Allow Java on selected sites

[Guest]

Hi. I have Forbid java etc. + "Apply these restrictions to whitelisted sites too". Any time I want to see full functionality on a site I simply do Temporarily allow. But I play chess on pogo.com every day, and to save myself some time I decided to add ABE for it:

Site .pogo.com
Accept

The problem is this doesn't work. I still have to Temporarily allow www.pogo.com under Blocked objects submenu on every browser session. It seems that Forbid java etc. + "Apply these restrictions to whitelisted sites too" takes priority over ABE and it cannot overrule that. As soon as I uncheck that pogo.com works with no further actions needed, together with sites I DON'T want Flash etc. to work on.

[Thrawn]

What you probably want is the noscript.allowedMimeRegExp setting in about:config.

It seems that Forbid java etc. + "Apply these restrictions to whitelisted sites too" takes priority over ABE and it cannot overrule that.

Actually, object blocking and ABE are totally separate features, and they work independently. So yes, object blocking will continue to apply regardless of what you write in ABE.

What you can do, however, is write ABE rules to describe exactly the protection you want, and then disable the other NoScript feature(s) involved. So, if you wrote an ABE rule exactly describing which Flash objects are allowed where, then you could switch off the Forbid Java checkbox.

As soon as I uncheck that pogo.com works with no further actions needed, together with sites I DON'T want Flash etc. to work on.

Indeed. You can investigate the allowedMimeRegExp setting (search the forum for instructions about it), or you can delve into the wonderful world of ABE rules. Probably allowedMimeRegExp is simpler.

[rihad1980]

What you probably want is the noscript.allowedMimeRegExp setting in about:config.

Thanks a lot, this did the trick:

application/x-java-vm@https?://(?:www\.|game\d+\.)?pogo\.com

I didn't need to fiddle with Forbid java + "Apply these restrictions to whitelisted sites too".
The said MIME type disappeared from Blocked objects as could be expected.

A bit unexpectedly, this ABE rule wasn't required either, so I could comment it:

Site .pogo.com
Accept

although pogo.com definitely has some scripty feel to it.

[rihad1980]

What you probably want is the noscript.allowedMimeRegExp setting in about:config.

Thanks a lot, this did the trick:

application/x-java-vm@https?://(?:www\.|game\d+\.)?pogo\.com

I didn't need to fiddle with Forbid java + "Apply these restrictions to whitelisted sites too".
The said MIME type disappeared from Blocked objects as could be expected.

A bit unexpectedly, this ABE rule wasn't required either, so I could comment it:

Site .pogo.com
Accept

although pogo.com definitely has some scripty feel to it.

[Guest]

False alarm, I had "Temporarily allow top-level sites by default (Full Addresses)" checkbox ticked.

[Thrawn]

A bit unexpectedly, this ABE rule wasn't required either

No, that's very much to be expected. ABE doesn't allow anything that something else is blocking. It just imposes restrictions of its own. No ABE rule = no ABE restrictions.

You can't use ABE to override the Blocked Objects menu. What you can do is switch off object-blocking and use ABE to manage objects instead. But the way you've done it is much simpler.

[rihad1980]

ABE doesn't allow anything that something else is blocking.

This is indeed the take-home message here! Thanks!

[rihad1980]

BTW, how and when would Accept in ABE be useful? Or is Accept pretty much useless in the current NoScript implementation?
I'd guess it could be used to build up a restrictive firewall within ABE itself, i.e. except this site and that (which is Accept), forbid everything else (Deny), first match wins. One of those few cases where "except" sounds and means same as "accept"

[Thrawn]

BTW, how and when would Accept in ABE be useful? Or is Accept pretty much useless in the current NoScript implementation?
I'd guess it could be used to build up a restrictive firewall within ABE itself, i.e. except this site and that (which is Accept), forbid everything else (Deny), first match wins. One of those few cases where "except" sounds and means same as "accept"

Pretty much, yes. Take a look at the built-in SYSTEM rule as an example. Requests for local resources are permitted only if they come from local sites, so if, for example, a random website tries to open 192.168.0.1 (which is probably your router) in an IFRAME, then ABE will block it. That's the kind of thing that ABE is primarily designed for: protecting valuable-but-vulnerable sites from fraudulent cross-site requests.