
INC strangeness

Posted: Wed Feb 22, 2017 8:22 pm
by aberrometer
I've had some ABE rules for the big sites like Facebook, to keep all kinds of embedded stuff away from other websites. Here are my current rules for FB:

Code:

Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION

The INCLUSION used to have SCRIPT, OBJECT, SUBDOC with it, meaning the rule was almost identical with the example in the ABE documentation PDF. At some point - possibly when Firefox 51 came - embedded content from Facebook domains started to appear on non-Facebook pages. After some experimentation, it started to look like the only inclusion type that had any effect was OTHER, so I turned the Deny rule into a basic INCLUSION.

That alone isn't too bad (though of course having the earlier, more fine-grained control would be nice), but it turns out the Deny INCLUSION rule affects top-level loads too. Trying to follow a link into facebook.com just doesn't work, and the browser console shows that clicking the link triggered the Deny INCLUSION rule. The moz-nullprincipal: at least lets copy-pasting the address to the address bar work.

Now, these changes seem like a regression, but maybe something has just changed in a non-erroneous way and I should change some setting or write the rules differently, so I'm asking if there's maybe some other approach to writing rules for denying the FB embeddings and keeping links to FB functional? (And Twitter and Google+ and... but the principles should be the same.)

I should probably also note that I'm using NoScript in "lazy mode", that is I have the "Cascade top document's permissions to 3rd party scripts" checked, to make it easier enabling scripting for a site if I need to, making the ABE rule more necessary.

Re: INC strangeness

Posted: Wed Feb 22, 2017 9:58 pm
by barbaz
What version of NoScript?
aberrometer wrote:Here are my current rules for FB:

Code:

Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION

The INCLUSION used to have SCRIPT, OBJECT, SUBDOC with it, meaning the rule was almost identical with the example in the ABE documentation PDF.

To be clear, was this what you had before? -

Code:

Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

Or was it this, which isn't a valid ABE rule? -

Code:

Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION(SCRIPT, OBJECT, SUBDOC)

aberrometer wrote:At some point - possibly when Firefox 51 came - embedded content from Facebook domains started to appear on non-Facebook pages. After some experimentation, it started to look like the only inclusion type that had any effect was OTHER, so I turned the Deny rule into a basic INCLUSION.

Do you have an example URL where this occurs?

Re: INC strangeness

Posted: Thu Feb 23, 2017 8:11 pm
by aberrometer
Oh! I was trying to reproduce the issue on a clear profile, and just found out this was a mess caused by myself, meddling with about:config. I had forced e10s on as I was a bit impatient - I had expected that by Firefox 51 multiprocess support would be enabled by default, but it wasn't (I'm using Debian testing). Having it forced on is what changes the behavior. Things seem to be working just as intended when I let the browser run in the single-process mode again.

I'm now on Firefox 51.0.1 (64-bit), NoScript version is 2.9.5.3. And yeah, that one type was OBJ instead of OBJECT, I guess I somehow mentally expanded the text when typing the post. I also just checked on another machine that runs Arch Linux (Firefox there has multi-process mode on by default), and the rule works fine. The most minimal test case was an otherwise blank page with only a link pointing to facebook.com. So, apparently this is some Debian-specific thing - sorry about using your time!

Re: INC strangeness

Posted: Thu Feb 23, 2017 8:17 pm
by barbaz
@aberrometer Remember to log in before posting so that you can use your chosen username and don't need to repeatedly solve the CAPTCHA each time. (I fixed that post for you.)
aberrometer wrote:So, apparently this is some Debian-specific thing - sorry about using your time!
Thank you for reporting your findings. :)

Re: INC strangeness

Posted: Sat Jan 07, 2023 3:48 pm
by barbaz
This old thread seems to have become a spam magnet now. Locking.
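
The two rule variants discussed in this thread, run through a simplified model of ABE matching. This is an added example, not NoScript's code and not written by any poster; the request shape, the host matching, the news.example host and the inclusion type names beyond SCRIPT, OBJ, SUBDOC and OTHER are assumptions.

```javascript
// Simplified model of ABE matching for the ruleset in this thread (not NoScript's code).
// Type names beyond SCRIPT, OBJ, SUBDOC, OTHER are assumed from the ABE rules documentation.
const INCLUSION_TYPES = new Set(["OTHER", "SCRIPT", "IMAGE", "CSS", "OBJ", "SUBDOC",
  "XBL", "PING", "XHR", "OBJSUB", "DTD", "FONT", "MEDIA"]);

// ".facebook.com" matches facebook.com and its subdomains; anything else matches literally.
function matches(pattern, value) {
  if (pattern.startsWith(".")) return value === pattern.slice(1) || value.endsWith(pattern);
  return pattern === value;
}

function parseRuleset(text) {
  const [siteLine, ...lines] = text.trim().split("\n").map(l => l.trim());
  const predicates = lines.map(line => {
    const m = /^(Accept|Deny)(\s+INCLUSION(?:\(([^)]*)\))?)?(?:\s+from\s+(.+))?$/.exec(line);
    if (!m) throw new Error("unparsable predicate: " + line);
    const types = m[3] ? m[3].split(",").map(t => t.trim()) : null; // null = every type
    for (const t of types || [])
      if (!INCLUSION_TYPES.has(t)) throw new Error("unknown inclusion type: " + t);
    return { action: m[1], inclusion: Boolean(m[2]), types,
             origins: m[4] ? m[4].split(/\s+/) : null };
  });
  return { sites: siteLine.split(/\s+/).slice(1), predicates };
}

// req.type is "DOCUMENT" for a top-level load (a clicked link), otherwise an inclusion type.
function evaluate(ruleset, req) {
  if (!ruleset.sites.some(p => matches(p, req.dest))) return "no-match";
  for (const p of ruleset.predicates) {
    const originOk = !p.origins || p.origins.some(o => matches(o, req.origin));
    const methodOk = !p.inclusion ||
      (req.type !== "DOCUMENT" && (!p.types || p.types.includes(req.type)));
    if (originOk && methodOk) return p.action; // first matching predicate decides
  }
  return "no-match";
}

const FINE = parseRuleset(`Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)`);
const BROAD = parseRuleset(`Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION`);

// Constructed requests from a hypothetical third-party page, news.example.
const script = { origin: "news.example", dest: "connect.facebook.net", type: "SCRIPT" };
const image = { ...script, dest: "www.facebook.com", type: "IMAGE" };
const link = { ...script, dest: "www.facebook.com", type: "DOCUMENT" };
console.log(evaluate(FINE, script), evaluate(FINE, image), evaluate(BROAD, image),
  evaluate(BROAD, link));
```

In this model a clicked link is a DOCUMENT load and never an inclusion, so neither variant denies it; a rule written with OBJECT instead of OBJ is rejected at parse time.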