to TRUSTED" which treats HTTP as UNTRUSTED, unless the user has defined a rule or sets the domain to Temp. TRUSTED.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Preset customizations: treating HTTPS and HTTP different

Post by Giorgio Maone »

That's interesting, but I need some time to wrap my head around it, especially from the UX perspective, and in the meanwhile the Tor Browser guys are likely to come with similar ideas as well.
Just to be sure, would the green/red lock near each site entry, locking privileges to the HTTPS version of the site only, fit your use case?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Preset customizations: treating HTTPS and HTTP different

Post by barbaz »

I think what they're asking for is ability to do something like this:

Plain HTTP sites Default -> nothing checked
HTTPS sites Default -> check only frame, fetch
Individual trusted sites -> all checked, green lock set

Basically the option to have two Default presets, one for plain HTTP sites and a separate one for HTTPS sites, and set different permissions for each one. The green/red lock only applies to individual sites, so it does not seem to cover this.

@musonius Do I have it right?
*Always* check the changelogs BEFORE updating that important software!
-
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

Re: Preset customizations: treating HTTPS and HTTP different

Post by musonius »

Giorgio Maone wrote:Just to be sure, would the green/red lock near each site entry, locking privileges to the HTTPS version of the site only, fit your use case?
It's about breaking as few pages as possible and still being safer than without NoScript. On the other hand, I want to be able to easily switch to a much more restricted mode, for examply by unchecking script of the DEFAULT preset. I have not found a way to trust everything besides object and media per default and distrust http globally except some particular pages by using the red/green locks. The Tor Browser settings do the job apart from the failure to define exceptions for http.

Why do I want to define exceptions for http? We use a bug tracking system at work whose url looks like

Code: Select all

http://bugtracker:8080/...
Having set "http:" to UNTRUSTED, I cannot make the page work, unless I disable all restrictions for the tab. Adding a rule to the page manually with the red lock has not worked so far. I failed to define exceptions for ordinary pages as well (like for ORF.at, which is still http).
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

Re: Preset customizations: treating HTTPS and HTTP different

Post by musonius »

barbaz wrote:@musonius Do I have it right?
Yes indeed. Your explanation is simpler. It's about the defaults, when there is no explicit rule for a given domain. I want them to be different for HTTPS and HTTP.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

Re: Preset customizations: treating HTTPS and HTTP different

Post by musonius »

With the latest update (10.1.9.8) I can finally do that: I have set "http:" to UNTRUSTED and can customize http sites, if necessary.

@Giorgio Maone: I am very happy with this update, many thanks!
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Preset customizations: treating HTTPS and HTTP different

Post by Giorgio Maone »

musonius wrote:With the latest update (10.1.9.8) I can finally do that: I have set "http:" to UNTRUSTED and can customize http sites, if necessary.

@Giorgio Maone: I am very happy with this update, many thanks!
You're welcome :)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Post Reply