Giorgio Maone wrote:...
On the other hand, ABE is not meant as a generic blocker, especially for scripts: its scope is CSRF prevention.
Specifically, trying to block 3rd party scripts with ABE does work (the scripts are blocked), but you may end with the page not finishing loading because it misses the "script loaded" notification.
I'm trying to work around this limitation, but as I said for ABE's aim (CSRF prevention) it's not technically a bug, even though it's annoying if you try to stretch ABE usage outside its scope.
Giorgio, thanks for the solution. But based on your reply, in my *very* humble opinion, it would be better to keep the site-specific permissions policy and the CSRF-blocking separate. As you've said, "Do one thing, and do it well." NS is constantly doing more things, which is great, but let each of its functions do their one thing well and only. It does seem that it will get very messy -- for users, for support, for yourself -- if ABE is used for selective scripting permission. Please bring the security-critical ABE to completion, and *then* we will look forward to the convenience enhancement of site-specific permissions. IMHO. YMMV.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard