hackademix / noscript

The popular NoScript Security Suite browser extension.
https://noscript.net/
GNU General Public License v3.0
851 stars 90 forks source link

[Feature Request] Trust/Allow script(s) to run on a single site/domain only, instead of globally #345

Open happeeshopper opened 7 months ago

happeeshopper commented 7 months ago

Reason: Certain scripts can be used to serve either benign or malicious code, depending on the domain owners intentions.

I find myself stuck in the position where I don't want to trust certain scripts globally, because they could potentially be used to serve malicious code, but then always having to 'temporarily allow' said scripts on trusted websites that I frequent.

Being able to 'trust' a script to always run on a certain website only, instead of globally on all websites would be useful.

hackademix commented 7 months ago

How does this differ (if it does) from Contextual Policies?

happeeshopper commented 7 months ago

It doesn't, that's exactly what I was asking for, I just hadn't noticed it 👍

happeeshopper commented 5 months ago

How does this differ (if it does) from Contextual Policies?

I noticed there's a problem with contextual policies - it can only be set for a single domain, so if a common script such as ajax.googleapis.com is custom set to be 'allowed' on a single domain and then I 'temporarily allow' it on another domain - the contextual policy is reset and it's no longer automatically allowed on the original set domain.

rolandog commented 2 months ago

Could it be possible to also set default Custom Contextual Policies (and their default scope, i.e. if selecting CUSTOM, the action I want is that domain.tld be approved by default not for ANY SITE, but only for the site I'm visiting, e.g. example.com)? I never trust domains globally, so I find myself performing the following actions repeatedly:

happeeshopper commented 2 months ago

I never trust domains globally, so I find myself performing the following actions repeatedly:

Same here, it's unsafe to do so and defeats the purpose of the extension. But I do want/need some scripts to run on some sites all the time so it's either allow them globally (unsafe) or repeatedly allow them temporarily (PITA).

Edit: I noticed this can be done using ublock which is exactly what's needed:

"Script blocking in uBlock has the option to block / allow scripts both globally and per-site. For example, I can have Google scripts blocked globally by default, but then allow it to run in Youtube specifically, while still blocking those scripts automatically for every other site."