Allow .ajax.googleapis.com on multiple sites

Discussions about the Application Boundaries Enforcer (ABE) module
adder

Allow .ajax.googleapis.com on multiple sites

Post by adder »

Suppose I want to allow scripts from .ajax.googleapis.com on multiple sites (e.g. site1.com and site2.com). The rules I came up with are

Code:

Site .site1.com
Accept from .site1.com .ajax.googleapis.com
Deny

Site .site2.com
Accept from .site2.com .ajax.googleapis.com
Deny

I thought about shrinking it to

Code:

Site .site1.com .site2.com
Accept from .site1.com .site2.com .ajax.googleapis.com
Deny

but won't this also allow requests from site2.com when on site1.com and vice versa?

If so, it would be useful if ABE could be improved to allow a shorthand form like the following:

Code:

Site [.site1.com [.site2.com
Accept from .ajax.googleapis.com
Deny

where the leading [ symbol before a site URI would mean e.g. "on .site1.com accept from .site1.com and .ajax.googleapis.com" and "on .site2.com accept from .site2.com and .ajax.googleapis.com" BUT Deny site2.com on site1.com and Deny site1.com on site2.com.

A shorthand form like this would come in very useful for allowing scripts from popular sites like .ajax.googleapis.com on multiple sites, without allowing requests between the various sites themselves. It's tedious, and clutters up the rule list, to have to write a completely new rule just to allow scripts from a site like .ajax.googleapis.com.
Guest

Re: Allow .ajax.googleapis.com on multiple sites

Post by Guest »

After posting I read the following thread, which seems to say that I got it the wrong way round (in the same way WilliamBell did), i.e. the rule to allow scripts from .ajax.googleapis.com when browsing on site1.com and site2.com is:

Code:

Site .ajax.googleapis.com
Accept from .site1.com .site2.com .ajax.googleapis.com
Deny

And, you have to include .ajax.googleapis.com in the "Accept from" part, so that any resource pulled from .ajax.googleapis.com can itself request another resource from .ajax.googleapis.com. Is this correct?
adder

Re: Allow .ajax.googleapis.com on multiple sites

Post by adder »

If my revised rule/way of thinking is now correct, may I suggest adding a new example in the FAQ/PDF, like:

Code:

# Allow access to .ajax.googleapis.com from .site1.com or .site2.com or
# .ajax.googleapis.com, but Deny access to .ajax.googleapis.com from any other URL.
Site .ajax.googleapis.com
Accept from .site1.com .site2.com .ajax.googleapis.com
Deny
Thrawn

Re: Allow .ajax.googleapis.com on multiple sites

Post by Thrawn »

That rule does indeed look correct, and kudos for figuring it out :).

Whether to include it in the examples is up to Giorgio.
adder

Re: Allow .ajax.googleapis.com on multiple sites

Post by adder »

The confusion from the facebook example comes from the fact that the URIs are the same for both the Site and Accept from parameters. Having different URIs for each parameter, and a comment similar to the one in my example, makes it a lot clearer to someone who is trying to understand how it works.
Thrawn

Re: Allow .ajax.googleapis.com on multiple sites

Post by Thrawn »

I know.

My personal preference for making this clearer is to use a different word, like 'Request', as a replacement for 'Site'. To most people - and most of the time in NoScript - 'site' means 'the url in the address bar', but in ABE, almost always it is one of the third-party requests.

Script-blocking is oriented around the top-level 'site' (the address bar). But ABE is oriented around the third-party sites, because it is designed to prevent fraudulent requests from being sent to them (i.e. CSRF). Both use the term 'site', but the mindset is reversed, and that's often not apparent to novices, who assume that 'site' in ABE still means 'top-level site'.

Using a different term in ABE would (IMHO) help to reduce this confusion.
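As an added illustration of the point Thrawn makes above (in ABE, "Site" names the destination of a third-party request, and "from" names the page making it) and of the corrected rule confirmed earlier in the thread, here is a small Python model of ABE rule evaluation. It is an added example, not NoScript's code or anything posted in this thread, and it covers only the subset of the syntax used above (Site, Accept from, bare Deny, # comments). The evaluation semantics are an assumption modelled on how the thread describes ABE: a leading dot matches a host and its subdomains, the first matching action in a block wins, a block whose actions match no origin falls through, and a destination that no Site block governs is allowed. The hosts site1.com, site2.com and other.example are constructed sample values.

```python
# Added example, not code from NoScript/ABE or from any poster in this thread: a small
# model of ABE rule evaluation, covering only the subset of the syntax used above
# (Site, Accept from, bare Deny, # comments). Modelled semantics (an assumption based
# on the thread's description): "Site" patterns match the REQUEST DESTINATION, "from"
# patterns match the REQUESTING ORIGIN, a bare "Deny" matches any origin, the first
# matching action in a block wins, a block with no matching action falls through, and
# a destination matching no Site block is allowed. A leading dot ('.site1.com')
# matches the host itself and all of its subdomains.


def host_matches(pattern, host):
    """Return True if `host` matches an ABE-style host pattern."""
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def parse_rules(text):
    """Parse rule text into a list of (site_patterns, actions) blocks.

    Each action is (verb, origin_patterns); origin_patterns is None for a bare Deny/Accept.
    """
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        words = line.split()
        verb = words[0].lower()
        if verb == "site":
            current = (words[1:], [])
            blocks.append(current)
        elif verb in ("accept", "deny"):
            if current is None:
                raise ValueError(f"action before any Site line: {raw!r}")
            has_from = len(words) > 1 and words[1].lower() == "from"
            current[1].append((verb, words[2:] if has_from else None))
        else:
            raise ValueError(f"unsupported line in this model: {raw!r}")
    return blocks


def decide(blocks, origin, destination):
    """Return 'accept' or 'deny' for a request sent from `origin` to `destination`."""
    for site_patterns, actions in blocks:
        if not any(host_matches(p, destination) for p in site_patterns):
            continue                              # this block governs other destinations
        for verb, origins in actions:
            if origins is None or any(host_matches(p, origin) for p in origins):
                return verb                       # first matching action wins
    return "accept"                               # nothing governs it: ABE lets it through


# The two rule sets from the thread: the "shrunk" one the original poster worried
# about, and the corrected one confirmed later (sample hosts are constructed).
COMBINED_RULES = parse_rules("""
Site .site1.com .site2.com
Accept from .site1.com .site2.com .ajax.googleapis.com
Deny
""")

CORRECTED_RULES = parse_rules("""
# Allow access to .ajax.googleapis.com from .site1.com or .site2.com or
# .ajax.googleapis.com, but Deny access to .ajax.googleapis.com from any other URL.
Site .ajax.googleapis.com
Accept from .site1.com .site2.com .ajax.googleapis.com
Deny
""")


def thread_cases():
    """Evaluate the requests discussed in the thread under both rule sets."""
    return {
        # Combined rule: it governs requests TO site1/site2, so a site2 page may call
        # site1 (the cross-site request the poster feared), and it says nothing at all
        # about requests TO ajax.googleapis.com.
        "combined: site2 -> site1": decide(COMBINED_RULES, "www.site2.com", "site1.com"),
        "combined: site1 -> googleapis": decide(COMBINED_RULES, "site1.com", "ajax.googleapis.com"),
        "combined: other -> site1": decide(COMBINED_RULES, "other.example", "site1.com"),
        # Corrected rule: governs requests TO ajax.googleapis.com only, including the
        # self-request case raised in the thread.
        "corrected: site1 -> googleapis": decide(CORRECTED_RULES, "www.site1.com", "ajax.googleapis.com"),
        "corrected: googleapis -> googleapis": decide(CORRECTED_RULES, "ajax.googleapis.com", "ajax.googleapis.com"),
        "corrected: other -> googleapis": decide(CORRECTED_RULES, "other.example", "ajax.googleapis.com"),
        "corrected: site2 -> site1": decide(CORRECTED_RULES, "site2.com", "site1.com"),
    }


if __name__ == "__main__":
    for case, verdict in thread_cases().items():
        print(f"{case:40s} {verdict}")
```

Running it shows why the combined rule does not do what the original poster wanted: with site1/site2 as the "Site", the block governs requests arriving at those two sites and lets site2 pages reach site1, while requests to ajax.googleapis.com are never examined. The corrected rule governs only the destination that matters, ajax.googleapis.com, accepts it from the two sites and from itself, and denies every other origin; requests between site1 and site2 are simply left to whatever other rules exist.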