InformAction Forums

Posted: **Sat Oct 31, 2009 4:32 am**

Aloha,

Maybe I didn't search with the correct terms on this site because I didn't find an answer, or at least a direct answer, to my question/issue.

I have a site which I use but it's not in my whitelist (to block ads, scripts incompatible with FireFox, etc.). However, there is ONE PAGE where I always have to "Temporarily Allow" for the submit/search buttons to work. The resulting output is then allowed to run all scripts since NoScript has temporarily whitelisted the entire site/domain.

I'd like to know the way to allow a specific URL on that site to allow scripts to run, but not on the rest of the site. Also, vice versa: Allow an entire site, but block a specific page from running scripts (this would be useful on yet another site I visit).

Example: Block http://www.suckydomain.com, but Allow http://www.suckydomain.com/search.jhtml

Any assistance would be appreciated. I read about XSS regular expressions but this is not an XSS-related issue.

Mahalo!

dijitul

P.S. If it's also possible, I'd like to see a feature in future NoScript versions to show a list of scripts blocked or running on a page, then selectively block/allow them (I realize this is quite an advanced feature, but still..)

Posted: **Sat Oct 31, 2009 5:02 am**

That's essentially what I'm asking on
http://forums.informaction.com/viewtopic.php?f=7&t=3038

Except I'm trying to do with Google.

I want to allow subdomains but not the home domain.
EG. allow mail.google.com but block google.com

Posted: **Sat Oct 31, 2009 5:42 am**

I thought you can do that by enabling "Full Domains" in Options > Appearance. This will let you allow mail.google.com without doing the base-level google.com, wouldn't it?

What I'm asking is for controlling down to the file level. More granular than domain level...

Hope that helps!

dijitul

Posted: **Sat Oct 31, 2009 6:07 am**

Wow, yeah, that did it.

Thanks a lot.

I'm sorry to have intruded on your question. I really thought we were asking the same thing but now I see what you mean... you're going the other direction.

By the way, just thought I'd add:
You can access pages by bookmarks and they'll always be allowed but if you navigated to that page any other way, it would be blocked. This would allow you to block suckydomain.com but allow .../search.jhtml by accessing jhmtl through a bookmark.
This is how I was getting around my problem temporarily while I was waiting on an answer.
This is, of course, assuming it's just one page you are trying to work with at the moment.

Thanks a lot,
-Text

Posted: **Sat Oct 31, 2009 6:16 am**

Text wrote:That's essentially what I'm asking on
http://forums.informaction.com/viewtopic.php?f=7&t=3038

Except I'm trying to do with Google.

I want to allow subdomains but not the home domain.
EG. allow mail.google.com but block google.com

Easy. I do that with Yahoo Mail.
mail.yahoo.com is in my whitelist.

Code: Select all

www.yahoo.com

is not.
In your whitelist, enter mail.google.com, but if

Code: Select all

www.google.com

is there, delete it.
I've never used Google Mail, so I can't guarantee that the Mail will still work. It works in Yahoo mail. Please let us know if this works in Google.

@ dijitul: Aloha!
An increased level of fine-grained control is part of the plan for the next-generation NoScript, v.2.x. There is a long-running thread discussing it, http://forums.informaction.com/viewtopic.php?f=10&t=415.

Unfortunately, at this time NoScript is still based on domain-based blocking (far more advanced than certain other browsers and add-ons, cough), so once you have blocked (or allowed) suckydomain.com, everything after the com/ will receive the same permission or denial. However, you can always click "Revoke temporary permissions" once your search is complete. Then the entire site is once again blocked.

You were correct about sub-domains, as above.

Mahalo,
Tom T.

Oops -- looks like Text beat me to the posting. Well, might as well post the whole answer anyway, for others. The bookmark was a great idea, by the way, but *only* if you tell NoScript to allow *all* pages opened through bookmarks. You might not want to give this permission to every bookmarked site, hence the "revoke temporary permissions" suggestion. Cheers.

Posted: **Sun Nov 01, 2009 12:12 am**

Text wrote:Wow, yeah, that did it.

