[Resolved] Regarding cloudfront.net

wujj123456

[Resolved] Regarding cloudfront.net

Post by wujj123456 »

Hi,

I recently came across cloudfront.net on kotaku.com. I've found it to be an Amazon service, which should be categorized under the broad cloudfront.net. Might be better to treat it same as appspot.com. Thanks.
Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Regarding cloudfront.net

Post by Tom T. »

wujj123456 wrote: I've found it to be an Amazon service, which should be categorized under the broad cloudfront.net. Might be better to treat it same as appspot.com. Thanks.
Not sure what you mean by "treat it same as appspot", or "categorized under the broad cloudfront.net". Its scripting should show in the NoScript menu, just as its competitor Akamai's does. You may also consider the RequestPolicy add-on to detect cross-site requests even if they don't include the executable content that NS focuses on blocking.

This article provides a reasonably clear and fair (I think) description of what Amazon is trying to do. Akamai has been doing this for years, and kept up a good reputation. If cloudfront does evil, we'd surely like to know. I haven't encountered it much yet, at least, not as being necessary to a page.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
Guest

Re: Regarding cloudfront.net

Post by Guest »

Tom T. wrote:
wujj123456 wrote: I've found it to be an Amazon service, which should be categorized under the broad cloudfront.net. Might be better to treat it same as appspot.com. Thanks.
Not sure what you mean by "treat it same as appspot", or "categorized under the broad cloudfront.net". Its scripting should show in the NoScript menu, just as its competitor Akamai's does. You may also consider the RequestPolicy add-on to detect cross-site requests even if they don't include the executable content that NS focuses on blocking.

This article provides a reasonably clear and fair (I think) description of what Amazon is trying to do. Akamai has been doing this for years, and kept up a good reputation. If cloudfront does evil, we'd surely like to know. I haven't encountered it much yet, at least, not as being necessary to a page.
Sorry for not being clear enough. Let me try explaining my point again. Maybe blogspot is a better example.

aaa.blogspot.com and bbb.blogspot.com are both hosted on Google, but usually managed by two different people/groups. It's possible that aaa.blogspot.com is legitimate, but bbb.blogspot.com tries to do something nasty or is compromised. For now, NoScript can either put blogspot.com into whitelist, which is dangerous, or I have to temporarily enable it for each blogspot.com website.

For this kind of service, the unique identifier is not the domain name itself, but a subdomain name. Subdomain hosting and CDN services fall into this category. However, I understand that with CDN, things might be more complicated than blogspot.com, since a website might use many CDN subdomains, and subdomains might change for different objects. (I don't know much about the internals of CDNs, but that's what I observe from the source code.) I visit some websites regularly and trust them, but enabling blogspot.com or CDN domains makes me feel less secure. For these well-known services that use subdomain as identifiers, I think it's safer to put a subdomain into whitelist, than allowing the domain name.

From Amazon's FAQ (http://aws.amazon.com/cloudfront/):
"In Amazon CloudFront, your objects are organized into distributions. A distribution specifies the location of the original version of your objects. A distribution has a unique CloudFront.net domain name (e.g. abc123.cloudfront.net) that you can use to reference your objects through the network of edge locations."

PS: Yesterday when I was browsing a website, I saw "Allow xxx.appspot.com" in settings. That's why I used appspot.com as an example, and I thought NoScript categorized certain websites by subdomain names. Maybe I remembered wrong because I didn't find that entry in my whitelist today... I guess my post is either a feature request, or I omitted some existing functionality in NoScript that can achieve what I want.
Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Regarding cloudfront.net

Post by Tom T. »

Guest wrote: For these well-known services that use subdomain as identifiers, I think it's safer to put a subdomain into whitelist, than allowing the domain name.
Yes.
Guest wrote: aaa.blogspot.com and bbb.blogspot.com are both hosted on Google, but usually managed by two different people/groups. It's possible that aaa.blogspot.com is legitimate, but bbb.blogspot.com tries to do something nasty or is compromised. For now, NoScript can either put blogspot.com into whitelist, which is dangerous, or I have to temporarily enable it for each blogspot.com website.
Not so. Please keep reading.
Guest wrote: From Amazon's FAQ (http://aws.amazon.com/cloudfront/):
"In Amazon CloudFront, your objects are organized into distributions. A distribution specifies the location of the original version of your objects. A distribution has a unique CloudFront.net domain name (e.g. abc123.cloudfront.net) that you can use to reference your objects through the network of edge locations."
The Akamai FAQ addresses this same issue, of fine-tuning subdomain permissions on third-party CDNs.
Guest wrote: PS: Yesterday when I was browsing a website, I saw "Allow xxx.appspot.com" in settings. That's why I used appspot.com as an example, and I thought NoScript categorized certain websites by subdomain names.
That's the user's choice, and is easily configurable. Please keep reading...
Guest wrote: Maybe I remembered wrong because I didn't find that entry in my whitelist today... I guess my post is either a feature request, or I omitted some existing functionality in NoScript that can achieve what I want.
The latter. The functionality is already there.

In NoScript > Options > Appearance, you may have "Base 2nd level Domains" checked. Check "Full Domains" and/or "Full Addresses" > OK. (It's up to you whether you want Base 2nd-Level to show also.) Now, aaa.blogspot.com and bbb.blogspot.com show as two separate entries in NS Menu. You can whitelist aaa.blogspot.com, while leaving bbb.blogspot.com in the default-deny zone. (You could even mark it as Untrusted. Doesn't change the fact that it will be blocked anyway, but that takes it out of the main menu, so that you're not annoyed by seeing it frequently. Also, may shorten the menu of scripts.)

I do this myself. I use Yahoo mail. The default whitelist includes yahoo.com and yimg.com, so that new or novice users can use most Yahoo services right out of the box. But I'm mostly there for the mail. So I changed those to mail.yahoo.com and mail.yimg.com. Then, I can use the mail service fully, but will not have scripts running from finance.yahoo.com, news.yahoo.com, etc. It's not that I don't trust them; it's that they're annoying.

The feature you would like is already there. Should you have any more questions about implementing it, please let us know. Otherwise, if you understand this and have it working for you, please let us know that, so that we can mark the issue as Resolved. Thank you.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
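
The difference between whitelisting a base 2nd-level domain and a full domain, as discussed in the post above, shown as an added example (written for this page, not NoScript's own code). It assumes a simplified rule in which an entry matches the host itself and any of its subdomains; the function names, the list of shared parent domains and the sample hosts are constructed for illustration.

```javascript
// Simplified model of host-based script whitelisting (an assumption, not
// NoScript's implementation): an entry matches a host when the host equals
// the entry or is a subdomain of it. The "." boundary keeps lookalikes such
// as "evilblogspot.com" from matching "blogspot.com".
function entryMatches(entry, host) {
  const e = entry.toLowerCase();
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  return h === e || h.endsWith("." + e);
}

function isAllowed(whitelist, host) {
  return whitelist.some((entry) => entryMatches(entry, host));
}

// Parent domains named in the thread where each subdomain has a different
// owner. Constructed list for this example.
const SHARED_PARENTS = ["blogspot.com", "appspot.com", "cloudfront.net"];

// Report whitelist entries that trust every tenant of a shared parent.
function auditWhitelist(whitelist) {
  return whitelist.filter((e) => SHARED_PARENTS.includes(e.toLowerCase()));
}

// Constructed script hosts a user might encounter.
const SAMPLE_HOSTS = [
  "aaa.blogspot.com",
  "bbb.blogspot.com",
  "abc123.cloudfront.net",
  "mail.yahoo.com",
  "finance.yahoo.com",
];

// "Base 2nd level Domains" style entries versus "Full Domains" style entries.
const BROAD = ["blogspot.com", "cloudfront.net", "yahoo.com"];
const NARROW = ["aaa.blogspot.com", "abc123.cloudfront.net", "mail.yahoo.com"];

function allowedHosts(whitelist) {
  return SAMPLE_HOSTS.filter((h) => isAllowed(whitelist, h));
}

console.log("broad  allows:", allowedHosts(BROAD));
console.log("narrow allows:", allowedHosts(NARROW));
console.log("entries to narrow:", auditWhitelist(BROAD));
```
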
wujj123456

Re: Regarding cloudfront.net

Post by wujj123456 »

Hi Tom,

Thank you very much. That's exactly what I want, just wondering how I missed that obvious option when flipping through settings. :shock: Please mark the thread as solved. Thanks.
Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [Resolved] Regarding cloudfront.net

Post by Tom T. »

You're very welcome.

And sometimes the obvious is the hardest to see -- it happens to us all. :D
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.24