How can I stop NoScript from whitelisting sites like Facebook?

2

I notice that there has recently been a big update to both Firefox and NoScript and that NoScript appears to be whitelisting certain sites now, like Facebook, without my permission. It seems to have some list of privileged domains that it is allowing by default.

How can I stop it from doing this? I want to configure NoScript so it only allows JavaScript from domains that I specifically and explicitly allow.

Tyler Durden

Posted 2017-11-29T14:48:23.450

Reputation: 4 710

Answers

2

The way to do this is:

  • Click the NoScript icon in the browser bar
  • Find the Facebook entry and click the symbol with the red slash through it (not the one that says DEFAULT)

That should block the Facebook domain.

NoScript is currently a moving target; be patient. I recommend reading Dedoimedo’s guide, which will continue to get updates. Dedoimedo concludes that the NoScript implementation was rushed to meet the Quantum release deadline. (This is not the developer’s fault.) Since the way NoScript currently works will be changing, any solution for today could be temporary. The good news is it should emerge more powerful than the previous version.

In brief, from the guide: The old NoScript listed sites and their permissions. The new version has scopes, permissions, site and override permissions. Permissions are thus per scope, not per site. Note that the default scope ALLOWS scripts. Until you set a site to be covered by a specific scope, it is covered by the default. Therefore, as I understand it, NoScript is not just allowing Facebook, but all sites that have the default scope. But be careful: NoScript version 10 imports your whitelisted sites from the previous version (v. 5.x), and HTTP and HTTPS settings are independent for each site.

See also:

Mike Chapman

Posted 2017-11-29T14:48:23.450

Reputation: 326

1

I know how to make trust settings for individual domains. The question is how to stop NS from whitelisting sites I have not specifically approved. As far as I can tell, the default action for a domain is to block scripts. – Tyler Durden – 2017-11-29T16:46:32.360

Hi Tyler, I have cloned my profile and installed a parallel version of FFX 57 so I can test and try to better understand. I will hopefully be able to update my answer. Could you say whether you upgraded to FFX57 and NoScript 10 from an existing profile, and whether Facebook was white-listed or black-listed in that profile? – Mike Chapman – 2017-11-30T10:54:00.427

1

The list of default whitelisted sites for the old NoScript (version 5.x) is short. It includes YouTube, Netflix, Google, Yahoo and some Microsoft sites, but not Facebook: https://noscript.net/faq (see sections 1.5 and 3.3). There is no reason to believe that Facebook is suddenly whitelisted by default; that's why I ask about any previous settings.

– Mike Chapman – 2017-11-30T10:57:06.253

After spending quite some time today working with the new version of NoScript, I have to conclude that, like the old version, it doesn't whitelist sites without your permission, except for the ones listed in the FAQ. If you can give me reproducible examples, I am perfectly willing to check out the behavior with you. Probably they were already whitelisted without you remembering it, or you whitelisted them by accident without realizing. You can view and search the list of your definitions in the Options, which opens in a new tab. – Mike Chapman – 2017-11-30T22:37:16.573

How do you "Find the Facebook entry"? – Peter Mortensen – 2017-12-03T19:24:53.297

Click on the NoScript icon in the toolbar, then select the options button from the drop-down menu (hover over icons to see their function). The options page opens in a new tab; click in the field labeled "Address of the website" and type facebook. It will select all domains containing facebook. Alternatively, you can go to the Facebook website and when you click on NoScript in the toolbar, it will be listed. – Mike Chapman – 2017-12-04T22:13:37.203

2

NoScript is not automatically whitelisting facebook.com (for me). I am using FF 57.0.2 (64-bit) with NoScript Version 10.1.6 on 2017-12-19.

I have not allowed facebook.com in the past and when I go to it, I get redirected to https://www.facebook.com/?_fb_noscript=1.

When I am on the facebook.com website (with scripts blocked) and then look at my NoScript settings (by clicking on the NoScript icon) the NoScript settings appear like this: See image

In case the image link doesn't work, it shows the following:

 - [Default blocked]            ...facebook.com
 - [Default blocked]            https://www.facebook.com
 - [TRUSTED] [red open padlock] ...fbcdn.net

NOTE: I previously allowed the fbcdn.net website and so that is why fbcdn.net shows up as trusted.

PatS

Posted 2017-11-29T14:48:23.450

Reputation: 159