XHR/JS...Objects.. NoScript and uBo. Help me understand
XHR/JS...Objects.. NoScript and uBo. Help me understand
Some sites with uBO when blocking 3rd party scripts and frames (but allowing 1st party scripts), allow 3rd party scripts. NoScript does not. I have seen this before in comparing uMatrix with NS awhile back. Things like fonts and buttons get through with UB, but not with NS.
My curiosity is peaked by the domain graph.facebook.com on Wired.com. When using NS, that XHR/JS object never connects with FB when allowing wired.com but blocking 3rd party scripts. With uBO, blocking all frames, 3rd party scripts, and inline scripts allows the FB domain connection, as well as the script.
http://www.wired.com/2015/11/david-burd ... ell-apart/
What is happening here? What is the fundamental difference that allows the FB script in uBO, as compared to NS? is it trivial? I can appreciate that here, none may speak for UB, and if that is the case, then how does NS so effectively handle these 'objects.'
My curiosity is peaked by the domain graph.facebook.com on Wired.com. When using NS, that XHR/JS object never connects with FB when allowing wired.com but blocking 3rd party scripts. With uBO, blocking all frames, 3rd party scripts, and inline scripts allows the FB domain connection, as well as the script.
http://www.wired.com/2015/11/david-burd ... ell-apart/
What is happening here? What is the fundamental difference that allows the FB script in uBO, as compared to NS? is it trivial? I can appreciate that here, none may speak for UB, and if that is the case, then how does NS so effectively handle these 'objects.'
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
What is uBO and what is UB? Sounds from your description like they're both not working at all. If this is really the case I would suggest you remove them and look for alternatives that work.
Please note that µMatrix is not a NoScript equivalent by any means, the two tools are mostly orthogonal in purpose and functionality, the only real overlap being µMatrix's ability to block scripts. NoScript uses its script permissions to determine much more about a site than just whether or not to allow scripts - including XHR permission, strictness of XSS filtering, and embeddings permissions, among other things.
Why not just run NoScript concurrently with µMatrix, let NoScript manage all the script blocking, and leave it at that? viewtopic.php?f=18&t=20815
Also as to µMatrix I think you might have been misunderstanding it. NoScript blocks various objects and embeddings as well as scripts, depending on its configuration the "Allow" (and "Temporarily allow") permission may apply to several things. Did you set µMatrix to block ALL of the same types of embeddings etc as you had NoScript set up to block, and that both tools can block?
Please note that µMatrix is not a NoScript equivalent by any means, the two tools are mostly orthogonal in purpose and functionality, the only real overlap being µMatrix's ability to block scripts. NoScript uses its script permissions to determine much more about a site than just whether or not to allow scripts - including XHR permission, strictness of XSS filtering, and embeddings permissions, among other things.
Why not just run NoScript concurrently with µMatrix, let NoScript manage all the script blocking, and leave it at that? viewtopic.php?f=18&t=20815
Also as to µMatrix I think you might have been misunderstanding it. NoScript blocks various objects and embeddings as well as scripts, depending on its configuration the "Allow" (and "Temporarily allow") permission may apply to several things. Did you set µMatrix to block ALL of the same types of embeddings etc as you had NoScript set up to block, and that both tools can block?
*Always* check the changelogs BEFORE updating that important software!
-
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
UBlock Origin. It worked. But not with FB and the link given.barbaz wrote:What is uBO and what is UB? Sounds from your description like they're both not working at all. If this is really the case I would suggest you remove them and look for alternatives that work.
Yes, that was the purpose of the inquiry... uBO (uBlock Origin) not blocking scripts..... the only real overlap being µMatrix's ability to block scripts
Thx, how so?NoScript uses its script permissions to determine much more about a site than just whether or not to allow scripts - including XHR permission, strictness of XSS filtering, and embeddings permissions, among other things.
Define embeddings please. I set up both add-ons to block 3rd party scripts, frames.Did you set µMatrix to block ALL of the same types of embeddings etc as you had NoScript set up to block, and that both tools can block?
Last edited by barbaz on Sat Nov 07, 2015 5:23 am, edited 1 time in total.
Reason: fix typo in quote tags
Reason: fix typo in quote tags
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
Oh. I've never tried out any flavour of ublock, I don't see the point given how I have set myself up with my personal fork of Adblock Plus. I can't help out with ublock specifics, sorry. (Anyone on forum staff use ublock?)pbc wrote:UBlock Origin. It worked. But not with FB and the link given.
