noscript icon indicating copy to clipboard operation
noscript copied to clipboard

Published 20 hours ago verified publisher icon hackademix

Enabling Domain A's scripts, but only when requested by a page in Domain B

Open jimbobmcgee opened this issue 6 years ago • 4 comments

I'm looking for the possibility to allow/trust scripts served by a CDN (such as ajax.googleapis.com), but only when the page that embeds/links those scripts is in a specific trusted domain.

I think this used to be possible in the 'old' interface, where the option was listed in the menu as: domain.a (domain.b), but I may have been misinterpreting/misremembering what that interface could do.

Is this (still) possible in 10.x? Am I missing an obvious UI option?

jimbobmcgee avatar Apr 10 '19 21:04 jimbobmcgee

My understanding is that this used to be doable (though confusing for many) through ABE rules, but the current webextensions version of the extension does not support it.

I really hope that per-site permissions can be implemented some day -- it would be a tremendous change for the better. Having to temporarily allow third-party sites over and over and over for trusted websites that I visit daily is very tiring.

I have to believe that this would also be hugely important for overall security on the web. How many people have the discipline to temporarily allow a site over and over, rather than just permanently allowing it, and thereby enabling it everywhere they go on the web? If that site is a generic script serving site, or a privacy-invading tracking site, your security is lost, which means that for this issue the current noscript GUI is working against security.

I would love to click the noscript icon, see a checkbox that says "enable per-site permissions for this page", and then enable/disable various sites as usual and have it remember that setup for that page. No need for more GUI than that -- the user can return to that page and turn off the checkbox if they want. I don't even mind if I have to do this for "domain.com" and again for "www.domain.com". Doing that twice and being set for life, as opposed to doing it every day for the rest of my life, would be a huge win.

Thanks for considering!

chconnor avatar Dec 01 '20 05:12 chconnor

Note: the developer mentioned in 2017:

"Next to come (already implemented in the backend, working on the UI) contextual permissions (e.g. "Trust facebook.net on facebook.com only")."

...that's a while ago, but still, that's exciting! Hopefully this can happen some day. Now that uMatrix is not being developed anymore, this request seems more important. (Note that the developer is using the term "contextual permissions" which might be nice to remember since "per-site permissions" is already used to mean global permissions for individual sites.)

Related thread.

chconnor avatar Dec 01 '20 05:12 chconnor

Related with:

  • https://github.com/hackademix/noscript/issues/79
  • https://forums.informaction.com/viewtopic.php?t=26153

kanlukasz avatar Dec 01 '20 06:12 kanlukasz

See also: https://forums.informaction.com/viewtopic.php?f=10&t=25643

chconnor avatar Dec 01 '20 06:12 chconnor