Noscript won't block embeddings

plingpling

Post by plingpling »

Hello,

When I set the "Allow scripts globally (dangerous)" option, Flash and Java work on every site even though they are blocked in the embeddings tab. If I unset this option, nothing works including Javascript, as intended. What I want to do is to allow Javascript only, and block Java etc. Can I do this?

Thanks...
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
therube
Ambassador
Posts: 7991
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Noscript won't block embeddings

Post by therube »

Is "Apply these restrictions to whitelisted sites too" also enabled?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 SeaMonkey/2.17a2
plingpling

Re: Noscript won't block embeddings

Post by plingpling »

No, it's not. Should it be?
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
therube
Ambassador
Posts: 7991
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Noscript won't block embeddings

Post by therube »

If you have Allowed Scripts Globally then you have effectively whitelisted sites too, so yes, you'll need to enable that option.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 SeaMonkey/2.17a2
plingpling

Re: Noscript won't block embeddings

Post by plingpling »

therube wrote: If you have Allowed Scripts Globally then you have effectively whitelisted sites too, so yes, you'll need to enable that option.
Thanks therube, but then I can't use objects on trusted sites as well. I want to allow Javascript on all sites, and allow embedded objects only on whitelisted sites.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Noscript won't block embeddings

Post by Tom T. »

plingpling wrote: I want to allow Javascript on all sites, and allow embedded objects only on whitelisted sites.
If you allow Javascript on all sites, then you have in fact whitelisted all sites.

If you want to create whitelists for specific plugins at specific sites, please go to the NoScript "Features" page and search for "mime". This will require some knowledge of regular expressions, but we can help if the FAQ and other resources don't do the job for you.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.2
plingpling

Re: Noscript won't block embeddings

Post by plingpling »

Hi Tom,

I see, I can use that feature.

Also it would be nice if we could do this through the GUI, which shouldn't be so hard I think, you just need to make "Allow scripts globally" allow only javascript, and allow objects by whitelisting pages. Otherwise this option is misleading, for that it makes you think you're just allowing javascript, but actually you're allowing all potentially harmful objects too.

Thanks...
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Noscript won't block embeddings

Post by Tom T. »

plingpling wrote: Also it would be nice if we could do this through the GUI...
You can. http://noscript.net/faq#qa1_12
plingpling wrote: which shouldn't be so hard I think, you just need to make "Allow scripts globally" allow only javascript, and allow objects by whitelisting pages. Otherwise this option is misleading, for that it makes you think you're just allowing javascript, but actually you're allowing all potentially harmful objects too.
Which is why there is the option to "Apply these restrictions to whitelisted sites too", in bold, on the Embeddings tab, as described also on the NoScript "Features" page. This time, search for "apply these restrictions".

It's theoretically possible that reading the FAQ and Features page (i.e., the owner's manual and guide) could provide a lot of other useful information, too, as would searching them before posting. ;)
plingpling wrote: Thanks...
You're quite welcome. :)
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.2
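The interaction the replies above describe, written out as a simplified decision model. This is an added example, not NoScript's code and not part of any post; the policy field names, the example origins and the "type@origin" form of the per-site MIME exception are assumptions made for illustration.

```javascript
// Simplified model of the behaviour described in this thread. Not NoScript's code.
const FLASH = "application/x-shockwave-flash";

function scriptsAllowed(policy, origin) {
  // "Allow scripts globally" makes every site count as whitelisted.
  return policy.allowScriptsGlobally || policy.whitelist.includes(origin);
}

function embedAllowed(policy, origin, mimeType) {
  if (!policy.forbiddenEmbeds.includes(mimeType)) return true;
  // Assumed exception format: a regular expression tested against "type@origin".
  const key = `${mimeType}@${origin}`;
  if (policy.mimeExceptions.some((re) => re.test(key))) return true;
  // Embedding restrictions reach trusted sites only when
  // "Apply these restrictions to whitelisted sites too" is ticked.
  if (scriptsAllowed(policy, origin)) return !policy.applyToWhitelisted;
  return false;
}

// Constructed sample policies and origins.
const asReported = {
  allowScriptsGlobally: true,
  whitelist: ["https://video.example"],
  forbiddenEmbeds: [FLASH, "application/x-java-applet"],
  applyToWhitelisted: false,
  mimeExceptions: [],
};
// The option therube asks about, switched on.
const restricted = { ...asReported, applyToWhitelisted: true };
// Plus a per-site MIME exception of the kind Tom T. points to.
const withException = {
  ...restricted,
  mimeExceptions: [/^application\/x-shockwave-flash@https:\/\/video\.example$/],
};

function summarize(policy) {
  return {
    scriptsOnRandom: scriptsAllowed(policy, "https://random.example"),
    flashOnRandom: embedAllowed(policy, "https://random.example", FLASH),
    flashOnVideo: embedAllowed(policy, "https://video.example", FLASH),
  };
}

console.log("as reported:   ", summarize(asReported));
console.log("restricted:    ", summarize(restricted));
console.log("with exception:", summarize(withException));
```

Only the third policy gives the outcome asked for in the thread: scripts everywhere, Flash on the one chosen site.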
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Noscript won't block embeddings

Post by Thrawn »

plingpling wrote: <snip> this option is misleading, for that it makes you think you're just allowing javascript, but actually you're allowing all potentially harmful objects too.
But since JavaScript itself is potentially harmful, if you want safety, then you should not be globally allowing anything. Allowing JavaScript but blocking objects is basically a nuisance-blocker, like FlashBlock (except more reliable than FlashBlock).

JavaScript may not have as many 0-day vulnerabilities as e.g. Flash/Java, but it's a vital part of most pure web-based attacks.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0