[FIXED] contextual policies: allow scripts from the same site to run on more than one site but block them by default

[User72]

I do not quite understand the options of contextual policies - maybe there is a bug on my old browser FF72? I'm using NoScript 11.3.1rc2.

For example: I would like to run scripts from google.com only on google.com and here, on informaction.com, but not on any other site by default.

When I set these scripts to run them here, on this forum, and then when I enter google.com site to do the separate setup then I can see these scripts are already allowed on google.com as well (the custom tab is on), why? It's even more: on google.com that custom tab tells me the scripts are allowed on "any site" and it seems that this custom tab is indeed turned on for any other site.

[Giorgio Maone]

Please check the explanation here, which will serve as the base of the user documentation on the NoScript website as soon as I manage to update it (the next big task on the roadmap).
If it's not clear enough yet, please come back with more question which will help to improve it.
Thanks.

[User72]

Thank you for the link - it clears some things I was thinking about but not to the end.

There are three main tabs/presets (Default, Trusted and Untrusted) and it seems that when I click on Custom tab/preset then its "ANY SITE" setting inherits the preset from the previous tab which was set to on.

That explains why I had enabled google.com on "ANY SITE" in example from my previous post: before I clicked on "Custom" tab/preset to allow google.com's script's work on informaction.com I had google.com on "Trusted" tab/preset so "ANY SITE" setting copied the "Trusted" preset to itself. Then I switched to "informaction.com" menu to customize it but I did not set anything on "ANY SITE" so google.com remains "Trusted" everywhere, not just on informaction.com.

In my opinion it's kind of counter-intuitive - if default tab/preset for every site is "Default" then default setting for "ANY SITE" should be always copied form "Default" preset as well (no matter what previous tab/preset for that site was on). As a "bonus" there could be three additional buttons inside the "Custom" tab to quickly set the current options to any of defined presets.

I think I also found some bug. I'm not registered here on forum so I need to solve google captcha to post anything. Captcha is connected to scripts from google.com and gstatic.com. Now, If I turn everything connected to google.com and gstatic.com off for "ANY SITE" and turn everything connected to google.com and gstatic.com on for informaction.com then the captcha does not appear. I need to turn on one additional option (gstatic.com > "ANY SITE" > "script") to make captcha visible - should that be like that? After all, I already have "script" for "gstatic.com" on informaction.com enabled.

[Giorgio Maone]

In my opinion it's kind of counter-intuitive

I've already noted it elsewhere, and I had already planned a solution (see below)...

- if default tab/preset for every site is "Default" then default setting for "ANY SITE" should be always copied form "Default" preset as well (no matter what previous tab/preset for that site was on).

The CUSTOM preset has always automatically copied the current one as a convenience feature, and it's been always very convenient indeed. Unfortunately keeping it this way is, in facts, a bit counter-intuitive, and that's the reason for the context-switching animation, for instance, to suggest you're creating a new set of capabilities but you need to take ANY SITE in account anyway.

As a "bonus" there could be three additional buttons inside the "Custom" tab to quickly set the current options to any of defined presets.

And this, in facts, is the "solution" I've been thinking about and I'd like to implement as soon as the other issues arising from having the new version in the hand of millions are settled: a "Copy from:" side panel with the 3 buttons for DEFAULT, TRUSTED and UNTRUSTED to replace the inconvenience of setting ANY SITE always to DEFAULT first time CUSTOM is selected.

I think I also found some bug. I'm not registered here on forum so I need to solve google captcha to post anything. Captcha is connected to scripts from google.com and gstatic.com. Now, If I turn everything connected to google.com and gstatic.com off for "ANY SITE" and turn everything connected to google.com and gstatic.com on for informaction.com then the captcha does not appear. I need to turn on one additional option (gstatic.com > "ANY SITE" > "script") to make captcha visible - should that be like that? After all, I already have "script" for "gstatic.com" on informaction.com enabled.

Could you please send me your NoScript Options>Export file to jhelp me investigate? Thanks.

[User72]

The CUSTOM preset has always automatically copied the current one as a convenience feature, and it's been always very convenient indeed.

Ah, I see. I've never used CUSTOM preset before and, it seems, that is the main reason I went into my problem. I'm glad you are going to "fix" this after introduction of contextual policies - these three buttons will be very useful to quickly create new rules for the sites.
I have one question about this CUSTOM preset tab (I've checked the FAQ and I wasn't able to find the answer): Why are some options "randomly" highlighted here? Is that because NoScript "detects" there is something used from highlighted option on the site I'm on? BTW: The copy of my NoScript options should be in your mailbox. Thank you so much for checking this.

