allowing trusted frames on default (non trusted) sites

[bughit]

For example, youtube iframe embedding (now?) requires scripting.

There is no significant security gain in distrusting trusted frames on non-trusted parents. Such parents can't access the trusted frame because

• they can't script
• even if they could, cross origin access is blocked by the browser

On the other hand there is a security loss if you are forced to trust the parent domain just to have trusted iframe embeds load.

So optionally, trusted frames on default sites should be allowed.

[MikhailRyazanov]

And I think, this is how it was working previously. At least, after updating my Firefox, I was surprised to see black rectangles instead of embedded YouTube videos on some sites where I saw them working before.

I tried to search and could not find what I was doing wrong or which setting are responsible for this, but apparently there are none. The NoScript menu even shows that "...youtube.com" is "TRUSTED" (and "frames" are enabled in the "DEFAULT" settings), but nevertheless it does not work... :–(

So far I'm using "open this frame in new tab" as a workaround, but it would be much better to have frames behaving according to their permissions. Or a separate setting to allow/forbid this.