(_HOWTO_ domain exceptions permissions javascript)
Regarding permissions and especially whitelists, Mozilla has it all BACKWARDS - a pure nightmare, a complicated mess, obviously trying to make whitelisting JS as useless as possible, grrr
And so convoluted and confusing, every time I try to dig into it and get this nonsense into my head, I soon keep forgetting it again. Now, yet another try again, after studying again John's explanations here:
http://kmeleonbrowser.org/forum/read.php?1,138148#msg-138158
and considering how exceptions work in my own daily use, in an older KM-version.
No solution, just to sum up my current understanding, for anyone interested (no guarantee for correctness):
- the GLOBAL settings do work as expected: Block all / allow all / block 3rd-party
- but the EXCEPTIONS work backwards!!
Not target, but source matters.
Black/Whitelisting for example images on "counter.com", does NOT mean ON that domain (in urlbar), but FROM that domain - EVERYWHERE!
(okay, bad example, counters usually need JS+Frames, even 10x more complicated)
Better example:
https://mobile.twitter.com
BLACKLIST "mobile.twitter.com": images=Deny or Site (no 3rd party)
=> useless, user thumbnails (hosted on pbs.twimg.com) still showing
BLACKLIST "pbs.twimg.com": images=Deny or Site
=> NOW the user thumbnails on "mobile.twitter.com" (and whole web) are gone!
Same for "subdocuments" (frames, iframes):
BLACKLIST "example.com": subdocuments=Deny or Site
=> useless, counter in iframe (hosted elsewhere) is still showing, and other frames too
BLACKLIST "counter.com": subdocuments=Deny or Site
=> NOW the counter frames on "example.com" (and whole web) are gone!
Same for script permissions etc.
Not the target domain matters for exceptions, only the source domain.
ATTENTION iframes!!
If you have GLOBALLY blocked "3rd party" stuff, but have
SUBDOCUMENTS ALL allowed, then other domains inside frames/iFrames can still run "their own" stuff inside "their own frame"! (for example those tiny omnipresent FB, twitter, etc. iframes)
Test page:
https://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe
(for example show in the frame the KM-forum, and block GLOBALLY 3rd party stylesheets => the KM-frame will load the KM-style)
JAVASCRIPT exceptions
Now the nightmare is even multiplied, because there are not just 1, but several prefs involved!!
1) global: javascript.enabled = true/false
=> Blocks ALL script stuff+files. If blocked, end of story, no exceptions, the other pref is dead too. Absolute priority.
2) global: default.permission.scripts = allow / site / block
This pref is only for linked script FILES, which are imported with a source-tag. It can NOT block inline script lines or DOM-events like "onload" or "onclick" etc.
http://kb.mozillazine.org/Hostperm.1#script (ignore the obsolete hostperm, find nothing newer, but sure still same exception definition)
If script FILES are blocked by THIS global pref, exceptions can be whitelisted!
BUT: pref-1 must be allowed, that means inline-script lines etc. must run everywhere.
Notes:
If js-files are blocked, those inline-scripts cannot open them either, as tested by John last year. And also exceptions definitely work only "from" a domain, not "for" a domain.
Little JS Test Page for mixing prefs 1+2, it calls a local js-FILE. Really works only if BOTH prefs are allowed. The file-pref must either be globally allowed or this domain whitelisted (if it works, it shows an alert box)
http://xahlee.info/js/ex/js_unicode.html
Ah yes, and very important for exception handling too:
google.com is NOT a domain!
Weird but true, "google.com" is not treated like a domain, like e.g. "example.com". Instead, it's merely considered by the servers like a double country code of the sort "co.uk".
That means, unlike all other (normal) sites, you cannot catch all subdomains of xyz.google.com at once. The only chance is to list every subdomain individually, because for the machines only the "xyz" part is considered as main domain. That's also why listing just google in a host file doesn't work to catch everything from it.
Have found that explanation for this curiosity awhile ago on some expert site, probably stackoverflow. They wrote they find it very strange too, but obviously someone with the power to define those country lists deliberately wanted it this way.
CONCLUSION:
Exceptions (for everything except scripts) are fine only in the few cases when you know their SOURCE domain.
If you want to globally block 3rd-party stuff, that block is rather useless unless you globally block 3rd-party "subdocuments" too (frames/iframes)
Without additional ADDONS it is NOT possible to block javascript completely and whitelist any exceptions. Also not possible to allow JS globally and blacklist a domain FULLY. Inline scripts and events will still run on that domain.
If some of the above is nonsense please tell
(And in a few days I will have this sick convoluted system forgotten yet again...)
-----------
unsure, newer KM-versions:
KM-command "navToggleJS": toggles pref "javascript.enabled", global default for all windows and tabs.
KM-command "pageToggleJS": not sure what this does exactly, and how long valid?? Set domain exception (or URL)? Source exception (or target)? for session? for one page-load? permanently? What about frames on current URL?
And what does this do exactly?
http://kmeleonbrowser.org/forum/read.php?1,143316,143389#msg-143389
-----------
My personal choice:
That stuff is just too complicated!! And I prefer to have the current settings clearly visible in the toolbars anyway. Want and need as much as possible blocked by default, JS, media objects, DOMstore etc. Subdocuments are globally restricted to domain-only (locks out the omnipresent Facebook etc. iframes tracking you on just about ALL websites nowadays). Exceptions are quickly set with great addon ExExceptions, mostly for blacklisted stuff. For whitelisting I prefer to just toggle global settings back and forth on the very few sites where needed, then (re)loading only those single pages. No prob, and the toolbars always show the current setting. Long live the Privacy Bar, with more extra buttons!! And also my macros Blockeria (multi-toggle with 1 click) and Priv3buttons (triple toggle for 3rd-party), those buttons were long since worn out too if they were physical
-----------
Suggestion for a lightly bothersome workaround if anyone needs JS often, and has no addon for it:
Perhaps try working with two independent, parallel sessions, in 2 windows. One has JS blocked, the other allowed. Both must use different profile folders. KM can be set to ask at startup which of several profiles shall be started (Edit > Manage Profiles > Ask). The commandline for starting parallel sessions needs a parameter " -new" added at the end (e.g. desktop link with "c:/programs/K-Meleon76/kmeleon.exe -new")
Edited 6 time(s). Last edit at 07/08/2018 07:38PM by siria.
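
The lookup rules summarised in the post above, as an added example (not part of the original post, and not Mozilla or K-Meleon code): a simplified JavaScript model in which exceptions are matched on the host a resource comes from, and a frame's own loads are judged against the frame's host. The function names, the settings object layout and the two-label same-site test are assumptions made for illustration.

```javascript
// Simplified model of the behaviour described in the post; not browser code.
const ALLOW = "allow", SITE = "site", DENY = "deny";

// Assumption: "same site" is approximated by comparing the last two host labels.
const site = (host) => host.split(".").slice(-2).join(".");

// prefs: { javascriptEnabled, defaults: {type: policy}, exceptions: {host: {type: policy}} }
// req:   { type, sourceHost, documentHost, inline }
//   sourceHost   = host the resource is served FROM
//   documentHost = host of the page or frame that requests it
function decide(prefs, req) {
  if (req.type === "script" && !prefs.javascriptEnabled) return false; // pref 1 has priority
  if (req.inline) return true; // inline code and DOM events are not covered by pref 2
  // Exceptions are looked up by the SOURCE host, not the host shown in the URL bar.
  const exc = prefs.exceptions[req.sourceHost];
  const policy = (exc && exc[req.type]) || prefs.defaults[req.type] || ALLOW;
  if (policy === ALLOW) return true;
  if (policy === DENY) return false;
  return site(req.sourceHost) === site(req.documentHost); // SITE: no third party
}

// The frame is a subdocument of the page; its own loads are judged against the frame's host.
function decideInFrame(prefs, pageHost, frameHost, req) {
  const frame = { type: "subdocument", sourceHost: frameHost, documentHost: pageHost };
  return decide(prefs, frame) && decide(prefs, { ...req, documentHost: frameHost });
}

// Constructed settings mirroring the post's examples.
const base = { javascriptEnabled: true, defaults: {}, exceptions: {} };
const thumb = { type: "image", sourceHost: "pbs.twimg.com", documentHost: "mobile.twitter.com" };
const css = { type: "stylesheet", sourceHost: "kmeleonbrowser.org" };
const file = { type: "script", sourceHost: "xahlee.info", documentHost: "xahlee.info" };

function demo() {
  const no3rdCss = { ...base, defaults: { stylesheet: SITE } };
  const noFiles = { ...base, defaults: { script: DENY } };
  return {
    blacklistTarget: decide({ ...base, exceptions: { "mobile.twitter.com": { image: DENY } } }, thumb),
    blacklistSource: decide({ ...base, exceptions: { "pbs.twimg.com": { image: DENY } } }, thumb),
    frameStyleLoads: decideInFrame(no3rdCss, "www.w3schools.com", "kmeleonbrowser.org", css),
    frameShutOut: decideInFrame({ ...base, defaults: { stylesheet: SITE, subdocument: SITE } },
      "www.w3schools.com", "kmeleonbrowser.org", css),
    inlineStillRuns: decide(noFiles, { ...file, inline: true }),
    fileBlocked: decide(noFiles, file),
    fileWhitelisted: decide({ ...noFiles, exceptions: { "xahlee.info": { script: ALLOW } } }, file),
    masterSwitchOff: decide({ ...base, javascriptEnabled: false }, { ...file, inline: true }),
  };
}
console.log(demo());
```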