Page 1 of 1
option to prevent new sites from being whitelisted on update
Posted: Sat Dec 06, 2014 4:05 pm
by Thencent
Upon installing NoScript, I remove all domains from the Whitelist tab, leaving only the Firefox "about:" etc. items in the list. Unfortunately, NoScript adds new domains to the list sometimes when updating. Could you please provide an option (whether in about:config or the UI) to prevent domains from being automatically added to the list? I don't mind if new "about:" type items are added to the list.
Re: option to prevent new sites from being whitelisted on up
Posted: Sat Dec 06, 2014 5:42 pm
by therube
If you created a user.js file & added this, does that do it?
user.js overriding other settings, hopefully.
user_pref("capability.policy.maonoscript.sites", "");
(Actually suppose you'd have to edit out everything from the existing list except for the about: entries.)
Perhaps this:
Code: Select all
user_pref("capability.policy.maonoscript.sites", "about: about:addons about:blank about:blocked about:certerror about:config about:crashes about:home about:memory about:neterror about:plugins about:privatebrowsing about:sessionrestore about:srcdoc about:support blob: chrome: moz-safe-about: resource:");
Re: option to prevent new sites from being whitelisted on up
Posted: Sat Dec 06, 2014 6:03 pm
by Thencent
I see a couple issues with your suggestion ...
First, it would be nice if a user wouldn't have to keep track of when new Firefox "about:" pages are added and manually add them to the list.
Second, I'm not sure when user.js is executed in relationship to when NoScript modifies the about:config entries ... my guess is that on first run (at least) the new domains wouldn't be removed because user.js is executed first.
Re: option to prevent new sites from being whitelisted on up
Posted: Sat Dec 06, 2014 6:06 pm
by therube
> it would be nice if a user wouldn't have to keep track of when new Firefox "about:" pages are added
Maybe if there were separate Prefs, one for about: & the like & a separate one for actual whitelisted domains. Then you could just nix the second & be done.
> I'm not sure when user.js is executed in relationship to when NoScript modifies the about:config entries
Nor I.
But you can test & see
.
(Wonder what happens with Tor if you were to update to a newer NoScript version?)
Re: option to prevent new sites from being whitelisted on up
Posted: Sun Dec 07, 2014 4:38 am
by barbaz
Thencent wrote:Unfortunately, NoScript adds new domains to the list sometimes when updating.
What domain(s)?
From what version to what version did you update NoScript?
Note this code in components/noscriptService.js:
Code: Select all
onVersionChanged: function(prev) {
// update hacks
var versions = {
"2.1.1.2rc6": {
"hotmail.com": "wlxrs.com", // required by Hotmail/Live webmail
"google.com": "googleapis.com gstatic.com", // required by most Google services and also by external resources
"addons.mozilla.org": "paypal.com paypalobjects.com" // required for the "Contribute" AMO feature not to break badly with no warning
},
"2.2.9rc2": {
"addons.mozilla.org": "persona.org"
},
"2.4.9rc2": {
"!browserid.org": "persona.org"
},
"2.5.9rc3": {
"live.com": "gfx.ms afx.ms" // fully Microsoft-controlled (no user content), now required by MS mail services
},
"2.6.5.9rc2": {
"live.com": "sfx.ms" // fully Microsoft-controlled (no user content), now required by MS mail services
},
"2.6.6rc5": {
"live.com": "outlook.com live.net" // fully Microsoft-controlled (no user content), now required by MS mail services
},
"2.6.9.4rc1": {
"vimeo.com": "vimeocdn.com" // no movie will play anymore without this
}
};
for (let v in versions) {
if (this.versionComparator.compare(prev, v) < 0) {
let cascading = versions[v];
for (let site in cascading) {
let newSite = cascading[site].split(/\s+/);
let replace = site[0] === "!";
if (replace) site = site.substring(1);
if (this.isJSEnabled(site)) {
this.jsPolicySites.remove(newSite, true, false);
this.setJSEnabled(newSite, true);
if (replace) this.jsPolicySites.remove(site, true, false);
}
}
}
}
},
If it happened other than one of those updates and the changes weren't as specified, either you've found a bug or something else is tampering with your whitelist; otherwise, it's by design.
Thencent wrote:Could you please provide an option (whether in about:config or the UI) to prevent domains from being automatically added to the list? I don't mind if new "about:" type items are added to the list.
+1 bigtime, but I don't think it's technically possible. NoScript is just a browser extension, so it can't do anything that other components of the browser can't do. Any malicious anything with sufficient privileges could find a way to add its domain(s) to the NoScript whitelist and override whatever protection is in place.
Re: option to prevent new sites from being whitelisted on up
Posted: Fri Dec 12, 2014 10:43 pm
by Giorgio Maone
Please check
latest development build 2.6.9.7rc1, thank you.
Re: option to prevent new sites from being whitelisted on up
Posted: Fri Dec 12, 2014 11:15 pm
by barbaz
... oh, Thencent didn't mean generically.
Nice, thanks Giorgio!