The option is in NoScript’s preferences, under
Options > Advanced > HTTPS > Permissions. As long as the global block is on (which it is by default), I found that setting the drop-down menu, “Forbid active web content unless it comes from a secure HTTPS connection” actually works best when set to “Never”—or if you’re a frequent Tor user, to “When using a proxy”. 1This setting is pretty counter-intuitive to me, but if it is set to “Always” I experienced some funny interactions with manual permission changes. Then the checkbox below, “Allow HTTPS scripts globally on HTTPS documents”, should be checked.
|↑1||This setting is pretty counter-intuitive to me, but if it is set to “Always” I experienced some funny interactions with manual permission changes.|