InformAction Forums

I noticed scripts from cloudfront that support required functionality on more and more sites. The problem is that they typically (always?) reference subdomain.cloudfront.net where subdomain is a 14 digit code that changes for every script. I don't see a way to 'Trust' all subdomains in the user panel, but I may have missed something? (a lot of the terminology is unfamiliar to me). If that's not possible, is the a wildcard symbol I could add to the cloundfront entry in the Trusted sites list? (export -> edit -> import)

Trusting *.cloudfront.net is about as fine-grained as trusting *.com. Any website can get their own subdomain(s) of cloudfront.net. This is why cloudfront.net is treated as an effective top-level domain and the NoScript popup provides no way to trust *.cloudfront.net.

That said, you can still do it by manually typing cloudfront.net in NoScript Options > Per-site Permissions

barbaz wrote: ↑Sat Aug 16, 2025 4:07 amTrusting *.cloudfront.net is about as fine-grained as trusting *.com.... That said, you can still do it by manually typing cloudfront.net in NoScript Options > Per-site Permissions

Noted, and thanks for the suggestion. I didn't realize that I could edit the Trusted list without export/import (I failed to notice "Search or add a web site:" on the Per-site page!), nor did I realize that a domain alone in the list would cover all subdomains! Thanks for the assist.

You're welcome

For completeness, should also note that if what you want is a contextual permission where *.cloudfront.net is trusted only when browsing specific site, you can make the contextual permission in the NoScript popup and then edit it in NoScript Options > Advanced, check "Debug" and change "§:d....cloudfront.net" to "§:cloudfront.net", then un-check "Debug"

barbaz wrote: ↑Sat Aug 16, 2025 5:22 pmFor completeness, should also note that if what you want is a contextual permission where *.cloudfront.net is trusted only when browsing specific site, you can make the contextual permission in the NoScript popup and then edit it in NoScript Options > Advanced, check "Debug" and change "§:d....cloudfront.net" to "§:cloudfront.net", then un-check "Debug"

Thanks for explaining the 'Debug' option. I never tried clicking that button so I didn't know I could edit the settings file from the Options menu! But please explain how one sets a contextual permission. Maybe I have a misunderstanding how NS works, but when I Trust a script source from the popup for a given site, I thought that permission becomes global. For example, if I Trust facebook.net on anysite.com, then it becomes Trusted on everysite.com, right?

This exchange reminds me of the old adage: If all else fails, read the instructions!

ginahoy wrote: ↑Sun Aug 17, 2025 2:59 pm when I Trust a script source from the popup for a given site, I thought that permission becomes global. For example, if I Trust facebook.net on anysite.com, then it becomes Trusted on everysite.com, right?

Yes, TRUSTED is a global permission. Only CUSTOM can be contextual. If you set a site to CUSTOM, you'll see "Enable these capabilities when top page matches" drop-down. To open the interface for contextual permissions, change that drop-down from "ANY SITE" to a specific site. Then permissions you set there will apply only where the site directly loaded in your browser tab is the site you picked in the drop-down.

Thanks. I (obviously) never used Custom, other than noting that a recent upgrade changed the behavior of the "Temporarily set top-level sites to TRUSTED" option such that top level sites are now marked as Custom unless already Trusted. I found the discussion where that change was being debated.

BTW, what's the purpose of the § symbol in the settings file?

ginahoy wrote: ↑Sun Aug 17, 2025 3:52 pm BTW, what's the purpose of the § symbol in the settings file?

That's how NoScript stores that the "Match HTTPS content only" padlock is enabled when it isn't self-evident that the entry should match HTTPS content only (i.e. the entry is domain/subdomains, not an exact full address that already contains the https: protocol)