[RESOLVED VIA ABE] Suggestion for the 'Embeddings' tab

ssjkakaroto
Posts: 19
Joined: Thu Mar 29, 2012 11:51 pm

[RESOLVED VIA ABE] Suggestion for the 'Embeddings' tab

Post by ssjkakaroto »

Hi there, I always use the "Apply these restrictions to whitelisted sites too" but I often have to keep enabling Java on my whitelisted sites. I want this option to be enabled mainly because of Flash.
My suggestion is to decouple the additional restrictions of untrusted and whitelisted sites. This way there would be two tabs, Embeddings (untrusted) and Embeddings (whitelisted), with the relevant options in each one.

Best regards.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Suggestion for the 'Embeddings' tab

Post by Tom T. »

ssjkakaroto wrote: Hi there, I always use the "Apply these restrictions to whitelisted sites too" but I often have to keep enabling Java on my whitelisted sites. I want this option to be enabled mainly because of Flash.

Did you mean "Java", or "JavaScript"?
Due to an unfortunate historical naming (long since regretted), there has been confusion between these two to the present day.

ssjkakaroto wrote: My suggestion is to decouple the additional restrictions of untrusted and whitelisted sites. This way there would be two tabs, Embeddings (untrusted) and Embeddings (whitelisted), with the relevant options in each one.

It will get even better in NoScript 3.x for the desktop, which Giorgio is working furiously to release. There will be GUI permissions for *each site*, IIUC (design not finalized yet).

In the meantime, please read the sticky post, Site-Specific-Permission Questions? PLEASE READ THIS FIRST!, and the FAQ linked from it. They will help you accomplish your goals.
If after reading it, you still need assistance in formulating the rules, by all means post back with the specifics.

Best regards,
- Tom.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/11.0
ssjkakaroto
Posts: 19
Joined: Thu Mar 29, 2012 11:51 pm

Re: Suggestion for the 'Embeddings' tab

Post by ssjkakaroto »

Thanks for the response, Tom. I did mean Java, not JavaScript.
I'm reading the FAQ, but I'm having trouble formulating a rule that would allow Java objects but deny Flash objects from site.com.
If I use a rule that has something like:

Deny INC(OBJ,OBJSUB)

both objects will be blocked, right?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Suggestion for the 'Embeddings' tab

Post by Tom T. »

ssjkakaroto wrote: ..... a rule that would allow java objects but deny flash objects from site.com.

IIUC, you want to deny Flash even at whitelisted sites, but allow Java at *only certain* w/l sites, not all, correct?

To block Flash by default at whitelisted sites, on the NS Options > Embeddings tab, check "Forbid Flash" and "Apply these restrictions to whitelisted sites too". You will have to uncheck "Forbid Java" so that ABE gets to see the Java objects.

One way to allow Java, if it's only one site, which offers only one Java applet (real-world example):

Code:

Site java-vm@*.*
Accept from https://www.hushmail.com
Deny

The site has only one Java applet (the local encryption engine), so it's safe to wildcard it, while also wildcarding the blocking of all java-vm everywhere else.

At other sites, or for multiple sites, it's probably better to make individual rules:

Code:

Site java-vm@http://site1.com/java/somecoolfunction/*
Accept from .site1.com
Deny
Site java-vm@http://site2.com/java/somethingelse/*
Accept from .site2.com
Deny
Site java-vm@*.*
Deny #(blocking all other java-vm, as in the first example)

If there is no chance of the object names colliding (overlapping), these could be combined:

Code:

Site java-vm@http://site1.com/java/somecoolfunction/* java-vm@http://site2.com/java/somethingelse/* java-vm@http://site3.com/java/watchthis/*
Accept from .site1.com .site2.com .site3.com
Deny
Site java-vm@*.*
Deny

We have site-specific permissions for specific Java applets, and a general Deny rule for all other java-vm.

If your example is more complex, and following that pattern doesn't work for you, then go ahead and post the actual situations and name of objects to be allowed. If they're privacy-sensitive, you can PM to me, and put generic names in the post. I would just want to make sure that I'm seeing the actual site, getting the right permissions and restrictions, and testing that it works -- in strict confidence, of course.
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
ssjkakaroto
Posts: 19
Joined: Thu Mar 29, 2012 11:51 pm

Re: Suggestion for the 'Embeddings' tab

Post by ssjkakaroto »

Thanks a lot Tom, the rules you posted were more than enough for what I was trying to accomplish!
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Suggestion for the 'Embeddings' tab

Post by Tom T. »

ssjkakaroto wrote: Thanks a lot Tom, the rules you posted were more than enough for what I was trying to accomplish!

Excellent! And you're quite welcome. :)
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [RESOLVED VIA ABE] Suggestion for the 'Embeddings' tab

Post by Giorgio Maone »

I apologize for updating this topic so late, but unfortunately the information provided here was incorrect, probably based on confusion between embedded content blocking and ABE, which are separate and very different mechanisms.
More specifically, ABE knows almost nothing about content types, besides hints provided by the loader, and therefore nothing reliable and usable, because ABE blocking happens before the request is initiated, since its intended scope is preventing CSRF: in fact, once the request is sent and the content-type is ultimately known, CSRF already happened.
The syntax shown above has never been implemented, documented or even planned, sorry.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
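
Added illustration, not part of any post in this thread and not a ruleset shipped by the project: ABE rules match on what is known before a request leaves the browser, namely the destination (`Site`), the request method, and the origin (`from`). `bank.example` is a placeholder site name assumed for the example.

```abe
# Constructed example; bank.example is a placeholder, not a site from this thread.
# Destination: bank.example and its subdomains.
Site .bank.example
# POST requests and subdocument (frame) loads are accepted only from the site itself.
Accept POST SUB from SELF
# Plain GET navigation is accepted from any origin, so ordinary links keep working.
Accept GET
# Every other request to this destination is blocked before it is sent.
Deny

# Requests to LAN resources are accepted only when they originate from the LAN.
Site LOCAL
Accept from LOCAL
Deny
```

Nothing in these rules refers to the type of plugin content a response will carry; per-plugin blocking (Java, Flash) belongs to the Embeddings options, not to ABE.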