Please post the exact custom filters you're using and which filter subscriptions you have, in case it's a filters issue and not a ublock issue.
Can you clarify this question please?pbc wrote:Thx, how so?NoScript uses its script permissions to determine much more about a site than just whether or not to allow scripts - including XHR permission, strictness of XSS filtering, and embeddings permissions, among other things.
Are you asking about NoScript internals? If so, why ask - it's open source...
By Embeddings I mean the stuff listed under NoScript Options > Embeddings. So yeah that's maybe not enough.pbc wrote:Define embeddings please. I set up both add-ons to block 3rd party scripts, frames.
*Always* check the changelogs BEFORE updating that important software!
-
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
Then this will be moved to Web Tech as it's not really about NoScript.pbc wrote:Yes, that was the purpose of the inquiry... uBO (uBlock Origin) not blocking scripts.
*Always* check the changelogs BEFORE updating that important software!
-
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
That is incorrect: when blocking 3rd-party scripts everywhere, scripts from Facebook are not loaded when visiting Wired.pbc wrote:With uBO, blocking all frames, 3rd party scripts, and inline scripts allows the FB domain connection, as well as the script.
What exactly led you to your conclusion? Also, why would you not open an issue on the GitHub project if you think there is something wrong with uBlock Origin? I am quite sceptical about what you are trying to achieve here.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
@gorhill: Thank you for chiming in regarding ublock specifics.
We don't yet know if they're using subscriptions that are whitelisting the items they want to block. For example, there are a lot of Facebook domain whitelists in the Easy project's lists...
We don't yet know if they're using subscriptions that are whitelisting the items they want to block. For example, there are a lot of Facebook domain whitelists in the Easy project's lists...
*Always* check the changelogs BEFORE updating that important software!
-
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
Thisgorhill wrote:That is incorrect: when blocking 3rd-party scripts everywhere, scripts from Facebook are not loaded when visiting Wired.pbc wrote:With uBO, blocking all frames, 3rd party scripts, and inline scripts allows the FB domain connection, as well as the script.
What exactly led you to your conclusion?
vs this
Both add-ons are set to default (filters, etc). I just allow the 1st domain.
I have no obligation to register with Git-Hub. This is an old account used once or twice. Just looking for some answers. Is it an issue when allowing 1st party scripts only, that graph.facebook.com can run a script regardless?Also, why would you not open an issue on the GitHub project if you think there is something wrong with uBlock Origin? I am quite sceptical about what you are trying to achieve here.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
Please test the same version of Firefox in both cases. Otherwise it's not very meaningful as there could be an issue with ublock for Fx dev edition (either ublock bug or Fx bug) that is not present in release. Comparing apples to oranges, so to speak.
*Always* check the changelogs BEFORE updating that important software!
-
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
I have double checked it. It occurs with FF 41 and today with 42 32bit.barbaz wrote:Please test the same version of Firefox in both cases. Otherwise it's not very meaningful as there could be an issue with ublock for Fx dev edition (either ublock bug or Fx bug) that is not present in release. Comparing apples to oranges, so to speak.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
FF 42
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
Alright, I can't find the recipe for me to post an answer without tripping the spam filter. Issue opened here and my answer in it.pbc wrote:This
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
You can private message a moderator and we can try to post it for you. The spam filter can be very finicky about certain things.gorhill wrote:Alright, I can't find the recipe for me to post an answer without tripping the spam filter.
*Always* check the changelogs BEFORE updating that important software!
-
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
Sounds like you just answered your own question (emphasis mine).barbaz wrote:I've never tried out any flavour of ublock, I don't see the point given how I have set myself up with my personal fork of Adblock Plus. I can't help out with ublock specifics, sorry.
No, but you know what, from reading the wikis on uBlock Origin and uMatrix, I'm definitely curious. They sound like a good mix of RP - which was a great tool to have, unfortunately its future seems unclear - and ABP, which has been taken in unfortunate directions (eg styling everything out instead of blocking it) but introduced a great interface for managing specific page elements, plus valuable community-provided filter lists. And the u* tools have a strong emphasis on efficiency.(Anyone on forum staff use ublock?)
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Re: XHR/JS...Objects.. NoScript and uBo. Help me understand
Where are you getting that info?Thrawn wrote:ABP, which [...] (eg styling everything out instead of blocking it)
*Always* check the changelogs BEFORE updating that important software!
-