[Resolved] Regarding cloudfront.net

Posted: Sat Jan 07, 2012 12:34 am
by wujj123456
Hi,

I recently came across cloudfront.net on kotaku.com. I've found it to be an Amazon service, which should be categorized under the broad cloudfront.net. Might be better to treat it same as appspot.com. Thanks.

Re: Regarding cloudfront.net

Posted: Sat Jan 07, 2012 11:33 am
by Tom T.
wujj123456 wrote:I've found it to be an Amazon service, which should be categorized under the broad cloudfront.net. Might be better to treat it same as appspot.com. Thanks.
Not sure what you mean by "treat it same as appspot", or "categorized under the broad cloudfront.net". Its scripting should show in the NoScript menu, just as its competitor Akamai's does. You may also consider RequestPolicy add-on to detect cross-site requests even if they don't include the executable content that NS focuses on blocking.

This article provides a reasonably clear and fair (I think) description of what Amazon is trying to do. Akamai has been doing this for years, and kept up a good reputation. If cloudfront does evil, we'd surely like to know. I haven't encountered it much yet, at least, not as being necessary to a page.

Re: Regarding cloudfront.net

Posted: Sat Jan 07, 2012 4:35 pm
by Guest
Tom T. wrote:
wujj123456 wrote:I've found it to be an Amazon service, which should be categorized under the broad cloudfront.net. Might be better to treat it same as appspot.com. Thanks.
Not sure what you mean by "treat it same as appspot", or "categorized under the broad cloudfront.net". Its scripting should show in the NoScript menu, just as its competitor Akamai's does. You may also consider RequestPolicy add-on to detect cross-site requests even if they don't include the executable content that NS focuses on blocking.

This article provides a reasonably clear and fair (I think) description of what Amazon is trying to do. Akamai has been doing this for years, and kept up a good reputation. If cloudfront does evil, we'd surely like to know. I haven't encountered it much yet, at least, not as being necessary to a page.
Sorry for not being clear enough. Let me try explaining my point again. Maybe blogspot is a better example.

aaa.blogspot.com and bbb.blogspot.com are both hosted on Google, but usually managed by two different people/groups. It's possible that aaa.blogspot.com is legitimate, but bbb.blogspot.com tries to do something nasty or is compromised. For now, NoScript can either put blogspot.com into whitelist, which is dangerous, or I have to temporarily enable it for each blogspot.com website.

For this kind of service, the unique identifier is not the domain name itself, but a subdomain name. Subdomain hosting and CDN services fall into this category. However, I understand that with CDN, things might be more complicated than blogspot.com, since a website might use many CDN subdomains, and subdomains might change for different objects. (I don't know much about internals of CDNs, but that's what I observe from source code.) I visit some websites regularly and trust them, but enabling blogspot.com or CDN domains makes me feel less secure. For these well-known services that use subdomain as identifiers, I think it's safer to put a subdomain into whitelist, than allowing the domain name.

From Amazon's FAQ (http://aws.amazon.com/cloudfront/):
"In Amazon CloudFront, your objects are organized into distributions. A distribution specifies the location of the original version of your objects. A distribution has a unique CloudFront.net domain name (e.g. abc123.cloudfront.net) that you can use to reference your objects through the network of edge locations."

PS: Yesterday when I was browsing a website, I saw "Allow xxx.appspot.com" in settings. That's why I used appspot.com as an example, and I thought NoScript categorized certain websites by subdomain names. Maybe I remembered wrong because I didn't find that entry in my whitelist today... I guess my post is either a feature request, or I omitted some existing functionality in NoScript that can achieve what I want.

Re: Regarding cloudfront.net

Posted: Sun Jan 08, 2012 1:01 am
by Tom T.
Guest wrote:For these well-known services that use subdomain as identifiers, I think it's safer to put a subdomain into whitelist, than allowing the domain name.
Yes.
Guest wrote:aaa.blogspot.com and bbb.blogspot.com are both hosted on Google, but usually managed by two different people/groups. It's possible that aaa.blogspot.com is legitimate, but bbb.blogspot.com tries to do something nasty or is compromised. For now, NoScript can either put blogspot.com into whitelist, which is dangerous, or I have to temporarily enable it for each blogspot.com website.
Not so. Please keep reading.
Guest wrote:From Amazon's FAQ (http://aws.amazon.com/cloudfront/):
"In Amazon CloudFront, your objects are organized into distributions. A distribution specifies the location of the original version of your objects. A distribution has a unique CloudFront.net domain name (e.g. abc123.cloudfront.net) that you can use to reference your objects through the network of edge locations."
The Akamai FAQ addresses this same issue, of fine-tuning subdomain permissions on third-party CDNs.
Guest wrote:PS: Yesterday when I was browsing a website, I saw "Allow xxx.appspot.com" in settings. That's why I used appspot.com as an example, and I thought NoScript categorized certain websites by subdomain names.
That's the user's choice, and is easily configurable. Please keep reading...
Guest wrote: Maybe I remembered wrong because I didn't find that entry in my whitelist today... I guess my post is either a feature request, or I omitted some existing functionality in NoScript that can achieve what I want.
The latter. The functionality is already there.

In NoScript > Options > Appearance, you may have "Base 2nd level Domains" checked. Check "Full Domains" and/or "Full Addresses" > OK. (It's up to you whether you want Base 2nd-Level to show also.) Now, aaa.blogspot.com and bbb.blogspot.com show as two separate entries in NS Menu. You can whitelist aaa.blogspot.com, while leaving bbb.blogspot.com in the default-deny zone. (You could even mark it as Untrusted. Doesn't change the fact that it will be blocked anyway, but that takes it out of the main menu, so that you're not annoyed by seeing it frequently. Also, may shorten the menu of scripts.)

I do this myself. I use Yahoo mail. The default whitelist includes yahoo.com and yimg.com, so that new or novice users can use most Yahoo services right out of the box. But I'm mostly there for the mail. So I changed those to mail.yahoo.com and mail.yimg.com. Then, I can use the mail service fully, but will not have scripts running from finance.yahoo.com, news.yahoo.com, etc. It's not that I don't trust them; it's that they're annoying.

The feature you would like is already there. Should you have any more questions about implementing it, please let us know. Otherwise, if you understand this and have it working for you, please let us know that, so that we can mark the issue as Resolved. Thank you.
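
Added example (not part of the posts above and not NoScript's own code): a simplified model of the difference between allowing a base domain and allowing a full domain, as discussed in this thread. The matching rule, the `SHARED_PARENTS` list, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Simplified model of host-based script allowlisting (assumed rule, not NoScript's code).
// Parent domains named in this thread whose subdomains belong to different tenants;
// the list itself is an assumption made for this example.
const SHARED_PARENTS = new Set(["blogspot.com", "appspot.com", "cloudfront.net"]);

// Normalise a hostname: lower-case and strip a trailing dot.
function normHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// An entry matches the host itself and any subdomain of it, but only on a
// label boundary, so "blogspot.com" does not match "notblogspot.com".
function entryMatches(entry, host) {
  const e = normHost(entry);
  const h = normHost(host);
  return h === e || h.endsWith("." + e);
}

// True if the script URL's host is covered by any allowlist entry.
function isAllowed(allowlist, scriptUrl) {
  const host = new URL(scriptUrl).hostname;
  return allowlist.some((entry) => entryMatches(entry, host));
}

// Entries that grant script permission to every tenant of a shared parent.
function overBroadEntries(allowlist) {
  return allowlist.filter((entry) => SHARED_PARENTS.has(normHost(entry)));
}

// Constructed sample: script sources a page might reference.
const SCRIPTS = [
  "https://aaa.blogspot.com/feed.js",
  "https://bbb.blogspot.com/widget.js",
  "https://abc123.cloudfront.net/app.js",
  "https://zzz999.cloudfront.net/other.js",
];

// Base-domain entries versus full-domain entries.
const BROAD = ["blogspot.com", "cloudfront.net"];
const NARROW = ["aaa.blogspot.com", "abc123.cloudfront.net"];

// Hosts from SCRIPTS whose scripts would run under the given allowlist.
function allowedHosts(allowlist) {
  return SCRIPTS.filter((u) => isAllowed(allowlist, u)).map((u) => new URL(u).hostname);
}

console.log("broad :", allowedHosts(BROAD), "flagged:", overBroadEntries(BROAD));
console.log("narrow:", allowedHosts(NARROW), "flagged:", overBroadEntries(NARROW));
```

With the base-domain entries all four sample hosts are allowed; with the full-domain entries only the two named tenants are.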

Re: Regarding cloudfront.net

Posted: Sun Jan 08, 2012 5:52 pm
by wujj123456
Hi Tom,

Thank you very much. That's exactly what I want, just wondering how I missed that obvious option when flipping through settings. :shock: Please mark the thread as solved. Thanks.

Re: [Resolved] Regarding cloudfront.net

Posted: Mon Jan 09, 2012 3:58 am
by Tom T.
You're very welcome.

And sometimes the obvious is the hardest to see -- it happens to us all. :D