Perhaps its purely semantics, but this allows scripts hosted at ssl.google-analytics.com
to be invoked at one, and only one, web-site:
Code: Select all
Accept from .comodo.com
Yes, that rule will be effective for restricting Google Analytics to one site.
For that ABE ruleset to be of affect ssl.google-analytics.com must be allowed - globally - in NS.
Well, yes, otherwise GA will be blocked everywhere. ABE won't block it on comodo.com, but the regular script-blocking will.
(And allowing in NS is *always* global.)
If the SITE - surrogate source - is denied in NS, then surrogate replacement will occur - if a surrogate exists - for any URL invoking ssl.google-analytics.com, and ABE won't fire.
The above ABE will permit google-analytic server access by only .comodo.com, and for all other URLs the default NS surrogate will be in affect, if, and only if, ssl.google-analytics.com is allowed.
Yes. If you don't allow GA, then the surrogate will be in effect everywhere, including Comodo.
Thrawn wrote:...And surrogates, by default, will run in place of the original script when the script is blocked. If the script is allowed, ordinary surrogates don't run...
A matching surrogate will run if ABE has blocked the original script.
This is the salient point: if a source is allowed in NS, then no surrogate replacement occurs.
Not quite true. If something else - eg ABE, Adblock Plus, RequestPolicy, uBlock - blocks the real script, then the surrogate will still run.
For any SITE stipulated by an ABE ruleset having predicate of ACCEPT action for any arbitrary predicate resource, no surrogate replacement occurs, for all others - akin to try / catch code - DENY, i.e., block and surrogate replacement occurs.
Isn't that the expected/desired behavior? Why are you allowing Google Analytics on Comodo if you don't want the real GA to run?
Perhaps there's a way to specify local hosted JS to be invoked in the ABE ruleset for any ACCEPT predicate resource, and allow the default NS surrogate to be in affect otherwise, i.e., per the DENY, even so the SITE must be allowed in NS for the ABE ruleset to even fire?
Well, as documented on Giorgio's blog
, you can define surrogates that run after whitelisted scripts. But are you sure this is what you want?
What is your actual objective?
Are you trying to run the real Google Analytics on comodo.com, but nowhere else? Then just use the ABE rule you mentioned, whitelist ssl.google-analytics.com, and you're done.
Are you trying to replace Google Analytics with a surrogate on comodo.com? Then you don't need ABE, just leave google-analytics.com blocked, as it is by default.
Are you trying to use a different Google Analytics surrogate on comodo.com to the surrogate used everywhere else? You don't need ABE, just leave GA blocked, then write your new surrogate and specify the correct 'sources' value.
If I knew what you actually want to achieve, I would be better able to help.