help me to understood ABE

[forecehh]

hi
i added below rule-sets in user rule set in ABE,to auto allow ajax.googleapis.com and google.com
on google.com and deny from any other site
but still i must use temporarily allow menu to allow them
so i am not sure ABE doing this job or i am wrong?

http://www.goal.com/en-us/news/1110/maj ... ID=HP_TN_6

Code: Select all

Site .ajax.googleapis.com
Accept from .goal.com .ajax.googleapis.com
Deny
Site .google.com
Accept from .goal.com .google.com
Deny

some suggestion
when i export white list i see my untrusted site is under [UNTRUSTED] section
its not better and easy add something to allow origin to destination
example

Code: Select all

[UNTRUSTED]
http://ajax.googleapis.com/

[ALLOWPERSITEUNTRUSTED]
goal.com|ajax.googleapis.com

So ajax.googleapis.com blocked everywhere
but allowed on goal.com

also some site refresh automatically itself,is there any options in noscript to block this automatically refresh on all site?
if there is no options can you please add that?

thanks

[kainee]

Hi everyone,

I'd just like to support this request since I have a similar problem. After reading the forum sticky on site specific permissions and the ABE section in the FAQ and testing a bit I THINK I understand but I'm not sure I really do - and I don't want to punch a hole in noscript security by misunderstanding how ABE and the whitelist interact.

So am I correct in assuming that ABE rules apply to whitelisted(or temporarily allowed) sites ONLY? Meaning that using ABE rules I can specify more precisely on which sites a given domain in the whitelist can really be used and for which it will be denied DESPITE being in the whitelist?

I believe that is more or less a rephrasing of the above question in more general terms, but I may be missing something ...

Thank you for all the wonderful work you do and thank you for this great tool!
Best wishes,
kainee

p.s.: I do understand that section 8.10 of the faq is supposed to answer this question but I'm still confused - maybe because I'm not a native English speaker. Maybe because I'm over anxious to get it right 'cos I'm also preparing to hold a NoScript workshop. Or maybe I'm just dumb (but even if that's the case, it wouldn't be my fault but just the way I am, so maybe someone could still enlighten me )

[Ilya]

So am I correct in assuming that ABE rules apply to whitelisted(or temporarily allowed) sites ONLY? Meaning that using ABE rules I can specify more precisely on which sites a given domain in the whitelist can really be used and for which it will be denied DESPITE being in the whitelist?

The short answer is "no".
An extract from that very section 8.10 of the NoScript FAQ:

Notice that since ABE's rule work independently from NoScript's permissions [...]

[Thrawn]

ABE is not about script-blocking at all. There is no interaction between them. ABE does not automatically whitelist anything, and it will apply to all sites, whitelisted or not.

The original purpose of ABE was to protect sensitive sites against fraudulent requests from other sites. The classic example is something like this:

Code: Select all

Site .bank.com
Accept from SELF
Deny

So other sites you visit can't send requests to your bank telling it to transfer money to themselves.

If you want to use ABE for site-specific blocking, you certainly can, but you have to use it separately to regular whitelisting.
Usually, this means that you need to allow the site in the regular whitelist (otherwise it will be blocked everywhere), and then use an ABE rule to manage it. The googleapis rule at the start of this thread looks about right.

Code: Select all

Site <the site I want to allow only at some places>
Accept from <list of sites where it should be allowed>
Deny

If this looks backward, that's because it was designed to protect 'Site' from cross-site requests.

Effectively, the rule at the start of this thread tells ABE that ajax.googleapis.com and google.com are sensitive, and that only themselves and goal.com should be allowed to access them.

[kainee]

Thanks for your replies - especially yours, Thrawn, was very clear and comprehensible and finally provided me with the information and understanding I was hoping for

[Thrawn]

Thanks for your replies - especially yours, Thrawn, was very clear and comprehensible and finally provided me with the information and understanding I was hoping for

Thanks . That's what the support team is here to do.

[forecehh]

thank you very much now i get that how that work
but what about my suggestion ?it possible add it?

[Thrawn]

thank you very much now i get that how that work
but what about my suggestion ?it possible add it?

