Additional domain restrictions for whitelist

qux

Additional domain restrictions for whitelist

Post by qux »

Hi

Can anybody please say whether there is any way to make whitelist rules work only on certain domains?
For example, many sites use googleapis scripts directly from ajax.googleapis.com. Can I allow them (not temporarily) only on somesite.com, keeping the default state on all the rest of the www?

I didn't find such info in the FAQ or forum search; please point it out if I'm wrong. Thanks, and sorry for my English ;)
Last edited by Tom T. on Tue Dec 29, 2009 2:09 am, edited 2 times in total.
Reason: "closed" removed, as topic has been re-opened
Mozilla/5.0 (X11; U; Linux x86_64; uk; rv:1.9.1.6) Gecko/20091216 Fedora/3.5.6-1.fc11 Firefox/3.5.6
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Additional domain restrictions for whitelist

Post by Tom T. »

This feature is anticipated in the next-generation NoScript, 2.x, and is discussed extensively in the long-running thread, Site-Specific Permissions. There is not yet an estimated release date, but we're all very eager to see it.

And I had no trouble understanding your post. Your English was fine. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
qux

Re: Additional domain restrictions for whitelist

Post by qux »

Thank you! Will wait for v.2, then ;)
Mozilla/5.0 (X11; U; Linux x86_64; uk; rv:1.9.1.6) Gecko/20091216 Fedora/3.5.6-1.fc12 Firefox/3.5.6
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [CLOSED] Additional domain restrictions for whitelist

Post by Giorgio Maone »

You can already do it by using ABE.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
qux

Re: [CLOSED] Additional domain restrictions for whitelist

Post by qux »

Giorgio Maone
Really, thanks, it seems to be working. The only bad thing is the lack of any visual indication that ABE's rules are working (notification ticks for scripts and ABE are on). So it is hard (impossible?) to tell whether scripts are really blocked or not if they don't display something on the page.
Mozilla/5.0 (X11; U; Linux x86_64; uk; rv:1.9.1.6) Gecko/20091216 Fedora/3.5.6-1.fc12 Firefox/3.5.6
Giorgio Maone

Re: [CLOSED] Additional domain restrictions for whitelist

Post by Giorgio Maone »

qux wrote: So it is hard (impossible?) to tell whether scripts are really blocked or not if they don't display something on the page.
You can check Tools|Error Console for [ABE] lines.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
qux

Re: [CLOSED] Additional domain restrictions for whitelist

Post by qux »

Giorgio Maone
Hm, nothing similar there. Any option?
NoScript 1.9.9.27, other info in my UA string below.
Mozilla/5.0 (X11; U; Linux x86_64; uk; rv:1.9.1.6) Gecko/20091216 Fedora/3.5.6-1.fc12 Firefox/3.5.6
Giorgio Maone

Re: [CLOSED] Additional domain restrictions for whitelist

Post by Giorgio Maone »

qux wrote:Giorgio Maone
Hm, nothing similar there. Any option?
No option. If you added that rule, when you open http://www.foe.com you should get one or more "message" lines like this:

Code:

[ABE] <google-analytics.com *.google-analytics.com> Deny on {GET http://www.google-analytics.com/urchin.js <<< http://www.foe.com/, http://www.foe.com/}
USER rule:
Site google-analytics.com *.google-analytics.com
Accept from friend.com *.friend.com friend2.com *.friend2.com
Deny
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
qux

Re: [CLOSED] Additional domain restrictions for whitelist

Post by qux »

Giorgio Maone
These messages aren't present in my case. Rule:

Code:

Site ajax.googleapis.com *.ajax.googleapis.com
Accept from ogo.in.ua *.ogo.in.ua
Deny

Added to the USER ruleset, then to both, for testing - same result. No ABE messages in the console, both on the allowed site and the blocked one. I have only some HTML parser warnings there.
The rules have been working all this time; I checked this.
Mozilla/5.0 (X11; U; Linux x86_64; uk; rv:1.9.1.6) Gecko/20091216 Fedora/3.5.6-1.fc12 Firefox/3.5.6
Giorgio Maone

Re: [CLOSED] Additional domain restrictions for whitelist

Post by Giorgio Maone »

Please try to edit (or create) the javascript.options.showInConsole boolean about:config preference and set it to true, then restart your browser.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
qux

Re: [CLOSED] Additional domain restrictions for whitelist

Post by qux »

Giorgio Maone
Done (it was default, false), but no result. Maybe FF in my distro was built with some uncommon options? Here is the info from about:buildconfig

Code:

Build platform
target
x86_64-unknown-linux-gnu

Build tools
Compiler 	Version 	Compiler flags
gcc 	gcc version 4.4.2 20091027 (Red Hat 4.4.2-7) (GCC) 	-Wall -W -Wno-unused -Wpointer-arith -Wcast-align -W -Wno-long-long -pedantic -O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fno-strict-aliasing -pthread -pipe -DNDEBUG -DTRIMMED -Os -freorder-blocks -fno-reorder-functions
c++ 	gcc version 4.4.2 20091027 (Red Hat 4.4.2-7) (GCC) 	-fno-rtti -fno-exceptions -Wall -Wpointer-arith -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wcast-align -Wno-invalid-offsetof -Wno-long-long -pedantic -O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fno-strict-aliasing -fshort-wchar -pthread -pipe -DNDEBUG -DTRIMMED -Os -freorder-blocks -fno-reorder-functions

Configure arguments
--enable-application=xulrunner --prefix=/usr --libdir=/usr/lib64 --with-system-nspr --with-system-nss --with-system-jpeg --with-system-zlib --with-system-bz2 --enable-system-hunspell --enable-system-sqlite --enable-system-cairo --with-pthreads --disable-strip --disable-tests --disable-mochitest --disable-installer --disable-debug --enable-optimize --enable-default-toolkit=cairo-gtk2 --enable-pango --enable-svg --enable-canvas --disable-javaxpcom --disable-crashreporter --enable-safe-browsing --enable-extensions=default,python/xpcom --enable-libnotify 

Or some other options in about:config? I'll try to reproduce this on a clean profile tomorrow.
Mozilla/5.0 (X11; U; Linux x86_64; uk; rv:1.9.1.6) Gecko/20091216 Fedora/3.5.6-1.fc12 Firefox/3.5.6
Tom T.

Re: [CLOSED] Additional domain restrictions for whitelist

Post by Tom T. »

@ Giorgio: Thanks for adding that FAQ. I'm sorry that I missed its publication. It will come in very handy in answering questions like this in the future, and will be a nice bridge to site-specific permissions.

Question: Can it work for objects as well as scripts? Here is what I tried: (USER)

Site java-vm@*.* *java-vm@*.*
Accept from hushmail.com *.hushmail.com
Deny

As you can see, I would like to allow Java applets at Hushmail and nowhere else. I allowed Java in NS > Embeddings as per the above.

It doesn't work. Java applets were still loading from other sites tested (using Java's own test page as the best tester).
ABE would not allow <APPLET> or comma to be entered, even though the objects show as <APPLET>, java-vm@http.//www.somesite.com

Is this syntax wrong, or is this not possible to do?

As you know, GµårÐïåñ' was intending to write an ABE User Guide with your assistance, of which I was awaiting the privilege of copy-editing at his request, but unfortunately, he has been otherwise occupied.

Side note for all users of Sandboxie and similar: The rule entry didn't survive the emptying of the sandbox. I realized that my currently-allowed file paths through the sandbox (bookmarks, NS prefs, etc.) aren't enough. Either edit directly in (profile) > ABE > rules > User.abe, or open a Sandboxie file path to there in its configuration file.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: [CLOSED] Additional domain restrictions for whitelist

Post by Alan Baxter »

qux wrote: Giorgio Maone
These messages aren't present in my case. Rule:

Code:

Site ajax.googleapis.com *.ajax.googleapis.com
Accept from ogo.in.ua *.ogo.in.ua
Deny

Added to the USER ruleset, then to both, for testing - same result. No ABE messages in the console, both on the allowed site and the blocked one. I have only some HTML parser warnings there.
The rules have been working all this time; I checked this.

I see the messages Giorgio predicts.

Did you whitelist ajax.googleapis.com? You need to do that. In addition to the NoScript 1.9.9.29 default settings, I whitelisted ajax.googleapis.com and ogo.in.ua and added qux's USER rule to ABE.
On http://ogo.in.ua/forums/, I don't get the ABE "Deny" message because ABE allows it, but if I remove

Code:

Accept from ogo.in.ua *.ogo.in.ua

then I get the following messages in the Error Console:

Code:

[ABE] <ajax.googleapis.com *.ajax.googleapis.com> Deny on {GET http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js <<< http://ogo.in.ua/forums/, http://ogo.in.ua/forums/}
USER rule:
Site ajax.googleapis.com *.ajax.googleapis.com
Deny

[ABE] <ajax.googleapis.com *.ajax.googleapis.com> Deny on {GET http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js <<< http://ogo.in.ua/forums/, http://ogo.in.ua/forums/}
USER rule:
Site ajax.googleapis.com *.ajax.googleapis.com
Deny
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6
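
Added example, not part of any post in this thread and not NoScript's own code: a simplified JavaScript model of how the ABE rule discussed above resolves a request, assuming first-match evaluation of rules and predicates and that `*.` patterns match subdomains only. The names `hostMatches`, `parseRules` and `decide` are hypothetical, and the NoScript whitelist itself is not modelled.

```javascript
// Added illustration: a simplified model of ABE rule matching, not NoScript code.
// Handles only what the thread uses: Site patterns, Accept/Deny, optional "from".
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1)); // subdomains only
  return pattern === "*" || pattern === host;
}

function parseRules(text) {
  const rules = [];
  for (const line of text.split("\n")) {
    const words = line.trim().split(/\s+/).filter(Boolean);
    if (words.length === 0) continue;
    if (words[0] === "Site") {
      rules.push({ sites: words.slice(1), predicates: [] });
    } else if (rules.length > 0) {
      const fromAt = words.indexOf("from");
      const origins = fromAt === -1 ? null : words.slice(fromAt + 1);
      rules[rules.length - 1].predicates.push({ action: words[0], origins });
    }
  }
  return rules;
}

// Returns "Accept", "Deny", or null when no rule covers the request.
function decide(rules, requestUrl, originUrl) {
  const target = new URL(requestUrl).hostname;
  const origin = new URL(originUrl).hostname;
  for (const rule of rules) {
    if (!rule.sites.some((p) => hostMatches(p, target))) continue;
    for (const { action, origins } of rule.predicates) {
      // A predicate without "from" applies to every origin (assumed model).
      if (origins === null || origins.some((p) => hostMatches(p, origin))) return action;
    }
  }
  return null;
}

// qux's rule from the thread; foe.com is the placeholder site Giorgio used.
const QUX_RULE = `Site ajax.googleapis.com *.ajax.googleapis.com
Accept from ogo.in.ua *.ogo.in.ua
Deny`;
const JQUERY = "http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js";
const quxRules = parseRules(QUX_RULE);
console.log(decide(quxRules, JQUERY, "http://ogo.in.ua/forums/")); // Accept
console.log(decide(quxRules, JQUERY, "http://www.foe.com/")); // Deny
console.log(decide(quxRules, "http://www.foe.com/a.js", "http://www.foe.com/")); // null
```

With the `Accept from` line removed, as in Alan Baxter's test, `decide` returns "Deny" for ogo.in.ua as well, which corresponds to the console messages he quotes.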
qux

Re: Additional domain restrictions for whitelist

Post by qux »

Alan Baxter wrote:Did you whitelist ajax.googleapis.com? You need to do that.
Yes, I read this in the FAQ, and already said ABE rules work correctly - only without indication.

But I found what the point is. To see ABE's "deny" message you must allow the main (viewed) site with NoScript, not only googleapis.com in my case, and I didn't understand this at once :) The javascript.options.showInConsole option can be default, "false". Now it seems enough for me, thanks ;)
Mozilla/5.0 (X11; U; Linux x86_64; uk; rv:1.9.1.6) Gecko/20091216 Fedora/3.5.6-1.fc12 Firefox/3.5.6
Alan Baxter

Re: Additional domain restrictions for whitelist

Post by Alan Baxter »

You're welcome.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6