Please check "Do not automatically parse URLs" when posting example domains starting with "www.", otherwise the board linkifies them. Thanks.
(I've fixed your prior post.)
tarjk wrote:So if a request is sent to www.google.com from www.site1.com, it will be allowed, correct? Requests from all hosts to www.google.com will be denied except if the requesting host is www.site1.com.
Correct.
tarjk wrote:barbaz wrote:
Code: Select all
Site www.google.com
Accept from www.site1.com
Deny INCLUSION
would make non-top-level loads from Google allowed *only* if the page attempting the loads is on www.site1.com.
So in this example, a request to www.google.com from www.site1.com will be denied if www.site1.com is the domain/host that appears in the addressbar?
No, request to www.google.com will be denied if the request isn't what you see in the address bar, except that request to www.google.com will *always* be allowed if the request is from a page on www.site1.com
tarjk wrote:But if I am at XYZ.com and a request to www.google.com is sent from www.site1.com, the request would be allowed?
Yes.
tarjk wrote:If I am at XYZ.com, why would a request from www.site1.com be sent?
Lots of reasons.. probably the simplest is if www.site1.com is in an iframe on XYZ.com?
tarjk wrote:I guess I'm not understanding what is meant by "not top level load." If I'm at XYZ.com, I see XYZ in the address bar. So what would cause a request to go to Google from www.site1.com if I am on an XYZ webpage? Can you example this out? INCLUSION is saying to let the request go through when www.site1.com is the originator of the request but it is also not the domain/host that appears in the addressbar?
Sorry, I'm oversimplifying by saying "in the address bar" (I'm not always good at explaining things).
INCLUSION means "something included by a page" - that includes external JS files, external CSS files, images, (i)frames, and embedded Flash. However redirections and links are not INCLUSIONs, nor is anything you type in the address bar or a browser background load.
Is that clearer?
If you're on XYZ webpage, XYZ could embed www.site1.com/some/page.htm in an iframe, and that www.site1.com page could request www.google.com/jsapi (real google URL). There the google URL is an INCLUSION of www.site1.com.
(I actually have no idea what happens if you click a link inside an IFRAME that points to a site that ABE will only/always Deny INCLUSION. If you want me to test it out and get back to you let me know.)