Block scripts from domain, except when visiting that domain
Posted: Fri Oct 19, 2012 11:01 am
by henryphelps
Hi
Is it possible to block scripts from a domain, except when you are visiting that domain?
For instance:
I want to block all Google and Google related scripts (also captcha), except when I am using Google.
Same with Twitter, Facebook and FBcdn. Facebook does not work that well when their scripts are blocked, but when I am visiting other websites they often have Facebook plugins which I don't want to run.
If this is possible, please let me know.
If it is not already possible, please consider this to be a very nice security update for NoScript.
Thanks in advance.
Re: Block scripts from domain, except when visiting that dom
Posted: Fri Oct 19, 2012 11:14 am
by Thrawn
Re: Block scripts from domain, except when visiting that dom
Posted: Fri Oct 19, 2012 11:25 am
by henryphelps
Thanks, sorry I haven't read the FAQ before posting.
It gets much less intuitive when you remember that the scripts you temporarily allow can be from anywhere. If I visit site1.com, temporarily allow Google Analytics, then browse to site2.com, does that mean that Google Analytics is no longer allowed? How about if I browse to www.site1.com (a subdomain)? Remember, I never visited the Google Analytics site at all. Or how about Facebook? To use it, you'd need to allow fbcdn.net - but you're browsing around facebook.com. NoScript would have to keep track of where you clicked 'Temporarily Allow' and detect when you browse to anywhere else. And what happens when you're using multiple tabs?
It would add a great deal of complexity, probably a lot of processing overhead, and really, if you've chosen to trust a site at all, then it's already had a chance to run malicious scripts if it's going to. Continuing to allow it until you either close the browser or choose to revoke those permissions doesn't really make you more vulnerable.
However, what you're asking for does exist in a way: if the top-level site, the one in your address bar, is blocked, then everything is blocked, regardless of whether it was otherwise whitelisted. If I haven't allowed site2.com, then Google Analytics will not run there, even if I permanently allowed Google Analytics. So, if you keep the default-deny policy, but temporarily allow sites as needed, you're still safe when randomly browsing around.
However, I am not really satisfied with this answer.
I understand it could add a great deal of complexity.
However, if there is an option to manually add domains which you only want to run when the domain name is in the top URL
For example:
if top url: http(s?)://www.facebook.com
Allow: http(s?)://www.facebook.com, http(s?)://www.fbcdn.com
if top url: http(s?)://*.google.com
Allow: http(s?)://*.google.com
if top url: http(s?)://*.twitter.com
Allow: http(s?)://*.twitter.com, *.twitimg.com
That would help me a lot.
If it's too much work, I understand and continue to r43p the temporarily allow button.
Re: Block scripts from domain, except when visiting that dom
Posted: Sat Oct 20, 2012 6:58 am
by Thrawn
henryphelps wrote: Thanks, sorry I haven't read the FAQ before posting.
<snip>
however, if there is an option to manually add domains which you only want to run when the domain name is in the top url
There are at least three options:
- You can use ABE, as mentioned in the linked thread;
- You can wait for NoScript 3.x for the desktop, also mentioned in the linked thread;
- Or you can try RequestPolicy, if you're willing to manually control all cross-site requests (not just blocking scripts). Most of the moderators here use it.
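
The rule format proposed earlier in the thread (a domain's scripts run only when a matching domain is the top-level URL), modelled as an added example; it is not part of any post and is not NoScript, ABE or RequestPolicy code. The rule table, the function names and the choice that `*.google.com` also covers `google.com` are assumptions; the host patterns are the ones written in the post.

```javascript
// Hypothetical rule table: "top" = patterns for the address-bar host,
// "allow" = patterns for script hosts permitted under that top-level host.
const RULES = [
  { top: ["www.facebook.com"], allow: ["www.facebook.com", "www.fbcdn.com"] },
  { top: ["*.google.com"],     allow: ["*.google.com"] },
  { top: ["*.twitter.com"],    allow: ["*.twitter.com", "*.twitimg.com"] },
];

// Match a host against an exact name or a "*.domain" pattern.
function hostMatches(pattern, host) {
  host = host.toLowerCase();
  if (!pattern.startsWith("*.")) return host === pattern;
  const base = pattern.slice(2);
  // Require a label boundary: "evilgoogle.com" and "google.com.evil.example"
  // must never match "*.google.com".
  return host === base || host.endsWith("." + base);
}

// Return the hostname of an http(s) URL, or null for anything else.
function parseHost(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:" ? u.hostname : null;
  } catch {
    return null; // unparsable URL
  }
}

// Default deny: a script runs only if one rule matches BOTH the top-level
// host and the script host. The decision uses only the two URLs of the
// request being checked, so this model keeps no per-tab or per-click state.
function scriptAllowed(topUrl, scriptUrl, rules = RULES) {
  const top = parseHost(topUrl);
  const src = parseHost(scriptUrl);
  if (top === null || src === null) return false;
  return rules.some(
    (r) =>
      r.top.some((p) => hostMatches(p, top)) &&
      r.allow.some((p) => hostMatches(p, src))
  );
}

// Constructed sample requests.
console.log(scriptAllowed("https://www.facebook.com/home", "https://www.fbcdn.com/a.js"));
console.log(scriptAllowed("https://site2.com/", "https://www.facebook.com/plugin.js"));
```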