
top-level sites permissions

Posted: Thu Apr 11, 2013 10:47 pm
by antipop
Can someone explain to me, or point to a link for an explanation, what security implications I should bear in mind when deciding whether I should enable the option shown on the top of the "General" tab, where it says "Temporarily allow top-level sites by default". Right now I do not have it checked because I do not understand whether doing so would make my browser more vulnerable. If I do not allow (something) there, will I be able to see an indication that something was prevented, or will I just see nothing, like a blind monkey? Additionally, why does it matter that I might pick one of those three secondary options under that choice?

:mrgreen:

Re: top-level sites permissions

Posted: Thu Apr 11, 2013 11:14 pm
by Thrawn
antipop wrote: Can someone explain to me, or point to a link for an explanation, what security implications I should bear in mind when deciding whether I should enable the option shown on the top of the "General" tab, where it says "Temporarily allow top-level sites by default".
It is a convenience feature, for those who want to always trust the site they visit, without taking time to investigate it first, and only block third-party scripts.
antipop wrote: Right now I do not have it checked because I do not understand whether doing so would make my browser more vulnerable.
It will make you more vulnerable. If you inadvertently go to an attack site (via a Google search maybe), and it uses its own scripts to attack you, then you will not be protected.

You will still be protected against most attacks involving compromises of real, trusted sites, because normally they involve injecting the attackers' script(s) from another site.
antipop wrote: If I do not allow (something) there, will I be able to see an indication that something was prevented, or will I just see nothing, like a blind monkey?
You'll be in the same position as always, with the NoScript icon showing whether scripts were blocked, and by default, there will be a message bar to let you know too.

You might notice that the NoScript icon shows a large red prohibition symbol if the top-level site (the one in the address bar) is blocked, but a small one if the top-level site is trusted and only third-party scripts are blocked.
antipop wrote: Additionally, why does it matter that I might pick one of those three secondary options under that choice?
Well, if you were to visit http://www.google.com, does that mean that Google Maps (http://maps.google.com) is automatically trusted? What about https://encrypted.google.com?

If you visit http://mail.yahoo.com, does that mean that ads.yahoo.com should be trusted?

The answer depends on which option you pick. The first option says "No, only the exact address that I visit is automatically trusted", the second says "No, only the exact domain I visit is trusted, but for both http and https", and the third says "Yes, all subdomains of the site I visit are trusted".
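
The three scopes described in the reply above, as an added example that is not part of the original posts and is not NoScript's own code. It is a simplified model: the scope names `address`, `domain` and `base` and the function names are hypothetical, and `baseDomain()` assumes a naive "last two labels" rule where a real implementation would consult the Public Suffix List.

```javascript
// Simplified model of "Temporarily allow top-level sites by default".
// Scope names are hypothetical labels for the three secondary options.
const SCOPES = ["address", "domain", "base"];

// ASSUMPTION: naive registrable-domain guess (last two labels).
// Wrong for suffixes such as co.uk; real code needs the Public Suffix List.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Would a script from scriptUrl be auto-trusted when the address bar
// shows visitedUrl, under the given scope?
function autoTrusted(visitedUrl, scriptUrl, scope) {
  const top = new URL(visitedUrl);
  const src = new URL(scriptUrl);
  if (!["http:", "https:"].includes(src.protocol)) return false;
  switch (scope) {
    case "address": // exact address: scheme, host and port must match
      return src.origin === top.origin;
    case "domain": // exact host, both http and https
      return src.hostname === top.hostname;
    case "base": { // the site and all of its subdomains
      const base = baseDomain(top.hostname);
      return src.hostname === base || src.hostname.endsWith("." + base);
    }
    default:
      throw new Error("unknown scope: " + scope);
  }
}

// Build a table: one row per script URL, one column per scope.
function trustMatrix(visitedUrl, scriptUrls) {
  const rows = {};
  for (const u of scriptUrls) {
    rows[u] = {};
    for (const s of SCOPES) rows[u][s] = autoTrusted(visitedUrl, u, s);
  }
  return rows;
}

// Constructed sample input, using the hosts mentioned in the thread.
const matrix = trustMatrix("http://www.google.com/", [
  "http://www.google.com/app.js",
  "https://www.google.com/app.js",
  "http://maps.google.com/m.js",
  "https://encrypted.google.com/e.js",
  "http://tracker.example/t.js",
]);
console.table(matrix);
```

Under every scope the visited site's own scripts are trusted, which is why the option gives no protection against a top-level attack site; the scope only decides how far that trust spreads to sibling hosts.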

Re: top-level sites permissions

Posted: Fri Apr 12, 2013 1:14 am
by pseudonym
I very much appreciate your thorough and clear reply, Thrawn. Now I understand it. :geek: