INC strangeness
Posted: Wed Feb 22, 2017 8:22 pm
I've had some ABE rules for the big sites like Facebook, to keep all kinds embedded stuff away from other websites. Here are my current rules for FB:
The INCLUSION used to have SCRIPT, OBJECT, SUBDOC with it, meaning the rule was almost identical with the example in the ABE documentation PDF. At some point - possible when Firefox 51 came - embedded content from Facebook domains started to appear non-Facebook pages. After some experimentation, it started to look like only inclusion type that had any effect was OTHER, so I turned the Deny rule into a basic INCLUSION.
That alone isn't too bad (though of course having the earlier, more fine-grained control would be nice), but turns out the Deny INCLUSION rule affects top-level loads too. Trying to follow a link into facebook.com just doesn't work, and browser console shows that clicking the link triggered the Deny INCLUSION rule. The moz-nullprincipal: at least lets copy-pasting the address to address bar work.
Now, these changes seem like a regression, but maybe something has just changed in a non-erroneous way and I should change some setting or write the rules differently, so I'm asking if there's maybe some other approach to writing rules for denying the FB embeddings and keeping links to FB functional? (And Twitter and Google+ and... but the principles should be same.)
I should probably also note that I'm using NoScript in "lazy mode", that is I have the "Cascade top document's permissions to 3rd party scripts" checked, to make it easier enabling scripting for a site if I need to, making the ABE rule more necessary.
Code: Select all
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION
That alone isn't too bad (though of course having the earlier, more fine-grained control would be nice), but turns out the Deny INCLUSION rule affects top-level loads too. Trying to follow a link into facebook.com just doesn't work, and browser console shows that clicking the link triggered the Deny INCLUSION rule. The moz-nullprincipal: at least lets copy-pasting the address to address bar work.
Now, these changes seem like a regression, but maybe something has just changed in a non-erroneous way and I should change some setting or write the rules differently, so I'm asking if there's maybe some other approach to writing rules for denying the FB embeddings and keeping links to FB functional? (And Twitter and Google+ and... but the principles should be same.)
I should probably also note that I'm using NoScript in "lazy mode", that is I have the "Cascade top document's permissions to 3rd party scripts" checked, to make it easier enabling scripting for a site if I need to, making the ABE rule more necessary.