Is there a "better NoScript" that makes more sense?

Joshua Judson Rosen rozzin at hackerposse.com
Fri Jan 22 12:18:42 EST 2021


I've been trying out NoScript in Firefox on one of my computers after having seen people recommend it for years,
and I'm finding that NoScript's whole permissions model just seems..., how do I put this nicely...:
stupid. Or maybe just `stupidly antiquated'?

Is there something better? More sensible? Let me explain my frustration with NoScript, first...:

While it does an OK-ish job of preventing the "some piece of javascript has decided to peg my CPU"
problem (but only OK-ish, because that problem really seems to be more due to bugs than malice in the JS code),
it seems to be largely useless as far as a `privacy tool'--which is weird, because most of the
NoScript advocacy seems to have come from self-styled privacy wonks.

To start with, it's whitelisting-only--so I can deny JS and some other permissions
*to everything by default*, and then whitelist some domains to let everything from them in.

Once something (JS loaded from a given site) is enabled, it's *enabled globally*--
there's no way of saying "I'm actually _generally_ OK with javascript but specifically want
to block this site because it's pegging my CPU [or whatever reasons]". The user has to just
accept the much more arduous path of specifically whitelisting `the whole world minus this one thing'.

There's no way to just "disable JavaScript [or whatever] in this container", or "disable it in this tab",
or "disable it for this site".

That last one sounds like an oxymoron--like, "what do you mean, once you've whitelisted a specific site
there's no way to de-whitelist that site?"..., but actually this takes us to the next issue:
that the "per-site whitelisting" is whitelisting of the sites
*from which separate/auxiliary (often third-party) resources are loaded*, not whitelisting of
the sites *that load those resources*.

Not only is it "whitelisting-only", the whitelist isn't even governing the right things.

So for example, if I ever want to use one of Google's websites, for example Google Meet
in my `Work' Firefox container, then I have to whitelist "google.com" as a source
of auxiliary JavaScript resources--and I have to do that *globally*, which means
that now every website out there trying to load a fragment from google.com
as part of a Google advertising-and-tracking campaign will now be allowed to do that.

There's no way to say "allow loading google.com trackers and scripts when I'm specifically
using a google.com website, but elsewise refuse cross-site loads of google.com resources
when I'm just using some random non-Google website that has no business making me send info to Google".

If I ever want to use any Google site, I'm stuck having to do the "disable NoScript entirely for this tab"
every time, or load it in an Incognito tab with the NoScript extension itself set to
`do not run in Incognito tabs at all' (which is a situation that has a bunch of other caveats itself).

And Google's just an example of when that situation is even easy to recognize;
a lot of sites load resources from something like "fjr88fghdjt92838ngjfhgg82hgjfdskg2388gg22sg.cloudfront.net"--
good luck figuring out what that even is or how many other sites might also be calling out to it.

There's a "Temp. TRUSTED" option, but that's `temporary' meaning `until the browser exits'
and is still completely global for the duration of the session AFAICT (it doesn't appear
to be per-tab, or per-container, or per-site, or per *anything* that I can identify).

In a WWW where practically every resource is loaded cross-site, and where both security
and privacy issues (and even `stability' and `usability' issues too!) can have as much to do
with the relationships and access-patterns *between* those sites and the user as
with the origin from which any *particular* resource is served..., this just
isn't making a lot of sense to me.

Is there a well-regarded Firefox extension out there that actually does
anything like I would have expected? Or is there something that's actually
already *in NoScript* that I'm somehow overlooking?

Or have I just gone completely mad?

-- 
Connect with me on the GNU social network: <https://status.hackerposse.com/rozzin>
Not on the network? Ask me for an invitation to a social hub!
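
The two permission models the message above contrasts (a whitelist keyed only on the origin a script is served from, versus one keyed on the pair of embedding page and script origin), as an added example that is not part of the original post and is not NoScript's or any other extension's code. It assumes a crude "registrable domain = last two DNS labels" heuristic for grouping hosts, a hypothetical rule syntax of `"<page> <source>"` keys with `*` wildcards and a stated precedence order, and constructed sample URLs; none of these come from the post or from any real tool.

```javascript
// Added example, not code from the original post, from NoScript or from any
// other extension: two toy policy models for the question "may this page
// load a script from that origin?". Model A keys only on the source origin,
// so a source trusted once is trusted on every page; Model B keys on the
// (page, source) pair, which is the kind of rule the post asks for.
// All URLs, rule names and the rule syntax below are constructed.

// Assumption: group hosts by their last two DNS labels. This is a crude
// stand-in for a public-suffix (eTLD+1) lookup; it misclassifies e.g. co.uk.
function site(urlString) {
  const host = new URL(urlString).hostname;
  return host.split(".").slice(-2).join(".");
}

// Model A: a Set of trusted source sites. The loading page is never consulted.
function sourceOnlyDecision(trustedSources, _pageUrl, resourceUrl) {
  // _pageUrl is deliberately unused: this model cannot express page context.
  return trustedSources.has(site(resourceUrl));
}

// Model B: rules are a Map from "<page> <source>" to "allow" or "deny", where
// either side may be "*". Precedence, most specific first:
//   exact pair > page-wide rule > source-wide rule > global rule.
// An unmatched request is denied, keeping the whitelist-only default.
function pairDecision(rules, pageUrl, resourceUrl) {
  const page = site(pageUrl);
  const src = site(resourceUrl);
  const candidates = [`${page} ${src}`, `${page} *`, `* ${src}`, "* *"];
  for (const key of candidates) {
    if (rules.has(key)) return rules.get(key) === "allow";
  }
  return false;
}

// Constructed sample requests (page doing the loading, resource being loaded).
const SAMPLE_REQUESTS = [
  // A Google page loading Google's own script: should be allowed.
  { page: "https://meet.google.com/abc-defg-hij", resource: "https://www.google.com/js/meet.js" },
  // A blog embedding a Google tracker: the post wants this refused.
  { page: "https://blog.example.com/post/1", resource: "https://www.google.com/js/analytics.js" },
  // An opaque CDN host nobody can identify: block it everywhere.
  { page: "https://news.example.org/", resource: "https://fjr88fghdjt92838ngjfhgg82hgjfdskg2388gg22sg.cloudfront.net/bundle.js" },
  // The news site's own first-party script: generally fine.
  { page: "https://news.example.org/", resource: "https://news.example.org/app.js" },
  // A page whose own JS pegs the CPU: switch JS off for that page only.
  { page: "https://cpu-hog.example.net/", resource: "https://cpu-hog.example.net/spin.js" },
];

// Model A configuration: the only way to use the Google page is to trust
// google.com, and that trust then applies on every page.
const TRUSTED_SOURCES = new Set(["google.com"]);

// Model B configuration: JavaScript generally allowed, Google scripts only on
// Google pages, the CDN host nowhere, and nothing at all on the CPU-hogging page.
const PAIR_RULES = new Map([
  ["* *", "allow"],
  ["google.com google.com", "allow"],
  ["* google.com", "deny"],
  ["* cloudfront.net", "deny"],
  ["example.net *", "deny"],
]);

// Evaluate every sample request under both models and return the decisions.
function compareModels() {
  return SAMPLE_REQUESTS.map(({ page, resource }) => ({
    page: site(page),
    source: site(resource),
    sourceOnly: sourceOnlyDecision(TRUSTED_SOURCES, page, resource),
    pair: pairDecision(PAIR_RULES, page, resource),
  }));
}

console.table(compareModels());
```

Run it with node. The table shows model A admitting the Google tracker on the blog, because the only thing it can see is that google.com is trusted, and refusing the news site's own script, because that site was never whitelisted; model B gets all five cases the way the post wants, with the exact-pair rule outranking the source-wide deny for google.com. The precedence order is a design choice, and a real implementation would also need a proper public-suffix list rather than the two-label heuristic.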


More information about the gnhlug-discuss mailing list