InformAction Forums

Dear Giorgio, forum

Is there an option with NoScript Quantum to set all websites by default to Untrusted? Since NoScript Quantum I noticed certain website elements are loaded by default (like an embedded video or other content). I have to set all domains by hand to untrusted to block this behavior. With the old NoScript I could block all site elements by default, so I'm hoping this is also possible, or will be possible, with NoScript Quantum (which is great btw!).

Thanks,

LoveNoScript

LoveNoScript, make sure your Default preset is set properly, that would be all boxes unticked except frame, fetch and other. That would be default for the Default preset. Or, you could untick all boxes, which would give you a more restricted experience than what we had in version 5 regarding Deault domains.

If that doesn't work, then its likely your NoScript settings are corrupted. To fix the problem you can Reset settings. Click NoScript Options>Reset.

Bo

Bo,

Thank you so much!!! I always thought that the "default" button (and underlying settings) were for the corresponding domain.

You just made my day

LoveNoScript

LoveNoScript wrote:I always thought that the "default" button (and underlying settings) were for the corresponding domain.

The checkboxes under DEFAULT and TRUSTED are global — they apply to every domain set to DEFAULT or TRUSTED (respectively). However, the checkboxes under CUSTOM are unique to the corresponding domain.

EDIT: Thanks to Pansa for correcting my misunderstanding of how CUSTOM works. As he describes in the below reply, CUSTOM is global like DEFAULT and TRUSTED but for just one domain. CUSTOM settings for domain E are distinct from CUSTOM settings for domain D. I've removed the rest of this reply, which was bad advice based on my misunderstanding. Apologies to all for the confusion.

LoveNoScript wrote:Bo,

Thank you so much!!! I always thought that the "default" button (and underlying settings) were for the corresponding domain.

You just made my day

LoveNoScript

You are welcome, I am glad to help.

Bo

FranL wrote:

1. Never use TRUSTED, and only grant trust using CUSTOM, so that when page P1 grants CUSTOM trust to domain D, it does NOT cause pages P2, P3, ... to trust domain D. If you need page P2 to trust domain D, then you must grant CUSTOM trust to domain D on page P2.
2. Never/rarely use CUSTOM, and only/mostly grant trust using TRUSTED, so that if page P1 trusts domain D, then all other pages also trust domain D.

The benefit of the 1st use case is that different pages can allow different content types from the same domain (i.e., page P1 only allows domain D to run scripts, but page P2 only allows domain D to load fonts). The theory behind the 2nd use case is that if you trust scripts and other content from domain D on page P1, then you can probably also trust it on pages P2, etc.

I think all of that is very confusing. It confuses me and surely will confuse basic NoScript users. Your description surely aint the right way for using NoScript. #1 sounds more like UBO and Umatrix, thats not for NoScript.

Bo

FranL wrote:

LoveNoScript wrote:I always thought that the "default" button (and underlying settings) were for the corresponding domain.

The checkboxes under DEFAULT and TRUSTED are global — they apply to every domain set to DEFAULT or TRUSTED (respectively). However, the checkboxes under CUSTOM are unique to the corresponding domain. This allows for two different ways of using NoScript:

1. Never use TRUSTED, and only grant trust using CUSTOM, so that when page P1 grants CUSTOM trust to domain D, it does NOT cause pages P2, P3, ... to trust domain D. If you need page P2 to trust domain D, then you must grant CUSTOM trust to domain D on page P2.
2. Never/rarely use CUSTOM, and only/mostly grant trust using TRUSTED, so that if page P1 trusts domain D, then all other pages also trust domain D.

The benefit of the 1st use case is that different pages can allow different content types from the same domain (i.e., page P1 only allows domain D to run scripts, but page P2 only allows domain D to load fonts). The theory behind the 2nd use case is that if you trust scripts and other content from domain D on page P1, then you can probably also trust it on pages P2, etc.

What you describe in case 1 is not the case.

If you look into the debug log you can see how the custom rules work.
The custom rules are like the other rulesets, in that it applies to the domain D regardless of which page tries to call scripts from that domain D.

Custom is merely not a preset. The specific permissions you grant to a domain D are applied to ANY call to domain D, but are not shared between all other domains (e f g) which are set to custom. If you change the custom rule for a domain on page A it will be change on page B (after reloading the tab), and the old custom rule will be overwritten.
The ONLY difference is that domains set in custom have individual rules and aren't shared between all custom domains.


Example: If you make a custom rule for ...google.com to enable the captcha for guestposts in this forum, the same custom rule is applied for ...google.com for any page that calls a captcha from google, or for using google's search engine.

LoveNoScript wrote:Bo,

Thank you so much!!! I always thought that the "default" button (and underlying settings) were for the corresponding domain.

You just made my day

LoveNoScript

That's what the "custom" button is for.
If it was the way you thought, the custom button would have been pointless.

Pansa wrote:

FranL wrote: The custom rules are like the other rulesets, in that it applies to the domain D regardless of which page tries to call scripts from that domain D.

Exactly.

Bo

bo elam wrote:I think all of that is very confusing.

Not just confusing but wrong. Thanks to Pansa for correcting my misunderstanding of the CUSTOM preset. I've edited my reply above accordingly. My apologies for creating confusion.

FranL wrote:

bo elam wrote:I think all of that is very confusing.

Not just confusing but wrong.

Yes, I was being a little more diplomatic, what you wrote is for UBO and Umatrix, not NoScript. FWIW, I do not want anything like that for NoScript. I read plenty UBO/Umatrix users in another forum complaining that NoScript doesnt have those settings. To those boys, being able to do what you descibed is the end of the world. Personally, I dont want it and they cant understand it.

Bo

bo elam wrote:

FranL wrote:

bo elam wrote:I think all of that is very confusing.

Not just confusing but wrong.

Yes, I was being a little more diplomatic, what you wrote is for UBO and Umatrix, not NoScript. FWIW, I do not want anything like that for NoScript. I read plenty UBO/Umatrix users in another forum complaining that NoScript doesnt have those settings. To those boys, being able to do what you descibed is the end of the world. Personally, I dont want it and they cant understand it.

Bo

Well... technically there are a few domains which I repetitively set to "temp trusted" for exact that reason basically. Namely that I don't want them to run, other in the rare cases that I want. Most domains do quite a lot of different scripts, and allowing them on one page != allowing them on others (above mentioned google is such a prime candidate. they don't put the captchas on "captcha.google" so I can JUST allow that, so I temp allow it when I need it.

No script classic did this optionally with ABE rules, and when Mozilla is ready with the API it will probably be back in Noscript 10 too.
So I can understand that some people are impatient with this lacking feature, when they used it just a couple of weeks ago.

Pansa wrote:Well... technically there are a few domains which I repetitively set to "temp trusted" for exact that reason basically. Namely that I don't want them to run, other in the rare cases that I want.

Yes, there are a few like that, but they are only a few. I keep them in my mind, I call them my Limbo list. I ll name them for you. google, facebook, fbcdn, twitter, twimg, instagram, cdninstagram, cloudflare and ajax.googleapis. Thats about it. Those are the only domains that I would allow in this webpage and that webpage and not in the rest. Most of this domains I keep as Default and temporarily trust them. The exceptions are, cloudflare, I keep that one as Untrusted and with version 10, I created a Custom rule for ajax.googleapis (scripts only), while I used to keep it as Default. For me personally, the rest of the universe of domains, are clear cut Default, Trusted or Untrusted. Sometimes temporarily allowing Default domains in webpages I land at random.

Bo