InformAction Forums

A lot of sites include the google recaptcha script. Unfortunately, it does not have its own subdomain, but is hosted directly on google.com. Whitelisting the whole google.com domain is not funny. Can this be sorted out somehow within the current NoScript framework?

Allow google.com in script blocking, then use ABE to allow only select google scripts - Replace <whatever-google.com-stuff-recaptcha-needs> with the scripts you want to allow. See ABE Rules .pdf for how to specify it.

I only spent a few minutes on it, but "Site ^https://www.google.com/recaptcha/" is good enough for me. Thank you very much for this info.

You're welcome.

ultramage wrote:"Site ^https://www.google.com/recaptcha/"

In regex, a plain . means 'any character', so your Site line would match e.g. "https://www-google.com/recaptcha/". So you might want to change it to this -

I have a followup to this. Whenever a captcha loads, the firefox debugger reports Failing to load this out-of-scope script causes the google server to request 5+ valid answers before accepting, compared to the usual 1-2 if the script is allowed.
I wish NoScript would ship with a narrowly scoped surrogate-like thing that deals with these sorts of shenanigans. Or that google made their recaptcha easier to whitelist.