[RESOLVED] Cannot allow page only for one domain per ABE

GNUrocks
Posts: 18
Joined: Sat Apr 01, 2017 6:55 pm


Post by GNUrocks »

Hi all, I found in the FAQ that you can use ABE to allow certain whitelisted pages only for specific domains. I tried it but couldn't get it to work. Here is what the FAQ says:
5.4
Q: I'm worried by the fact some sites require the akamai.net domain to be whitelisted. I'd prefer not to allow it everywhere, but only on some parent sites I trust. How can I do it?
A: You can use ABE to this effect, by adding the following rule to your NoScript Options|Advanced|ABE USER ruleset:

Code:

Site .akamai.net
Accept INCLUSION from SELF++
Accept INCLUSION from .trusted-site1.com .trusted-site2.com trusted-site3.com
Deny

Notice the leading dot "." before domains, which is syntactic sugar for site.com *.site.com, i.e. a domain and its subdomains.
It should also be noted that, independently from this rule, external scripts are never loaded from pages which don't belong to a whitelisted site, hence no malicious website you didn't explicitly whitelist could execute scripts from akamai.net anyway.
So let's say I want to allow .google.com only for youtube.com. I whitelist google.com per NoScript and then add to ABE user:

Code:

Site .google.com
Accept INCLUSION from SELF++
Accept INCLUSION from .youtube.com
Deny

Then I click the refresh button (do I need to do that every time?).
But it doesn't work, not even after restarting the browser. Still, when I visit google.de for example, google.com is still allowed by NoScript.

Help will be greatly appreciated, thanks!
Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Cannot allow page only for one domain per ABE

Post by barbaz »

GNUrocks wrote: But it doesn't work, not even after restarting the browser. Still, when I visit google.de for example, google.com is still allowed by NoScript.
How are you determining that google.com is allowed?

If it's by what the NoScript menu says, see viewtopic.php?f=23&t=22063
*Always* check the changelogs BEFORE updating that important software!
-
GNUrocks
Posts: 18
Joined: Sat Apr 01, 2017 6:55 pm

Re: Cannot allow page only for one domain per ABE

Post by GNUrocks »

barbaz wrote:
GNUrocks wrote: But it doesn't work, not even after restarting the browser. Still, when I visit google.de for example, google.com is still allowed by NoScript.
How are you determining that google.com is allowed?

If it's by what the NoScript menu says, see viewtopic.php?f=23&t=22063
Yeah, I just checked the NoScript menu. Didn't come to my mind that this may not mean what I think it means. However, I just also checked with youtube, if you don't allow google.com you can't expand replies (when a comment has more than 2 replies per default only 2 are shown. But you can click on "show more replies" and that won't work if you block google.com). I could neither get it to work that when I block google.com and allow it per ABE it still works, nor could I make it stop working when I allowed google.com but denied it per ABE. Any ideas? And thanks for your help. I did read the thread you linked, but still couldn't get it to work.
Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Cannot allow page only for one domain per ABE

Post by barbaz »

That ABE rule you have will get quirky in some situations. Try this instead -

Code:

Site .google.com
Accept INCLUSION from .google.com .youtube.com
Deny

If it still doesn't work, try reloading the page. If that doesn't help either, try clearing your browser cache and reloading the page.
-
GNUrocks
Posts: 18
Joined: Sat Apr 01, 2017 6:55 pm

Re: Cannot allow page only for one domain per ABE

Post by GNUrocks »

barbaz wrote:That ABE rule you have will get quirky in some situations. Try this instead -

Code:

Site .google.com
Accept INCLUSION from .google.com .youtube.com
Deny

If it still doesn't work, try reloading the page. If that doesn't help either, try clearing your browser cache and reloading the page.
Thanks for your reply barbaz. I changed the ABE script accordingly. I need to allow google.com per NoScript, because if not, then it always gets blocked and ABE can't do anything about it, correct? Even with anonymous browsing it doesn't work, so it's not because of the cache either. Here is my ABE rule:

Code:

Site .google.com
Accept INCLUSION from .google.com
Deny

I use youtube.com to see if it works by clicking on a comment that has more replies than 2 on the "show more replies" link, which only works if google.com is allowed. However, that always works. No matter whether I restart the browser, click on refresh on the ABE interface, use ctrl+f5 to reload the page, use anonymous browsing...

Also, that script I used before is from the official NoScript FAQ. Why is it in there if it may get quirky? What is it for then?

Another thing, if ABE allows/ trusts a script which it should deny, that would be a bug right? Because of security issues. So the cache delete tip was just for the case that the allowed script didn't work, even though it should, right? Then it doesn't matter anyway, since I'm trying it the other way around. I want to allow a script that was forbidden before.

Thanks again.
Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Cannot allow page only for one domain per ABE

Post by barbaz »

GNUrocks wrote:I need to allow google.com per NoScript, because if not, then it always gets blocked and ABE can't do anything about it, correct?
Correct.
GNUrocks wrote:Still it doesn't work. Here is my ABE rule:

Code:

Site .google.com
Accept INCLUSION from .google.com
Deny

I use youtube.com to see if it works by clicking on a comment that has more replies than 2 on the "show more replies" link, which only works if google.com is allowed. However, that always works. No matter whether I restart the browser, click on refresh on the ABE interface, use ctrl+f5 to reload the page...
Hmm. As a test, try removing the Accept line. Then, when the script you want is blocked, please check the Browser Console (Ctrl-Shift-J) and post here any messages starting with "[ABE]".

If it's not blocked, and you don't have other ABE rules affecting google.com in the same ruleset, then google.com is not required there.
GNUrocks wrote:Also, that script I used before is from the official NoScript FAQ. Why is it in there if it may get quirky? What is it for then?
Not sure why it's written that way. But I know that the way it's written, ABE might block more than the user would want blocked. In particular, redirections are likely to be too strictly filtered for the user.
GNUrocks wrote:Another thing, if ABE allows/ trusts a script which it should deny, that would be a bug right? Because of security issues.
Right.
GNUrocks wrote:So the cache delete tip was just for the case that the allowed script didn't work, even though it should, right? Then it doesn't matter anyway, since I'm trying it the other way around. I want to allow a script that was forbidden before.
ABE is mostly a network filter. Clearing the cache was in case the browser was loading stuff from the cache instead of the network.
-
GNUrocks
Posts: 18
Joined: Sat Apr 01, 2017 6:55 pm

Re: Cannot allow page only for one domain per ABE

Post by GNUrocks »

barbaz wrote:Hmm. As a test, try removing the Accept line. Then, when the script you want is blocked, please check the Browser Console (Ctrl-Shift-J) and post here any messages starting with "[ABE]".

If it's not blocked, and you don't have other ABE rules affecting google.com in the same ruleset, then google.com is not required there.
Good idea, should have already tested that... nope, comments still load with the new settings in private mode. So either ABE is not working or google.com is not required. However if I block google.com altogether, the other comments do not load. How does that make sense? The user script of ABE is definitely enabled though.
barbaz wrote:
GNUrocks wrote:Also, that script I used before is from the official NoScript FAQ. Why is it in there if it may get quirky? What is it for then?
Not sure why it's written that way. But I know that the way it's written, ABE might block more than the user would want blocked. In particular, redirections are likely to be too strictly filtered for the user.
Good to know.
barbaz wrote:
GNUrocks wrote:So the cache delete tip was just for the case that the allowed script didn't work, even though it should, right? Then it doesn't matter anyway, since I'm trying it the other way around. I want to allow a script that was forbidden before.
ABE is mostly a network filter. Clearing the cache was in case the browser was loading stuff from the cache instead of the network.
Ah, that makes sense.
Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Cannot allow page only for one domain per ABE

Post by barbaz »

Do you have ABE disabled?
-
GNUrocks
Posts: 18
Joined: Sat Apr 01, 2017 6:55 pm

Re: Cannot allow page only for one domain per ABE

Post by GNUrocks »

barbaz wrote:
Do you have ABE disabled?
Fuck me, you don't only have to enable the user ruleset but also ABE itself... So thanks a lot for sticking with me! Really appreciate that you help people you don't even know.

Will ABE do anything else than the user script? Or is it safe to assume that everything will work as it has before, except the user ruleset?
Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
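
The layering worked out in this thread (NoScript's whitelist first, then ABE only if ABE itself is enabled, then the first matching Accept/Deny line of the rule), as an added example that is not part of any post and is not NoScript's code. It is a simplified model: only Accept/Deny, the INCLUSION pseudo-method and "from" lists are handled, the whitelist is written in the same leading-dot notation as an assumption, and the host names are constructed.

```javascript
// Simplified model of the layers discussed in this thread (added example, not NoScript code).

// ".site.com" stands for "site.com *.site.com" (per the FAQ quoted in the first post).
function hostMatches(pattern, host) {
  if (pattern.startsWith(".")) {
    return host === pattern.slice(1) || host.endsWith(pattern);
  }
  return host === pattern;
}

// Parse one ABE rule: a "Site" line followed by Accept/Deny predicates.
function parseRule(text) {
  const lines = text.split("\n").map((l) => l.trim()).filter(Boolean);
  const sites = lines[0].split(/\s+/).slice(1);
  const predicates = lines.slice(1).map((line) => {
    const [action, ...rest] = line.split(/\s+/);
    const fromAt = rest.indexOf("from");
    const methods = fromAt === -1 ? rest : rest.slice(0, fromAt);
    const origins = fromAt === -1 ? [] : rest.slice(fromAt + 1);
    return { action, methods, origins };
  });
  return { sites, predicates };
}

// First matching predicate wins; null means the rule does not apply to this request.
function abeDecision(rule, req) {
  if (!rule.sites.some((p) => hostMatches(p, req.destination))) return null;
  for (const p of rule.predicates) {
    const methodOk = p.methods.length === 0 ||
      (p.methods.includes("INCLUSION") && req.inclusion);
    const originOk = p.origins.length === 0 ||
      p.origins.some((o) => hostMatches(o, req.origin));
    if (methodOk && originOk) return p.action;
  }
  return null;
}

// A script loads only if the whitelist allows its host AND
// (ABE is switched off, or ABE does not deny the request).
function scriptLoads(whitelist, abeEnabled, rule, req) {
  if (!whitelist.some((p) => hostMatches(p, req.destination))) return false;
  if (!abeEnabled) return true; // rule is ignored: the situation in this thread
  return abeDecision(rule, req) !== "Deny";
}

// The rule suggested earlier in the thread.
const RULE = parseRule(`Site .google.com
Accept INCLUSION from .google.com .youtube.com
Deny`);
```

With ABE switched off, the request from a google.de page loads exactly as it would with no rule at all, which is the behaviour reported before the fix.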
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Cannot allow page only for one domain per ABE

Post by barbaz »

GNUrocks wrote: thanks a lot for sticking with me! Really appreciate that you help people you don't even know.
You're welcome!
GNUrocks wrote:Will ABE do anything else than the user script?
Probably yes. The SYSTEM ruleset, if you left it default, will block the Internet from accessing your local network.
-
GNUrocks
Posts: 18
Joined: Sat Apr 01, 2017 6:55 pm

Re: Cannot allow page only for one domain per ABE

Post by GNUrocks »

barbaz wrote:
GNUrocks wrote: thanks a lot for sticking with me! Really appreciate that you help people you don't even know.
You're welcome!
GNUrocks wrote:Will ABE do anything else than the user script?
Probably yes. The SYSTEM ruleset, if you left it default, will block the Internet from accessing your local network.
Thanks again, it's been fun :-)
Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: [RESOLVED] Cannot allow page only for one domain per ABE

Post by Thrawn »

GNURocks wrote:this may not mean what I think it means
Heh heh heh.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Dillo/3.0.3
GNUrocks
Posts: 18
Joined: Sat Apr 01, 2017 6:55 pm

Re: [RESOLVED] Cannot allow page only for one domain per ABE

Post by GNUrocks »

Thrawn wrote:
GNURocks wrote:this may not mean what I think it means
Heh heh heh.
I don't get it <__>
Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: [RESOLVED] Cannot allow page only for one domain per ABE

Post by Thrawn »

Oh, I assumed you were quoting The Princess Bride.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
GNUrocks
Posts: 18
Joined: Sat Apr 01, 2017 6:55 pm

Re: [RESOLVED] Cannot allow page only for one domain per ABE

Post by GNUrocks »

Thrawn wrote:Oh, I assumed you were quoting The Princess Bride.
It dawned on me later that you might have thought that. My own text did remind me of the meme when typing it. Always great if chance makes your day a bit better even if you're alone haha
Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0