Definitely block requests to facebook from 3rd-party sites

Discussions about the Application Boundaries Enforcer (ABE) module

Post by 0xa3 »

The sample configuration on http://noscript.net/abe/ provides the following configuration to block requests to facebook from third-party sites:

Code:

# This one allows Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

However, this still allows the inclusion of "Like" Buttons etc. and therefore also leads to critical privacy leakage.

Changing the ruleset to

Code:

# This one blocks all requests to Facebook
# from third-party sites
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny ALL

blocks these requests as well.

If anyone knows further URLs used by Facebook please post them to this thread.

Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Post by Giorgio Maone »

0xa3 wrote: Changing the ruleset to

Code:

# This one blocks all requests to Facebook
# from third-party sites
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny ALL

blocks these requests as well.

But it prevents you from following Facebook links in other pages.
Better this one:

Code:

# This one blocks all the embedded requests to Facebook
# from third-party sites
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION

0xa3
Posts: 2
Joined: Thu Mar 10, 2011 10:45 am

Post by 0xa3 »

Thanks for your reply. However, I noticed that certain requests aren't blocked when using Deny INCLUSION.

Unfortunately, I don't understand enough about the feature to understand why this is so, but you might want to have a look at the following sample URL:

http://support.microsoft.com/kb/288792

When using Deny ALL, NoScript blocks a GET request to facebook; when using Deny INCLUSION, the same request is not blocked.

I haven't checked how the request to facebook is implemented in detail (from JavaScript?), but the GET request that gets issued certainly could cause privacy leakage, which I would like to prevent.

Post by Giorgio Maone »

They're apparently also using facebook.net now.
Just add it to the rule and no request will pass.

Post by 0xa3 »

Thanks again. Seems it was even working before. I checked with Fiddler to see that there is no request sent to facebook with either configuration.

However, I didn't get the ABE notification when using Deny INCLUSION so I got a little bit confused. Could this be a bug? Let me know if you need further information on my configuration.

Currently, I'm using Firefox 4 RC1 and NoScript 2.0.9.9. ABE notifications are switched on on the Notifications tab and the ABE configuration looks as follows:

Code:

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

# This one allows Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net .facebook.net .facebook.de
Accept from .facebook.com .fbcdn.net .facebook.net .facebook.de
Deny INCLUSION
#Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

Site .twitter.com .twimg.com
Accept from .twitter.com .twimg.com
Deny INCLUSION
#Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

Site .googlesyndication.com
Accept from .googlesyndication.com
Deny ALL

Post by Giorgio Maone »

User-facing notifications happen for blocked document loads only.
All the other blocking activity is logged in Tools|Error Console as "[ABE]" message lines, to cut down the noise.

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Post by dhouwn »

Might be worth updating FAQ 8.10 to include "facebook.net".

Post by Giorgio Maone »

dhouwn wrote: Might be worth updating FAQ 8.10 to include "facebook.net".

I had actually done it, but forgot to upload the changes.
Thanks for noticing.

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Post by tlu »

Giorgio Maone wrote:
dhouwn wrote: Might be worth updating FAQ 8.10 to include "facebook.net".
I had actually done it, but forgot to upload the changes.
Thanks for noticing.

Giorgio, including .mafiawars.com and .eamobile.com in the "Accept from" line is really no mistake? I'm asking as I'm not familiar with these sites. Are they related to Facebook?

Post by Giorgio Maone »

tlu wrote: Giorgio, including .mafiawars.com and .eamobile.com in the "Accept from" line is really no mistake? I'm asking as I'm not familiar with these sites. Are they related to Facebook?

They're needed for some popular Facebook games to work.

Post by tlu »

Giorgio Maone wrote:
tlu wrote: Giorgio, including .mafiawars.com and .eamobile.com in the "Accept from" line is really no mistake? I'm asking as I'm not familiar with these sites. Are they related to Facebook?
They're needed for some popular Facebook games to work.

I see. Thanks!

forfrom1337
Posts: 8
Joined: Wed Apr 13, 2011 6:01 am

Post by forfrom1337 »

I have a basic question about this:

Do I have to allow facebook.com (or .net) permanently to have the scripts on the Facebook page?? (or are they being allowed by the ABE-Rule?)

Post by Giorgio Maone »

forfrom1337 wrote: I have a basic question about this:

Do I have to allow facebook.com (or .net) permanently to have the scripts on the Facebook page?? (or are they being allowed by the ABE-Rule?)

ABE and NoScript permissions are independent and orthogonal.
Therefore you have to Allow (in NoScript) for scripts to work, and DENY (in ABE) for facebook stuff not being loaded in 3rd party pages.

Newbee

Post by Newbee »

Hello my friends,

I have a quick question. There are also sites like

facebook.greenpeace.com

included in some websites. How can we block these sites? Is it correct, that we cannot use a logic like *.facebook*.com in the white list section, right? But in the ABE part the syntax *.facebook*.com would work?

Hope there is a solution for this...


Thanks in advance!
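The rule variants posted in this thread, run through a simplified model of ABE matching (an added example, not part of any post and not NoScript's code). The matcher, the "DOC" type label and the sample requests are assumptions made for illustration; the request to facebook.greenpeace.com shows that the leading-dot patterns in these rules do not cover that host.

```javascript
// Simplified model of ABE matching: an illustrative assumption, not NoScript's code.
// "DOC" is this model's label for a top-level document load; other types are inclusions.
// ".facebook.com" matches facebook.com and its subdomains only.
function hostMatches(pattern, host) {
  if (!pattern.startsWith(".")) return host === pattern;
  return host === pattern.slice(1) || host.endsWith(pattern);
}

// Parse one "Site / Accept from / Deny" rule of the shape posted in the thread.
function parseRule(text) {
  const rule = { sites: [], acceptFrom: [], deny: null };
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*/, "").trim();
    const arg = line.replace(/^\S+\s*/, "");
    if (line.startsWith("Site ")) rule.sites = arg.split(/\s+/);
    else if (line.startsWith("Accept from ")) rule.acceptFrom = arg.split(/\s+/).slice(1);
    else if (line.startsWith("Deny")) {
      const types = /^INCLUSION\((.*)\)$/.exec(arg);
      // types stays null when the Deny is not limited to listed inclusion types
      rule.deny = { inclusionOnly: arg.startsWith("INCLUSION"), types: types && types[1].split(/\s*,\s*/) };
    }
  }
  return rule;
}

// Accept is checked before Deny, as in the posted rules; unmatched requests pass.
function isBlocked(ruleText, req) {
  const rule = parseRule(ruleText);
  if (!rule.sites.some((p) => hostMatches(p, req.host))) return false;
  if (rule.acceptFrom.some((p) => hostMatches(p, req.origin))) return false;
  if (!rule.deny) return false;
  if (rule.deny.inclusionOnly && req.type === "DOC") return false;
  if (rule.deny.types && !rule.deny.types.includes(req.type)) return false;
  return true;
}

// The rule variants from the thread.
const HOSTS = ".facebook.com .fbcdn.net";
const makeRule = (hosts, deny) => `Site ${hosts}\nAccept from ${hosts}\nDeny ${deny}`;
const sampleRule = makeRule(HOSTS, "INCLUSION(SCRIPT, OBJ, SUBDOC)");
const denyAllRule = makeRule(HOSTS, "ALL");
const inclusionRule = makeRule(HOSTS, "INCLUSION");
const extendedRule = makeRule(HOSTS + " .facebook.net", "INCLUSION");
// Constructed sample requests made by a third-party page on news.example.
const from3p = (host, type) => ({ host, origin: "news.example", type });
const pixel = from3p("www.facebook.com", "IMAGE");
const link = from3p("www.facebook.com", "DOC");
const sdk = from3p("connect.facebook.net", "SCRIPT");
const lookalike = from3p("facebook.greenpeace.com", "SCRIPT");
```

In this model `isBlocked(inclusionRule, link)` is false while `isBlocked(denyAllRule, link)` is true, which is the link-following difference raised in the replies, and `sdk` is only blocked once `.facebook.net` is added to the rule.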