help me to understood ABE
Posted: Fri Jul 26, 2013 1:16 pm
by forecehh
Hi,
I added the rule sets below to the user rule set in ABE, to auto-allow ajax.googleapis.com and google.com
on google.com and deny from any other site,
but I still have to use the temporarily allow menu to allow them.
So I am not sure whether ABE is doing this job or I am wrong?
http://www.goal.com/en-us/news/1110/maj ... ID=HP_TN_6
Code:
Site .ajax.googleapis.com
Accept from .goal.com .ajax.googleapis.com
Deny
Site .google.com
Accept from .goal.com .google.com
Deny
Some suggestions:
When I export the whitelist I see my untrusted site is under the [UNTRUSTED] section.
Isn't it better and easier to add something to allow origin to destination?
Example:
Code:
[UNTRUSTED]
http://ajax.googleapis.com/
[ALLOWPERSITEUNTRUSTED]
goal.com|ajax.googleapis.com
So ajax.googleapis.com is blocked everywhere
but allowed on goal.com.
Also, some sites refresh themselves automatically. Is there any option in NoScript to block this automatic refresh on all sites?
If there is no option, can you please add that?
Thanks
Re: help me to understood ABE
Posted: Sun Jul 28, 2013 11:21 am
by kainee
Hi everyone,
I'd just like to support this request since I have a similar problem. After reading the forum sticky on site specific permissions and the ABE section in the FAQ and testing a bit I THINK I understand but I'm not sure I really do - and I don't want to punch a hole in noscript security by misunderstanding how ABE and the whitelist interact.
So am I correct in assuming that ABE rules apply to whitelisted (or temporarily allowed) sites ONLY? Meaning that using ABE rules I can specify more precisely on which sites a given domain in the whitelist can really be used and for which it will be denied DESPITE being in the whitelist?
I believe that is more or less a rephrasing of the above question in more general terms, but I may be missing something ...
Thank you for all the wonderful work you do and thank you for this great tool!
Best wishes,
kainee
p.s.: I do understand that section 8.10 of the faq is supposed to answer this question but I'm still confused - maybe because I'm not a native English speaker. Maybe because I'm over anxious to get it right 'cos I'm also preparing to hold a NoScript workshop. Or maybe I'm just dumb (but even if that's the case, it wouldn't be my fault but just the way I am, so maybe someone could still enlighten me)
Re: help me to understood ABE
Posted: Sun Jul 28, 2013 10:47 pm
by Ilya
kainee wrote:So am I correct in assuming that ABE rules apply to whitelisted (or temporarily allowed) sites ONLY? Meaning that using ABE rules I can specify more precisely on which sites a given domain in the whitelist can really be used and for which it will be denied DESPITE being in the whitelist?
The short answer is "no".
An extract from that very section 8.10 of the NoScript FAQ:
Notice that since ABE's rule work independently from NoScript's permissions [...]
Re: help me to understood ABE
Posted: Sun Jul 28, 2013 11:03 pm
by Thrawn
ABE is not about script-blocking at all. There is no interaction between them. ABE does not automatically whitelist anything, and it will apply to all sites, whitelisted or not.
The original purpose of ABE was to protect sensitive sites against fraudulent requests from other sites. The classic example is something like this:
Code:
Site .bank.com
Accept from SELF
Deny
So other sites you visit can't send requests to your bank telling it to transfer money to themselves.
If you want to use ABE for site-specific blocking, you certainly can, but you have to use it separately to regular whitelisting.
Usually, this means that you need to allow the site in the regular whitelist (otherwise it will be blocked everywhere), and then use an ABE rule to manage it. The googleapis rule at the start of this thread looks about right.
Code:
Site <the site I want to allow only at some places>
Accept from <list of sites where it should be allowed>
Deny
If this looks backward, that's because it was designed to protect 'Site' from cross-site requests.
Effectively, the rule at the start of this thread tells ABE that ajax.googleapis.com and google.com are sensitive, and that only themselves and goal.com should be allowed to access them.
Re: help me to understood ABE
Posted: Mon Jul 29, 2013 1:42 am
by kainee
Thanks for your replies - especially yours, Thrawn, was very clear and comprehensible and finally provided me with the information and understanding I was hoping for
Re: help me to understood ABE
Posted: Mon Jul 29, 2013 4:41 am
by Thrawn
kainee wrote:Thanks for your replies - especially yours, Thrawn, was very clear and comprehensible and finally provided me with the information and understanding I was hoping for
Thanks. That's what the support team is here to do.
Re: help me to understood ABE
Posted: Mon Jul 29, 2013 12:40 pm
by forecehh
Thank you very much, now I get how that works.
But what about my suggestion? Is it possible to add it?
Re: help me to understood ABE
Posted: Sun Sep 22, 2013 9:48 pm
by Thrawn
forecehh wrote:Thank you very much, now I get how that works.
But what about my suggestion? Is it possible to add it?
If you mean the suggestion to block automatic refreshes, that is already available under Options - Advanced - Untrusted. Firefox has a built-in setting for this too.
Re: help me to understood ABE
Posted: Tue Sep 24, 2013 5:06 pm
by forecehh
Thrawn wrote:
forecehh wrote:Thank you very much, now I get how that works.
But what about my suggestion? Is it possible to add it?
If you mean the suggestion to block automatic refreshes, that is already available under Options - Advanced - Untrusted. Firefox has a built-in setting for this too.
Thank you,
but what option in NoScript?
I am looking for you to add such a feature if it's not available in NoScript.
RefreshBlocker 0.8
https://addons.mozilla.org/en-US/firefo ... r/?src=api
I know that in some older versions NoScript could not block auto-refresh (RefreshBlocker can block it), but with the new version I'm not sure.
Example page:
http://www.physiology.wisc.edu/ravi/test/test9.html
Re: help me to understood ABE
Posted: Tue Sep 24, 2013 10:07 pm
by Thrawn
forecehh wrote:
but what option in NoScript?
I am looking for you to add such a feature if it's not available in NoScript.
NoScript can block refreshes using the META tag (which doesn't need JavaScript) on untrusted sites. Options menu, Advanced tab, Untrusted sub-tab, "Forbid META redirections inside <NOSCRIPT> elements".
Firefox can block some kinds of refreshes. In the Preferences dialog, choose Advanced tab, General sub-tab, "Warn me when websites try to redirect or reload the page".
Anything more than this is not part of NoScript (why would you need it for security?), so you need a different addon (like RefreshBlocker, as you mentioned).
Re: help me to understood ABE
Posted: Wed Sep 25, 2013 10:49 pm
by forecehh
Because since I see NoScript forbids everything, I wanted that too,
but if you don't add this, no problem.
Re: help me to understood ABE
Posted: Thu Jan 23, 2014 2:29 pm
by forecehh
OK,
I have one rule like this in the system rulesets:
Code:
Site .2o7.net .ix.e .e.cl .i.ua .u.pl .a.com .a.net .ad.hu .am.ru
Deny ALL from ALL
Then I have some rules in the user rulesets:
Code:
Site .tumblr.com .stumble-upon.com .stumbleupon.com .twitter.com .reddit.com .digg.com .yandex.st .yandex.ru .disqus.com .aol.com .ebay.com .yahoo.com .msn.com .godaddy.com .feedburner.com
Accept from .tumblr.com .stumble-upon.com .stumbleupon.com .twitter.com .reddit.com .digg.com .yandex.st .yandex.ru .disqus.com .aol.com .ebay.com .yahoo.com .msn.com .godaddy.com .feedburner.com
Deny
Code:
Site .google-analytics.com
Accept from .google-analytics.com
Deny
And all of the user ruleset is in the whitelisted scripts,
but I don't know where I'm wrong.
For example, I visit
script not allowed
every request is blocked until I temp-allow scripts for putlocker.com,
then in the Request policy log window I see this:
Code:
http://www.putlocker.com/cdn-cgi/pe/bag2?r[]=http%3A%2F%2Fwww.google-analytics.com%2Fga.js
http://www.putlocker.com/cdn-cgi/pe/bag2?r[]=http%3A%2F%2Fplatform.twitter.com%2Fwidgets.js
So what is it?
Re: help me to understood ABE
Posted: Thu Jan 23, 2014 7:56 pm
by Thrawn
I'm not sure I'm following you. What problems are you actually seeing?
The fact that all scripts are blocked on a page until you allow the top-level site is a normal part of script-blocking, not related to ABE.
Are there ABE-related messages in the Browser Console (Ctrl+Shift+J)?
Re: help me to understood ABE
Posted: Fri Jan 24, 2014 3:05 am
by forecehh
Look, I changed it and use this:
Code:
Site .twitter.com
Accept from .somesite.com
Deny
Site .google-analytics.com
Accept from .somesite.com
Deny
And from the FAQ I read that I must add them to the allowed scripts,
so google-analytics.com and twitter.com must be accepted from .somesite.com, right?
So when I go to .putlocker.com both are blocked,
but if I temp-allow .putlocker.com
I see both make requests. Is this normal?
Also, if I use the rule below, even if I temp-allow .putlocker.com it keeps blocking that:
Deny
Also look at this screenshot:
Code:
http://photoload.ru/data/8d/eb/fe/8debfe89ff4e816e85d96e401d37073d.png
Re: help me to understood ABE
Posted: Fri Jan 24, 2014 7:59 am
by Thrawn
If the requests aren't being sent when scripts from putlocker.com are blocked, then probably it's a piece of JavaScript that is sending them.
It's normal (although unfortunate) for sites to be broken when their scripts are blocked.
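Thrawn's description of how a Site / Accept from / Deny rule is evaluated, and the two logged URLs from the later posts, run through a simplified model. This is an added example, not part of the thread and not NoScript's own code; the function names are hypothetical, and only host patterns, SELF and ALL are modelled (methods, SELF+ and other ABE features are left out).

```javascript
// Simplified model of ABE rule evaluation (added example, not NoScript's code).
// ".example.com" matches the domain and its subdomains; SELF is modelled as
// "same hostname", which is narrower than the real same-origin check.
function hostMatches(pattern, host) {
  if (pattern === 'ALL') return true;
  if (pattern.startsWith('.')) return host === pattern.slice(1) || host.endsWith(pattern);
  return host === pattern;
}

// Parse "Site ... / Accept from ... / Deny" text into an ordered list of rulesets.
function parseRules(text) {
  const rulesets = [];
  for (const raw of text.split('\n')) {
    const words = raw.trim().split(/\s+/).filter(Boolean);
    if (words.length === 0) continue;
    if (words[0] === 'Site') {
      rulesets.push({ sites: words.slice(1), predicates: [] });
    } else if (rulesets.length > 0) {
      const fromIdx = words.indexOf('from');
      // A predicate without "from" (a bare "Deny") applies to every origin.
      const origins = fromIdx === -1 ? ['ALL'] : words.slice(fromIdx + 1);
      rulesets[rulesets.length - 1].predicates.push({ action: words[0], origins });
    }
  }
  return rulesets;
}

// Rulesets are tried in order. Only those whose Site matches the request's
// DESTINATION are considered; the first predicate matching the ORIGIN decides.
function evaluate(rulesets, originUrl, destUrl) {
  const origin = new URL(originUrl).hostname;
  const dest = new URL(destUrl).hostname;
  for (const rs of rulesets) {
    if (!rs.sites.some((p) => hostMatches(p, dest))) continue;
    for (const pred of rs.predicates) {
      const hit = pred.origins.some((p) =>
        p === 'SELF' ? origin === dest : hostMatches(p, origin));
      if (hit) return pred.action;
    }
  }
  return 'no match'; // ABE has no opinion; script blocking is a separate layer
}

// Two rules quoted from the thread (first post and the Jan 24, 2014 post).
const RULES = parseRules(`
Site .ajax.googleapis.com
Accept from .goal.com .ajax.googleapis.com
Deny
Site .google-analytics.com
Accept from .somesite.com
Deny`);
```

In this model the logged `/cdn-cgi/pe/bag2` requests have www.putlocker.com as their destination host, so neither Site line matches them, while a direct request from putlocker.com to www.google-analytics.com is denied.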