Allowing JS for a 3rd party site only on a given 1st party
Posted: Tue Jun 17, 2014 5:17 pm
by Sam
Hi,
Let's say I want to permanently allow ajax.googleapis.com ONLY on a given site. How would I do this ?
Curiosity question: If that site is allowed normally (i.e. not using the solution to this thread's question), but the website I am currently on doesn't have JS enabled, will ajax.googleapis.com scripts be downloaded ? If so, will they be run ?
Looks like the answer to both questions is "no", but that could be because I checked on a site that uses JS to download and run Ajax. I'm thinking Ajax always needs to be called by the first party script otherwise it never runs, but it can be downloaded without JS. Is that correct ?
Thanks!
Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jun 17, 2014 5:34 pm
by barbaz
Sam wrote:Hi,
Let's say I want to permanently allow ajax.googleapis.com ONLY on a given site. How would I do this ?
http://noscript.net/faq#qa8_10
Sam wrote:Curiosity question: If that site is allowed normally (i.e. not using the solution to this thread's question), but the website I am currently on doesn't have JS enabled, will ajax.googleapis.com scripts be downloaded ?
Not unless they are in an iframe from ajax.googleapis or another allowed site.
Sam wrote:If so, will they be run ?
JS files called by the forbidden site: no
scripts inlined in or requested by an iframe from an allowed site: yes, unless you set about:config -> noscript.restrictSubdocScripting to true
Sam wrote:I'm thinking Ajax always needs to be called by the first party script otherwise it never runs, but it can be downloaded without JS. Is that correct ?
The second part only. A simple script tag will get the ajax script to run, but it may not actually do anything if it's just defining a set of APIs that never get used.
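An added example, not part of the original posts and not NoScript's own code: an ABE rule of the kind the linked FAQ entry points to, with a simplified first-match evaluator showing which requests it lets through. `example.com` stands in for the chosen first-party site, and the evaluator is an assumption-level model that handles only `Site`, `Accept`/`Deny`, `INCLUSION(...)` and `from`.

```javascript
// Constructed ABE ruleset: ajax.googleapis.com may be included only from example.com.
const RULES = `
Site ajax.googleapis.com
Accept from .example.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
`;

// ".example.com" matches example.com and its subdomains; a bare host matches exactly.
function hostMatches(pattern, host) {
  if (pattern.startsWith('.')) {
    return host === pattern.slice(1) || host.endsWith(pattern);
  }
  return host === pattern;
}

// Parse the subset of ABE syntax used above into rule objects.
function parseRules(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    if (line.startsWith('Site ')) {
      rules.push({ sites: line.slice(5).trim().split(/\s+/), predicates: [] });
      continue;
    }
    const m = /^(Accept|Deny)(?:\s+INCLUSION\(([^)]*)\))?(?:\s+from\s+(.+))?$/.exec(line);
    if (!m || rules.length === 0) throw new Error('unsupported line: ' + line);
    rules[rules.length - 1].predicates.push({
      action: m[1],
      types: m[2] ? m[2].split(',').map(s => s.trim()) : null,
      origins: m[3] ? m[3].trim().split(/\s+/) : null,
    });
  }
  return rules;
}

// The first predicate that matches the request decides; no match means the request proceeds.
function decide(rules, req) {
  for (const rule of rules) {
    if (!rule.sites.some(p => hostMatches(p, req.dest))) continue;
    for (const p of rule.predicates) {
      const typeOk = !p.types || p.types.includes(req.type);
      const originOk = !p.origins || p.origins.some(o => hostMatches(o, req.origin));
      if (typeOk && originOk) return p.action;
    }
  }
  return 'Accept';
}
```

ABE only decides whether the request is made; whether a loaded script then executes still depends on the page's own script permission, as the rest of this thread discusses.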
Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jun 17, 2014 6:02 pm
by Sam
Thanks.
Just to make sure I got it:
barbaz wrote:The second part only. A simple script tag will get the ajax script to run, but it may not actually do anything if it's just defining a set of APIs that never get used.
But the script tag will not run if the first party site has JS forbidden, so in that case both parts of my assumption are correct right ?
I didn't think of using ABE. I was hoping for something more straightforward like a whitelist item
ajax.googleapis.com@example.com
ABE is fine though, but I'd be glad to hear it if there is a way to do it with the whitelist

Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jun 17, 2014 6:05 pm
by Sam
Sam wrote:I'm thinking Ajax always needs to be called by the first party script otherwise it never runs
Sorry bad wording, let's assume <script> tag is included in that "first party script" thing

But IFrame and anything else is not.
Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jun 17, 2014 6:20 pm
by barbaz
Sam wrote:But the script tag will not run if the first party site has JS forbidden
Sorry about the misunderstanding. No script tags on a forbidden site will run, even if the JS file originates from an allowed site.
Sam wrote:I was hoping for something more straightforward
IIUC there will be, in NoScript 3.
Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jun 17, 2014 6:29 pm
by Sam
NoScript 3 ? Yay, I wonder what's cooking now. We've been on 2.x for what feels like 5 years or more ^^
Here's hoping for an easier way to allow WebGL games to run.
Oh sorry, I forgot to ask for confirmation: A 3rd party script blocked with ABE amounts to it being forbidden in that, in the eyes of the first party, it doesn't exist. So NoScript surrogates do kick in right ?
PS: The captchas are wayyyyy too hard I failed like 10 times in a row

Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jun 17, 2014 6:45 pm
by barbaz
Sam wrote:Here's hoping for an easier way to allow WebGL games to run.
That is
viewtopic.php?f=7&t=19289
Sam wrote:Oh sorry, I forgot to ask for confirmation: A 3rd party script blocked with ABE amounts to it being forbidden in that, in the eyes of the first party, it doesn't exist. So NoScript surrogates do kick in right ?
Yes but only as of NoScript 2.6.8.27
Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jun 17, 2014 7:17 pm
by Sam
Oh right! Can't believe I forgot the changelog since it is so recent. Well I'm good to go now, thanks for all the fish!
*rolls up his sleeves to take on Doom Captcha the Arch-nemesis*
(Yay, only 60 seconds to beat it this time!)
Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jul 01, 2014 12:24 pm
by Sam
From the changelog of NoScript 2.6.8.31:
+ "NoScript Options|Advanced|Untrusted|Block scripting in whitelisted
subdocuments of non-whitelisted pages" user-facing preference
According to what I understood from the discussion in this thread, notably this:
Sam wrote:If so, will they be run ?
barbaz wrote:JS files called by the forbidden site: no
scripts inlined in or requested by an iframe from an allowed site: yes, unless you set about:config -> noscript.restrictSubdocScripting to true
barbaz wrote:No script tags on a forbidden site will run, even if the JS file originates from an allowed site.
There shouldn't be a need to block whitelisted subdocuments because they already can't run in a JS-disabled page. What am I missing ?
Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jul 01, 2014 6:09 pm
by barbaz
Sam wrote:There shouldn't be a need to block whitelisted subdocuments because they already can't run in a JS-disabled page. What am I missing ?
Yes, they can run scripts when they're included by a JS-disabled page. That's what I meant by
barbaz wrote:scripts inlined in or requested by an iframe from an allowed site: yes, unless you set about:config -> noscript.restrictSubdocScripting to true
Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jul 01, 2014 7:40 pm
by Sam
So if this necessitates an IFrame containing an allowed site, then if IFrames are forbidden there's no way for
Untrusted|Block scripting in whitelisted subdocuments of non-whitelisted pages to come into play, right ?
Did I completely get it right this time ?

Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jul 01, 2014 7:46 pm
by Sam
Oh f*, yes! IFrames are "subdocuments", dumbhead.
Since the changelog doesn't use the name IFrame directly, I assume there are other types of subdocuments. The question then is, what are they ? Normal Frames ? What else ?
And as long as they're all forbidden, then this feature by definition (if I read correctly) is never triggered.
Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jul 01, 2014 8:21 pm
by barbaz
Sam wrote:So if this necessitates an IFrame containing an allowed site, then if IFrames are forbidden there's no way for Untrusted|Block scripting in whitelisted subdocuments of non-whitelisted pages to come into play, right ?
I think it doesn't come into play before you click the placeholder to allow the iframe, but it would after you allow the iframe.
Sam wrote:Since the changelog doesn't use the name IFrame directly, I assume there are other types of subdocuments. The question then is, what are they ? Normal Frames ? What else ?
Yes. In practice I've only seen it used for frames and iframes. More generally, presumably anything that is labeled by the browser as
Re: Allowing JS for a 3rd party site only on a given 1st par
Posted: Tue Jul 01, 2014 8:43 pm
by Sam
barbaz wrote:I think it doesn't come into play before you click the placeholder to allow the iframe, but it would after you allow the iframe.
Yes that would be expected in that case

I turned the feature on, let's hope that it will be easy to understand why something is broken next time I need an IFrame to have JS. (It barely ever happens so I guess I'll completely forget this feature until it breaks something in an eon or two. Hope the regular NS drop down will help whitelisting the subdocument then)
barbaz wrote:Yes. In practice I've only seen it used for frames and iframes. More generally, presumably anything that is labeled by the browser as
Thanks again for clearing that up. If it's basically plugins, frames and iframes, then it's fine.