feature: in apply to trusted mode, hide non script domains
Posted: Fri Mar 05, 2010 11:24 pm
by al_9x
In "apply these restrictions to whitelisted" mode, allowing domains affects only script permissions (is that right?). The objects and iframes are allowed or not based only on the global embeddings settings, irrespective of the whitelist. Therefore, optionally at least, it would make sense to not show the domains for non-script resources in the NoScript menu, since allowing them makes no difference (currently allowing such a domain refreshes the page, needlessly, I think). Hiding them makes the menu better reflect the permission needs of the page and less cluttered.
Re: feature: in apply to trusted mode, hide non script domains
Posted: Sat Mar 06, 2010 9:52 pm
by therube
Test page: http://djeault.blogspot.com/2007/02/iframe-test.html
You can Allow the 'object' *@http://www.djo.ca which will then show the center page IFRAME contents - without clicking the placemarker.
Now, not sure what that means?
Re: feature: in apply to trusted mode, hide non script domains
Posted: Sun Mar 07, 2010 12:48 am
by al_9x
In your example, per my proposal, djo.ca would not be shown as a candidate for whitelisting. When "apply to trusted" is checked, the whitelist does not affect embeddings permissions. Allowing djo.ca or even showing it, serves no purpose, and if anything, is misleading, as it suggests that the page might benefit or at least change from allowing it, whereas, in fact, it will make no difference.
Re: feature: in apply to trusted mode, hide non script domains
Posted: Tue Mar 09, 2010 9:27 am
by Giorgio Maone
It does make sense, indeed.
Actually I'd make it a default, controlled by an about:config preference.
Re: feature: in apply to trusted mode, hide non script domai
Posted: Sat Apr 10, 2010 8:38 pm
by al_9x
I just noticed something, when "no placeholders from untrusted" is checked, the embedding domains should appear in the untrusted menu.
Re: feature: in apply to trusted mode, hide non script domai
Posted: Tue Apr 13, 2010 12:02 pm
by Giorgio Maone
Looking into that, thanks.
Re: feature: in apply to trusted mode, hide non script domai
Posted: Wed Apr 14, 2010 10:22 pm
by Giorgio Maone
al_9x wrote:I just noticed something, when "no placeholders from untrusted" is checked, the embedding domains should appear in the untrusted menu.
Could you make a more detailed test case?
Re: feature: in apply to trusted mode, hide non script domai
Posted: Wed Apr 14, 2010 10:33 pm
by al_9x
Giorgio Maone wrote:Could you make a more detailed test case?
The page therube posted can serve as an example. djo.ca is no longer a candidate for whitelisting (in apply to trusted mode), which is good, since whitelisting it will not make a difference, but if "no placeholder from untrusted" is set, it should be available for blacklisting, because blacklisting it will alter the page (remove the placeholder).
Re: feature: in apply to trusted mode, hide non script domai
Posted: Thu Apr 15, 2010 11:03 am
by al_9x
in .63
1) http://www.djo.ca and http://djo.ca appear in the untrusted menu. It seems to be ignoring the domain level setting. Should be just djo.ca (2nd level is the default)
2) with alwaysShowObjectSources=true, djo.ca is shown in addition to http://www.djo.ca and http://djo.ca, and they are in different places in the menu
It looks like there are two different pieces of code putting domains in the untrusted menu. The old code (alwaysShowObjectSources=true) knows how to do it right.
Re: feature: in apply to trusted mode, hide non script domai
Posted: Thu Apr 15, 2010 12:39 pm
by Giorgio Maone
al_9x wrote:in .63
1) http://www.djo.ca and http://djo.ca appear in the untrusted menu. It seems to be ignoring the domain level setting. Should be just djo.ca (2nd level is the default)
2) with alwaysShowObjectSources=true, djo.ca is shown in addition to http://www.djo.ca and http://djo.ca, and they are in different places in the menu
It looks like there are two different pieces of code putting domains in the untrusted menu. The old code (alwaysShowObjectSources=true) knows how to do it right.
Yes, since the source of the needed information is different than the "normal" flow, I've been forced to slap an extra patch locally, where the untrusted menu is built one site after another.
Making it behave the way you're suggesting requires a major refactoring in several places and likely a performance penalty too.
I'm looking into that, but it definitely couldn't make it into this release, which needed to be pushed today because Stefano Di Paola will give a public talk tomorrow about a Base64 issue which is covered by it.
Re: feature: in apply to trusted mode, hide non script domai
Posted: Sun Apr 18, 2010 5:54 pm
by al_9x
.64 is not hiding embedding domains.
Re: feature: in apply to trusted mode, hide non script domai
Posted: Sun Apr 18, 2010 8:41 pm
by Giorgio Maone
Please check .65, thanks.
Re: feature: in apply to trusted mode, hide non script domai
Posted: Sun Apr 18, 2010 10:17 pm
by al_9x
in .65 you're hiding (main menu) blogspot.com and showing blogger.com and djo.ca, should be the reverse.
Re: feature: in apply to trusted mode, hide non script domai
Posted: Sun Apr 18, 2010 11:05 pm
by Giorgio Maone
Please check .66, thanks.
Re: feature: in apply to trusted mode, hide non script domai
Posted: Mon Apr 19, 2010 3:56 am
by al_9x
Giorgio Maone wrote:Please check .66, thanks.
Main menu looks ok. If it's not too difficult, consider (when alwaysShowObjectSources=false) showing embedding-only domains in the untrusted menu only if "no placeholders from untrusted" is set (otherwise marking such a domain untrusted has no effect). In .66 they are shown regardless, which is better than never, as it was in .62. That would be in the spirit of this RFE, of only showing items that make a difference.