NoScript allows all 3rd party scripts when base domain is blocked
An odd behavior if "Cascade top document's permissions to 3rd party scripts" is enabled in Advanced > Trusted tab.
- With this enabled, even when the base domain - top document - is intentionally blocked, NoScript still allows all 3rd party scripts. I think this is incorrect behavior and not what users expect, when base domains are still blocked.
Then it lists the 3rd party sites under NS menu "Untrusted" group - but not marked untrusted. Normally, when 3rd party sites are allowed, they're listed in main menu (where users can see them), with the option to Forbid individual sites.
At best, it makes no sense to load 3rd party scripts - or show them as loaded, when the base domain is blocked. It's also confusing and misleading, based on NoScript's verbiage on this option's page. It seems a waste of time and bandwidth to load 3rd party scripts if they're not going to be used. At worst, a 3rd party developer learns to exploit 3rd party scripts being loaded when base domains are blocked.
- The description in Trusted tab is, "Additional permissions for trusted sites."
Keyword being "Trusted." Blocking the base domain implies it is not trusted.
- The option is called, "Cascade top document's **permissions**...." If the top document's permission status is blocked, then it's doing the opposite of its current permissions. Only load 3rd party scripts if a base domain is allowed.
Tor Project opted to override NoScript allowing some 3rd parties by default, via the extension-overrides.js file; e.g., google.dom gstatic.dom ajax.googleapis.dom, etc. But the Cascade option allows all 3rd party scripts when users have chosen not to allow scripts on the current page.
Trac:
Username: joebt