noscript icon indicating copy to clipboard operation
noscript copied to clipboard

Published 20 hours ago verified publisher icon hackademix

[Feature Request] Trust/Allow script(s) to run on a single site/domain only, instead of globally

Open happeeshopper opened this issue 1 year ago • 7 comments

Reason: Certain scripts can be used to serve either benign or malicious code, depending on the domain owners intentions.

I find myself stuck in the position where I don't want to trust certain scripts globally, because they could potentially be used to serve malicious code, but then always having to 'temporarily allow' said scripts on trusted websites that I frequent.

Being able to 'trust' a script to always run on a certain website only, instead of globally on all websites would be useful.

happeeshopper avatar Mar 23 '24 18:03 happeeshopper

How does this differ (if it does) from Contextual Policies?

hackademix avatar Mar 23 '24 19:03 hackademix

It doesn't, that's exactly what I was asking for, I just hadn't noticed it 👍

ghost avatar Mar 23 '24 21:03 ghost

How does this differ (if it does) from Contextual Policies?

I noticed there's a problem with contextual policies - it can only be set for a single domain, so if a common script such as ajax.googleapis.com is custom set to be 'allowed' on a single domain and then I 'temporarily allow' it on another domain - the contextual policy is reset and it's no longer automatically allowed on the original set domain.

ghost avatar May 16 '24 20:05 ghost

Could it be possible to also set default Custom Contextual Policies (and their default scope, i.e. if selecting CUSTOM, the action I want is that domain.tld be approved by default not for ANY SITE, but only for the site I'm visiting, e.g. example.com)? I never trust domains globally, so I find myself performing the following actions repeatedly:

  • While visiting a website, identify necessary domains to get a workable website and, per domain:
    • Click on CUSTOM
    • Toggle Enable these capabilities when top page matches's value from ANY SITE to the domain of the site I'm visiting
    • Grant only minimum necessary permissions, where possible (script, lazy load, frame, fetch, font)
  • Reload website and assess if there's more domains that need to be granted custom permissions.

rolandog avatar Sep 07 '24 14:09 rolandog

I never trust domains globally, so I find myself performing the following actions repeatedly:

Same here, it's unsafe to do so and defeats the purpose of the extension. But I do want/need some scripts to run on some sites all the time so it's either allow them globally (unsafe) or repeatedly allow them temporarily (PITA).

Edit: I noticed this can be done using ublock which is exactly what's needed:

"Script blocking in uBlock has the option to block / allow scripts both globally and per-site. For example, I can have Google scripts blocked globally by default, but then allow it to run in Youtube specifically, while still blocking those scripts automatically for every other site."

ghost avatar Sep 07 '24 17:09 ghost

@happeeshopper You can do that. Just set to block when TLD is ANY SITE and then set what you allow on the site you want by changing the selected website and setting you allow.

brunoais avatar Feb 01 '25 14:02 brunoais

I just want to also say that having to change the "enable capabilities when the top page matches" from ANY SITE to the specific site every single time is really cumbersome. I never want to trust scripts from a specific site on another site unless it's Stripe or something like that, and maybe even not then.

jimkang avatar Apr 19 '25 22:04 jimkang