Thanks a lot.

I'm sorry to have intruded on your question. I really thought we were asking the same thing but now I see what you mean... you're going the other direction.

By the way, just thought I'd add:
You can access pages by bookmarks and they'll always be allowed but if you navigated to that page any other way, it would be blocked. This would allow you to block suckydomain.com but allow .../search.jhtml by accessing jhmtl through a bookmark.
This is how I was getting around my problem temporarily while I was waiting on an answer.
This is, of course, assuming it's just one page you are trying to work with at the moment.

Thanks a lot,
-Text

@text: I'm glad my input helped you. I wasn't sure if I was going the right direction for your question. Also, thank you for your bookmark suggestion. I had considered this before, but as Tom mentioned, I'd have to enable this for all bookmarks, which is unfortunate because that's how I access the site to begin with -- and that first page is one I need NoScript to continue blocking. I suppose I could find a temporary workaround using shortcuts or the like, though.

@Tom: I will patiently await the next release for the file-specific permissions. NoScript is a very useful and well-written plug-in, and it is taking the right direction in web browsing security. It's the primary reason I switched to FireFox.

In the future, perhaps consider an option where Ctrl- or Shift-clicking a bookmark will "temporarily allow" a bookmark, too. It might also be useful to have such granular permissions where we can see a list of scripts or embedded objects that were blocked at a specific URL (or a URL regular expression), and permit or deny them individually with a simple checkbox! That can be buried in the Options > Advanced > Super-Advanced > Settings-For-Nerds configuration pane!

- dijitul

Posted: **Sun Nov 01, 2009 12:15 am**

Darn -- I forgot to log in before posting! Ha...

- dijitul

Posted: **Sun Nov 01, 2009 4:58 am**

Guest wrote:@Tom: I will patiently await the next release for the file-specific permissions. NoScript is a very useful and well-written plug-in, and it is taking the right direction in web browsing security. It's the primary reason I switched to FireFox.

Thank you for your kind words. It was the reason that I switched to Firefox, too.

IIRC, early this year NoScript developer Giorgio Maone had hoped to have 2.0 released sometime this year. However, two other major enhancements were added, ABE and Strict Transport Security. Plus one or two emergencies arose, and the tasks of meeting emerging threats, fixing bugs, etc. seemed to consume all available time left over after working to make a living. (NoScript is freeware, of course, although some people are kind enough to donate to help support it.)

In the future, perhaps consider an option where Ctrl- or Shift-clicking a bookmark will "temporarily allow" a bookmark, too.

That's a great idea. I'll post that as a feature request, and link to this thread to give you credit for the idea.

It might also be useful to have such granular permissions where we can see a list of scripts or embedded objects that were blocked at a specific URL (or a URL regular expression), and permit or deny them individually with a simple checkbox! That can be buried in the Options > Advanced > Super-Advanced > Settings-For-Nerds configuration pane!

Yes, it would have to be.

Right now, I am logged into Yahoo Mail Classic, and there are 78 scripts and one object running. And I whitelist *only* mail.yahoo.com, not the parent, w w w . yahoo.com, which would undoubtedly contribute more. We already receive frequent complaints that NoScript is too complicated for non-tech users, or requires too many decisions. OTOH, advanced users have asked for that kind of fine-grained control. We will see what magic Giorgio is able to come up with, perhaps adding an "uber-geek" tab

that would be strictly optional, leaving the present setup for the novice-to-average user.

Thanks for your thoughts. Don't worry about the login!

Edit: Your Request For Enhancement is here.

InformAction Forums

How to whitelist or blacklist full URLs?

How to whitelist or blacklist full URLs?

Re: How to whitelist or blacklist full URLs?

Re: How to whitelist or blacklist full URLs?

Re: How to whitelist or blacklist full URLs?

Re: How to whitelist or blacklist full URLs?

Re: How to whitelist or blacklist full URLs?

Re: How to whitelist or blacklist full URLs?

Re: How to whitelist or blacklist full URLs?