Discussion: Site Specific Permissions Policy

Bug reports and enhancement requests
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Discussion: Site Specific Permissions Policy

Post by al_9x » Mon Feb 07, 2011 4:55 pm

Giorgio Maone wrote:Still I can't understand how ABE doesn't suffice for a power user with this kind of needs.
Please name a policy which cannot currently be expressed by ABE grammar, in one or more chained rules.


I think I already explained it, but will try again. As sites/apps grow more complex (composed), they tend to require various cross site utility iframes and plugins for normal operation. So whereas you want maximum embedding blocking in general, for specific, trusted, frequently accessed sites, you need to loosen permissions for specific (types and locations) embeddings to avoid constant fiddling with temp permissions upon every visit.

ABE is not capable of loosening embedding permission, only tightening. If the default is to block everything even on trusted, which is what it should be, no abe rule can currently, AFAICT, express an exception to it. I am all for doing it in ABE, but to do it at all and in a reasonably friendly manner, you would need something like this:

Code: Select all

Origin site1
Accept embedding(IFRAME, FLASH) to site2


Alternatives to "origin":

From site1
On site1
Last edited by al_9x on Mon Feb 07, 2011 5:12 pm, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

User avatar
Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Discussion: Site Specific Permissions Policy

Post by Giorgio Maone » Mon Feb 07, 2011 5:12 pm

For doing it the ABE way, uncheck NoScript Options|Embeddings|Apply these restrictions to trusted sites as well, and put the following at the bottom of your USER ABE ruleset:

Code: Select all

Site *
Deny INCLUSION(OBJ,SUBDOC)

Then you can insert your fine-grained exceptions before the deny rule:

Code: Select all

Site trusted-widgets.com
Accept from *

Site .youtube.com
Accept from .youtube.com .ytimg.com

Site .google.com
Accept from .google.com

and so on.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Discussion: Site Specific Permissions Policy

Post by al_9x » Mon Feb 07, 2011 5:25 pm

This "solution" is extremely unfriendly, it kills placeholders, the blocked objects menu, the embeddings icon feedback, requires fiddling with rules for every unblocking. This solution is more painful than the problem, no one is going to do this.

On the other hand this:

Code: Select all

On site1
Accept embedding(IFRAME, FLASH) to site2


is very intuitive and completely non-disruptive.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

User avatar
Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Discussion: Site Specific Permissions Policy

Post by Giorgio Maone » Mon Feb 07, 2011 5:32 pm

Placeholders and one-click permissions don't belong in ABE.

I believe your user-friendly use case would be better served by giving persistence to the current embedding allowance options (e.g. Allow shockwave-flash@widgets.com from site.com), which is coming as a side benefit of the E10s/Mobile porting project.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Discussion: Site Specific Permissions Policy

Post by al_9x » Mon Feb 07, 2011 6:13 pm

Giorgio Maone wrote:I believe your user-friendly use case would be better served by giving persistence to the current embedding allowance options (e.g. Allow shockwave-flash@widgets.com from site.com), which is coming as a side benefit of the E10s/Mobile porting project.


How do you plan to express the rules and persist them? It would be nice if they could be viewable and editable, and have some flexibility, which is why I suggested ABE-like syntax, which I thought would be more useful than a long space delimited string of rigid rules:

Code: Select all

noscript.persisted_embeddings_permissions="iframe@www.site1.invalid,www.site2.invalid application/x-shockwave-flash@www.site1.invalid,www.site2.invalid"
Last edited by al_9x on Mon Feb 07, 2011 6:37 pm, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Discussion: Site Specific Permissions Policy

Post by al_9x » Mon Feb 07, 2011 6:34 pm

Giorgio Maone wrote:Placeholders and one-click permissions don't belong in ABE.


True, ABE was intended for network request blocking, but is there any reason why it shouldn't be extended to also control other aspects of NS behavior? In fact, doesn't it do so already? The Sandbox action doesn't modify the request but instructs NS about the permissions of the retrieved page. Is that so different than rules for embedding permissions?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Discussion: Site Specific Permissions Policy

Post by dhouwn » Mon Feb 07, 2011 6:47 pm

al_9x wrote:but is there any reason why it shouldn't be extended to also control other aspects of NS behavior?
Maybe because the plan on making ABE into a separate extension (and preferably a slim one I would guess) still stands?

Giorgio, can you please confirm whether that's true?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b12pre) Gecko/20110206 Firefox/4.0b12pre

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: Discussion: Site Specific Permissions Policy

Post by tlu » Tue Mar 01, 2011 2:00 pm

Giorgio Maone wrote:Placeholders and one-click permissions don't belong in ABE.


And they don't need to, IMHO. For example, in the "Embeddings" tab I've checked "Apply these restrictions to whitelisted sites too" in order to mitigate java/flash related risks. This means, of course, that, e.g, java is blocked on whitelisted sites, and in the Noscript menu there is an entry "temporarily allow java-vm@..." under "Blocked objects" . Wouldn't it be a good idea to add an entry "always allow ..." for objects? I understand that this would result in several whitelists, but I think this would be an excellent improvement for advanced users who want to use this feature.

I believe your user-friendly use case would be better served by giving persistence to the current embedding allowance options (e.g. Allow shockwave-flash@widgets.com from site.com), which is coming as a side benefit of the E10s/Mobile porting project.


