"Cascade" feature is a godsend
Posted: Fri Feb 06, 2015 8:41 pm
by tarjk
For all those users out there who feel NoScript is a PAIN to use, it just got a whole lot better.
Navigate to Preferences > Advanced > Trusted and enable "Cascade top document's permissions to 3rd party scripts."
What this does is prevent you from constantly having to allow stuff that loads after you temporarily allow a top level domain. A lot of the time a site just plain won't work until you let a bunch of stuff load. So you are left Temp allowing over and over again before the site works. This cascade feature has made it so you only have to do it once per top level domain. Pretty cool.
Thanks Giorgio. This made NoScript a lot more user-friendly.
Re: "Cascade" feature is a godsend
Posted: Fri Feb 06, 2015 9:51 pm
by therube
tarjk wrote: A lot of the time a site just plain won't work until you let a bunch of stuff load. So you are left Temp allowing over and over again before the site works. This cascade feature has made it so you only have to do it once per top level domain.
For purposes like that, I agree.
And I think it should be more discoverable.
Even to the point where there might be an option to have Cascade take preference over Allow Globally (such that the context-menu might read, Cascade (dangerous) rather than Allow Scripts Globally (dangerous)).
Re: "Cascade" feature is a godsend
Posted: Mon Feb 09, 2015 12:51 am
by Thrawn
Bear in mind that there is no per-site cascade. So this is helpful for minimising effort, but you run a much higher risk of, e.g., a legitimate site being compromised by a persistent XSS.
Re: "Cascade" feature is a godsend
Posted: Thu Feb 12, 2015 4:00 pm
by bgmnt
How does it differ from "Allow all this page" by the way? I never used that feature, so not sure.
I'd guess, allow all this page allows what can be seen and then reload, sometimes bumping into new domains that won't be allowed, whereas cascading allows any domain that may come up after reload as long as first party domain is whitelisted.
Also, allow all this page actually adds domains to the whitelist whereas cascading only whitelists the first party domain, ensuring that if you visit one of the 3rd party domains in the future, it won't be allowed to run JavaScript.
Is that correct? If so, I do prefer cascading and it indeed sounds both safer and almost as user friendly as "allow scripts globally".
Edit: It might be incorrect. If it's correct, then the "Temporarily allow first level domains by default" options in NoScript's General tab should maybe be tweaked so that, like cascading, domains are not automatically added to the whitelist, only allowed upon meeting criteria (here: Be loaded as a first party domain. for cascading: Be loaded as third party from a 1st party domain that is allowed to cascade), and disallowed when not meeting such criteria. (The whitelist is all or nothing.)
Re: "Cascade" feature is a godsend
Posted: Thu Feb 12, 2015 5:23 pm
by barbaz
bgmnt wrote: How does it differ from "Allow all this page" by the way? I never used that feature, so not sure.
I'd guess, allow all this page allows what can be seen and then reload, sometimes bumping into new domains that won't be allowed, whereas cascading allows any domain that may come up after reload as long as first party domain is whitelisted.
Also, allow all this page actually adds domains to the whitelist whereas cascading only whitelists the first party domain, ensuring that if you visit one of the 3rd party domains in the future, it won't be allowed to run JavaScript.
Is that correct?
You have it right
bgmnt wrote: If so, I do prefer cascading and it indeed sounds both safer and almost as user friendly as "allow scripts globally".
It's not any safer than Allow Scripts Globally... however you _may_ get privacy benefit from Cascade compared to Allow Scripts Globally.
Re: "Cascade" feature is a godsend
Posted: Thu Feb 12, 2015 8:45 pm
by bgmnt
Well it's not any safer on a given site that has been whitelisted. But all non whitelisted sites are almost as safe as they are with NoScript's default config (i.e. JS disallowed).
Now if only this behaviour was used with the "Temporarily allow first level domains by default" feature, where instead of automatically adding any visited domain to the whitelist, you simply allow it without whitelisting, ensuring that they will not run JS as 3rd party, that would be nice. That would prevent redirection from adding unwanted domains to the whitelist (e.g. mainSite -> adSite -> mainSite, we only wanted to visit mainSite but adSite ends up whitelisted, and later allowed as third party anywhere on the web). At some point in the past, PayPal had such a redirect to DoubleClick, and I don't think anyone here wants to whitelist DoubleClick.

Re: "Cascade" feature is a godsend
Posted: Thu Feb 12, 2015 10:37 pm
by barbaz
bgmnt wrote: Now if only this behaviour was used with the "Temporarily allow first level domains by default" feature, where instead of automatically adding any visited domain to the whitelist, you simply allow it without whitelisting, ensuring that they will not run JS as 3rd party, that would be nice.
I don't understand what you're suggesting. If you allow something it goes on the whitelist, if you Temporarily allow something it gets temporarily added to the whitelist. Cascading just changes the extent of the meaning of being on the whitelist.
There isn't another way to allow a site...
bgmnt wrote: That would prevent redirection from adding unwanted domains to the whitelist (e.g. mainSite -> adSite -> mainSite, we only wanted to visit mainSite but adSite ends up whitelisted, and later allowed as third party anywhere on the web).
adSite isn't 3rd-party there, it's temporarily 1st-party and a top-level site...
If you don't like that, Mark adSite as Untrusted - that way it can't be automatically (Temp-)Allowed even through cascading permissions.
Re: "Cascade" feature is a godsend
Posted: Fri Feb 13, 2015 2:18 am
by bgmnt
barbaz wrote: Cascading just changes the extent of the meaning of being on the whitelist.
There isn't another way to allow a site...
If it makes things clearer you could imagine a special whitelisted item such as "$first-party", translated by NoScript's whitelist parser as "allow first party site to run JS". This way the actual domain isn't added to the whitelist per se and, not being whitelisted, won't run JS if encountered as third-party. (Just like 3rd party domains allowed through cascading won't be allowed if encountered as first party later on)
barbaz wrote: adSite isn't 3rd-party there, it's temporarily 1st-party and a top-level site...
Yes, but as you continue browsing the web you may stumble upon siteB that loads adSite as a third party. adSite has been whitelisted already and will be able to run JS. This problem doesn't exist if first party domains are not allowed because of their name, but because they are first party. i.e. they are not allowed individually, it's the entity *first-party* that is allowed. I hope it's a little more clear.
barbaz wrote: If you don't like that, Mark adSite as Untrusted - that way it can't be automatically (Temp-)Allowed even through cascading permissions.
Blacklists are never ideal but that's a very nice suggestion
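The redirect case and the proposed "$first-party" item from the posts above, together with the cascade behaviour confirmed earlier in the thread, as an added example that is not part of the original posts and is not NoScript's code. It is a simplified model: the function names, the policy fields and the `.example` domains are assumptions made for illustration.

```javascript
// Simplified model of the permission logic discussed in this thread.
// Not NoScript's code: every name below is hypothetical.
function makePolicy(opts = {}) {
  return {
    whitelist: new Set(),   // sites allowed by name (Allow / Temporarily allow)
    untrusted: new Set(),   // sites marked as Untrusted
    cascade: false,         // "Cascade top document's permissions to 3rd party scripts"
    autoAllowTop: false,    // "Temporarily allow first level domains by default"
    firstPartyRule: false,  // the proposed "$first-party" item (does not exist in NoScript)
    ...opts,
  };
}

// Top-level navigation. Today's auto-allow puts the visited domain on the whitelist.
function visitTopLevel(p, site) {
  if (p.autoAllowTop && !p.firstPartyRule && !p.untrusted.has(site)) p.whitelist.add(site);
}

// May a script from scriptSite run in a page whose top document is topSite?
function canRun(p, topSite, scriptSite) {
  if (p.untrusted.has(scriptSite)) return false;   // Untrusted beats every other rule
  if (p.whitelist.has(scriptSite)) return true;    // allowed by name, in any context
  const firstParty = scriptSite === topSite;
  if (firstParty) return p.autoAllowTop && p.firstPartyRule;  // allowed by role only
  return p.cascade && p.whitelist.has(topSite);    // inherited from the top document
}

// Constructed scenario: mainSite -> adSite -> mainSite redirect, after which
// an unrelated siteB embeds adSite as a third party.
function redirectScenario(opts = {}) {
  const p = makePolicy({ autoAllowTop: true, ...opts });
  for (const hop of ["main.example", "ads.example", "main.example"]) visitTopLevel(p, hop);
  return {
    adsWhitelisted: p.whitelist.has("ads.example"),
    adsRunsOnSiteB: canRun(p, "siteb.example", "ads.example"),
    mainRunsAsTop: canRun(p, "main.example", "main.example"),
  };
}

// Constructed scenario: cascade on, only main.example whitelisted.
function cascadeScenario() {
  const p = makePolicy({ cascade: true, whitelist: new Set(["main.example"]) });
  return {
    cdnUnderMain: canRun(p, "main.example", "cdn.example"),
    cdnVisitedDirectly: canRun(p, "cdn.example", "cdn.example"),
    cdnUnderOtherSite: canRun(p, "other.example", "cdn.example"),
  };
}

console.log(redirectScenario(), redirectScenario({ firstPartyRule: true }), cascadeScenario());
```

Passing `{ untrusted: new Set(["ads.example"]) }` to `redirectScenario` models the Untrusted suggestion: the ad domain is neither auto-allowed during the redirect nor able to run later on siteb.example.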

Re: "Cascade" feature is a godsend
Posted: Fri Feb 13, 2015 2:20 am
by barbaz
Yes, that makes it much clearer.
Such permissions management might be part of NoScript 3.
Re: "Cascade" feature is a godsend
Posted: Fri Feb 13, 2015 2:33 am
by bgmnt
Ok
I thought the cascading feature had some code that could be tweaked to improve the auto-allow thing without too much work. From what I understand, NoScript 3 is scheduled for whenever Firefox release channel has e10s enabled by default? Like, maybe July or something. Sounds good enough.
