Powerful extension worthy of a look (very long).

Aerik
Junior Member
Posts: 40
Joined: Fri Mar 20, 2009 5:24 pm

Post by Aerik »

I rate 4 firefox extensions as the most vital tools for security and convenience: NoScript, Adblock Plus, Request Policy, and the much lesser known ExExceptions.

About the extension:

This addon does nothing more than give you an editor for the firefox 3.* permissions.sqlite file with import/export capability. When you go to tools > options > content and set what sites you want to allow images on, it places a line in the permissions.sqlite file. Same thing with the cookie preferences, and even the list of websites on which you want to allow installation of addons.

As it turns out, this sqlite file can be used to control 12 other permission types in the exact same way. A single permission is just one line in the file, with three space-separated values, naming the domain, the attribute you want to set, and an integer of 0, 1, or 2.

Exexceptions just brings it all together in the same easy-to-grasp window. The file itself is in hex, so in fact exexceptions is an xml (xul?)-based hex editor.

You can also use this extension as a powerful way to control where you can go, what sites are allowed to do, and even change tab behavior a bit. You'll find that the 15 attributes you can control match the names of the html filter types in adblock plus exactly. They are derived from the permissions file.

To install:

Go to Addons.mozilla.org and find "exexceptions." -- the version compatibility tag is out of date, so you'll need to go into about:config and set extensions.checkCompatibility to "false" to get it to install. Or if that doesn't work, install "nightly tester tools," restart firefox, then install "exexceptions."

Basic usage:

For a basic example of what this extension can lightly be used for, here is some advice I just gave to a user who was asking about the pesky redirection from/to cpalead:
Aerik wrote:
If you want to be able to click an ad or watch a video that would take you to cpalead.com if a script is blocked, but not visit that site, create a value for cpalead.com and mark the "document" attribute as "deny". Click "set" and you're done. You will never be able to actually 'visit' cpalead.com, nor will you be able to use "save link as" for a url matching cpalead.com. You should also do the same for cpalock.com and adscendmedia.com, which are synonymous with cpalead. Also set the attribute "popup" to "deny." Even if the site manages to hit you with a popup, it'll be a blank, inactive, harmless window you can close.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 BetterPrivacy-1.47 Firefox/3.6
Aerik
Junior Member
Posts: 40
Joined: Fri Mar 20, 2009 5:24 pm

Re: Powerful extension worthy of a look (very long).

Post by Aerik »

I told you this would be long. I'm getting xss false positives trying to post this multi-post tutorial.

The 15 attributes exexceptions can control match precisely the same things that adblock plus does with its html filters, plus 4 more.

cookie -- install -- image -- popup -- script

document -- dtd -- object -- object_subrequest -- ping

refresh -- stylesheet -- subdocument (frame) -- xbl -- xmlhttp(XHR)

All but the attribute "cookie" have the same 4 options:

1) null -- nothing is written to the permissions.sqlite file. The behavior is as default.

2) allow -- objects from that domain will

3) site -- images/whatever from the domain will only be allowed/loaded when actually at that domain.

4) Deny -- objects/images/whatever from the domain will never load.

These settings can interact, however, depending on how they are used on parent domains versus subdomains. For example, if cpalead reads document:deny but www.cpalead.com reads document:allow, then that subdomain's "allow" overrides the parent's "deny". I leave it to you how best to use these properties, but I'd be glad to help when a situation is particularly frustrating.

The odd attribute is that of "cookies." Its options are null, session, and deny. If set to null, then the cookie settings for that domain operate as instructed by your global browser settings, which you set in tools > options > privacy. If set to "session," then the cookie is deleted when a session is ended or deleted. If set to "deny" then cookies are denied. The overlapping of parent/sub domain rulesets applies. Cookie-controlling extensions are an unknown factor for me.

A note on the stylesheet and script attributes: setting stylesheet to "deny" only blocks linked stylesheets; it does not block inline CSS. The same goes with javascript. Linked sheets will be blocked, inline javascript will not.

--------------

!! An interesting thing about exexceptions and the permissions.sqlite file is that Top Level Domains (TLDs) are usable. You can create a ruleset for "com" (minus the quotes) and any domain matching .com (e.g., informaction.com, cpalead.com, microsoft.com, etc) will abide by that ruleset.

It even applies to IP addresses, and here it's even more fascinating. If you create a ruleset for "1" then any IP ending with .1 will abide by that ruleset. 127.0.0.1, 198.162.0.1, whatever.

If you create a ruleset for 0.1, then IP addresses matching *.*.0.1 abide by the set. And so on and so forth, to 4 decimals.

BUT THEN, you can do it from the other direction. Create a ruleset for 127. with that decimal there, then any IP matching 127.*.*.* abides by the ruleset. A ruleset mapped to 127.0. will control addresses matching 127.0.*.* - and so on up to 4 decimals.

The advantages are many (such as localhost blocking), and the complications many more. Remind yourself to K.I.S.S.-- Keep It Simple, Stupid!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 BetterPrivacy-1.47 Firefox/3.6
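The matching and override behaviour described in the post above (TLD keys, trailing and leading IP keys, a subdomain rule overriding its parent), modelled as an added example; this is not code from ExExceptions or Firefox. The rulesets are constructed, `candidateKeys` and `resolve` are hypothetical names, and the order in which trailing and leading IP keys of equal length are tried is an assumption, since the post does not state it.

```javascript
// Constructed rulesets in the thread's vocabulary: key -> { attribute: setting }.
const RULES = new Map([
  ["com",             { popup: "deny", xmlhttp: "deny" }],
  ["cpalead.com",     { document: "deny" }],
  ["www.cpalead.com", { document: "allow" }],
  ["1",               { script: "deny" }],   // any IP ending in .1
  ["127.",            { image: "deny" }],    // any IP matching 127.*.*.*
  ["127.0.0.1",       { image: "allow" }],
]);

const isIPv4 = (host) => /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
const has = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);

// Every ruleset key that could apply to `host`, most specific first.
function candidateKeys(host) {
  const labels = host.toLowerCase().split(".");
  const keys = [];
  for (let n = labels.length; n >= 1; n--) {
    // Trailing labels: "www.cpalead.com", "cpalead.com", "com" (or "0.0.1", "0.1", "1").
    keys.push(labels.slice(labels.length - n).join("."));
    // Leading octets, IPs only, written with the trailing dot: "127.0.0.", "127.0.", "127."
    // Assumption: at equal length the trailing key is tried before the leading key.
    if (isIPv4(host) && n < labels.length) {
      keys.push(labels.slice(0, n).join(".") + ".");
    }
  }
  return keys;
}

// Report every ruleset that sets `attribute` for `host`.
// The first hit decides; the remaining hits are the broader rules it overrides.
function resolve(rules, host, attribute) {
  const hits = candidateKeys(host)
    .filter((key) => rules.has(key) && has(rules.get(key), attribute))
    .map((key) => ({ key, setting: rules.get(key)[attribute] }));
  return {
    setting: hits.length ? hits[0].setting : null, // null = browser default applies
    decidedBy: hits.length ? hits[0].key : null,
    overridden: hits.slice(1).map((h) => h.key),
  };
}
```

The `overridden` list is the part worth checking before adding a broad TLD or partial-IP ruleset: it shows which wide "deny" entries a narrower "allow" silently defeats.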
Aerik
Junior Member
Posts: 40
Joined: Fri Mar 20, 2009 5:24 pm

Re: Powerful extension worthy of a look (very long).

Post by Aerik »

I got a "topic is locked" error earlier when I wanted to make this final post. I must be driving a moderator/admin up the wall. Sorry.

On the DOCUMENT attribute

It is by far the most interesting, in my opinion, and the one you will probably end up using the most, for sites such as cpalead/cpalock, or even firefox extensions that force you to visit their homepage upon updates (as noscript used to do with no opt-out).

It's interesting when you set a domain to "site." Just fascinating, really. If you are on A.com and click on a link to B.com, and you have set B.com to document:site, then that tab will open with a blank page, with the url to B.com sitting in the address bar, the page having never been loaded.

If you are on A.com and click a new tab to another page also on A.com, and you have A.com set to document:site, then the tab will open and load as normal.

In short, the "document:site" rule changes tab behavior so that domains can only open active tabs from sameorigin. It's kind of a sameorigin policy. Kinda.

The only major drawback to Exexceptions:

If you use a program such as Spybot Search&Destroy or SpywareBlaster, then you will run into trouble. These sites add "passive protection" to firefox by adding hundreds of permissions settings to firefox, for images, cookies, installation permissions, and sometimes even popups.

When your permissions.sqlite gets past a certain filesize, exexceptions begins to load slower and slower. It is the classical definition of firefox bloat that users used to complain about. Especially in the case of spybot, if you have the passive protection enabled, exexceptions will take minutes to load, and lock up your browser while you're waiting. It's predictable that it would make you angry.

My advice to you then is not to use the passive protection from programs like spybot and spywareblaster. Instead, create some safety rulesets for top level domains, and then be more specific with domains you visit often, and sites you think are risky, and/or sites you want to adblock forever.

The most frequently used TLDs for citizens of the United States, for example, would be com, net, org, info, us, ca, uk, & au. For each of these TLDs, then, create a ruleset with the following attributes set to "deny" : cookie, install, popup, dtd, ping, refresh, subdocument, xbl, xmlhttp

The lines will look like this:

com x x - x - - x - - x x - x x x

net x x - x - - x - - x x - x x x

127.0.0.1 x x x x x x x x x x x x x x x

Then for domains you want to be more specific for, create additional rulesets.

--

That's it! That's the quick and dirty how-to for exexceptions. Remember to try to keep it small and precise.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 BetterPrivacy-1.47 Firefox/3.6
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Powerful extension worthy of a look (very long).

Post by Alan Baxter »

Aerik wrote:
I got a "topic is locked" error earlier when I wanted to make this final post. I must be driving a moderator/admin up the wall. Sorry.

No problem. You posted this topic twice. I locked the duplicate. (But accidentally locked this one first and then unlocked it.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Powerful extension worthy of a look (very long).

Post by Giorgio Maone »

Deleted the duplicate. @Aerik: thanks for sharing this info.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6