I'm sorry, but what is the E10/Mobile porting project?
Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110301 Firefox/4.0b13pre

User avatar
Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Discussion: Site Specific Permissions Policy

Post by Giorgio Maone » Tue Mar 01, 2011 2:05 pm

tlu wrote:I'm sorry, but what is the E10/Mobile porting project?

http://noscript.net/nsa/
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: Discussion: Site Specific Permissions Policy

Post by tlu » Tue Mar 01, 2011 2:33 pm

Giorgio Maone wrote:
tlu wrote:I'm sorry, but what is the E10/Mobile porting project?

http://noscript.net/nsa/


Ah, thanks - very interesting!
Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110301 Firefox/4.0b13pre

F-3000
Junior Member
Posts: 25
Joined: Sun Mar 06, 2011 12:36 pm
Location: Next to polarbear
Contact:

Re: Discussion: Site Specific Permissions Policy

Post by F-3000 » Sun Mar 06, 2011 12:52 pm

I must say that I hunger for option to "allow some site on some domain only (untrust elsewhere)". For example, I would like to have it so that facebook.com is allowed at that site, yet denied everywhere else. Two reasons: I don't trust them, and I don't like the FB "like this" crap. I wouldn't want to be backstabbed by something by permanently allowing it, only to find out later that it screwed me as 3rd party stuff.

If that feature appears quickly, I definitely would make a donation.
Mozilla/5.0 (X11; U; Linux i686; fi-FI; rv:1.9.2.14) Gecko/20110221 Ubuntu/9.10 (karmic) Firefox/3.6.14

User avatar
Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Discussion: Site Specific Permissions Policy

Post by Giorgio Maone » Sun Mar 06, 2011 1:22 pm

F-3000 wrote:I must say that I hunger for option to "allow some site on some domain only (untrust elsewhere)". For example, I would like to have it so that facebook.com is allowed at that site, yet denied everywhere else. Two reasons: I don't trust them, and I don't like the FB "like this" crap.

Did you actually check this FAQ first?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15

F-3000
Junior Member
Posts: 25
Joined: Sun Mar 06, 2011 12:36 pm
Location: Next to polarbear
Contact:

Re: Discussion: Site Specific Permissions Policy

Post by F-3000 » Sun Mar 06, 2011 1:32 pm

Giorgio Maone wrote:Did you actually check this FAQ first?

I didn't, thank you for pointing that out. Yet, I dearly hope that's not the final solution, because if it is, I invite YOU to teach my girlfriend how to use it. ;)

[EDIT]
Plus, it is very clumsy, and you keep getting those "Request {...} filtered by ABE <...> Deny" (raw translation) notifictations that appear every single time you browse on a site that triggers it.

I don't want to sound rude, I'm just pointing this out.

I would be very happy and utterly satisfied, if the "ABE"-way would be like: You could add permanent allow on specific site with a click or two as it is with current main-way of allow/deny, and it wouldn't produce those notifications - or at least you could control (like time limiting) them as you can do with the ordinary info-strip.

Then, I would use it as my main way of allowing/denying sites' javascript.

This question is a bit OOT, but I'm eager to have an answer to this: Is it better to have NoScript with "allow js to all" than no NoScript at all?
Mozilla/5.0 (X11; U; Linux i686; fi-FI; rv:1.9.2.14) Gecko/20110221 Ubuntu/9.10 (karmic) Firefox/3.6.14

dushanm
Posts: 1
Joined: Mon Jun 06, 2011 7:19 pm

tool-tip showing needed permission?

Post by dushanm » Mon Jun 06, 2011 7:36 pm

I'm using NoScript with Firefox under Mac OS X.6.5.

One thing I've found frustrating is not knowing which of possibly many blocked sites needs (or need) to be unblocked to access a particular link. Clicking on the NoScript Options button of the browser brings up a list of blocked sites for the page being viewed (and more frustratingly this is often a multi-nested list) but generally I have no clue which of these should be Allowed to let me get to the desired link.

If there's an NS Preferences option to reveal this information, I've not recognized it. Does such an option exist? If not, is it feasible to incorporate it into NoScript?

- Dushan
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: Discussion: Site Specific Permissions Policy

Post by tlu » Sat Jun 11, 2011 4:24 pm

al_9x wrote:This "solution" is extremely unfriendly, it kills placeholders, the blocked objects menu, the embeddings icon feedback, requires fiddling with rules for every unblocking. This solution is more painful than the problem, no one is going to do this.

On the other hand this:

Code: Select all

On site1
Accept embedding(IFRAME, FLASH) to site2


is very intuitive and completely non-disruptive.


As long as Noscript 3 isn't available yet, there is a workaround using AdblockPlus. If you want to block flash by default just add this custom filter:

swf|

In order to create a whitelist you just have to right-click the ABP symbol, chose the list of blockable items, select the rule that blocked flash on the respective site and create an exception rule. This is relatively easily done for the trusted sites which you visit regularly, like youtube. For any other sites where you would want to see flash videos, you could temporarily disable ABP by middle-clicking its symbol. If you replace above rule with

$object

any content handled by plugins is blocked, including java. However, ABP shows a snail for this rule indicating that it's slow/inefficient.

Again, this is only a temporary workaround which is probably a bit easier for many users than specific ABE rules.
Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Post Reply