Sites which constantly spawn new scripts

Posted: Fri Feb 26, 2016 1:38 am
by McKFC
About a couple of years ago, the BBC started using a new system for live update pages on their website (for instance, football updates) which pulls from various IPs. Presumably this is to manage server load, but it causes problems for the NoScript addon as - even with bbc.co.uk and the other constants allowed - the new IPs have to be set to Allowed before the new information comes in. This is really frustrating!

With an update to the site, it's now occurring everywhere on BBC Sport! You can see for yourself, try http://www.bbc.co.uk/sport/football
(might need to be from a UK IP, don't know if this still applies to the international site)

You can click "Allow all this page" but it'll throw more scripts at you that get caught by NoScript and you have to allow. On a live update page, this can be seemingly unending, and constantly disrupting the new updates on the page.

I've tried adding bbc.co.uk to the whitelist, but of course all the IPs count as separate protocols. Is there any way I can permanently allow any script called by a BBC page?

Re: Sites which constantly spawn new scripts

Posted: Fri Feb 26, 2016 1:48 am
by barbaz
No, there isn't, because such an option is NOT safe. You really don't know what these IP addresses are or whose stuff they're hosting. I think there was an example of this where hackers were swapping legit IPs for their own malicious IPs...

see viewtopic.php?f=7&t=21156

You can sort-of achieve what you want by Cascading Permissions mode, but that'd set NoScript to act much differently - it'd behave that way for ALL sites, and you would have no immediate control over unknown script sources included on trusted pages.

If these IP addresses are all in the same subnet, you can whitelist the whole subnet and restrict it with ABE. But again, this is not necessarily safe.

Re: Sites which constantly spawn new scripts

Posted: Fri Feb 26, 2016 2:52 am
by Thrawn
Perhaps this could be best solved with a separate profile in a VM or sandbox?