InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

[BUG] Temporarily allow top-level sites and untrusted

https://forums.informaction.com/viewtopic.php?t=3159

Page 1 of 1

[BUG] Temporarily allow top-level sites and untrusted

Posted: Sat Nov 14, 2009 8:48 am
by Alan Baxter
Cannot merely remove another site from the whitelist if Temporarily allow top-level sites is checked. The site is marked untrusted too.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
NoScript 1.9.9.14, no other extensions, default theme.

Steps to reproduce:
1) Change the default settings as follows:
  • Temporarily allow top-level sites
  • Full addresses only
  • (under Contextual menu, which is not selected)
  • Base 2nd level Domains
  • Full Domains
  • Full Addresses
2) Load http://social.msdn.microsoft.com/Forums/
3) Click Allow social.microsoft.com
4) Click Forbid social.microsoft.com

Expected result: social.microsoft.com is removed from the whitelist and not marked untrusted.
Actual result: social.microsoft.com is marked untrusted
The expected behavior happens if I uncheck Temporarily allow top-level sites and temporarily allow social.msdn.microsoft.com manually.

Re: Bug: Temporarily allow top-level sites and untrusted problem

Posted: Sat Nov 14, 2009 3:04 pm
by therube
Maybe it is intended behavior, similar to this:
when you use "Allow scripts globally", whatever you forbid from then on is automatically marked as untrusted and prevented from running.
In other words, you go in "Blacklist Mode". It's like YesScript, but with much more protection features (anti-XSS, anti-Clickjacking, ABE and so on)

http://forums.informaction.com/viewtopi ... 058#p13058

Re: [BUG] Temporarily allow top-level sites and untrusted

Posted: Sat Nov 14, 2009 8:20 pm
by tuggyne
I've seen this behavior too, but like therube I'm not sure if it's intended or not. I don't particularly like it, but it does seem like a potentially useful default.

Re: [BUG] Temporarily allow top-level sites and untrusted

Posted: Sat Nov 14, 2009 11:32 pm
by GµårÐïåñ
I believe that it is intended because by having the top level temporary allowed, when you forbid it, it assumes you want it untrusted not just laying out and about. I am sure if its a bug that Giorgio will weigh in but I wouldn't worry about that, I think we discussed it a while back and it was said to be intentional. If I can find the link I will post it.

Re: [BUG] Temporarily allow top-level sites and untrusted

Posted: Sat Nov 14, 2009 11:51 pm
by Alan Baxter
Thanks for the input, everyone. Unlike Globally Allowed mode, the only reason the site was Allowed is because it was explicitly whitelisted. I still don't see any reason for thinking it's intended behavior. I'm not worried about it in the slightest, but unintended behavior is often related to subtle bugs in other areas too. That's why it's important to bring it to Giorgio's attention.

Re: [BUG] Temporarily allow top-level sites and untrusted

Posted: Tue Nov 17, 2009 4:51 pm
by Giorgio Maone
It's intended (for the reasons GµårÐïåñ guessed).
Debatable, but not a bug.

Re: [BUG] Temporarily allow top-level sites and untrusted

Posted: Tue Nov 17, 2009 5:28 pm
by Alan Baxter
Giorgio Maone wrote:Debatable, but not a bug.
And easily worked around, thanks to the NoScript sticky menu.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited