Why do temporary permissions remain after the site is closed?

Ask for help about NoScript, no registration needed to post
LMHmedchem
Posts: 1
Joined: Sat Dec 03, 2022 7:17 pm

Why do temporary permissions remain after the site is closed?

Post by LMHmedchem »

Hello,

I am a long time noscript user and have become frustrated with some of the changes that have been made to the system over time. I liked the older interface better, but I am sure there were good reasons for changing it. At least now you can have a default setting where everything is blocked.

One thing I don't like is that temporary permissions remain stored after the site is closed out. This is noscript 11.4.13 on Firefox 91.13.0esr (64-bit) under CentOS if that matters to anyone. If I go to google to look for something and then go to a site, even if I close the tab I used for the google search google is still listed as temp trusted and I have to manually change it back to default. This allows google to run scripts in the browser at pages other than google.com. It seems to me that in older versions that temp permissions went away when you closed all of the tabs to a site.

It seems like the best method would be to allow storage of permissions for scripts from a given domain only on specific sites. For instance, if I go homedepot.com, I need to allow scripts from thdstatic.com if I want to see the prices for items. It would be optimal to be able to allow thdstatic.com, but only for browser pages from homedepot.com. With that functionality the user could accumulate a good set of permissions that would make sites they visit frequently fully functional without letting scripts run anywhere. It would be very helpful to allow google.com to run scripts on google.com but nowhere else unless I specifically want to allow it for a given site.

I really do like noscript so thanks to all who contribute.

LMHmedchem
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Why do temporary permissions remain after the site is closed?

Post by barbaz »

LMHmedchem wrote: Sat Dec 03, 2022 7:38 pm It seems to me that in older versions that temp permissions went away when you closed all of the tabs to a site.
It was never that way.

Such approach would only give you a false sense of security. A site is either malicious or not, and if it is it would only need one chance to do its evil. By the time you've finished using a site and closed all the tabs to it, revoking permissions at that point is way too late to prevent anything.

As you're using CentOS, you might consider something like viewtopic.php?p=83662#p83662 to get an effect like what you want while mitigating some of the security considerations.
LMHmedchem wrote: Sat Dec 03, 2022 7:38 pm It seems like the best method would be to allow storage of permissions for scripts from a given domain only on specific sites. For instance, if I go homedepot.com, I need to allow scripts from thdstatic.com if I want to see the prices for items. It would be optimal to be able to allow thdstatic.com, but only for browser pages from homedepot.com.
This functionality already exists:

1) go to homedepot.com

2) NoScript popup, set thdstatic to CUSTOM

3) use the check boxes to configure its permissions for "ANY SITE" if you haven't already, then change the "ANY SITE" dropdown to ...homedepot.com and likewise configure the more relaxed per-site/contextual permissions you're seeking.
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply