Facebook won't load even after following FAQ instructions

[ReporterX]

Firefox 32
Noscript 2.6.8.41

I don't want to whitelist akamaihd.net since it is a tracking server too, so I added this code after reading the FAQ 5.4.

I put those codes under ABE > USER:

Code: Select all

Site .akamaihd.net
Accept INCLUSION from SELF++
Accept INCLUSION from .facebook.com
Deny
Site .akamai.net
Accept INCLUSION from SELF++
Accept INCLUSION from .facebook.com
Deny

I open http://www.facebook.com but the content does not know.
I even tried only include the first 4 lines. It still fails.
What's wrong?

[barbaz]

Are those akamai sites in your whitelist? If they aren't, then ABE has no useful blocking to do there.

Also, for this use case, you might be better off with this variant:

Code: Select all

# Allow Akamai sub-loads only on Akamai and Facebook
Site .akamaihd.net .akamai.net
Accept INCLUSION from .akamaihd.net .akamai.net .facebook.com
Deny

This is different from what you had in that it allows cross-site requests betweem akamai and akamaihd, and it avoids the potential quirkiness of SELF++ which is needed for CSRF protection but could cause issues with per-site permissions.

[Giorgio Maone]

In case it was not prominent enough in barbaz's post, whatever you're blocking in ABE, e.g. akamai.net, must be whitelisted for the ABE exceptions to work.

[ReporterX]

I see. Thanks a lot and for the modification of the codes.

What is SELF++?
What is the difference between SELF and SELF+ and SELF++?

SELF = http://www.example.com (so it won't match https://)
SELF+ = www.example.com
SELF++ = example.com

Correct?


I actually whitelisted them once, but I thought this allowed them to be running everywhere so I revoked finally.
It would be better to state it clearly in the FAQ too. Perhaps something like this:

You can use ABE to this effect, but akamai.net must be whitelisted for the ABE exceptions to work.. Add the following rule to your NoScript Options|Advanced|ABE USER ruleset:

[barbaz]

What is the difference between SELF and SELF+ and SELF++?

SELF = http://www.example.com (so it won't match https://)
SELF+ = www.example.com
SELF++ = example.com

Correct?

Pretty much, yes.
You've got SELF+ and SELF++ down, but bear in mind that all 3 can get quirky, especially when redirects are involved.

As for SELF, basically,
SELF = http://www.example.com:8080 (port must match too - if no specified port, match only the standard port, which is 80 for http and 443 for https)

[ReporterX]

Thanks for the reply.

Doing more testing and I found one issue.
This is a direct link posted by someone which I guess Facebook uses akamaihd to host files too.
But the link couldn't load. The ABE rule blocks it.

https://fbcdn-sphotos-b-a.akamaihd.net/hphotos-ak-xpf1/v/t1.0-9/10616626_746412565405133_8478840010455463574_n.jpg?oh=31abac8b101c9d8cf76f70d5c0917919&oe=5493D414&__gda__=1418982782_62b397846d7fc00e44e2f53c6051a3a5

Any clue?

[therube]

Error Console point anything out?

[barbaz]

Any clue?

Yup
Change the rule to

Code: Select all

# Allow Akamai sub-loads only on Akamai and Facebook
Site .akamaihd.net .akamai.net
Accept from .akamaihd.net .akamai.net .facebook.com
Deny INC

[ReporterX]

Any clue?

Yup
Change the rule to

Code: Select all

# Allow Akamai sub-loads only on Akamai and Facebook
Site .akamaihd.net .akamai.net
Accept from .akamaihd.net .akamai.net .facebook.com
Deny INC

Yup it is working again. Thanks.

Just curious. Why does it change from Deny to Deny INCLUSION?
Shouldn't we deny everything else?
I would like their scripts/contents to be loaded only when I visit the link directly, or requests from facebook.com only.
Wouldn't this be better?

Code: Select all

Site .akamai.net .akamaihd.net
Accept from .akamai.net .akamaihd.net
Accept INCLUSION from .facebook.com
Deny

And what are ALL, SUB too by the way?

Accept ALL - allow any requests from any method (so basically the same as Accept)
Accept SUB - only allow requests loaded in frame or iframe
Accept INCLUSION - only allow requests if not directly loaded from the main domain (i.e. example.com). It sounds to me it allows requests loaded in frame or iframe too.

Am I right?

[ReporterX]

Change accept into sandbox. Does it work? Will it be better?

I don't really trust those sites (I'm forced to whitelist it otherwise the content of Facebook won't load.
I prefer setting some restrictions instead of giving a blanket accept.

Site .akamai.net .akamaihd.net
Sandbox from .akamai.net .akamaihd.net
Sandbox INCLUSION from .facebook.com
Deny

[barbaz]

Why does it change from Deny to Deny INCLUSION?
Shouldn't we deny everything else?

In fact, it was denying "everything else" that caused the earlier breakage.

I would like their scripts/contents to be loaded only when I visit the link directly, or requests from facebook.com only.
Wouldn't this be better?

That's what the last ruleset I posted was supposed to do... did I miss something?

