NoScript allowing sites that I visit in another tab?

Posted: Tue Nov 05, 2013 1:28 am
by matthewdavis
Firefox 25.0 (64-bit)
Windows 7 (64-bit)
NoScript 2.6.8.4

I keep my NoScript config fairly generic. However, I change the temp allow top level domains to 'Base 2nd level'.

When I was visiting one site that had a few sites blocked, I wanted to see what was being blocked (to know if it was a site I really wanted to block or not). So I opened a new tab and visited that domain. Stupid move? Maybe. But I refreshed the original page, and the domain I visited (to check out) is now no longer being blocked.

For example, I was on domain.com. After visiting domain.com, I noticed domain2.com was being blocked. I navigated to domain2.com in another tab. Then refreshed the tab for domain.com, and domain2.com is no longer blocked. By visiting domain2, I whitelisted it for my session. I never actually told NoScript to whitelist domain2.com.

Is this intentional due to the initial change I made to allow all 2nd level domains?

Edit: clarified my instructions.

Re: NoScript allowing sites that I visit in another tab?

Posted: Tue Nov 05, 2013 6:02 am
by therube
Are you sure you wanted:

Options | General -> Temporarily allow top-level sites by default...

& not

Options | Appearance -> Base 2nd level Domains

?

If the former, then what you described is exactly what it should have done.

> After visiting domain.com, I noticed domain2.com was being blocked

Correct.

> navigated to domain2.com in another tab

At that point, because you 'allow top-level sites by default', & as you loaded it directly, it was then a top-level site, so Allowed.

> Then refreshed the tab for domain.com, and domain2.com is no longer blocked

Correct.
You allowed it by visiting it.

> I never actually told noscript to whitelist domain2.com

But you did, earlier.
You said to "allow top-level sites by default".


Allow top-level sites by default, would be considered, IMO, dangerous.
Setting, Options | Appearance -> Base 2nd level Domains, is fine (& I'm pretty sure, the default).

Re: NoScript allowing sites that I visit in another tab?

Posted: Wed Nov 06, 2013 3:52 pm
by matthewdavis
therube wrote:
> Are you sure you wanted:
>
> Options | General -> Temporarily allow top-level sites by default...
>
> & not
>
> Options | Appearance -> Base 2nd level Domains
>
> ?
>
> If the former, then what you described is exactly what it should have done.

No, that's what I wanted. I want it to default allow *.domain.com when I visit the domain. That's made my experience a bit less cumbersome (I get the privacy vs. usability paradigm).

therube wrote:
> > I never actually told noscript to whitelist domain2.com
>
> But you did, earlier.
> You said to "allow top-level sites by default".
>
> Allow top-level sites by default, would be considered, IMO, dangerous.
> Setting, Options | Appearance -> Base 2nd level Domains, is fine (& I'm pretty sure, the default).

I just never thought it through before. Thank you for the clarification. I had this idea in my head that tabs were segregated. And activity in 1 tab didn't impact the activity in the other. I still don't like it, but now I know. Thank you!

Re: NoScript allowing sites that I visit in another tab?

Posted: Wed Nov 06, 2013 10:42 pm
by Thrawn
matthewdavis wrote:
> I had this idea in my head that tabs were segregated. And activity in 1 tab didn't impact the activity in the other.

Not at all!

The only 'isolation' is that you can disable the auto-refresh of all tabs when permissions change.

But there are no per-tab permissions.

And from a security perspective, they wouldn't be all that helpful anyway. One malicious tab is enough to attack you, and 20 safe tabs are not.

Re: NoScript allowing sites that I visit in another tab?

Posted: Thu Nov 07, 2013 1:34 am
by matthewdavis
Thanks all for the clarification. Makes more sense now. May revisit the 'allow top level domain' setting after all.
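
The behaviour explained in this thread, as an added example that is not part of any post and is not NoScript's own code: a small model of one session-wide permission set shared by every tab, with "temporarily allow top-level sites" applied at base 2nd level granularity. The names `SessionPermissions`, `baseDomain` and `replay` are hypothetical, and the two-label domain reduction is a simplifying assumption.

```javascript
// Model of the behaviour described in the thread. Not NoScript source code.

// Naive "base 2nd level" reduction: keep the last two host labels.
// Assumption: a real implementation needs the Public Suffix List (co.uk etc.).
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class SessionPermissions {
  constructor({ tempAllowTopLevel }) {
    this.tempAllowTopLevel = tempAllowTopLevel;
    this.tempAllowed = new Set(); // one set for the whole session, not per tab
  }

  // Called when any tab loads `host` as its top-level document.
  navigate(host) {
    if (this.tempAllowTopLevel) this.tempAllowed.add(baseDomain(host));
  }

  // Decision for a script served from `scriptHost`. The requesting tab is
  // deliberately not a parameter: the thread's point is that permissions
  // are not tracked per tab.
  scriptsAllowed(scriptHost) {
    return this.tempAllowed.has(baseDomain(scriptHost));
  }
}

// Replays the sequence from the first post and records each decision.
function replay(tempAllowTopLevel) {
  const perms = new SessionPermissions({ tempAllowTopLevel });
  const log = {};
  perms.navigate('domain.com');                                     // tab 1
  log.firstPartyOnTab1 = perms.scriptsAllowed('www.domain.com');
  log.thirdPartyBefore = perms.scriptsAllowed('domain2.com');       // embedded in tab 1
  perms.navigate('domain2.com');                                    // tab 2, "just to look"
  log.thirdPartyAfterReload = perms.scriptsAllowed('domain2.com');  // tab 1 reloaded
  return log;
}

console.log('option on: ', replay(true));
console.log('option off:', replay(false));
```

With the option off, domain2.com stays blocked on domain.com until it is allowed explicitly, which is the behaviour the original poster expected.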