noscript icon indicating copy to clipboard operation
noscript copied to clipboard

Published 20 hours ago verified publisher icon hackademix

Allow A Script Through On A Per Site Level

Open seniorm0ment opened this issue 5 years ago • 6 comments

Would be very nice to allow a script through on a per site level. For example:

Google Captcha on a site you post on a lot, that requires it often. But block it on all other sites. So say Github for example required reCaptcha to post.

You would be able to allow reCaptcha always on Github, but still have it blocked on all other sites.

This is the one killer feature I wish Noscript had. It's an absolute PITA to have to temporarily allow a domain then block it again everytime you want to post on a site that requires recaptcha, but don't want recaptcha loading everywhere else. Especially seeing a lot of the time, upon temporarily whitelisting it, it requires more stuff to be whitelisted to work, and you end up needing to refresh the page 2 times. It's quite a pain.

seniorm0ment avatar Dec 05 '19 21:12 seniorm0ment

Yes, if I visit example.com and allow it to load scripts from example.org, it does seem unnecessary to allow every other domain to also load scripts from example.org. I'm guessing that implementing this is a fairly large task...

quite avatar Jan 15 '20 13:01 quite

Looks related to #72.

liujed avatar Jul 11 '20 23:07 liujed

Hey.

Several months ago google has consolidated their scripts of captcha under the same domain name so now it's harder to block it by domain (previously it was captcha.googleapis.com and now it's just google.com and gstatic.com (googletagmanager.com didn't happen to be hosted on google.com but who knows what they're thinking)). So now I can't use this extension to selectively allow only captcha but not other stuff.

This feature would help.

One more thing would be to consider per-request blocking as well. Do you think any of these are a good idea?

Invertisment avatar Nov 10 '22 16:11 Invertisment

Agreed - the security model of permissions based on external resource URL seems out of sync with the reality, which is that we associate trust with the main URL at least as much, probably much more. I hope everyone that can afford to will donate to the developer so they have the resources to make this happen, because it's needed!

chconnor avatar Nov 10 '22 19:11 chconnor

It's also worth mentioning that adblockers already do it on HTTP request level (but globally, not per-site) although configuring it by hand in any way would be an overkill. AND there is a huge issue with WebSockets and service workers that can open additional WebSockets which are basically wild west (for instance LinkedIn uses a WebSocket that isn't filtered by blockers).

I think that per-site-script-URL-matching is still a good approximation because it would prevent WebSockets from happening (if blocked script would open it) and in that case those wouldn't need protocol-level solution such as current state of adblockers for HTTP.

IMO it would be easier to manually maintain per-site configs than to match each packet without becoming an adblocker. And it would also be possible to keep the backwards compatibility with the current state of the plugin.

Also maybe my thinking is not enough and it still needs more thought to take the best approach.

I'll think about donation or something.

Invertisment avatar Nov 10 '22 20:11 Invertisment

Has anyone tried editing a per-site setting with a longer URL?

If you have a less popular site which implements it, I'd definitely like to test it. 👍

Only there was a thread that actually mentioned the old ABE firewall rule for handling Recaptcha. It was only mentioned as an example, but I believe that (essentially) they're asking the same thing.

Relatedly, maybe this will help with the above testing of fuller URLs in an edited options file, I dunno.

I've adapted the linked poster's rules for my own NoScript Classic with ABE, the changes are purely in the regex, if I remember correctly.

I just add INSERT_YOUR_SITE to the Accept in my recaptcha rule (I don't think the recaptcha URLs need to be added to the INSERT_YOUR_SITE's own ruleset) and it's usually good to go:

### recaptcha rule
## possibly a thing https://www.google.com/recaptcha/api.js
Site .recaptcha.com .recaptcha.net .google.com/recaptcha/* .gstatic.com/recaptcha/* https://www.google.com/recaptcha/api2/
Accept from INSERT_YOUR_SITE
Deny INC

### google.com rule
Site ^\Qhttps://\E(?:[^\/:]+\.)?google\.com((?!recaptcha).)*$ .google.co.uk accounts.google.com .android.com .blogspot.com mail.google.com consent.google.com .gmail.com https://content-people-pa.googleapis.com https://content.googleapis.com drive.google.com https://developers.google.com/ https://google.dev.android.com
Accept from allllll the google sites
Deny INC

### google static
## replace ^(https|http):\/\/(www\.|) to fix image issues on startpage
Site ^\Qhttps://\E(?:[^\/:]+\.)?gstatic\.(?:net|com)((?!recaptcha).)*$
Accept from allllll the google sites
Deny

(apparently you don't need to escape slashes in abe, force of habit)

influential-eliot avatar Jan 19 '23 12:01 influential-eliot