InformAction Forums

After updating noscript from an older to the current version 2.9.0.11, access to the whitelisted URL fails, since the browser forces a connect to the SSL port via https which is not requested and not possible with several URL targets (e. g. device administration interfaces). Non-SSL connects to these whitelisted URLs is not possible any more. As soon as the affected URL is deleted from the whitelist, access to that URL without SSL is possible again. Only workaround seems to be to disable the whitelist.

As I do not see a relation between the scripting-oriented whitelisting of domains and the SSL access to these domains, nor an option to toggle this, I assume it a bug and kindly ask for a fix. Thanks

about:config > set noscript.httpsDefWhitelist to false
enjoy the insecure connections

(ok yeah, i run with that disabled all the time...)

You are not the only user reporting such breakage. Can you please post which URLs you're visiting that are broken by httpsDefWhitelist?

This thread is a little "dead" but I feel that some enlightenment is required.

bugzillus wrote:As I do not see a relation between the scripting-oriented whitelisting of domains and the SSL access to these domains, nor an option to toggle this, I assume it a bug and kindly ask for a fix. Thanks

Whitelisting and SSL have a very important relationship. I wasn't aware of this feature
until I had a run-in with not being able to connect to a site. Though, once I became aware
I am amazed at how great a tool NoScript really is.

Onto the subject of SSL. When connecting through HTTPS two things are occurring,
one is verifying the identity of who your talking to and the second is encrypting the
communication. The important bit for NoScript is verifying the identity. Let's look
at an example.

Alice wants to talk to Bob, so she sends out a request to talk and ask for encryption.
Bob accepts and sends back his information. Alice verifies the identity information
Bob sent back and if it matches Bob's they start talking.

Now, again, without identification, Alice wants to talk to Bob, so she sends out a
request to talk and asks for encryption. Evil-Man sees this request and sends out
a response claiming to be Bob. Without any identity verification Alice will think
she's talking to Bob, but Evil-Man is actually receiving the data. This makes having
encryption pretty useless.

How does this apply to NoScript? Well, when you whitelist a script you're, presumably,
saying that "Script-A.js from example.com is safe and I want to run it" (doing all the
safety checks and whatnot). Without HTTPS / SSL then Evil-Man can send his own
version of Script-A.js claiming to be from example.com. From your end it looks like
Script-A.js was received from example.com and therefore NoScript will allow it to
run. You are now running Evil-Man's code.

--

Now, one thing I can think of to help mitigate this issue is to store a checksum for
each allowed script. That way if the received Script-A.js is different from the one
that was allowed the user can be notified and asked to reallow.

I don't know if NoScript implements checksumming. Although, it's key to remember
that checksums are not free, it'd introduce overhead.

SxDerp wrote:Now, one thing I can think of to help mitigate this issue is to store a checksum for
each allowed script. That way if the received Script-A.js is different from the one
that was allowed the user can be notified and asked to reallow.

I don't know if NoScript implements checksumming. Although, it's key to remember
that checksums are not free, it'd introduce overhead.

NoScript doesn't do checksumming, the reasons has been discussed before:
viewtopic.php?f=8&t=17045
viewtopic.php?f=10&t=17874

In NS 2.9.0.14 in Fx 49 Win (Firefox, not TBB), this seems to recently started breaking sites .
My circumstances are a bit different than OP's.

When OP said, "access to whitelisted sites," I assume some sites that failed were user added?
For me, NS seems to force https for all sites not supporting https, as soon as I click "temporarily allow" the base domain.
It reloads the page & switches to https - which fails.

The sites are not in my whitelist (Options / Whitelist) & scripts are blocked globally.
In Firefox, setting "noscript.httpsDefWhitelist" pref to false solved the problem (for now).
Note: In Tor Browser, "noscript.httpsDefWhitelist" is True, and it doesn't force https on non whitelisted sites (they work OK).

If the bug was fixed, this pref shouldn't affect sites not in whitelist(s) - correct? But it is affecting non-whitelisted sites.

I uninstalled & reinstalled NS - no change yet. I didn't try a new profile, yet - as this just started.
I disabled all other addons - to test, but sometimes that's not sufficient to fix a problem.

Have anything in NoScript Options | Advanced | HTTPS -> Behavior?