ScriptSafe

Sunday, August 14, 2011 @ 8:11 pm

This post is a quick walkthrough of the features of my Chrome extension, “ScriptSafe”: https://chrome.google.com/webstore/detail/oiigbmnaadbkfbmpbfijlflahbdbdgdf

ScriptSafe is quite feature-rich, so hopefully this walkthrough helps you set it up in the way that works best for you.

Just to clarify: ScriptSafe leverages the “beforeload” handler in Chrome, blocking SCRIPT, OBJECT, EMBED, IFRAME, FRAME, IMG elements before they are loaded (while APPLET, AUDIO, VIDEO, and NOSCRIPT are removed after the page has been loaded; this is a limitation in the Chrome API).

Recommendations:

  • leave all of the settings at their default values
  • “Trust” sites sparingly (only if absolutely necessary)
  • tick “Antisocial Mode” (not ticked by default); ticking this ensures that Facebook widgets/junk on non-Facebook domains are blocked even if you whitelist Facebook (not to mention other widgets, such as Twitter and Google +1).

Options Page:

Enable: pretty straightforward; dictates whether or not ScriptSafe is enabled

Default Mode: Block or Allow sites that you haven’t whitelisted or blacklisted (best-practice: if you decide to be brave and select Allow, I recommend ticking “Block Unwanted Content“; otherwise I’d recommend setting Default Mode to “Block“)

Disable and Remove: straightforward; tick the elements you want to block and remove

Block Unwanted Content: removes resources/elements from domains that are associated with spam, phishing, malware, and/or ads. Integrates MVPS HOSTS, hpHOSTS (ad / tracking servers), Peter Lowe’s HOSTS Project, MalwareDomainList.com, and DNS-BH – Malware Domain Blocklist.

Unwanted Content Mode: you get to choose “Relaxed” or “Strict“:

  • Relaxed: unwanted content will be blocked unless you have added the domain to your whitelist. In this mode, you will also be able to see the Whitelist/Blacklist/Bypass buttons in the tab options popup for domains that are in the unwanted content domains list. Note that these domains will differ from other domains by having “Blocked” instead of “Deny“.
  • Strict: unwanted content will be blocked even if whitelisted. In the tab options popup, you will not see the Whitelist/Blacklist/Bypass buttons for blocked domains that are classified as unwanted content providers.

Antisocial Mode: social widgets/buttons (e.g. Facebook Likes) will be removed, even if the domain has been whitelisted.

Remove Webbugs: removes “invisible” external, non-whitelisted iframe, embed, object, and img elements on sites

Block Click-Through Referrer: prevents your browser from sending referrer information when clicking on external, non-whitelisted sites (adds the rel="noreferrer" attribute to links that match the criteria of being external and non-whitelisted)
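A sketch of the link check described above, added here as an illustration and not taken from ScriptSafe's source. The function name `relForLink`, the `isWhitelisted` predicate, the hostname-based definition of "external" and the sample URLs are all assumptions.

```javascript
// Added illustration; not ScriptSafe's own code.
// isWhitelisted is a hypothetical predicate standing in for the whitelist lookup.

// Returns the rel value a link should carry after the referrer rule is applied.
function relForLink(href, currentRel, pageUrl, isWhitelisted) {
  let target;
  try {
    target = new URL(href, pageUrl); // resolves relative links against the page
  } catch (e) {
    return currentRel; // unparseable href: leave the link untouched
  }
  // Only http(s) navigations carry a Referer header; skip mailto:, javascript:, etc.
  if (target.protocol !== "http:" && target.protocol !== "https:") return currentRel;
  const pageHost = new URL(pageUrl).hostname;
  const external = target.hostname !== pageHost; // assumed meaning of "external"
  if (!external || isWhitelisted(target.hostname)) return currentRel;
  // Keep existing tokens (e.g. "nofollow") and do not add a duplicate.
  const tokens = currentRel.split(/\s+/).filter(Boolean);
  if (!tokens.some((t) => t.toLowerCase() === "noreferrer")) tokens.push("noreferrer");
  return tokens.join(" ");
}

// In a content script the result would be written back to each anchor, e.g.
//   a.rel = relForLink(a.getAttribute("href"), a.rel, location.href, isWhitelisted);

// Constructed sample page and links.
const page = "https://blog.site.test/post/1";
const trusted = (host) => host === "forums.domain.com";
function demo() {
  return [
    relForLink("/about", "", page, trusted),                         // same host
    relForLink("https://forums.domain.com/t/5", "", page, trusted),  // whitelisted
    relForLink("https://other.test/x", "nofollow", page, trusted),   // external
    relForLink("https://other.test/x", "noreferrer", page, trusted), // already set
    relForLink("mailto:a@other.test", "", page, trusted),            // not http(s)
  ];
}
```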

Page Link Opening Behaviour: here you can set how links on a page will always open (unchanged; same tab; new tab).

Respect Same-Domain: always allow same-domain elements and resources

Auto-Refresh Page: ticking this will automatically refresh the page you’re on after you’ve changed the settings for the page in the tab options popup (which is detailed in the next section)

Show Rating Button: adds a “Rating” button to the tab options popup, where if clicked, you will be brought to the Web of Trust page for the domain

Classic Options Mode: if this is ticked, once a change has been made in the tab options popup (below), the tab options popup will close automatically

Tab Options Popup:

Allow: adds the respective domain to the whitelist (will whitelist that domain only, e.g. forums.domain.com, NOT *.domain.com)

Trust: adds the entire top-level domain to the whitelist (*.domain.com)

Deny: adds the domain in question to the blacklist

Clear: removes the domain in question from the whitelist/blacklist

Temp.: temporarily bypasses/blocks the domain for the rest of the browser session (until the browser is closed or if you click on Temp. again to toggle the setting)

Allow All Blocked For Session (if Default Mode is “Block”) / Block All Allowed For Session (if Default Mode is “Allow”): temporarily bypasses/blocks all blocked/allowed domains for the rest of the browser session (until the browser is closed or if you click on Bypass / Temp. Block again for each individual domain to toggle the setting)

Rating: if this button is clicked, you will be brought to the Web of Trust page for the domain in question, where you can decide whether to block or allow the domain (if needed)
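How Allow, Trust and Deny entries combine with Default Mode, Unwanted Content Mode and Respect Same-Domain can be modelled as a single decision function. The following is an added example, not ScriptSafe's own code: the rule format, the evaluation order, the setting names and the sample domains are assumptions made for illustration.

```javascript
// Added illustration; not ScriptSafe's own code. Rule format and precedence are assumed.

// "Allow" stores an exact host ("forums.domain.com"); "Trust" stores "*.domain.com".
function matchesRule(host, rule) {
  if (rule.startsWith("*.")) {
    const base = rule.slice(2);
    // Require a label boundary so "*.domain.com" never matches "evildomain.com".
    // Assumption: a Trust entry also covers the bare domain itself.
    return host === base || host.endsWith("." + base);
  }
  return host === rule;
}

function inList(host, list) {
  return list.some((rule) => matchesRule(host, rule));
}

// Returns "allow" or "block" for a resource host requested by a page.
function decide(resourceHost, pageHost, s) {
  const host = resourceHost.toLowerCase();
  const whitelisted = inList(host, s.whitelist);
  if (s.blockUnwanted && inList(host, s.unwantedDomains)) {
    // Strict: blocked even if whitelisted. Relaxed: the whitelist wins.
    if (s.unwantedMode === "strict" || !whitelisted) return "block";
  }
  if (inList(host, s.blacklist)) return "block"; // assumed: Deny beats Allow/Trust
  if (whitelisted) return "allow";
  if (s.respectSameDomain && host === pageHost.toLowerCase()) return "allow";
  return s.defaultMode === "allow" ? "allow" : "block";
}

// Constructed sample settings.
const settings = {
  defaultMode: "block",
  blockUnwanted: true,
  unwantedMode: "relaxed",
  respectSameDomain: true,
  whitelist: ["forums.domain.com", "*.example.org", "ads.tracker.test"],
  blacklist: ["cdn.example.org"],
  unwantedDomains: ["ads.tracker.test"],
};
```

With these sample settings, `www.domain.com` stays blocked because only `forums.domain.com` was allowed, which is the practical difference between Allow and Trust.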

Features:

  • number of blocked elements/resources shown in icon
  • hover over a line item to see what elements have been blocked for that domain
  • shows version number in the bottom-right corner
  • quick links to this post and Options for ScriptSafe
  • if “Always Block Annoyances” is ticked, any blocked resources/elements will not have the usual “Allow/Deny/Bypass” options
  • if you bypass/temp. block a domain which has been whitelisted/blacklisted before, once you “untoggle” it, it will revert back to its original whitelist/blacklist setting