Always allow a particular embedding?

[access2godzilla]

I have NS to block Flash on all sites (regardless of trusted/untrusted). However, I want to allow http://www.jamendo.com/js/libs/jquery.j ... player.swf always. Is there any way to do this?

[Giorgio Maone]

Yes you can.
Just add to your noscript.allowedMimeRegExp about:config preference the following pattern:

Code: Select all

application/x-shockwave-flash@http://www\.jamendo\.com/js/libs/jquery\.jplayer/Jplayer.swf

[barbaz]

This pattern isn't working for me. In my case I want to always allow the Flash streaming player at

Code: Select all

http://www.deeplinkmusic.com/modules/mod_radioplayerjoomla-pro/muses.swf

(there are flashvars listed in the actual URL), but despite my noscript.allowedMimeRegExp being set to

Code: Select all

application/pdf application/x-shockwave-flash@http://www\.deeplinkmusic\.com/modules/mod_radioplayerjoomla-pro/muses\.swf#!flashvars#.+

it's still blocked by NS. Removing the trailing .+ and/or the reference to flashvars doesn't help. The page in question is script-forbidden. What am I doing wrong? Does this preference require a browser restart to take effect?

[Giorgio Maone]

Could you please show me a page where this is actually embedded for me to test it? Thanks!

[barbaz]

http://www.deeplinkmusic.com/deeplinkradio
It should be the Flash object on the left, under Listen Live Now.

[therube]

As a start, & to simplify things, removing the trailing / looked to work:

> application/x-shockwave-flash@http?://www\.deeplinkmusic\.com
vs
> application/x-shockwave-flash@http?://www\.deeplinkmusic\.com/

[barbaz]

As a start, & to simply things, removing the trailing / looked to work:

> application/x-shockwave-flash@http?://www\.deeplinkmusic\.com
vs
> application/x-shockwave-flash@http?://www\.deeplinkmusic\.com/

Thanks therube, that does work. But wouldn't that allow every Flash object coming from deeplinkmusic on any site, thus requiring an ABE rule to achieve the desired effect?

[therube]

As a start, & to simply things

So I didn't try to go further then that.
So, if I get time... Or if you...

[Giorgio Maone]

Thanks therube, that does work. But wouldn't that allow every Flash object coming from deeplinkmusic on any site, thus requiring an ABE rule to achieve the desired effect?

Sorry, my fault, I overlooked that it was a full URL.
Actually this preference works on "sites", i.e. protocol + domain (+ port) (with no trailing slash, which would constitute "path").
And yes, if you want the "desired effect" you may achieve it by intersecting this permission with a restrictive ABE rule (but you wouldn't get placeholders, in that case).

[barbaz]

OK, I've done some further testing. Interesting.
It seems this feature is limited to regexps matching scheme://host.dom.ain on the same site as the top-level site. This is bad because it means you can't whitelist specific objects, nor can you allow an object coming from a CDN. Also, the issue here is unrelated to the inability to allow FONTs through allowedMimeRegExp. Without further ideas, at this point I would be inclined to wait for Giorgio to sort this out.

Edit: @Giorgio: Sorry, just missed your reply. One last question: Why doesn't this feature work on objects coming from CDNs?

[Giorgio Maone]

Edit: @Giorgio: Sorry, just missed your reply. One last question: Why doesn't this feature work on objects coming from CDNs?

Example page?

[barbaz]

Thanks for clearing the "site" question up.
Any Youtube video page will do (the Flash object is coming from s.ytimg.com).

Edit: Even copying/pasting the suggested pattern from http://noscript.net/features#contentblocking didn't work

[Giorgio Maone]

Thanks for clearing the "site" question up.
Any Youtube video page will do (the Flash object is coming from s.ytimg.com).

Edit: Even copying/pasting the suggested pattern from http://noscript.net/features#contentblocking didn't work

Mmmm,

Code: Select all

application/x-shockwave-flash@https?://[^/]+\.(?:youtube|ytimg)\.com

actually works just fine for me (of course you need to allow youtube.com because the Flash object is generated by JavaScript).
Step-by-step instructions to reproduce?
Did you try on a clean profile with just NoScript installed, with either default configuration or "Apply these restrictions to whitelisted sites" embedding option?

[Edit]
even just

Code: Select all

application/x-shockwave-flash@https?://s\.ytimg\.com

works for me ?:/

[barbaz]

After some testing, it looks like marking ytimg.com as Untrusted was enough to prevent

Code: Select all

application/x-shockwave-flash@https?://s\.ytimg\.com

from working. Is this intended behavior?

[Giorgio Maone]

After some testing, it looks like marking ytimg.com as Untrusted was enough to prevent

Code: Select all

application/x-shockwave-flash@https?://s\.ytimg\.com

from working. Is this intended behavior?

Absolutely, it is.
NoScript Options|Embeddings|Block every object coming from a site marked as untrusted.