[tor-talk] noscript 10.2 default mandatory sites, trusted sites

Joe joebtfsplk at gmx.com
Thu Dec 20 04:29:08 UTC 2018


Many of these settings aren't brand new (some are fairly new), but I'm 
not sure how some of these settings are actually used in NoScript: 
whether they are used "as is," or whether settings in one file (say, 
defaults.js) interact with or are overridden by other NS files.  Has 
anyone seen official explanations of how these sites shown as default 
or trusted actually work in TBB?

All of these are from TBB 8.4, noscript 10.2.
To see the files / settings, you have to copy or extract the noscript 
.xpi file to a different location (it has an alpha-numeric name, 
{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi, and lives in 
profile.default/browser-extension-data).

These are from the NS /legacy/defaults.js file:

"mandatory": "[System+Principal] about: about:addons about:blocked 
about:certerror about:config about:crashes about:feeds about:home 
about:memory about:neterror about:plugins about:preferences 
about:privatebrowsing about:sessionrestore about:srcdoc about:support 
about:tabcrashed blob: chrome: mediasource: moz-extension: 
moz-safe-about: resource:",
   "default": "about:blank about:pocket-saved about:pocket-signup 
addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com 
bootstrapcdn.com code.jquery.com firstdata.com firstdata.lv gfx.ms 
google.com googlevideo.com gstatic.com hotmail.com live.com live.net 
maps.googleapis.com mozilla.net netflix.com nflxext.com nflximg.com 
nflxvideo.net noscript.net outlook.com passport.com passport.net 
passportimages.com paypal.com paypalobjects.com securecode.com 
securesuite.net sfx.ms tinymce.cachefly.net wlxrs.com yahoo.com 
yahooapis.com yimg.com youtube.com ytimg.com",

Note sites like google.com, googlevideo.com, hotmail.com, 
maps.googleapis.com, paypal, yahoo & yahooapis.com and many others.
Are the legacy/defaults.js sites applied "as is" in TBB?  Where is that 
explained?

If they're allowed as shown, for example, I wouldn't want anything for 
yahoo & their horrible security record, always enabled by default.

The following are from the noscript /common/Policy.js file. I only 
scratched the surface:

  function defaultOptions() {
     return {
       sites:{
         trusted: `addons.mozilla.org
           afx.ms ajax.aspnetcdn.com
           ajax.googleapis.com bootstrapcdn.com
           code.jquery.com firstdata.com firstdata.lv gfx.ms
           google.com googlevideo.com gstatic.com
           hotmail.com live.com live.net
           maps.googleapis.com mozilla.net
           netflix.com nflxext.com nflximg.com nflxvideo.net
           noscript.net
           outlook.com passport.com passport.net passportimages.com
           paypal.com paypalobjects.com
           securecode.com securesuite.net sfx.ms tinymce.cachefly.net
           wlxrs.com
           yahoo.com yahooapis.com
           yimg.com youtube.com ytimg.com`.split(/\s+/).map(Sites.secureDomainKey),
         untrusted: [],
         custom: {},
       },
       DEFAULT: new Permissions(["frame", "fetch", "other"]),
       TRUSTED: new Permissions(Permissions.ALL),
       UNTRUSTED: new Permissions(),
       enforced: true,
       autoAllowTop: false,
     };
   }
Again, are these used "as is," or is there a reason they're shown here 
as (always) trusted?
Many users wouldn't want some of them Trusted by default - maybe never.

Note also - Policy.js shows the Default tab permissions are only 
supposed to be: "frame, fetch & other."
Every time I start TBB, *ALL permissions* are enabled again under the 
Default tab, not just the 3 shown.  NoScript 10 in Firefox saves custom 
settings & only has the 3 permissions enabled under the Default tab.

This was reported right after NS 10 landed in TBB & still not fixed.  
Like users aren't supposed to touch them. NoScript saving settings 
between sessions - if users choose - should be fairly simple.  Most apps 
outside of TBB allow it.
In TBB 8.0 - 8.4, backing up NS settings after changes still doesn't 
work, but works OK in Firefox.

It's one thing if all permissions are enabled by default so non-tech 
users can browse most sites with no interaction.  It's quite another if 
NS won't save changed settings or export them.
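The following is an added example, not code from the post or from NoScript itself, that models what the quoted defaultOptions() fragment implies in practice: a trusted list built with Sites.secureDomainKey(), a DEFAULT permission set of only "frame", "fetch" and "other", and TRUSTED getting everything. The capability names, the "§:" secure-domain prefix (meaning "trusted only over HTTPS"), the subdomain-matching rule and the precedence untrusted > custom > trusted > DEFAULT are assumptions made for this illustration; the trusted list is a constructed subset of the one in the post. It shows why a site shipped in the trusted list gets script execution over https: out of the box, why the same site over http: falls back to DEFAULT (no script, but frames and fetch still allowed), and how a user-side override to untrusted would remove every capability for that domain.

```javascript
// Added example: simplified model of a NoScript-10-style site policy lookup.
// NOT NoScript's own code; names and matching rules below are assumptions.

// Assumed capability vocabulary (constructed for this example).
const ALL_CAPABILITIES = ["script", "object", "media", "frame", "font", "webgl", "fetch", "other"];

class Permissions {
  constructor(capabilities = []) { this.capabilities = new Set(capabilities); }
  allows(cap) { return this.capabilities.has(cap); }
}
Permissions.ALL = ALL_CAPABILITIES;

// Assumed semantics: a "secure domain key" is a domain trusted only over HTTPS.
const Sites = {
  secureDomainKey(domain) { return `§:${domain}`; },
  isSecureDomainKey(key) { return key.startsWith("§:"); },
  toDomain(key) { return key.replace(/^§:/, ""); },
};

// Constructed subset of the trusted list quoted in the post, built the same way.
const TRUSTED_DEFAULTS = `addons.mozilla.org gstatic.com google.com
  yahoo.com yahooapis.com youtube.com`.split(/\s+/).map(Sites.secureDomainKey);

function defaultOptions() {
  return {
    sites: { trusted: TRUSTED_DEFAULTS, untrusted: [], custom: {} },
    DEFAULT: new Permissions(["frame", "fetch", "other"]),
    TRUSTED: new Permissions(Permissions.ALL),
    UNTRUSTED: new Permissions(),
    enforced: true,
  };
}

// Assumed matching rule: host equals the domain or is a subdomain of it
// (fonts.gstatic.com matches gstatic.com; notgstatic.com does not).
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Resolve which permission set applies to `url`.
// Assumed precedence: untrusted > custom > trusted > DEFAULT.
// A trusted entry carrying a secure-domain key applies to https: URLs only.
function lookup(policy, url) {
  const { protocol, hostname } = new URL(url);
  const { sites } = policy;
  if (sites.untrusted.some(d => hostMatches(hostname, d))) {
    return { label: "UNTRUSTED", perms: policy.UNTRUSTED };
  }
  for (const [d, perms] of Object.entries(sites.custom)) {
    if (hostMatches(hostname, d)) return { label: "CUSTOM", perms };
  }
  for (const key of sites.trusted) {
    if (!hostMatches(hostname, Sites.toDomain(key))) continue;
    if (Sites.isSecureDomainKey(key) && protocol !== "https:") continue;
    return { label: "TRUSTED", perms: policy.TRUSTED };
  }
  return { label: "DEFAULT", perms: policy.DEFAULT };
}

function isAllowed(policy, url, cap) {
  return lookup(policy, url).perms.allows(cap);
}

// A user who does not want a shipped default trusted: mark the domain untrusted.
// Returns the modified policy so the effect can be checked with lookup().
function withUserOverride(policy, domain) {
  policy.sites.untrusted.push(domain);
  return policy;
}

// Summarise what the shipped defaults grant for a few constructed URLs.
function demo() {
  const policy = defaultOptions();
  const out = {};
  for (const u of ["https://www.yahoo.com/", "http://www.yahoo.com/",
                   "https://fonts.gstatic.com/", "https://example.com/"]) {
    const r = lookup(policy, u);
    out[u] = `${r.label} script=${r.perms.allows("script")} frame=${r.perms.allows("frame")}`;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Run it with node to see the summary; the point to take from the model is that "in the trusted list" means full capabilities (script included) for every subdomain over https:, while DEFAULT still permits framing and fetch, so the difference between the two tabs is exactly the set of capabilities a user is deciding to hand to sites they never chose.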

