Feature request - pre-approved scripts

Posted: Fri Nov 08, 2013 9:24 am
by R160K
Would it be possible to implement a functionality whereby specific sites can execute SPECIFIC pre-approved scripts? For example, the pre-approved script could be stored as a .js file in a "whitelist" folder, and would be linked to a specific domain (or subdomain or even a single page), and in order for that page to execute the script it would have to a) be stored entirely as a separate .js file on the server (no inline code) and b) have to be EXACTLY the same as the script file in the whitelist folder.

There could even be three different "modes": Strict, where everything (including comments and spacing) has to be EXACTLY the same, Normal, where the "minified" form of the script has to be the same as the minified form of the whitelist script, and possibly Loose, where the script simply requires to be signed by a valid signature for a pre-approved public key.

Re: Feature request - pre-approved scripts

Posted: Sat Nov 09, 2013 2:05 am
by barbaz
I think you would be better off blocking the JS in question with ABE rules, then executing your local file(s) on the page in question through either NoScript surrogates or Scriptish, depending on your needs.

Re: Feature request - pre-approved scripts

Posted: Sat Nov 09, 2013 9:44 am
by Thrawn
This sounds somewhat like an earlier request for a mode where NoScript would warn you if scripts change for a whitelisted site.

There are two problems with it:
  1. NoScript blocks scripts from being downloaded, so at the time it's making a decision, it doesn't know the script contents.
  2. The NoScript trust model is "trust = accountability" (FAQ 1.11). If you would be able to sue the site (or hold it accountable in some other way) for hosting malicious content, then you don't need to verify signatures of scripts. If not, then it's not really a trusted site.
As barbaz mentioned, if you need specific site functionality, then you can build it yourself with a surrogate script.

Re: Feature request - pre-approved scripts

Posted: Sun Sep 20, 2015 10:26 pm
by Thrawn
Maybe if Subresource Integrity ever gets off the ground, that would make this more feasible.

Re: Feature request - pre-approved scripts

Posted: Fri Nov 27, 2015 1:21 am
by Thrawn
Update: this is coming for scripts and stylesheets, at least, in Firefox 43.
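As an added example (not code from this thread or from NoScript): the "Strict" mode of the original request, written as a Subresource Integrity-style digest pin that is checked against the fetched bytes before execution. The pin store layout, `checkScript`, and the `example.test` names are hypothetical; the sample script is constructed.

```javascript
const { createHash } = require("node:crypto");

// Hash algorithms SRI defines, weakest to strongest.
const STRENGTH = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);

// SRI-style value over the exact bytes: "<alg>-<base64 digest>".
function sriDigest(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// An integrity string may hold several space-separated tokens. As in SRI,
// only tokens of the strongest algorithm present are used for matching.
function strongestTokens(integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => ({ alg: t.split("-", 1)[0], value: t }))
    .filter((t) => STRENGTH.has(t.alg));
  const best = Math.max(0, ...tokens.map((t) => STRENGTH.get(t.alg)));
  return tokens.filter((t) => STRENGTH.get(t.alg) === best);
}

// pins: hypothetical whitelist, { [pageOrigin]: { [scriptUrl]: integrity } }.
// script: { url, body }; url is null for inline code.
function checkScript(pins, pageOrigin, script) {
  if (!script.url) return { allow: false, reason: "inline" };   // rule (a)
  const forPage = pins[pageOrigin];
  const integrity = forPage && Object.hasOwn(forPage, script.url)
    ? forPage[script.url] : undefined;
  if (typeof integrity !== "string") return { allow: false, reason: "not-pinned" };
  const tokens = strongestTokens(integrity);
  if (tokens.length === 0) return { allow: false, reason: "bad-pin" };
  const ok = tokens.some((t) => sriDigest(script.body, t.alg) === t.value);
  return { allow: ok, reason: ok ? "match" : "changed" };       // rule (b)
}

// Constructed sample data: one approved script pinned for one origin.
const APPROVED = "function greet(){ return 'hi'; }\n";
const APP_URL = "https://example.test/js/app.js";
const PINS = {
  "https://example.test": {
    [APP_URL]: `${sriDigest(APPROVED, "sha256")} ${sriDigest(APPROVED)}`,
  },
};
```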