Wouldn't this be better?

Code: Select all

Site .akamai.net .akamaihd.net
Accept from .akamai.net .akamaihd.net
Accept INCLUSION from .facebook.com
Deny

Well, you're blocking links to akamai with that ruleset, which you said you didn't want to do.

And what are ALL, SUB too by the way?

ALL = everything
SUB = (i)frames

Accept ALL - allow any requests from any method (so basically the same as Accept)
Accept SUB - only allow requests loaded in frame or iframe
Accept INCLUSION - only allow requests if not directly loaded from the main domain (i.e. example.com). It sounds to me it allows requests loaded in frame or iframe too.

Am I right?

You understand ALL and SUB. INCLUSION refers to anything that's not a top-level load (meaning, INCLUSION matches everything other than what you see in the address bar).

Change accept into sandbox. Does it work? Will it be better?

No, because that won't have any effect on requests for things that can't *include* active content.
Basically that only affects frames/iframes.

I don't really trust those sites (I'm forced to whitelist it otherwise the content of Facebook won't load.
I prefer setting some restrictions instead of giving a blanket accept.

Site .akamai.net .akamaihd.net
Sandbox from .akamai.net .akamaihd.net
Sandbox INCLUSION from .facebook.com
Deny

The "Deny" where it is, necessarily means that you're placing restriction.
Could you please explain more what you want?

[ReporterX]

Wouldn't this be better?

Code: Select all

Site .akamai.net .akamaihd.net
Accept from .akamai.net .akamaihd.net
Accept INCLUSION from .facebook.com
Deny

Well, you're blocking links to akamai with that ruleset, which you said you didn't want to do.

Using the above rule, I found out if I access the link directly by typing/pasting in the address bar. It will load.
But if I click their direct link in the third party site, it will be blocked.

And what are ALL, SUB too by the way?

ALL = everything
SUB = (i)frames

Accept ALL - allow any requests from any method (so basically the same as Accept)
Accept SUB - only allow requests loaded in frame or iframe
Accept INCLUSION - only allow requests if not directly loaded from the main domain (i.e. example.com). It sounds to me it allows requests loaded in frame or iframe too.

Am I right?

You understand ALL and SUB. INCLUSION refers to anything that's not a top-level load (meaning, INCLUSION matches everything other than what you see in the address bar).

Thanks a lot.
As to INCLUSION, let's say you load http://www.example.com/somepage.html
Everything inside the page is permitted to be loaded.
But since you can't load (access) the page first, so you can't see anything.
Am I right?

Change accept into sandbox. Does it work? Will it be better?

No, because that won't have any effect on requests for things that can't *include* active content.
Basically that only affects frames/iframes.

Oh! What I thought was different.

I tested ABE with sandbox.
I ran the king.com Candy Crush from Facebook.
I had this rule:

Code: Select all

Site .akamai.net .akamaihd.net
Sandbox INCLUSION from .facebook.com
Deny INCLUSION

But the Facebook avatars couldn't be loaded.
I added "Accept INCLUSION from .king.com". Avatars loaded.
But when I changed it into "Sandbox INCLUSION from .king.com", avatars didn't load.

I thought Sandbox was to scrutinize and strip off the scripts, objects, plugins (like Javascript, Java, Flash, (i)frame etc.), and it was what active contents mean.
king.com probably needs to run a script and call the avatar. That's why it doesn't load if I use "Sandbox" instead of "Accept".
Everything is just wild guess. I know little about programming, so I could be wrong.

I don't really trust those sites (I'm forced to whitelist it otherwise the content of Facebook won't load.
I prefer setting some restrictions instead of giving a blanket accept.

Site .akamai.net .akamaihd.net
Sandbox from .akamai.net .akamaihd.net
Sandbox INCLUSION from .facebook.com
Deny

The "Deny" where it is, necessarily means that you're placing restriction.
Could you please explain more what you want?

I don't really want to permit those tracking sites to run at all, if possible.
But some sites refuse to display (some or all) contents if you don't allow them.
They probably use scripts to check if those are blocked. If so, the contents won't be loaded.
So I just want to give as few permissions as possible to display the contents, and anything unnecessary should be blocked.

If my understanding is correct, "Accept from onesite.com" allows them to run anything from that site.
Sandbox looks like I could get back some controls and disable scripts, plugins, active contents that I don't want to run, even from that site.
But you seem to tell me that sandbox basically are only useful in frames and iframes.
Well, but then what are the differences between "Sandbox" and "Deny SUB"?
Sorry for all those questions.
I spent quite a long time searching and reading, but I still couldn't understand them on my own.

[barbaz]

Using the above rule, I found out if I access the link directly by typing/pasting in the address bar. It will load.
But if I click their direct link in the third party site, it will be blocked.

[...]

As to INCLUSION, let's say you load http://www.example.com/somepage.html
Everything inside the page is permitted to be loaded.
But since you can't load (access) the page first, so you can't see anything.
Am I right?