If you mean the suggestion to block automatic refreshes, that is already available under Options - Advanced - Untrusted. Firefox has a built-in setting for this too.

[forecehh]

thank you very much now i get that how that work
but what about my suggestion ?it possible add it?

If you mean the suggestion to block automatic refreshes, that is already available under Options - Advanced - Untrusted. Firefox has a built-in setting for this too.

thankyou
but what option in no script?
i looking you add such feature if its not available in noscript.
RefreshBlocker 0.8
https://addons.mozilla.org/en-US/firefo ... r/?src=api

i know that on some older version noscript can not block auto refresh(RefreshBlocker can block) but with new version im not sure.
examplepage:
http://www.physiology.wisc.edu/ravi/test/test9.html

[Thrawn]

but what option in no script?
i looking you add such feature if its not available in noscript.

NoScript can block refreshes using the META tag (which doesn't need JavaScript) on untrusted sites. Options menu, Advanced tab, Untrusted sub-tab, "Forbid META redirections inside <NOSCRIPT> elements".

Firefox can block some kinds of refreshes. In the Preferences dialog, choose Advanced tab, General sub-tab, "Warn me when websites try to redirect or reload the page".

Anything more than this is not part of NoScript (why would you need it for security?), so you need a different addon (like RefreshBlocker, as you mentioned).

[forecehh]

because since I See NoScript Forbid Everything i wanted that to
but i you dont add this no problem

[forecehh]

ok
i have one rule like this in system rulsets

Code: Select all

Site .2o7.net .ix.e .e.cl .i.ua .u.pl .a.com .a.net .ad.hu .am.ru
Deny ALL from ALL

then i have some rule in userrulesets

Code: Select all

Site .tumblr.com .stumble-upon.com .stumbleupon.com .twitter.com .reddit.com .digg.com .yandex.st .yandex.ru .disqus.com .aol.com .ebay.com .yahoo.com .msn.com  .godaddy.com .feedburner.com
Accept from .tumblr.com .stumble-upon.com .stumbleupon.com .twitter.com .reddit.com .digg.com .yandex.st .yandex.ru .disqus.com .aol.com .ebay.com .yahoo.com .msn.com  .godaddy.com .feedburner.com
Deny

Code: Select all

Site .google-analytics.com
Accept from .google-analytics.com
Deny

and all of user rulset is in white listed script
but i dont know where i wrong
example i visit

Code: Select all

http://www.putlocker.com

script not allowd
every request blocked until i temp-allow script putlocker.com
then in Request policy log window i see this

Code: Select all

http://www.putlocker.com/cdn-cgi/pe/bag2?r[]=http%3A%2F%2Fwww.google-analytics.com%2Fga.js
http://www.putlocker.com/cdn-cgi/pe/bag2?r[]=http%3A%2F%2Fplatform.twitter.com%2Fwidgets.js

so what is it?

[Thrawn]

I'm not sure I'm following you. What problems are you actually seeing?

The fact that all scripts are blocked on a page until you allow the top-level site is a normal part of script-blocking, not related to ABE.

Are there ABE-related messages in the Browser Console (Ctrl+Shift+J)?

[forecehh]

look i change and use this

Code: Select all

Site .twitter.com
Accept from .somesite.com
Deny
Site .google-analytics.com
Accept from .somesite.com
Deny

and with FAQ I read must add to allowed script

so google-analytics.com and twitter.com must accept from .somesite.com .right?
so when i go to .putlocker.com both blocked.
but if i temp allow .putlocker.com
i see both make request.is this normal?
also if i use below rule,even if make temp allow .putlocker.com that keep blocking that

Code: Select all

Site ALL
Accept from SELF++

Deny
also look this screenshot

Code: Select all

http://photoload.ru/data/8d/eb/fe/8debfe89ff4e816e85d96e401d37073d.png

[Thrawn]

If the requests aren't being sent when scripts from putlocker.com are blocked, then probably it's a piece of JavaScript that is sending them.

It's normal (although unfortunate) for sites to be broken when their scripts are blocked.