Difference between revisions of "User:Hendy:Noscript"
(Added some NoScript behaviour notes)
Revision as of 20:50, 4 May 2009
[https://bugzilla.mozilla.org/show_bug.cgi?id=303760 Request for "No Script"-like Java Script whitelist in Camino.]
NoScript maintains its own list of trusted and untrusted sites. When a site is added to either of these lists, the effect is propagated to all websites you visit.
For example, foo.com links to the script foo.com/jquery.js. bar.com links to foo.com/jquery.js. When the user loads foo.com, NoScript allows them to set foo.com as untrusted. The page then reloads and foo.com/jquery.js is not executed. If bar.com is open, it is also reloaded without foo.com/jquery.js.
If foo.com is set as untrusted, when foo.com is visited all scripts referenced by it (inline, same domain, other domains) are prevented from executing.
If we use CAPS in our own utility, we must make sure that this behaviour is kept.
Untrust foo.com -> foo.com becomes a Javascript-free zone.

Untrust bar.com -> ditto, and any scripts from bar.com that foo.com references are not executed when visiting foo.com (if foo.com is trusted).
== Using CAPS ==

To set up a system that blocks JavaScript by default, set javascript.enabled = true and put

<pre>
user_pref("capability.policy.policynames", "jsok");
user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.jsok.javascript.enabled", "allAccess");
</pre>

in user.js, or set the same prefs with PreferenceManager.

To add sites to the whitelist:

<pre>
[[PreferenceManager sharedInstance] setPref:"capability.policy.jsok.sites" toString:@"http://www.ballcocknuts.com"];
</pre>

where the string is a space-delimited list of the sites to have in the whitelist. A reload is necessary after a setPref.
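The following is an added example, not Camino or NoScript code. It models the two whitelist semantics discussed above: NoScript's rule (both the referencing page and the script's origin must be trusted) and a simplified CAPS rule where javascript.enabled is decided by the document's origin only, which is an assumption about how capability.policy.*.sites is applied. It also emits the user.js prefs from the "Using CAPS" section for a given whitelist, so the divergence the note warns about can be checked against constructed page/script pairs.

```python
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """Reduce a URL or a bare 'host/path' string to its lower-case host name."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname.lower()


def noscript_allows(page_url: str, script_url: str, trusted: set) -> bool:
    """NoScript behaviour described above: the page must be trusted, and so
    must the origin the script is fetched from (inline scripts share the
    page's origin and are therefore covered by the first check)."""
    return origin(page_url) in trusted and origin(script_url) in trusted


def caps_allows(page_url: str, script_url: str, trusted: set) -> bool:
    """Simplified CAPS model (assumption): capability.policy.jsok.sites is
    matched against the document's origin, so the script's own origin
    never enters the decision."""
    return origin(page_url) in trusted


def divergences(pages: dict, trusted: set) -> list:
    """(page, script) pairs a plain CAPS whitelist would run but NoScript blocks."""
    return sorted(
        (page, script)
        for page, scripts in pages.items()
        for script in scripts
        if caps_allows(page, script, trusted) and not noscript_allows(page, script, trusted)
    )


def caps_user_js(trusted: set) -> str:
    """user.js lines from the 'Using CAPS' section for the given whitelist;
    sites are emitted as a space-delimited list of http:// origins."""
    sites = " ".join(sorted("http://" + host for host in trusted))
    return "\n".join([
        'user_pref("javascript.enabled", true);',
        'user_pref("capability.policy.policynames", "jsok");',
        'user_pref("capability.policy.default.javascript.enabled", "noAccess");',
        'user_pref("capability.policy.jsok.javascript.enabled", "allAccess");',
        f'user_pref("capability.policy.jsok.sites", "{sites}");',
    ])


if __name__ == "__main__":
    # Constructed sample: foo.com is trusted, bar.com is not; foo.com pulls in a bar.com script.
    sample = {"http://foo.com/": ["foo.com/jquery.js", "http://bar.com/tracker.js"]}
    print(caps_user_js({"foo.com"}))
    print("CAPS-only gaps:", divergences(sample, {"foo.com"}))
```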