You can still access the page from the address bar, since chrome is unaffected when there is an exception in an ABE rule.
If you want to understand INCLUSION better, plug in this rule

Code: Select all

Site .noscript.net
Accept INC
Deny

then try to access noscript.net from the address bar, then click a link pointing somewhere on noscript.net. I think the results will speak for themselves.

Oh! What I thought was different.

I tested ABE with sandbox.
I ran the king.com Candy Crush from Facebook.
[...]

Sorry, can't help you there. I don't have access to Facebook (thouroughly plugged it myself because of all their tracking), and figuring this one out would probably require me going to the site.

I don't really want to permit those tracking sites to run at all, if possible.
But some sites refuse to display (some or all) contents if you don't allow them.
They probably use scripts to check if those are blocked. If so, the contents won't be loaded.
So I just want to give as few permissions as possible to display the contents, and anything unnecessary should be blocked.

Akamai is a CDN, so it's not surprising that disallowing it breaks the site that uses it. It's not that the site's scripts are checking whether the Akamai scripts have loaded.
Unfortunately, what you want is surrogate scripts, but you say you're not a programmer...

If my understanding is correct, "Accept from onesite.com" allows them to run anything from that site.
Sandbox looks like I could get back some controls and disable scripts, plugins, active contents that I don't want to run, even from that site.
But you seem to tell me that sandbox basically are only useful in frames and iframes.
Well, but then what are the differences between "Sandbox" and "Deny SUB"?
Sorry for all those questions.
I spent quite a long time searching and reading, but I still couldn't understand them on my own.

Sandbox blocks all active content in the iframe. Deny SUB blocks the whole iframe outright.
If you want to emulate NoScript's script blocking using ABE, see viewtopic.php?f=7&t=19305

[ReporterX]

Using the above rule, I found out if I access the link directly by typing/pasting in the address bar. It will load.
But if I click their direct link in the third party site, it will be blocked.

[...]

As to INCLUSION, let's say you load http://www.example.com/somepage.html
Everything inside the page is permitted to be loaded.
But since you can't load (access) the page first, so you can't see anything.
Am I right?

You can still access the page from the address bar, since chrome is unaffected when there is an exception in an ABE rule.
If you want to understand INCLUSION better, plug in this rule

Code: Select all

Site .noscript.net
Accept INC
Deny

then try to access noscript.net from the address bar, then click a link pointing somewhere on noscript.net. I think the results will speak for themselves.

It blocks me outright, no matter whether I type the link in the address bar, or click a link pointing somewhere on noscript.net.
So I guess "top load" means "the very first thing I load, and in this case it is the homepage of noscript.net, and the access is blocked.

[ABE] <.noscript.net> Deny on {GET http://www.noscript.net/ <<< chrome://browser/content/browser.xul - 6}
USER2 rule:
Site .noscript.net
Accept INCLUSION
Deny

I don't have access to Facebook (thouroughly plugged it myself because of all their tracking), and figuring this one out would probably require me going to the site.

Wise choice. Facebook is a serious privacy invader. I'm not really using it personally but keep an account there.
For example when an average joe who uses Noscript asks me to help. I can open Facebook to troubleshoot it.

If my understanding is correct, "Accept from onesite.com" allows them to run anything from that site.
Sandbox looks like I could get back some controls and disable scripts, plugins, active contents that I don't want to run, even from that site.
But you seem to tell me that sandbox basically are only useful in frames and iframes.
Well, but then what are the differences between "Sandbox" and "Deny SUB"?
Sorry for all those questions.
I spent quite a long time searching and reading, but I still couldn't understand them on my own.

Sandbox blocks all active content in the iframe. Deny SUB blocks the whole iframe outright.
If you want to emulate NoScript's script blocking using ABE, see viewtopic.php?f=7&t=19305

FONT is missing in the ABE PDF documentation. Glad to know it is available too.

So if I want to block all 8 content types (in the "Enbeddings menu", i.e. Java, Flash, Silverlight, other plugins, <AUDIO> & <VIDEO>, <(i)frame>, font) via ABE, do I need to type this?

Code: Select all

Site .site.com
Deny SUB INCLUSION(SCRIPT, OBJ, FONT, XHR)
Sandbox

But nothing specifically targets Audios and Videos which is available in the Noscript option.
Any content types for them?
Thanks a lot.

[barbaz]

It blocks me outright, no matter whether I type the link in the address bar, or click a link pointing somewhere on noscript.net.

Huh, so it does.
I thought that any Accept statement implied "Accept ALL from chrome:" by design.
@Giorgio (or anyone else who knows): Is it a bug that it doesn't work that way in this case, or am I misunderstanding something?

So if I want to block all 8 content types (in the "Enbeddings menu", i.e. Java, Flash, Silverlight, other plugins, <AUDIO> & <VIDEO>, <(i)frame>, font) via ABE,

Apparently, that would be

Code: Select all

Site .site.com
Deny INCLUSION(SCRIPT, OBJ, FONT, XHR, MEDIA, SUBDOC)
Sandbox

And yes, MEDIA matches audio/video.
(OK, so I just took a wild guess based mostly on Adblock Plus's undocumented syntaxes. But it seems to act as expected, at least for AUDIO.)