"Javascript is disabled on non-HTTPS sites" from security slider has regressed in TBB 8 / NoScript 10
Formerly this feature was accomplished by a NoScript setting that allowed scripts on HTTPS sites. Allowing scripts on an HTTP site through the NoScript button only allowed them for that particular site.
Now, this feature relies on a per-site permission in NoScript that applies the Untrusted rules to the special "http://http:" site. Allowing a single HTTP site to run scripts requires applying the Default or Trusted rules to the "http://http:" site in the NoScript button UI. This has the undesired effect or granting these permissions to all HTTP sites for the browsing session.
Furthermore, changing a per-site permission to default deletes it from the per-site permissions list in NoScript settings. Users cannot restore the setting manually because "http://http:" is not accepted by the settings UI as a valid input. To stop allowing scripts on subsequent visits to HTTP sites they must toggle the security slider settings, or import a settings backup to NoScript, or restart the browser.
If the above were fixed, and each HTTP site was given its own per-site permission there is an additional problem. There is no "Temp. Default" option, only "Temp. Trusted," but only the default rules are required to allow script execution. This makes it tempting to give HTTP sites Temp. Trusted permissions so that the Revoke Temporary Permissions button will apply to them. At present, restarting the browser will reset all per-site permissions, but this may be changed (see #27175 (moved)). If per-site permissions are saved, users will be forced to choose between granting temporary but excessive permissions, or risk storing a record of their browsing history.
Trac:
Username: cypherpunks_reply