InformAction Forums

Desired Effect In Short:
if I visit a new website that has a ton of 3rd party flash or javascript content, and some 1st party javascript such as MySpace, whitelisting myspace.com will only allow MySpace's 1st party scripts to run, which means I can use the navigation bars and whatnot as MySpace intended, but not have to deal with a million videos from youtube.com loading, while still being able to watch YouTube videos on youtube.com.



Details:
First of all, I love NoScript, so great work to the developers. But what bugs me is that there is no feature to allow/deny scripts from 3rd party domains based on the first party domain. Here's the best example I can give:

When I go to facebook.com, I would like to have both facebook.com and fbcdn.net (which Facebook uses for content) whitelisted. In this scenario, facebook.com is the 1st part, and fbcdn.net is the third party. But when I go to another website that has Facebook integration (which I don't like), such as cnn.com, both facebook.com and fbcdn.net should be blocked, since they are both 3rd parties. Additionally, let's say I want Facebook integration on YouTube; on youtube.com, fbcdn.net should be allowed.

In other words, users should be able to add a rule that tells NoScript:
1. allow facebook.com only if 1st party domain is facebook.com
2. allow fbcdn.net only if 1st party domain is facebook.com or youtube.com

There should also be an option to for these rules to refer to more specific (base 3rd level and so on) 1st party domains. For example, I want youtube.com whitelisted when I read my Gmail (mail.google.com), but not on the rest of Google. So I should be able to specify "allow youtube.com only if 1st party domain is mail.google.com"

nakdee11 wrote:
In other words, users should be able to add a rule that tells NoScript:
1. allow facebook.com only if 1st party domain is facebook.com
2. allow fbcdn.net only if 1st party domain is facebook.com or youtube.com

I haven't tried it, but FAQ 8.10 should help.

tlu wrote:

nakdee11 wrote:
In other words, users should be able to add a rule that tells NoScript:
1. allow facebook.com only if 1st party domain is facebook.com
2. allow fbcdn.net only if 1st party domain is facebook.com or youtube.com

I haven't tried it, but FAQ 8.10 should help.

Thank you for your help. However, this doesn't work at all like what I think a lot of people would want to use. Using ABE completely blocks the script on 3rd party domains, never allowing them whatsoever (no temporarily allow option). In addition, editing ABE rules is a pain in the ass.

What I'm suggesting has not been implemented, but should be implemented exactly as described - using the MySpace example: which means that if I am on mysapce.com, when clicking on the NoScript icon, youtube.com would appear blocked with an option to allow youtube.com on myspace.com, or to temporarily allow youtube.com on myspace.com. But when visiting youtube.com, when clicking the NoScript icon, youtube.com would appear whitelisted. The real beauty is that the blocked YouTube videos on myspace.com would appear covered with NoScript blocking window and icon in the middle, allowing the user to click and unblock just that one particular YouTube video without reloading the page and having all YouTube videos unblocked. ABE does not allow this.

I know that currently this can be achieved by blocking youtube.com and clicking on NoScript's blocking window with the icon in the middle to unblock a particular video, but this quickly becomes tiring when surfing youtube.com where every video has to be allowed individually. Also, for scripts without a visible object, such as scripts from Facebook's fbcdn.net, allowing scripts to run individually cannot be done at all.

Another simple example can be seen from this Arstechnica story: http://arstechnica.com/business/news/20 ... u-love.ars

Essentially even when you whitelist Ars in ad-block plus, and whilelist it in NoScript you won't get ads because they are forced by their parent company to have doubleclick serve their ads with javascript. With this feature you could say: "Allow all javascript on arstechnica.com even if its from a third party", or say: "Allow all javascript from doubleclick if on arstechnica.com".

I second that request ! I think it was already discussed some time ago, but i don't remember the response of Giorgio.

It seems like the ABE script listed in the FAQ would do the second half of what you want.
http://noscript.net/faq#qa8_10

2. allow fbcdn.net only if 1st party domain is facebook.com or youtube.com

If that doesn't do that part of the job, please clarify.

It looks like the language may be a bit weak in not having a way to say that something should be semi-blocked versus fully blocked. (i.e., blocked like it was on the blacklist, versus blocked but NoScript provides an unblock prompt).

I haven't studied ABE in detail - looks like it may not have the facilities to do the other part of the request. (Need to indicate that access is allowed if it is being requested by browser or local host, but not if from other sources. Looks like the language would need a little extension to allow one to say this (without having to totally duplicate the function of NoScript).)

Edit:
I wonder if this would work for item 1: (Don't have time to test it right now.)
End Edit

The requested feature seems useful - and having a more convenient interface to the feature would be nice. (e.g. permit/deny sites for scripting access as: primary site, as secondary site, or as secondary from specific primaries, and distinguish fully blocked from block but let user enable access).

An earlier discussion of same sort of thing is in the thread:
trusting called sites based upon calling site
http://forums.informaction.com/viewtopi ... =10&t=3462

and:
Discussion: Site Specific Permissions Policy
http://forums.informaction.com/viewtopi ... &start=120

I would also like this feature (or, this feature more readily accessible). I would like to be able to, for example, allow my favorite sites, but only my favorite sites, to serve adds via "googleadservices.com".