Allow Scripts to be Included from Limited Sites

jazzmania · Post by **jazzmania** » Fri Jun 25, 2010 7:37 pm

If I allow a script to run from a certain site, all pages loaded are allowed to run that script. Can I limit the script to only run if included from certain sites?

For example, I want to allow yahooapis to run in safeandsecure.com but not evilhacker.com.

Post by **Giorgio Maone** » Fri Jun 25, 2010 8:24 pm

If evilhacker.com is not in your whitelist, yahooapis won't load at all, even if it is itself whitelisted.
That said, you can gain more control on resource loads through ABE.

jazzmania · Post by **jazzmania** » Fri Jun 25, 2010 11:22 pm

To test this I opened "http://scriptsrc.net". Then I opened "http://mangahelpers.com" in a new window.
scriptsrc.net is not in my whitelist. When I temporarily allow googleapis.com in managahelpers.com, scriptsrc.net reloads and googleapis is allowed in both pages.

Post by **Giorgio Maone** » Fri Jun 25, 2010 11:45 pm

jazzmania wrote: When I temporarily allow googleapis.com in managahelpers.com, scriptsrc.net reloads and googleapis is allowed in both pages.

googleapis is allowed everywhere, but this doesn't mean the scripts are loaded on scriptsrc.net. They're not, as a matter of fact, because no script can run on a non-whitelisted page (even if the 3rd party source is itself whitelisted).
BTW, you made me remember skipping reload for permission changes when the involved site is a 3rd party script and the top level site is forbidden and unchanged is a desirable optimization.

Guest · Post by **Guest** » Sat Jun 26, 2010 7:53 am

So even if there is no script content on scriptsrc.net the scrript from googleapis is not allowed to run on scriptsrc.net until I allow scripts for scriptsrc.net?

Post by **Giorgio Maone** » Sat Jun 26, 2010 8:57 am

Guest wrote:So even if there is no script content on scriptsrc.net the scrript from googleapis is not allowed to run on scriptsrc.net until I allow scripts for scriptsrc.net?

Correct.
In fact, to convey this message, on scriptsrc.net NoScript says "Scripts currently forbidden" and shows the "All forbidden" icon even though googleapis.com (as a source) is whitelisted.

Guest · Post by **Guest** » Sun Jun 27, 2010 2:16 am

But what if I want to allow scripts from scriptsrc.net but not googleapis on scriptsrc.net? By enabling googleapis for another site, I've enabled it for scriptsrc.net.

Post by **Giorgio Maone** » Sun Jun 27, 2010 6:11 am

Guest wrote:But what if I want to allow scripts from scriptsrc.net but not googleapis on scriptsrc.net? By enabling googleapis for another site, I've enabled it for scriptsrc.net.

While I don't understand why you would want to do that, from a strict security perspective, as I told you you can achieve this by using ABE.

InformAction Forums

Allow Scripts to be Included from Limited Sites

Allow Scripts to be Included from Limited Sites

Re: Allow Scripts to be Included from Limited Sites

Re: Allow Scripts to be Included from Limited Sites

Re: Allow Scripts to be Included from Limited Sites

Re: Allow Scripts to be Included from Limited Sites

Re: Allow Scripts to be Included from Limited Sites

Re: Allow Scripts to be Included from Limited Sites

Re: Allow Scripts to be Included from Limited Sites