Problem with allowing site-specific script access with CDNs

Discussions about the Application Boundaries Enforcer (ABE) module
Sophira
Posts: 9
Joined: Wed Mar 21, 2012 5:00 am

Post by Sophira »

I'm using NoScript's implementation of ABE in order to allow certain CDNs only from their relevant sites. To do this, I have rules such as these:

Code:

Site o.aolcdn.com
Accept from www.shoutcast.com
Accept from s.aolcdn.com
Deny INCLUSION(SCRIPT)

Site s.aolcdn.com
Accept from www.shoutcast.com
Accept from o.aolcdn.com
Deny INCLUSION(SCRIPT)

As I understand it, this should allow me to use the scripts hosted on o.aolcdn.com and s.aolcdn.com on www.shoutcast.com and allow scripts from either to include scripts from the other, and deny any other sites from including scripts hosted on the CDN (but allow other things like images). All three sites (I generally allow sites by base 2nd level domains) are allowed in NoScript. However, these rules aren't working as expected; when I go to http://www.shoutcast.com/ in my browser, I get messages like this in my log and the scripts don't run:

Code:

[ABE] <s.aolcdn.com> Deny INCLUSION(SCRIPT) on {GET https://s.aolcdn.com/os/aol/jquery-1.7.1.min.js <<< http://o.aolcdn.com/os/aol/jquery-1.7.1.min.js, http://www.shoutcast.com/ - 2}
USER rule:
Site s.aolcdn.com
Accept from www.shoutcast.com
Accept from o.aolcdn.com
Deny INCLUSION(SCRIPT)

I'm not altogether sure why I'm having problems, and I'm guessing there's something I'm not understanding. Can anybody help me work out what's wrong? Thanks. :)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Problem with allowing site-specific script access with C

Post by Thrawn »

Hmm...not sure offhand, but try a shorter form of your rules and see whether that makes a difference:

Code:

Site s.aolcdn.com o.aolcdn.com
Accept from s.aolcdn.com o.aolcdn.com www.shoutcast.com
Deny INC(SCRIPT)

Or if you're not too concerned about the CDN talking to itself:

Code:

Site s.aolcdn.com o.aolcdn.com
Accept from SELF++ www.shoutcast.com
Deny INC(SCRIPT)
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0

Re: Problem with allowing site-specific script access with C

Post by Sophira »

The first example works fine, thanks! After some experimentation, I found that this also works:

Code:

Site o.aolcdn.com
Accept from www.shoutcast.com s.aolcdn.com
Deny INCLUSION(SCRIPT)

Site s.aolcdn.com
Accept from www.shoutcast.com o.aolcdn.com
Deny INCLUSION(SCRIPT)

I'm confused as to why that works and my first attempt didn't, though. It looks like there's some sort of bug with the parsing of Accept lines. I'm using NoScript 2.6.6.1, so I'll update and let you guys know if it still happens on the latest version.

(I also found some other annoying bugs that would have caused me to lose all of my ABE rules just now if I hadn't had a copy of them elsewhere, but I'm guessing those are for another thread.)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0

Re: Problem with allowing site-specific script access with C

Post by Sophira »

Yep, the buggy behaviour still occurs in 2.6.7, as does the other buggy behaviour I mentioned that nearly lost me my ABE rules. How should I go about reporting these?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0

Re: Problem with allowing site-specific script access with C

Post by Thrawn »

There are some complications around Accept lines when third-party sites send requests to other sites. The request origin in your ABE error message was 'http://o.aolcdn.com/os/aol/jquery-1.7.1.min.js, http://www.shoutcast.com/', i.e. ABE recognised both o.aolcdn.com and www.shoutcast.com as being responsible for the request. Putting both sites into the same Accept line tends to work.

I'm not sure that this is actually a bug; it may be an undocumented feature. Giorgio would be able to answer better (by the way, this is the bug tracker).
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0
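
A simplified model of the behaviour discussed in this thread, added here as an example; it is not part of any post and not NoScript's own code. It assumes, as a hypothesis consistent with the logged request, that a single Accept predicate must list every origin ABE attributes the request to; all function and constant names are hypothetical.

```javascript
// Simplified model of ABE rule evaluation: an assumption, not NoScript source.
// Only plain hostnames and INCLUSION(...)/INC(...) methods are modelled.
function parseRules(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const [kw, ...rest] = raw.trim().split(/\s+/);
    if (!kw) continue;
    if (kw === 'Site') {
      rules.push({ sites: rest, predicates: [] });
    } else if (rules.length > 0) {
      const i = rest.indexOf('from'); // Action [methods] [from origins]
      rules[rules.length - 1].predicates.push({
        action: kw,
        methods: i < 0 ? rest : rest.slice(0, i),
        from: i < 0 ? null : rest.slice(i + 1),
      });
    }
  }
  return rules;
}
function methodMatches(methods, type) {
  if (methods.length === 0) return true; // no method listed: any request
  return methods.some(m => {
    const inc = /^INC(?:LUSION)?(?:\((.*)\))?$/.exec(m);
    return inc !== null && (inc[1] === undefined || inc[1].split(',').includes(type));
  });
}

// Hypothesis: a predicate's "from" list must cover EVERY origin in the chain.
function evaluate(rules, req) {
  for (const rule of rules) {
    if (!rule.sites.includes(req.host)) continue;
    for (const p of rule.predicates) {
      const originsOk = p.from === null || req.origins.every(o => p.from.includes(o));
      if (originsOk && methodMatches(p.methods, req.type)) return p.action;
    }
  }
  return 'Pass'; // nothing matched: the model leaves the request alone
}

// Request taken from the ABE log line in the first post.
const LOGGED = { host: 's.aolcdn.com', type: 'SCRIPT',
  origins: ['o.aolcdn.com', 'www.shoutcast.com'] };
const SEPARATE = 'Site s.aolcdn.com\nAccept from www.shoutcast.com\n' +
  'Accept from o.aolcdn.com\nDeny INCLUSION(SCRIPT)';
const MERGED = 'Site s.aolcdn.com\n' +
  'Accept from www.shoutcast.com o.aolcdn.com\nDeny INCLUSION(SCRIPT)';
const decide = (text, req = LOGGED) => evaluate(parseRules(text), req);
console.log(decide(SEPARATE), decide(MERGED)); // Deny Accept
```

Under this model the separate Accept lines each cover only one of the two origins, so the request falls through to the Deny, while the merged line covers both.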

Re: Problem with allowing site-specific script access with C

Post by Thrawn »

Re nearly losing your ABE rules: if you're talking about them being cleared when you press Ctrl+Z, that's a known issue.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0

Re: Problem with allowing site-specific script access with C

Post by Sophira »

That, and the fact that pressing Cancel doesn't actually cancel your changes. When I pressed Ctrl+Z, my first instinct was not to press Ctrl+Y (which would have restored it) but to click Cancel. Unfortunately the changes still get saved when you do that.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0