Feature Request: Plays nice with Containers!

[SoItBegins]

Firefox recently introduced a feature called Containers, which is still in development. In it, users can open a tab in a 'container' that provides a context different from the regular browsing environment. (See https://wiki.mozilla.org/Security/Conte ... Containers for more information.)

Most importantly, cookies, localStorage, etc., that are in a container are kept separate from other containers and the main browser context. The effect is to create a 'bubble' where a site has no knowledge of what goes on in the rest of the user's browsing session.

Would it be possible to update NoScript so that preferences are normally the same in a container as elsewhere, but can be customized? So, for example, Facebook is not allowed to run Javascript most of the time, except in the Facebook container.

[barbaz]

This only makes sense for A) script permissions, B) the "Forbid WebGL" setting under NoScript Options > Embeddings, and C) the XSS filter.

The benefits of (A) are obvious.

(B) is useful if you're playing online HTML5 games in one container and doing other stuff in another. As someone who currently uses something similar to "containers", I find myself un-checking that option when I'm playing HTML5 games, but leaving it checked elsewhere. Don't need hardware-accelerated stuff running on every JS-enabled website under the sun.

(C)... well, some sites are stupidly designed and trip the XSS filter with their normal activity. So if you disable the XSS filter in just the one container, and visit ONLY that one site in that container, that's a lot safer than the status quo isn't it?

[Thrawn]

I hadn't heard of the Containers initiative, but having read through that page, I like it. It's basically "do your banking in a separate profile" without the hassle of actually managing multiple, simultaneous, profiles.

For NoScript's primary use case - stopping malicious sites from exploiting vulnerabilities via JavaScript and other active content - it's less important, but for all the cross-site protections (XSS, CSRF, Clickjacking), this seems like the ultimate defence.

[adamhotep]

I think it's time to reconsider Containers support.

Nowadays, Firefox Containers are built-in (though iirc there is extra functionality if you still install the Firefox Multi-Account Containers add-on).

As noted in prior posts to this topic, this is not as much a security request as it is a privacy and trust request. I don't trust Google but I have to use it for work, so I want to allow its services solely within the container I've set up for that. I also want to limit Facebook's scripts to the Facebook Container (which is a separate add-on because it forces external links to external containers, but I expect it to be identical to standard containers from NoScript's perspective).

See also Security/Contextual Identity Project/Containers on the Mozilla Wiki. Feel free to reference Cookie AutoDelete (MIT/X11 License, compatible with GPL), which supports Containers (including Facebook Containers).

[cpx]

First I want to thank to all developer for bringing this great software. It help me quite a lot to avoid unnecessary tracking and javascript.

I also would like to voice to +1 this idea.

This is my use-case. I just don't trust google this day. But i still depend on their product. namely google.
I want to mainly enable google in my personal tab. So I can open google related product there but disable it on everywhere else.

I guess that's this is probably huge changes in the codebase to support this. But would be grate to have this a feature.

Cheers !

[Mad_Man_Moon]

+1

[barbaz]

I've been developing and using a PR for NoScript with separate policies for each container without requesting the "management" permission.

[ZeroUnderscoreOu]

I know there is already a topic on this, but I cannot post anything there because of antispam protection.

I'd like to be able to set container-specific page permissions. For example, set Google as trusted in a Google-dedicated container but untrusted by default.

[barbaz]

I know there is already a topic on this, but I cannot post anything there because of antispam protection.

It's trying to tell you that isn't the correct thread to post in You are asking for Firefox Containers support, while the thread you linked is requesting support for the Firefox Multi-Account Containers extension.

Merged your post to the correct thread. If the spam filter gives you trouble, note that you can private message what you want to post to an active Support Team member and we will try to post it for you. PMs to forum staff are not spam-filtered, and the spam filter is more lenient on us.

[therube]

Depending on what google service you're using, you might be able to do something like,
Allow mail.google.com (for gmail), but leave google.com itself set at default, so not allowed - in my case.
(I also Allow gstatic.com, which I suppose is needed ? but don't really know.)


So gmail always works, & all other google services are blocked unless I specifically allow them (on an as needed basis).


(gmail is utter drek since they disallowed the "Classic" layout.)