noscript icon indicating copy to clipboard operation
noscript copied to clipboard
verified publisher icon hackademix

[feature-request]: add an ABE implementation to 10.x

Open aead opened this issue 7 years ago • 10 comments

This is a feature request for ABE being added to NoScript 10.x / quantum.

Use case (example): I'm using firefox containers to ensure that e.g. twitter.com only has access to a pre-defined scope (cookies, local storage, ...). (Actually I'm redirecting twitter.com -> mobile.twitter.com). Now I want to allow JS for *.twitter.com and *.twimg.com but only if I'm on mobile.twitter.com. So the current state is that I'm redirecting any twitter.com link to mobile.twitter.com and firefox containers ensure that all tabs are running the same "twitter" container. The only two options at the moment are:

  • allowing twitter.com / twimg.com scripts permanently. That would also allow e.g twimg.com JS on <some-domain.com>.
  • always enable twitter.com / twimg.com scripts temporally when I visit mobile.twitter.com (which is kind of annoying). But even worse as soon as I've visited mobile.twitter.com once the twimg.com JS on <some-domain.com> would also e loaded. So to ensure that specific JS is only loaded in certain situations (e.g. I'm on a specific host) ABE would be the right tool.

BTW: Thank you for this amazing addon which makes the web a lot safer and increases peoples privacy :tada:

aead avatar Nov 22 '18 12:11 aead

IIUC the underlying implementation of the regular script-blocking is flexible enough to handle this in 10.x, although the interface may not be complex enough to expose it.

ThrawnCA avatar Nov 22 '18 22:11 ThrawnCA

@ThrawnCA That may be the case. I'm not sure whether it's okay to expose an ABE rule set as part of the policy.json and incrementally build a UI for ABE or whether it's better to add everything at once...

In general, IMO, it would be sufficient for many users to have a 4-th option - e.g. "allow on this domain" additionally to "allow", "allow temporally" and "block".

aead avatar Nov 22 '18 23:11 aead

In general, IMO, it would be sufficient for many users to have a 4-th option - e.g. "allow on this domain" additionally to "allow", "allow temporally" and "block".

Another possibility would be another button like the red/green padlock for HTTP/HTTPS. This would offer full flexibility without taking much space.

musonius avatar Nov 25 '18 22:11 musonius

#40 would cover this nicely if feasible.

ThrawnCA avatar Nov 25 '18 23:11 ThrawnCA

@musonius For the described use-case that would be an option, too. E.g. a button with the semantics: rule apply only on this domain. For example setting Domain-A as trusted on Domain-B and clicking this button would cause Domain-A be trusted only on Domain-B but not on Domain-C.

aead avatar Nov 27 '18 11:11 aead

The ABE-feature is still mentioned at the official website (https://noscript.net/abe/ and https://noscript.net/faq) even though it is not implemented/visible in the webextension (i got version 10.6.3). I do think in todays days where most people use plenty of 3rd-party cdns' and js-dns', the opportunity to only allow scripts (fetch,img,media,...) from thoose sites only when neccessary. --> some sites i use include the kind of cdn' i'd like not to have allowed in other sites (mostly gstatic... and similiar/partially tracking ones).

possible implementation-ideas

  • 1rst-party check, - allow 3rd party only at specific 1rst-party

PatrickJRed avatar Jul 20 '19 11:07 PatrickJRed

just checked your homepage again

you should really update the abe-section with the information that abe isnt supported in webextension (now have 11.0.7)

PatrickJRed avatar Nov 12 '19 10:11 PatrickJRed

just checked your homepage again

you should really update the abe-section with the information that abe isnt supported in webextension (now have 11.0.7)

I just checked myself and still see no mention, at least anything I could find, of ABE not being supported. I've been using uMatrix to supplement things like this; I can get everything tweaked from the GUI without leaving the tab when advanced settings are turned on.

TFWol avatar Dec 14 '19 22:12 TFWol

Checked again, ABE is still not supported in latest stable version. ABE-section has not been updated either. Please at least update ABE section, so it states, that ABE is not currently part of latest version,

I had to ask on noscript's forum, because I simply couldn't find ABE in latest version, while ABE section said, it's there (https://forums.informaction.com/viewtopic.php?f=7&t=25962&sid=1d8a03f352ba790476829620e138f1a5).

IanNov avatar May 20 '20 12:05 IanNov

Checked again, ABE is still not supported in latest stable version. ABE-section has not been updated either. Please at least update ABE section, so it states, that ABE is not currently part of latest version,

I had to ask on noscript's forum, because I simply couldn't find ABE in latest version, while ABE section said, it's there (https://forums.informaction.com/viewtopic.php?f=7&t=25962&sid=1d8a03f352ba790476829620e138f1a5).

I concur.

TFWol avatar May 21 '20 21:05 TFWol