The heart of ScriptSafe is its domain lists, which consist of a whitelist and a blacklist.
Supported expressions include:
- * – match any characters that are not a period
- ? – match any single character
- **. – match an entire domain
Trusted/distrusted domains are identified by having two asterisks and a period (e.g. **.domain.com).
If two or more conflicting rules exist for the same domain in the whitelist and blacklist, the whitelist will take priority.
Some technical details on how ScriptSafe handles these expressions follow (they are converted to regular expressions). Read through the examples section for more clarity.
- The “www.” prefix is automatically handled (e.g. if domain.com is whitelisted, www.domain.com is inherently whitelisted)
- **. is replaced with: (?:.+\.|^) <= matching everything up until the specified domain (e.g. **.domain.com => (?:.+\.|^)domain.com)
- * is replaced with: [^.]+ <= matching any characters that are not a period
- ? is replaced with: . <= matches any single character
- IPv6 URLs must include square brackets (e.g. [2001:4860:0:2001::68])
Examples:
- cat.com – matches cat.com and www.cat.com
- cat?.com – matches cats.com, catt.com, and even cat5.com
- cat*.com – matches cats.com, catalogue.com, and even catsareawesome.com
- *.cat.com – matches www.cat.com, 123.cat.com, but not cat.com or ooo.a.cat.com
- cat?.c? – matches cats.ca, cats.co, cat5.ch
- ?at*.c* – matches catsssssssss.ca, catatonic.com, catering.com, but not cats.co.uk
- **.cat.com – matches cat.com, hello.cat.com, wheres.the.cat.com, and even this.is.a.cat.com
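The replacement rules and the whitelist-over-blacklist priority described above can be checked against a list before relying on it. The following is an added sketch, not ScriptSafe's own code: the function names, the sample lists, the escaping of literal characters, the anchoring to the whole hostname, case-insensitive matching and the optional "www." prefix are all assumptions made for the example.

```javascript
// Added example, not ScriptSafe's code. Assumptions: literal characters are
// regex-escaped, the pattern is anchored to the whole hostname, matching is
// case-insensitive, and "www." is handled as an optional prefix.
function patternToRegExp(pattern) {
  let body = '';
  for (let i = 0; i < pattern.length; ) {
    if (pattern.startsWith('**.', i)) {
      body += '(?:.+\\.|^)';  // any subdomain depth, or nothing at all
      i += 3;
    } else if (pattern[i] === '*') {
      body += '[^.]+';        // one or more characters, never a period
      i += 1;
    } else if (pattern[i] === '?') {
      body += '.';            // exactly one character (a period also fits)
      i += 1;
    } else {
      // Escape the rest so "." and "[...]" (IPv6 literals) match literally.
      body += pattern[i].replace(/[.+^${}()|[\]\\]/g, '\\$&');
      i += 1;
    }
  }
  return new RegExp('^(?:www\\.)?' + body + '$', 'i');
}

function matchesAny(host, patterns) {
  return patterns.some((p) => patternToRegExp(p).test(host));
}

// The whitelist wins when both lists contain a rule matching the host.
function classify(host, whitelist, blacklist) {
  if (matchesAny(host, whitelist)) return 'allow';
  if (matchesAny(host, blacklist)) return 'block';
  return 'unlisted';
}

// Constructed sample lists and hosts, for illustration only.
const whitelist = ['**.cat.com', '[2001:4860:0:2001::68]'];
const blacklist = ['*.cat.com', 'cat*.com'];
const hosts = ['hello.cat.com', 'cats.com', 'cats.example.com',
               '[2001:4860:0:2001::68]'];
for (const host of hosts) {
  console.log(host, '->', classify(host, whitelist, blacklist));
}
```

Because `*` never crosses a period, `cat*.com` covers `cats.com` but not `cats.example.com`; only `**.` spans multiple subdomain levels.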