[Giorgio Maone]

Why are some options "randomly" highlighted here? Is that because NoScript "detects" there is something used from highlighted option on the site I'm on?

Yes, exactly. The capabilities highlighted in red are those which the site is apparently trying to use (and therefore a good hint at what you would need to enable if you want it to work as intended).

I'm looking into your settings, thank you.

[Giorgio Maone]

I need to turn on one additional option (gstatic.com > "ANY SITE" > "script") to make captcha visible - should that be like that? After all, I already have "script" for "gstatic.com" on informaction.com enabled.

Fixed in latest development build, thanks.

11.3.3rc2
============================================================
x Use correct context for all subresources checks (thanks
user72 for reporting)

[User72]

Your latest fix works indeed, thank you!

[User72]

I have one more question/idea: When I enter NoScript options > Per-site Permissions > google.com I can see (and access) the settings for all sites this site was customized for. But when I enter a CUSTOM tab for google.com from the level on this forum, I can see only "ANY SITE" and "informaction.com" on the list of sites - would be that hard to implement to be able see (and access) all sites also from the level of CUSTOM tab, not just from NoScript options?

PS. I'm not sure if that was ok to post this in the thread which is marked as "[fixed]"?

[barbaz]

when I enter a CUSTOM tab for google.com from the level on this forum, I can see only "ANY SITE" and "informaction.com" on the list of sites - would be that hard to implement to be able see (and access) all sites also from the level of CUSTOM tab, not just from NoScript options?

The popup is only for active content sources on the current page. Unless a contextual permission for "allow google.com scripts on google.com" is relevant for the specific forum page you're referencing, it doesn't belong in the popup.

PS. I'm not sure if that was ok to post this in the thread which is marked as "[fixed]"?

"[FIXED]" just means the thread was a bug report that has been resolved in a newer version of NoScript. If we wanted people not to post here we would lock the thread.

[Quest]

I suppose now that I don't understand this contxtualisation at all, so I don't know if these are now fixed or problems at all, but on version 11.3.2 I notice:

1. From the Per-site permissions I change Twitter.com match from any site to twitter.com.
Next time I go there, the match is still any site. ??

2. I put twitter.com to default on the list and go to Twitter and put there (on the drop down menu) twitter.com to custom with scrips allowed and match to twitter.com.
Then I go to the Per-site permission, twitter.com is custom with scripts allowed and match any site.

Now, is twitter.com still allowed everywhere?
Has anything happened compared to non-contextual era?

What should I do if I want allow twitter.com scripts only on Twitter?

[barbaz]

@Quest Try clicking things in the other order. The contextual permission drop-down is not itself a setting. It's only a selector for which context you want to set the permission for. You have to actually change a permission in the context for it to be saved.

[User72]

The popup is only for active content sources on the current page. Unless a contextual permission for "allow google.com scripts on google.com" is relevant for the specific forum page you're referencing, it doesn't belong in the popup.

My idea was just to have a little more convenience - it's all about "less amount of mouse button clicks".
First example: I'm trying to set the same CUSTOM settings for google.com which I have already set and tested some one other site but I can't remember what they are exactly - it'd be faster to let me peek at them from the level of this popup than to go from here to full NoScript options.
Second example: I'm trying to set the same CUSTOM settings for google.com and I'm noticing that I set something wrong on other pages - again, it'd be faster to let me correct them "at once", from the level of this popup than to go from here to full NoScript options.

[barbaz]

First example: I'm trying to set the same CUSTOM settings [...]
Second example: I'm trying to set the same CUSTOM settings [...]

This sounds like why I would like to see viewtopic.php?f=7&t=26551 (and viewtopic.php?f=10&t=26548 too, but that's another level)

[User72]

After reading the mentioned links: yes, it's very similar idea, but not the same, my idea is "in the middle".

It is "a little more advanced" than first link - I would like to be able not to copy but to set (or correct) some CUSTOM setting when peeking in NoScript popup at the settings for from the same site but while being on other site.
It is "a little behind" the second link - I would like to be able to set (or correct) all CUSTOM settings for just one site (on all sites where this site was already set before or on the site I am currently on) with just a NoScript popup. Right now I do not need such "general view" in the NoScript popup - for this I would go to NoScript options (and here is the place where the improvement from the second link can be used indeed).

I'm not 100% sure if everyone understands what I mean - if you need any more detailed example of my idea then let me know.