Adam H. Kerman wrote:
>> Yeah, I recently installed NoScript in Firefox, was surprised just how
>> broken some websites became. I had to manually enable GitHub because I
>> use it a lot.
> That's the whole point of NoScript! You enable just enough js to get the
> Web site to work and you don't enable any more. Then you revoke
> permissions.

The adventure is often with sites that make a lot of use of Google-based
scripting.

I do a lot of temporary whitelisting in this form, enabling as needed,
and then disabling when the need passes. For some scripting hosts that
I go past frequently enough, I will permanently whitelist. In other
other cases, I've found enough known tracking hosts that I permanently
blacklist so that even a "temporarily whitelist all" will be ignored for
those sites.

Google stuff is hit-and-miss. Some sites that use things like
googletagmanager or Google's AJAX API work with those disabled, and
others don't. I've seen it happen enough where googletagmanager is used
to validate every line of input on a form, or where it's necessary to
click on a supplied link. If it's not enabled, the page is useless.
But not all the time.

If a site uses Google's CAPTCHAs then you can't get past that without
enabling google.com (and I'm inclined to believe that some sites are
more likely to throw CAPTCHAs at you when scripting is blocked,
especially google.com). If a site has a search bar that's a front end
to Google, then the search bar won't work with google.com blocked.

Relative to this discussion, I default block YouTube.com unless I'm
looking for something there, and then I will temporarily enable.
However, if I actually play content there, then I have to also enable
googlevideo.com, although I don't see that one unless I'm trying to
launch content. To that end, I'm inclined to leave googlevideo enabled,
because I think it won't work until I've been through stuff delivered by
youtube.com.

gstatic.com is interesting -- it's Google's hosted fonts, and if it's
active on a page, then it frequently doesn't appear until most other
scripting hosts have run stuff. I find plenty of pages that won't
behave correctly, even after multiple launches of temporary whitelisting
of everything that gstatic eventually turns up. When I enable gstatic,
everything starts behaving. I have been tempted to just permananently
whitelist gstatic, but I've found that some pages do behave with gstatic
blocked, and I'd rather not blanket whitelist. That said, I have a
second profile that I use only for a handful of selected sites, where
the purpose of the profile is a different set of whitelistings, and I do
permanently whitelist gstatic on in that profile, even if I don't in my
primary profile.

On the other hand, there are scripting hosts that I've generally found
safe to permanently blacklist. The primary one is google-analytics,
which does nothing for you, just reports your activities back to the
site owner, so that they can see how you interact with their site. I've
done a little bit with that on the site side, with a small site that I
occasionally provide support for, so I've seen the other side. For a
user, blocking google-analytics is a zero-loss proposition. And I've
found a number of ad delivery sites that seem also to be safe to block.

On the other hand, sites that are content delivery networks (including
ones with cryptic names, or ones with "cdn" in their names) are also
something of a hit-and-miss. Sometimes, I will temporarily whitelist to
get to content, but again, there are some that I see frequently enough
that it's useful to simply whitelist that server permanently.

Ultimately, NoScript is a tool for a power user -- if you are patient
with tinkering, it can be really useful, but it takes time and sometimes
trial-and-error to get it to behave without being overly intrusive.
It's definitely not a "set and forget" tool.

Smith

"NFN Smith" <worldoff9908@gmail.com> wrote

| I've seen it happen enough where googletagmanager is used
| to validate every line of input on a form,

Googletagmanager is for ads. If they're somehow using
it for other things then it may be an effort to stop
ad blockers. I've never seen a site where that business
works if script is blocked altogether.

| If a site uses Google's CAPTCHAs then you can't get past that without
| enabling google.com

Captchas need gstatic.

| gstatic.com is interesting -- it's Google's hosted fonts

Fonts are at fonts.googleapis.com. There shouldn't be any
reason that you have to enable those.

| The primary one is google-analytics,
| which does nothing for you, just reports your activities back to the
| site owner, so that they can see how you interact with their site.

Yes, it's web stats, for people who don't know how
to process their own server logs. Google makes it easy
for people to enable their spying by being stupid and/or
lazy. That's arguably their specialty. Stats, maps, fonts,
gmail, search... All are based on providing a very solid
service that's so convenient that people feel they can't
do without it.

| Ultimately, NoScript is a tool for a power user -- if you are patient
| with tinkering, it can be really useful, but it takes time and sometimes
| trial-and-error to get it to behave without being overly intrusive.
| It's definitely not a "set and forget" tool.
|

Indeed. I tried to set it up for the woman I live with.
She was having none of it! I couldn't blame her. It requires
understanding a whole new angle on webpages. And it's
usually not a simple affair. With many sites, such as department
stores, enabling 2 domains for script loads 6 more. It just
doesn't work.

I ran into an interesting case recently with Starz. I decided
to try their service. It worked fine only enabling their domains.
But then after a couple of weeks the login was broken unless
I enabled several spyware domains that have nothing to do
with the streaming service. So I quit Starz. There was no way
around the sleaze. (And I'm flexible. I get most of the movies
I see from the local library. Not everyone has that option.)

I block all but google.com in my HOSTS file. That's 20-odd
items. I can still use search, which I do occasionally. Captchas
are broken completely. In fact, they're not visible at all. The
rest is not a problem. But of course I also don't try to use
gmail, google maps, etc.

I generally don't allow script and so far haven't found
a website that blocks me. They can't test for adblocking
without script! But I do find an increasing number of sites
that will do something like cover the whole page with an
opaque DIV. I have a CSS toggle button for those.

I'm afraid the Internet is changing fundamentally. More
and more it's corporate pages, made by automated
software with heavily obfuscated code. More and more
the purpose is primarily to track, collect personal data,
and show ads. 20 years ago it was a public space where
people needed functional, adaptable webpages to take
part. Today it's an interactive shopping mall. If you don't
have the latest Chrome with all spying enabled then you
may not be able to access things like youtube, but you
also may not be able to access your doctor's online intake
form, because almost no one is actually writing their own
webpages. The page is now 20 MB of javascript software
coming to you from a special service that your doctor,
dentist, Tom, Dick and Harry all subscribe to.

Here's my HOSTS Google list. I'm using Unbound
and Acrylic DNS resolvers which allow for wildcards.

127.0.0.1 *.googlesyndication.com
127.0.0.1 *.googleadservices.com
127.0.0.1 *.googlecommerce.com
127.0.0.1 *.1e100.com
127.0.0.1 *.1e100.net
127.0.0.1 *.doubleclick.net
127.0.0.1 *.doubleclick.com
127.0.0.1 *.googletagservices.com
127.0.0.1 *.googletagmanager.com
127.0.0.1 *.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 fonts.googleapis.com
127.0.0.1 *.2mdn.net
127.0.0.1 googleadapis.l.google.com
127.0.0.1 *.gstatic.com
127.0.0.1 plusone.google.com
127.0.0.1 cse.google.com
127.0.0.1 www.google.com/cse
127.0.0.1 www.youtube-nocookie.com
127.0.0.1 *.appspot.com

And of course I also block noscript.net. :)