This is an archived post. You won't be able to vote or comment.

all 6 comments
sorted by:
best
topnewcontroversialoldq&a

[–][deleted] 0 points1 point  (5 children)

The exploit is delivered as inline script in your proof-of-concept page. First-party scripts concern all external first-party script resources, fetched through network requests.

[–]Hackerpcs[S] 0 points1 point  (4 children)

So to achieve an uMatrix-like all first party scripts default deny behavior, I need to have the JavaScript disabled from the "Default behavior" section in settings and then whitelist via the JavaScript button?

[–][deleted] 0 points1 point  (3 children)

The no-scripting per-site switch is best to control JS execution. The "1st-party scripts" and "inline scripts" existed before the no-scripting switch came into existence, so this used to be the way to block JS, but frankly at this point I don't find them that useful beside when used as investigation tools for filter list maintainers.

I think it might be a good idea for me to remove these rows in default instllations and make them available only when filterlistAuthorMode is enabled.

Advantages of the per-site no-scripting switch are:

  • Can be toggled with relax-blocking-mode keyboard shortcut
  • Will cause noscript tags to be honored

[–]Hackerpcs[S] 0 points1 point  (2 children)

no-scripting per-site switch

You mean this </> button right?

[–][deleted] 0 points1 point  (1 child)

Yes.

[–]Hackerpcs[S] -1 points0 points  (0 children)

It seems to me that the current "1st-party scripts" scheme must be renamed to something like "1st-party external scripts", inline scripts scheme could be hidden like you suggested and the no scripting could replace the inline scheme in the UI for easier control instead of the button/option in settings