Pros and cons of adding a permanent whitelist for Cloudflare

asdfasdfasdfasdfasdfasd

Post by asdfasdfasdfasdfasdfasd »

I've been using NoScript for a few years. Great job, sorry to hear about the pain of the new Firefox. Cloudflare is becoming more and more popular for websites to use. A few that I go to regularly require scripts from cloudflare.com, some require gibberish-looking subdomains from Cloudflare, and some work fine with scripts from Cloudflare blocked.

Generally speaking, what are the pros and cons of permanently whitelisting Cloudflare.com?

An example of a site requiring Cloudflare.com is BitChute. It requires the actual domain, cloudflare.com, and polyfill.io.

Cloudflare is in the business of tracking things across the web, in an attempt to block harmful things. And who knows what else they do with that data, or whether what they say is true, bent, or a lie? I don't. And even if I were to corroborate their words now, what about in the future?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by barbaz »

I assume you're using NoScript Classic. If you go to NoScript Options > Appearance, and check "Full Domains", does the cloudflare show as "cdnjs.cloudflare.com" on the sites you see cloudflare? If yes then it's a somewhat different question from 'What are the pros and cons of whitelisting Cloudflare?'.
asdfasdfasdfasdfasdfasd wrote: some require gibberish looking subdomains from Cloudflare,
To be clear, you're not confusing Cloudflare with cloudfront, are you?
*Always* check the changelogs BEFORE updating that important software!
-
asdfasdfasdfasdfasdfasd

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by asdfasdfasdfasdfasdfasd »

If I change that setting in appearance, on BitChute, I have the option to allow scripts from cdnjs.cloudflare.com as well as cloudflare.com in the same block. I had to revoke cloudflare.com before I could see both of them. Reddit now has double the number of domains of javascript too, with a www. subdomain for both reddit.com and redditstatic.com.

Looking at recent websites I went to yesterday, I found one with the gibberish subdomain, and it was indeed Cloudfront, not Cloudflare. I'm surprised I never noticed that difference, but the first 6 characters (60%) of the characters are the same, so I guess the human condition got in the way.

It seems that Cloudfront is yet another Amazon CDN.

Should I worry about adding permanent exceptions to allow javascript from all these tech companies that are obviously vacuuming up as much user data as possible? Any kind of threat model goes out the window when there is a pervasive vacuum everywhere sucking up everything to be sold to all the bidders and stolen or leaked on a regular basis.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by barbaz »

Re: cloudfront
I wouldn't be comfortable allowing all of cloudfront.net. Anyone can put their CDN there, so whitelisting *.cloudfront.net is like whitelisting the entire Internet.
It looks like the "gibberish subdomains" are specific to the owner, so I would recommend only whitelisting the specific full domain(s) you need. Permanent whitelist probably isn't that much different from temporary whitelist in this case.

Re: cdnjs.cloudflare
This is a generic Javascript library CDN, hosted by Cloudflare. Personally, I just allow it when it comes up on a site where I need JS. But you don't have to allow *any* generic JS library CDN if you don't want to. The simplest way to avoid it is probably to use Decentraleyes (I don't use it myself, but others here have recommended it). And if cdnjs.cloudflare is serving a JS library that Decentraleyes doesn't provide, you could download that JS library from its official site and have NoScript provide it - https://forums.informaction.com/viewtop ... 682#p90682
*Always* check the changelogs BEFORE updating that important software!
-
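The difference between allowing all of cloudfront.net and allowing one full domain, as an added example that is not part of the original thread and is not NoScript's code: a simplified allowlist matcher in which a base-domain entry covers every subdomain. All hostnames and the shared-suffix list are constructed assumptions.

```javascript
// Simplified model of allowlist matching (assumption, not NoScript's implementation).
// An entry with exact:false covers the domain and every subdomain;
// an entry with exact:true covers only that one full host name.
function matches(host, entry) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const name = entry.host.toLowerCase();
  if (entry.exact) return h === name;
  // The leading dot stops look-alikes such as "notcloudfront.net" from matching.
  return h === name || h.endsWith("." + name);
}

// Which of the script hosts seen on a page would this allowlist let through?
function allowedHosts(hosts, allowlist) {
  return hosts.filter((h) => allowlist.some((e) => matches(h, e)));
}

// Suffixes where each subdomain belongs to a different customer
// (list is an assumption for this example).
const SHARED_SUFFIXES = ["cloudfront.net"];

// Flag base-domain entries that would cover every tenant of a shared suffix.
function riskyEntries(allowlist) {
  return allowlist
    .filter((e) => !e.exact &&
      SHARED_SUFFIXES.some((s) => s === e.host || s.endsWith("." + e.host)))
    .map((e) => e.host);
}

// Constructed sample: script hosts observed across a few sites.
const seen = [
  "d1111example.cloudfront.net", // distribution used by the site you trust
  "d2222example.cloudfront.net", // unrelated customer's distribution
  "cdnjs.cloudflare.com",        // generic JS library CDN
  "www.cloudflare.com",
];

const broad = [
  { host: "cloudfront.net", exact: false },
  { host: "cloudflare.com", exact: false },
];
const narrow = [
  { host: "d1111example.cloudfront.net", exact: true },
  { host: "cdnjs.cloudflare.com", exact: true },
];

console.log("broad allows: ", allowedHosts(seen, broad));
console.log("narrow allows:", allowedHosts(seen, narrow));
console.log("entries to narrow down:", riskyEntries(broad));
```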
fenix

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by fenix »

Hello.

Yes, barbaz is right -- 'Decentraleyes' addon is okay but it seems that there are some issues when it's used along with NoScript at the same time. "CDN" websites need a 'script' option (that's what I've noticed via '[CUSTOM]' option etc.), but even with that 'Decentraleyes' is not working.

When I disable NoScript and reload website, then everything is okay: 'Decentraleyes' works, injects and shows "CDN" numbers of local content delivery etc. I'm trying to solve this problem but... Nothing helps.

Thanks, best regards.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
asdfasdfasdfasdfasdfasd

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by asdfasdfasdfasdfasdfasd »

I just recently started to use Decentraleyes. I didn't know about the incompatibility, though lately I have been running across sites I couldn't get to work in my usual browser. I suspected the problem was from downgrading over top of itself when Quantum came out.

I'll look into adding that bit of javascript to Decentraleyes.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
fenix

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by fenix »

Hi asdf.

Would You do me a favour? Because You'd started to use "Decentraleyes" addon, but with some issues etc., please write a message, here - in this thread, when You'll manage to solve these problems, okay?

Anyway, it seems that "CDN" websites need, at least, one option: 'script'. However, even if I'm using a 'CUSTOM' preset for such a domain - and reload website - "Decentraleyes" isn't working properly. I've tried different solutions, but with no luck. The only working solution is to disable "NoScript".

There is a test available on 'decentraleyes' website, where You can check if everything is okay: https://decentraleyes.org/test/

Best regards.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by skriptimaahinen »

Decentraleyes requiring that the resource (CDN) is unblocked by any content blocker used (e.g. NoScript) is by design (see their wiki).

What exactly is not working properly with Decentraleyes? Is there some specific web page that you have problem with?

The test page gives "fully operational" when I try it (NS 10.1.8.17rc2, DCE 2.0.6).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
fenix

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by fenix »

Hi skriptimaahinen.

I'm sorry for such a long time without answer. The test page - mentioned by You - is working when I disable NoScript. As I already mentioned: according to NoScript and 'CUSTOM' scope, "CDN" websites need 'script' option to work. However, even with this option, Decentraleyes is not working. I have no idea what is the reason. For now, the only one and working solution is to disable NoScript. But that's not the point, right?

Okay, let's take two examples: there is a website on which NoScript detected "CDN" domain - let's say 'ajax.googleapis.com'. If this domain is already added by the User - for instance - via 'Policy' window (found in 'Options' and 'Advanced' tab) in "untrusted" section, NoScript will assign an 'UNTRUSTED' scope for above "CDN" domain, right? In this case, Decentraleyes will not work, which is obvious.

On the second hand, if 'ajax.googleapis.com' domain is not added by the User to the "untrusted" section (see above) and NoScript will assign a 'DEFAULT' scope, right? (In this case Decentraleyes will not work also, because sometimes Users are not using any available options. But if they do, 'script' option for a 'DEFAULT' scope seems to be not very good idea.)

So, I would like to ask You some questions, skriptimaahinen. Firstly: have You tried Decentraleyes only on a testing page? What about daily use: to look over some websites etc.? Secondly: what options do You use for a 'DEFAULT' scope? Can You share your configuration, which may be very helpful etc.

By the way: with above examples, I can describe my situation very clearly. I'm so sorry for such a long message. I hope, that I've described what I mean in good way.

Thanks, best regards.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: Pros and cons of adding a permanent whitelist for Cloudf

Post by skriptimaahinen »

No, I do not use it daily, but I have tested it on a few other pages too and it seems to work.

Take for example https://askubuntu.com/:

CUSTOM rules for each:
...askubuntu.com            script, fetch
...ajax.googleapis.com      script
...sstatic.net              script
Everything works and Decentraleyes shows that it has served jQuery.

If you set it up like this, does it not work for you?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0