InformAction Forums

I noticed a phenomenon with some websites some time ago. More specifically, I've noticed other websites using javascripts from facebook.com and fbcdn.net. Naturally, after enabling those domains (yes, I am a facebook user), other websites are allowed to load javascripts from there.
This makes me a little paranoid and after a quick google search, I came across this: http://superuser.com/questions/146400/b ... 141#440141

The idea of restricting allowed javascript domains to only be loaded by the site where I originally allowed those domains (and not allowing ANY website to get javascripts from facebook.com / fbcdn.net, for example) would increase the security provided by NoScript.

Would perhaps having a little checkbox somewhere which allowes for this increased granularity in javascript control be in order?

Hopefully this idea isn't completely redundant, in that it may already exist somewhere in the settings... I am not a web developer, so I can only make some guesses on what the really advanced features and options actually do.

This infrastructure already exists. You can use ABE, the rules are provided under the FAQ and throughout the forum. In addition, if you have some sites allowed, when you go to another site that uses them, unless the parent site is allowed, it won't have access to those scripts, even though individually they are allowed. There are alot of existing infrastructure to do exactly what you are asking and much more.

GµårÐïåñ wrote:This infrastructure already exists. You can use ABE, the rules are provided under the FAQ and throughout the forum. In addition, if you have some sites allowed, when you go to another site that uses them, unless the parent site is allowed, it won't have access to those scripts, even though individually they are allowed. There are alot of existing infrastructure to do exactly what you are asking and much more.

I agree. If you only want this to apply to a couple of sites - eg Facebook - then ABE is ideal. If you want this to apply globally, then you can use ABE, but I highly recommend RequestPolicy.

And since the original comment was about a future release - this is already what NoScript 3.x for the desktop is about .

I use RequestPolicy myself as well, agreed its a worthwhile addition. However, what OP was asking is easily achieved within the existing infrastructure, that's my point, nothing new to put in a future release. Also by toggling the option to block all resources from and untrusted site, I ensure that even if I have allowed a portion of it somewhere else, it won't be usable or invoked on an untrusted site, such as googleapis.com being a good example. I have it allowed permanently and I don't worry about some baddie exploiting it because unless the parent of that site is allowed, this portion being allowed won't give it access to use it.