Difference between revisions of "User:Hendy:Noscript"
(Added permissions.sqlite stuff) |
|||
Line 20: | Line 20: | ||
This latter technique will not prevent inline scripts from being executed, so both CAPS and permissions.sqlite need to be used to provide a total blocking solution. | This latter technique will not prevent inline scripts from being executed, so both CAPS and permissions.sqlite need to be used to provide a total blocking solution. | ||
− | There must be a way to manipulate permissions.sqlite via Gecko, as the popup blocker seems to use it to set exceptions. | + | There must be a way to manipulate permissions.sqlite via Gecko, as the popup blocker seems to use it to set exceptions. -> CHPermissionManager! |
Latest revision as of 21:46, 4 May 2009
Request for "No Script"-like Java Script whitelist in Camino.
NoScript maintains its own list of trusted and untrusted sites. When a site is added to either of these lists, the effect is propagated to all websites you visit.
For example, foo.com links to the script foo.com/jquery.js. bar.com links to foo.com/jquery.js. When the user loads foo.com, NoScript allows them to set foo.com as untrusted. The page then reloads and foo.com/jquery.js is not executed. If bar.com is open, it is also reloaded without foo.com/jquery.js.
If foo.com is set as untrusted, when foo.com is visited all scripts referenced by it (inline, same domain, other domains) are prevented from executing.
If we use CAPS in our own utility, we must make sure that this behaviour is kept.
Untrust foo.com -> foo.com becomes a Javascript-free zone. Untrust bar.com -> ditto, and any scripts from bar.com that foo.com references are not executed when visiting foo.com (if foo.com is trusted).
CAPS will prevent javascript executing on foo.com if the appropriate prefs are set. It will not however prevent bar.com from loading and executing scripts from foo.com. To do this, permissions.sqlite needs to be fiddled with. eg:
INSERT INTO "moz_hosts" VALUES(11,'foo.com','script',2);
to prevent all scripts from foo.com from being loaded.
This latter technique will not prevent inline scripts from being executed, so both CAPS and permissions.sqlite need to be used to provide a total blocking solution.
There must be a way to manipulate permissions.sqlite via Gecko, as the popup blocker seems to use it to set exceptions. -> CHPermissionManager!
Using CAPS
To set up a system to block javascript by default, set javascript.enabled = true and have
user_pref("capability.policy.policynames", "jsok");
user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.jsok.javascript.enabled", "allAccess");
in user.js, or with PreferenceManager
to add sites to the whitelist:
[[PreferenceManager sharedInstance] setPref:"capability.policy.jsok.sites" toString:@"http://www.ballcocknuts.com"];
where the string is a space-delimited list of the sites to have in the whitelist
a reload is necessary after a setPref