XHR/JS...Objects.. NoScript and uBo. Help me understand

[pbc]

Some sites with uBO when blocking 3rd party scripts and frames (but allowing 1st party scripts), allow 3rd party scripts. NoScript does not. I have seen this before in comparing uMatrix with NS awhile back. Things like fonts and buttons get through with UB, but not with NS.

My curiosity is peaked by the domain graph.facebook.com on Wired.com. When using NS, that XHR/JS object never connects with FB when allowing wired.com but blocking 3rd party scripts. With uBO, blocking all frames, 3rd party scripts, and inline scripts allows the FB domain connection, as well as the script.

http://www.wired.com/2015/11/david-burd ... ell-apart/

What is happening here? What is the fundamental difference that allows the FB script in uBO, as compared to NS? is it trivial? I can appreciate that here, none may speak for UB, and if that is the case, then how does NS so effectively handle these 'objects.'

[barbaz]

What is uBO and what is UB? Sounds from your description like they're both not working at all. If this is really the case I would suggest you remove them and look for alternatives that work.


Please note that µMatrix is not a NoScript equivalent by any means, the two tools are mostly orthogonal in purpose and functionality, the only real overlap being µMatrix's ability to block scripts. NoScript uses its script permissions to determine much more about a site than just whether or not to allow scripts - including XHR permission, strictness of XSS filtering, and embeddings permissions, among other things.

Why not just run NoScript concurrently with µMatrix, let NoScript manage all the script blocking, and leave it at that? viewtopic.php?f=18&t=20815


Also as to µMatrix I think you might have been misunderstanding it. NoScript blocks various objects and embeddings as well as scripts, depending on its configuration the "Allow" (and "Temporarily allow") permission may apply to several things. Did you set µMatrix to block ALL of the same types of embeddings etc as you had NoScript set up to block, and that both tools can block?

[pbc]

What is uBO and what is UB? Sounds from your description like they're both not working at all. If this is really the case I would suggest you remove them and look for alternatives that work.

UBlock Origin. It worked. But not with FB and the link given.

.... the only real overlap being µMatrix's ability to block scripts

Yes, that was the purpose of the inquiry... uBO (uBlock Origin) not blocking scripts.

NoScript uses its script permissions to determine much more about a site than just whether or not to allow scripts - including XHR permission, strictness of XSS filtering, and embeddings permissions, among other things.

Thx, how so?

Did you set µMatrix to block ALL of the same types of embeddings etc as you had NoScript set up to block, and that both tools can block?

Define embeddings please. I set up both add-ons to block 3rd party scripts, frames.

[barbaz]

UBlock Origin. It worked. But not with FB and the link given.

Oh. I've never tried out any flavour of ublock, I don't see the point given how I have set myself up with my personal fork of Adblock Plus. I can't help out with ublock specifics, sorry. (Anyone on forum staff use ublock?)

Please post the exact custom filters you're using and which filter subscriptions you have, in case it's a filters issue and not a ublock issue.

NoScript uses its script permissions to determine much more about a site than just whether or not to allow scripts - including XHR permission, strictness of XSS filtering, and embeddings permissions, among other things.

Thx, how so?

Can you clarify this question please?

Are you asking about NoScript internals? If so, why ask - it's open source...

Define embeddings please. I set up both add-ons to block 3rd party scripts, frames.

By Embeddings I mean the stuff listed under NoScript Options > Embeddings. So yeah that's maybe not enough.

[barbaz]

Yes, that was the purpose of the inquiry... uBO (uBlock Origin) not blocking scripts.

Then this will be moved to Web Tech as it's not really about NoScript.

[gorhill]

With uBO, blocking all frames, 3rd party scripts, and inline scripts allows the FB domain connection, as well as the script.

That is incorrect: when blocking 3rd-party scripts everywhere, scripts from Facebook are not loaded when visiting Wired.

What exactly led you to your conclusion? Also, why would you not open an issue on the GitHub project if you think there is something wrong with uBlock Origin? I am quite sceptical about what you are trying to achieve here.

[barbaz]

@gorhill: Thank you for chiming in regarding ublock specifics.


We don't yet know if they're using subscriptions that are whitelisting the items they want to block. For example, there are a lot of Facebook domain whitelists in the Easy project's lists...

[pbc]

With uBO, blocking all frames, 3rd party scripts, and inline scripts allows the FB domain connection, as well as the script.

That is incorrect: when blocking 3rd-party scripts everywhere, scripts from Facebook are not loaded when visiting Wired.

What exactly led you to your conclusion?

This



vs this



Both add-ons are set to default (filters, etc). I just allow the 1st domain.

Also, why would you not open an issue on the GitHub project if you think there is something wrong with uBlock Origin? I am quite sceptical about what you are trying to achieve here.

I have no obligation to register with Git-Hub. This is an old account used once or twice. Just looking for some answers. Is it an issue when allowing 1st party scripts only, that graph.facebook.com can run a script regardless?

[barbaz]

Please test the same version of Firefox in both cases. Otherwise it's not very meaningful as there could be an issue with ublock for Fx dev edition (either ublock bug or Fx bug) that is not present in release. Comparing apples to oranges, so to speak.

[pbc]

Please test the same version of Firefox in both cases. Otherwise it's not very meaningful as there could be an issue with ublock for Fx dev edition (either ublock bug or Fx bug) that is not present in release. Comparing apples to oranges, so to speak.

I have double checked it. It occurs with FF 41 and today with 42 32bit.

[pbc]

FF 42

[gorhill]

This

Alright, I can't find the recipe for me to post an answer without tripping the spam filter. Issue opened here and my answer in it.

[barbaz]

Alright, I can't find the recipe for me to post an answer without tripping the spam filter.

You can private message a moderator and we can try to post it for you. The spam filter can be very finicky about certain things.

[Thrawn]

I've never tried out any flavour of ublock, I don't see the point given how I have set myself up with my personal fork of Adblock Plus. I can't help out with ublock specifics, sorry.

Sounds like you just answered your own question (emphasis mine).

(Anyone on forum staff use ublock?)

No, but you know what, from reading the wikis on uBlock Origin and uMatrix, I'm definitely curious. They sound like a good mix of RP - which was a great tool to have, unfortunately its future seems unclear - and ABP, which has been taken in unfortunate directions (eg styling everything out instead of blocking it) but introduced a great interface for managing specific page elements, plus valuable community-provided filter lists. And the u* tools have a strong emphasis on efficiency.

[barbaz]

ABP, which [...] (eg styling everything out instead of blocking it)

Where are you getting that info?