
Why does noscript allow youtube.com javascript by default?

Open a-schaefers opened this issue 4 years ago • 8 comments

Is this not a bug?

The README states,

Allow active content to run only from sites you trust

What if I did not trust youtube.com ?

Everywhere I have read that Noscript blocks all javascript by default, but this does not seem to be the case for youtube.com and I wonder what other websites allow javascript by default, too?

A quick grep of the source code shows the offending areas:

```
find . -type d \( -path \*/SCCS -o -path \*/RCS -o -path \*/CVS -o -path \*/MCVS -o -path \*/.src -o -path \*/.svn -o -path \*/.git -o -path \*/.hg -o -path \*/.bzr -o -path \*/_MTN -o -path \*/_darcs -o -path \*/\{arch\} \) -prune -o \! -type d \( -name .\#\* -o -name \*.o -o -name \*\~ -o -name \*.bin -o -name \*.lbin -o -name \*.so -o -name \*.a -o -name \*.ln -o -name \*.blg -o -name \*.bbl -o -name \*.elc -o -name \*.lof -o -name \*.glo -o -name \*.idx -o -name \*.lot -o -name \*.fmt -o -name \*.tfm -o -name \*.class -o -name \*.fas -o -name \*.lib -o -name \*.mem -o -name \*.x86f -o -name \*.sparcf -o -name \*.dfsl -o -name \*.pfsl -o -name \*.d64fsl -o -name \*.p64fsl -o -name \*.lx64fsl -o -name \*.lx32fsl -o -name \*.dx64fsl -o -name \*.dx32fsl -o -name \*.fx64fsl -o -name \*.fx32fsl -o -name \*.sx64fsl -o -name \*.sx32fsl -o -name \*.wx64fsl -o -name \*.wx32fsl -o -name \*.fasl -o -name \*.ufsl -o -name \*.fsl -o -name \*.dxl -o -name \*.lo -o -name \*.la -o -name \*.gmo -o -name \*.mo -o -name \*.toc -o -name \*.aux -o -name \*.cp -o -name \*.fn -o -name \*.ky -o -name \*.pg -o -name \*.tp -o -name \*.vr -o -name \*.cps -o -name \*.fns -o -name \*.kys -o -name \*.pgs -o -name \*.tps -o -name \*.vrs -o -name \*.pyc -o -name \*.pyo \) -prune -o \( -path ./.idea -o -path ./.ensime_cache -o -path ./.eunit -o -path ./.git -o -path ./.hg -o -path ./.fslckout -o -path ./_FOSSIL_ -o -path ./.bzr -o -path ./_darcs -o -path ./.tox -o -path ./.svn -o -path ./.stack-work -o -path ./TAGS \) -prune -o  -type f \( -name \* -o -name .\* \) -exec grep --color -i -n --null -e youtube /dev/null \{\} +
./src/xss/Exceptions.js:73:        if (srcOrigin === "https://www.youtube.com" &&
./src/xss/Exceptions.js:77:          logEx("YouTube comments exception");
./src/legacy/defaults.js:36:  "default": "about:blank about:pocket-saved about:pocket-signup addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com bootstrapcdn.com code.jquery.com firstdata.com firstdata.lv gfx.ms google.com googlevideo.com gstatic.com hotmail.com live.com live.net maps.googleapis.com mozilla.net netflix.com nflxext.com nflximg.com nflxvideo.net noscript.net outlook.com passport.com passport.net passportimages.com paypal.com paypalobjects.com securecode.com securesuite.net sfx.ms tinymce.cachefly.net wlxrs.com yahoo.com yahooapis.com yimg.com youtube.com ytimg.com",
./src/legacy/defaults.js:178:  "httpsForcedBuiltIn": "www.youtube.com",
./src/legacy/defaults.js:186:  "clearClick.exceptions": ".mail.yahoo.com https://mail.google.com/ *.ebay.com *.photobucket.com .youtube.com",
./src/common/Policy.js:311:          yimg.com youtube.com ytimg.com`.split(/\s+/).map(Sites.secureDomainKey),
./src/content/PlaceHolder.js:59:      destStyle.top = "0"; // fixes video player off-display position on Youtube
./TLD/public_suffix_list.dat:10625:// youtube : 2014-05-01 Charleston Road Registry Inc.
./TLD/public_suffix_list.dat:10626:youtube
./TLD/public_suffix_list.dat:11909:withyoutube.com
```

Grep finished with 10 matches found at Sat Feb 29 02:27:34

a-schaefers avatar Feb 29 '20 10:02 a-schaefers
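To answer the "what other websites allow javascript by default" question concretely, here is an added audit script (not NoScript's own code) that takes the legacy `default` whitelist string quoted from `src/legacy/defaults.js` above and reports which of a set of URLs it would cover. The matching rule used here is an assumption, not taken from NoScript's source: a bare entry such as `youtube.com` is treated as covering that host and every subdomain, and a scheme-qualified entry such as `about:blank` matches only that exact URL. The sample URLs are constructed.

```javascript
// Added example, not NoScript's own code: audit which origins the legacy
// default whitelist quoted from src/legacy/defaults.js would treat as trusted.
// Assumption (not from NoScript's source): a bare domain entry covers the host
// and all of its subdomains; an entry with a scheme matches that exact URL.

const NOSCRIPT_LEGACY_DEFAULT =
  "about:blank about:pocket-saved about:pocket-signup addons.mozilla.org afx.ms " +
  "ajax.aspnetcdn.com ajax.googleapis.com bootstrapcdn.com code.jquery.com " +
  "firstdata.com firstdata.lv gfx.ms google.com googlevideo.com gstatic.com " +
  "hotmail.com live.com live.net maps.googleapis.com mozilla.net netflix.com " +
  "nflxext.com nflximg.com nflxvideo.net noscript.net outlook.com passport.com " +
  "passport.net passportimages.com paypal.com paypalobjects.com securecode.com " +
  "securesuite.net sfx.ms tinymce.cachefly.net wlxrs.com yahoo.com yahooapis.com " +
  "yimg.com youtube.com ytimg.com";

function parseWhitelist(text) {
  const exact = new Set();   // scheme-qualified entries, e.g. "about:blank"
  const domains = new Set(); // bare domain entries, e.g. "youtube.com"
  for (const entry of text.trim().split(/\s+/)) {
    (entry.includes(":") ? exact : domains).add(entry.toLowerCase());
  }
  return { exact, domains };
}

// Return the whitelist entry covering `host`, or null. Walks label by label so
// "notyoutube.com" is NOT matched by "youtube.com" (a plain endsWith() would).
function coveringEntry(host, whitelist) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (whitelist.domains.has(candidate)) return candidate;
  }
  return null;
}

// Map each URL to the entry that would make it trusted by default, or null.
function auditUrls(urls, whitelist) {
  const report = {};
  for (const url of urls) {
    let parsed;
    try { parsed = new URL(url); } catch { report[url] = null; continue; }
    report[url] = parsed.hostname
      ? coveringEntry(parsed.hostname, whitelist)
      : (whitelist.exact.has(url.toLowerCase()) ? url.toLowerCase() : null);
  }
  return report;
}

// Constructed sample of sites a user might visit.
const SAMPLE_URLS = [
  "https://www.youtube.com/watch?v=example",
  "https://notyoutube.com/",
  "https://docs.google.com/",
  "https://example.org/",
  "about:blank",
];

const defaultWhitelist = parseWhitelist(NOSCRIPT_LEGACY_DEFAULT);
console.table(auditUrls(SAMPLE_URLS, defaultWhitelist));
```

Under the assumed subdomain rule, note that a short entry like `google.com` covers every Google subdomain, so the list is broader than its 38 domain entries suggest; the label-by-label walk is what keeps look-alike registrations such as `notyoutube.com` out.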

For the same reason it contains a whitelist of scripts, and the same reason why you cannot deny script for trusted: because it is the dev's position. We really need some parts of noscript to be merged into umatrix and noscript discarded.

KOLANICH avatar Feb 29 '20 12:02 KOLANICH

It would be best for the developer to clarify his reasons for whitelisting certain domains. I am all for merging some parts of noscript into umatrix, but I hope the developer will offer a proper response.

sajanki avatar Feb 29 '20 12:02 sajanki

The reason is pretty straightforward, it's remained the same for more than a decade (since NoScript classic) and explained in this FAQ.

You can remove any site you don't trust from the (pretty short) default whitelist at any time.

You cannot deny [script] in the TRUSTED preset because, well, it's a preset for the least strict setting available. It would be very confusing if you set something to TRUSTED and nothing works, wouldn't it? You already have a lot of leverage with the DEFAULT, the UNTRUSTED (where, for the symmetric reason, you're not allowed to enable [script]) and the CUSTOM settings.

In other words, they're all UX design choices made to prevent users from shooting themselves in the foot and to avoid scaring them away on first usage, which would defeat NoScript's purpose. But they don't prevent anybody from tuning it up to the most paranoid level they prefer.

Just like nobody prevents you, since you're so keen to fork and discard NoScript, from modifying just the bits which annoy you the most for your personal usage.

[EDIT] updated the link to the FAQ, pointing to https://classic.noscript.net/ now.

hackademix avatar Feb 29 '20 15:02 hackademix

It would be very confusing if you set something to TRUSTED and nothing works, wouldn't it?

No, it wouldn't. Noscript is a tool for advanced users ("serious people" who "need to do the work, not fight the browser and website owners" just say "I am an ordinary person, not a secret agent and not a paranoid psycho, so I don't object that they spy on me, they will find nothing worth attention, it's better to allow everyone to spy on me than to make my use of sites unbearable"), so presets should be what we define them to be. In fact I had to be one of them not so long ago, when I had to visit a website with browser-fingerprinting reCAPTCHA v3 and had no time to invent a way to bypass this heavily VM-obfuscated masterpiece of shit. Fortunately, it was not my PC, but that of people who don't care. IDK what I will do if I am blackmailed into allowing reCAPTCHA again.

In fact I'd like to have more than 3 presets, fully configurable. For example, IMHO the "trusted" preset is completely useless; the only point of having noscript is to give websites the least privileges possible. In fact I only use custom.

Also I dislike that a noscript privilege grant is global. For example, if one has allowed yandex.com at mail.yandex.com, he has allowed it on other sites too, so it can be used for cross-site tracking. umatrix allows setting restrictions per source-destination pair, but lacks some features of noscript, like blocking WebGL and detecting XSS. I also remember ABE (BTW, there is now a WE API for DNS lookups and it is already utilized in uBlock Origin), but it is currently non-functional :( So I currently have to use both. And the settings in them are not synchronized, so I have to set them manually.

So please consider merging the 2 addons.

KOLANICH avatar Feb 29 '20 16:02 KOLANICH
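The cross-site tracking concern in the comment above is easy to make measurable. The following is an added example, not code from NoScript or uMatrix: a toy model of the two grant scopes being compared, a grant keyed on the destination host alone (so it applies on every page) versus one keyed on the (page, destination) pair. The hostnames, rules and request log are all constructed for illustration, and real extensions match far more than exact hostnames.

```javascript
// Added example, not code from NoScript or uMatrix: compare per-destination
// grants with per-(page, destination) grants on a constructed request log.

// Constructed log of script loads: which first-party page requested which script host.
const REQUEST_LOG = [
  { page: "mail.yandex.com",  script: "yandex.com" },
  { page: "news.example.com", script: "yandex.com" },      // same grant reused cross-site
  { page: "shop.example.net", script: "yandex.com" },
  { page: "news.example.com", script: "example.com" },
  { page: "shop.example.net", script: "tracker.example" }, // never granted anywhere
];

// Scope 1: the grant is keyed on the destination only.
function makeGlobalPolicy(trustedScriptHosts) {
  const trusted = new Set(trustedScriptHosts);
  return (page, script) => trusted.has(script);
}

// Scope 2: the grant is keyed on the (page, destination) pair.
function makePairPolicy(trustedPairs) {
  const trusted = new Set(trustedPairs.map(([page, script]) => `${page} -> ${script}`));
  return (page, script) => trusted.has(`${page} -> ${script}`);
}

function evaluate(policy, log) {
  return log.map((r) => ({ ...r, allowed: policy(r.page, r.script) }));
}

// Number of distinct first-party pages on which `scriptHost` was allowed to run:
// a proxy for the cross-site tracking surface the comment objects to.
function pagesReached(results, scriptHost) {
  const pages = results
    .filter((r) => r.allowed && r.script === scriptHost)
    .map((r) => r.page);
  return new Set(pages).size;
}

// The user only ever wanted yandex.com scripts while reading their mail.
const globalPolicy = makeGlobalPolicy(["yandex.com", "example.com"]);
const pairPolicy = makePairPolicy([
  ["mail.yandex.com", "yandex.com"],
  ["news.example.com", "example.com"],
]);

function compare() {
  return {
    global: pagesReached(evaluate(globalPolicy, REQUEST_LOG), "yandex.com"),
    pair:   pagesReached(evaluate(pairPolicy, REQUEST_LOG), "yandex.com"),
  };
}

console.log(compare()); // { global: 3, pair: 1 }
```

The same single decision ("allow yandex.com on mail.yandex.com") lets the script host observe three first-party contexts under the destination-keyed model and exactly one under the pair-keyed model; the price is that every new (page, script) combination has to be granted separately.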

The reason is pretty straightforward, it's remained the same for more than a decade (since NoScript classic) and explained in this FAQ.

The FAQ no longer mentions anything about the existence of a default whitelist.

pipatron avatar Sep 22 '23 22:09 pipatron

I guess due to some hidden partnership, as usual with all those blockers. BTW the code is here, so you can fork it and remove what is not desirable for advanced people like you said.

aiekick avatar Feb 08 '24 08:02 aiekick

i guess due to some hidden partnership

No hidden partnership, much less with Google :imp:

And yes, you can fork it, but maybe it's just much simpler just removing all the stuff you don't need as explained in this previous comment :wink:

The FAQ no longer mentions anything about the existence of a default whitelist.

Sorry, on the new site I've been rebuilding the FAQ with the actually frequently (now) asked questions. The old "classic" FAQ is already available here (and I'm updating the link in the comment above, too): https://classic.noscript.net/faq#qa1_5

hackademix avatar Feb 08 '24 08:02 hackademix

I thank you so much for this extension; by the way, I trust 0 people.

Trust is the shortest way to get fucked 😀

Like, I can't be sure that the extension distributed on Firefox has the same code as this repo.

But I modified it for my own purpose, so it's ok.

aiekick avatar Feb 08 '24 08:02 aiekick