Site ^https?://www\.deeplinkradio\.com/modules/mod_radioplayerjoomla-pro/muses\.swf#!flashvars#
Accept from .deeplinkradio.com
Deny
Site .deeplinkradio.com
Accept INCLUSION(OBJSUB)
Sandbox INCLUSION(OBJ, XHR)
But if I go to http://deeplinkradio.com (mirror of http://www.deeplinkradio.com), the Flash object from http://deeplinkradio.com is allowed where I would expect it to be sandboxed.
I'm not sure if this is a bug. Does ABE use DNS lookup to determine hosts, even if a site is specified by regexp? (My DNS says that the two hosts are the same.)
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22.1
ABE Rules Reference wrote:
Sandbox – sends the requests as it is, but disables JavaScript and other active content (e.g. plugin embeddings) in the landing page
"Landing page", which I used instead of just "document" (which could apply also to SVG or XHR-loaded XML documents, for instance) means a document loaded in an HTML/XUL renderer such as a window (more specifically, in a Gecko DocShell).
Thanks for explaining exactly what Sandbox does. (I'm assuming that iframes could be affected?)
However, changing that to Deny doesn't work either. Now this example isn't a serious problem because I do want to allow that object, but the concern is that it's happening without any action on my part to change the ABE rule.
Is there a better ruleset for restricting Flash objects from, say, site.com to one object only if it's being requested by site.com?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22.1
Another bug: on the latest Firefox 17 ESR (17.0.11 at the time of writing), the Accept INCLUSION(OBJSUB) line is being ignored, thus causing the last line of that ruleset (with the change to Deny) to block object subrequests to deeplinkradio and bork the online player. Upgrading Fx past 17 on this machine is not really an option as 18.0.2 is pretty insecure these days...
(No big deal since I mostly use latest SeaMonkey anyway, but still would be nice if this worked.)
Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
Fixed in latest development build 2.6.8.6rc2, thanks.
@barbaz distinct issues but same root cause: the increased asynchronicity of Gecko's networking caused some assumptions on code flows not to be generally valid anymore and therefore made ABE behave erratically under certain circumstances.
The issue originally reported here is fixed, thank you.
barbaz wrote: the Accept INCLUSION(OBJSUB) line is being ignored, thus causing the last line of that ruleset (with the change to Deny) to block object subrequests to deeplinkradio and bork the online player.
But now I'm getting this behavior on SeaMonkey 2.22.1...
Is this a ruleset issue or NoScript issue?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22.1
Site .deeplinkradio.com/modules/mod_radioplayerjoomla-pro/muses.swf*
Accept from .deeplinkradio.com
Deny
Site .deeplinkradio.com
Accept INCLUSION(OBJSUB)
Deny INCLUSION(OBJ, XHR)
make the player work fine for me on any Firefox >= 17, both on deeplinkradio.com and www.deeplinkradio.com.
The problem was the reference to flashvars at the end of the Site line. If I just end it with .swf all works as expected.
Why though?
Because the flashvars are not really part of the URL, and are just used by NoScript's plugin blocking machinery as a more specific key to selectively block/allow instances of the same content which possibly load different sub-content (movie players, typically, with different movies).
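The effect described in the last two posts, as an added example that is not part of the thread and not NoScript's code: a small checker that flags Site resources carrying the `#!flashvars#` key and shows which Site line a request falls through to. The matcher is a simplified model with assumed first-match semantics, and the request URL is constructed from the rules quoted above.

```javascript
// Simplified model of ABE "Site" matching, for illustration only (not NoScript's code).
const FLASHVARS_MARK = "#!flashvars#"; // key suffix seen in the first rule of this thread

// Rulesets as posted in the thread: the original one and the working one.
const BEFORE = String.raw`Site ^https?://www\.deeplinkradio\.com/modules/mod_radioplayerjoomla-pro/muses\.swf#!flashvars#
Accept from .deeplinkradio.com
Deny
Site .deeplinkradio.com
Accept INCLUSION(OBJSUB)
Sandbox INCLUSION(OBJ, XHR)`;
const AFTER = `Site .deeplinkradio.com/modules/mod_radioplayerjoomla-pro/muses.swf*
Accept from .deeplinkradio.com
Deny
Site .deeplinkradio.com
Accept INCLUSION(OBJSUB)
Deny INCLUSION(OBJ, XHR)`;

// Collect every Site line with its 1-based line number and whitespace-separated resources.
function siteLines(text) {
  return text.split("\n").flatMap((line, i) => {
    const m = line.trim().match(/^Site\s+(.+)$/);
    return m ? [{ line: i + 1, resources: m[1].split(/\s+/) }] : [];
  });
}

// Turn one resource into a RegExp: "^..." is a regex, ".host" covers the domain and its
// subdomains, "*" is a wildcard (assumed semantics, reduced to what these rules use).
function siteToRegExp(res) {
  if (res.startsWith("^")) return new RegExp(res);
  const esc = res.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  if (!res.startsWith(".")) return new RegExp("^" + esc + "$");
  return new RegExp("^https?://([^/]+\\.)?" + esc.slice(2) + (res.includes("/") ? "$" : "([:/]|$)"));
}

// Flag resources carrying the flashvars key: the requested URL never contains it.
function lintRuleset(text) {
  return siteLines(text).flatMap(s =>
    s.resources.filter(r => r.includes(FLASHVARS_MARK)).map(r => ({ line: s.line, resource: r })));
}

// Return the resources of the first Site line that matches the request URL, or null.
function firstMatchingSite(text, url) {
  const hit = siteLines(text).find(s => s.resources.some(r => siteToRegExp(r).test(url)));
  return hit ? hit.resources.join(" ") : null;
}

// Constructed request URL for the player object: no flashvars suffix.
const SWF = "http://www.deeplinkradio.com/modules/mod_radioplayerjoomla-pro/muses.swf";
console.log(lintRuleset(BEFORE), firstMatchingSite(BEFORE, SWF), firstMatchingSite(AFTER, SWF));
```

With the original ruleset the object-specific rule is skipped and the generic `.deeplinkradio.com` rule decides the request; with the working ruleset the specific rule matches on both host names.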