InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

Allow first party scripts by default

https://forums.informaction.com/viewtopic.php?t=20409

Page 1 of 1

Allow first party scripts by default

Posted: Tue Dec 23, 2014 1:05 pm
by Zanen
Hi,

Maybe it's a dumb question, but is there a way to have all first party sites automatically allowed ? Allowing JS globally is a little overkill for me, but I have to have a Firefox profile around for non technical people.

Thanks!

Re: Allow first party scripts by default

Posted: Tue Dec 23, 2014 8:13 pm
by barbaz
Not quite, the closest you can get is
NoScript Options > General > Temporarily allow top-level sites by default

but that Temp-Allows those top-level sites *everywhere*, so their scripts will run even as 3rd-party scripts.

The most dangerous part of turning that option on is if there's a redirect through some random site, then that site will seem to Temp-Allow itself... I've seen at least two different threads here about that (one of which was quite extensive)

Re: Allow first party scripts by default

Posted: Tue Dec 23, 2014 11:13 pm
by Thrawn
You might also want to run that profile in a sandbox or VM.

Re: Allow first party scripts by default

Posted: Sun Dec 28, 2014 4:00 pm
by Zanen
Thank you both for the suggestions :)

I'm already using Sandboxie, but even so blocking 3rd party JS is still good for CPU load and battery life.
The auto-temp allow thing will indeed become problematic but it's an improvement over allowing globally, so I'll take that for now.

Could "allow first party JS" be worth proposing as a feature suggestion ?

Re: Allow first party scripts by default

Posted: Sun Dec 28, 2014 11:15 pm
by barbaz
You're welcome.
Zanen wrote:Could "allow first party JS" be worth proposing as a feature suggestion ?
I think so, although I wouldn't use it; however, bear in mind that it's possible a site will work without any JS but not work at all if 1st-party JS is enabled but it has a CDN (e.g. some Akamai or cloudfront domain or some domain that looks similar to that of the site but has something like 'img' or 'static' or 'cdn' in it) or 3rd-party dependency that is script-blocked...
(Example: YouTube - *if you use their HTML5 player* - requires s.ytimg.com and an entire type of video objects from googlevideo.com Allowed in NS in order to watch video)

If you would like to make that RFE you can either just post it at the end of this thread; or, if you register first, post it at the end of this thread under your registered account and I'll change the topic title to 'RFE: Easy option to auto temp-allow only first party scripts' and move the whole thread to NoScript Development as an RFE, so it's more likely to be spotted, if you like.

Bear in mind that Giorgio has a lot on his plate NS-wise so it may be a while before he gets to this

Re: Allow first party scripts by default

Posted: Thu Jan 01, 2015 11:23 pm
by Thrawn
Zanen wrote:Could "allow first party JS" be worth proposing as a feature suggestion ?
Well, it's already possible using ABE, but then you would only be able to make exceptions using ABE...
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited