This one has *two* above the line, and the usual four below.
It might look like the top one is best, because it grants Flash permission specific to that (magnificent) artist. However, clicking on one of the song titles still gives a Flash placeholder to click. So we don't need to allow that one, and therefore, we don't.
It turns out that the third one below the line is best, because as we can see from the tooltip (of the highlighted blue one), it does indeed provide the source of the object (Soundclick) and the recipient of the object. In this case, that is also Soundclick, but at other sites, e.g., attachments at Yahoo Mail, the IFRAME source is a different domain name from the mail page itself.
As said, sites vary -- such as the two above the line, each of which was both unnecessary and insufficient.
So it's a case-by-case basis. But if the third below the line (or any other) defines both sides of the equation, and is the most restrictive, and is sufficient, bingo.
btw, to test this, I had to reset about:config noscript.allowedMimeRegExp back to the default (none). This wonderful enhancement eliminated the need for these permissions at trusted sites, and the addition of the non-MIME-types FRAME and IFRAME in NS 2.9 took care of those pesky Yahoo Mail attachment objects. Thanks again to Giorgio!
EDIT: what I forgot to answer
@Tom: On a side note, which one do you think is safer, 'Allow all Flash at this site', or 'Allow this specific Flash object on any trusted site'? I'm guessing the former, because non-trusted top-level sites would still be restricted in any case, whereas the other Flash objects from a site are likely junk.
The safest, which does give you your site-specific permission without NS 3, is to not use the Blocked Objects menu at all; configure NS to show placeholders for blocked objects; and to ask for confirmation before temp-unblocking. Then the confirmation box gives you something like this:
Temporarily allow http://s.ytimg.com/yts/swfbin/watch_as3-vflry7sRc.swf#!flashvars#video_id=e7-QBw862zk
(application/x-shockwave-flash <EMBED> / http://www.youtube.com)
.... which is in fact unique to that particular video, and does *not* allow all (or any other) Flash at YouTube.
Less convenient than the BO menu if you're going to view multiple videos, but completely restrictive to a single video.
Otherwise, I agree with your assessment.
Convenience >< Safety = always a trade-off.
FunctionForm wrote: They'll help with the rest of my question, which is about the various Blocked Objects sub-menu icons.
The curvy F appears to be specific to Shockwave and Flash (they're actually two different products), whereas the blue S, which is the NoScript logo, appears to be for generic permission (*@http:/site.com).
The rather indistinct coffee cup is a reflection of Java's icon in your system tray (bottom bar of the display itself, not the browser).
I don't use MS Silverlight.
The one for (I)FRAME is similar to the Windows logo for a generic file of unknown type. To see this, create a new text file, then remove the extension from it. This doesn't work if you have automatic extensions enabled. Uncheck it, or go to C:\WINDOWS\system32\drivers\etc and observe the HOSTS file, which has no extension.
That path includes hidden and system folders, so it might be easier just to do a Search for HOSTS, and in Advanced Options, include subfolders and hidden and system folders.