[RESOLVED] Trying to finger out YouTube & s.ytimg.com
I'm trying to finger out why I must temp allow s.ytimg.com despite having an ABE rule:
Site s.ytimg.com
Accept from https://www.youtube.com
deny
Also, it would also be nice to define an ABE ruleset for googlevideo.com and restrict it to personally deemed 'safe' sites, e.g., https://www.youtube.com, and subsequently add specific sites as they're discovered.
Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0
Re: Trying to finger out YouTube & s.ytimg.com
wxman1 wrote: I'm trying to finger out why I must temp allow s.ytimg.com despite having an ABE rule:
Because ABE is totally separate from script blocking.
wxman1 wrote: Also, it would also be nice to define an ABE ruleset for googlevideo.com and restrict it to personally deemed 'safe' sites, e.g., https://www.youtube.com, and subsequently add specific sites as they're discovered.
I don't see why you can't already do that. What specifically would you like help with to make it work?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Trying to finger out YouTube & s.ytimg.com
Given your answer, I'm actually stupider now than when I first showed up.
This video doesn't play:
https://www.youtube.com/watch?v=pJkb2Esf9Fc
After I temp allow www.youtube.com and WITH the aforementioned ABE rule.
That notwithstanding, IF I temp allow s.ytimg.com it plays. Therefore the ABE rule - and by extension ABE itself - is worthless; in either case, either s.ytimg.com being temp allowed - which defeats ABE entirely because the site is now whitelisted and vulnerable ANYWHERE on the interwebs - or untrusted by NoScript thereby allowing ABE ruleset to come into scope in which case that plain don't work.
Re: Trying to finger out YouTube & s.ytimg.com
wxman1 wrote: Given your answer, I'm actually stupider now than when I first showed up.
Don't worry about it, you're not alone thinking that way.
wxman1 wrote: IF I temp allow s.ytimg.com it plays.
Congratulations, it works as expected for you, that's how it should be and how it's always been.
wxman1 wrote: Therefore the ABE rule - and by extension ABE itself - is worthless; in either case, either s.ytimg.com being temp allowed - which defeats ABE entirely because the site is now whitelisted and vulnerable ANYWHERE on the interwebs
No. ABE will still block it from loading if anyone other than https://www.youtube.com calls it.
ABE is case-sensitive, maybe it's the lowercase d in Deny? (But I'd have thought it would reject the ruleset if it couldn't handle it.)
wxman1 wrote: or untrusted by NoScript thereby allowing ABE ruleset to come into scope in which case that plain don't work.
If you're about to eat a chicken sandwich, would you instinctively decide to use a freight train for that?
Or would you prefer to simply eat the chicken sandwich like any other food, while driving the train at the same time?
ABE is not part of the script blocking. The script blocking is not part of ABE. They are not related. ABE doesn't care about script blocking permissions. Script blocking doesn't care about ABE rules.
It's two totally independent things.
Imagine if what you're saying were really a requirement, then CSRF protection would require you to already know and untrust the site doing the CSRF. But by the time you do that, your bank account is already drained and your router is already compromised.
With it being independent, bad sites get blocked by ABE even if you don't know and untrust the bad sites ahead of time. And you can more easily do what you seem to be trying to do here.
So, win-win all the way.
Re: Trying to finger out YouTube & s.ytimg.com
Thanx for the reply. I'm going to have to analyze that a bit.
That notwithstanding, I believe the issue fundamentally stems from speculative / dynamic loading, i.e., the script src is a parameter to a function.
<script src="//s.ytimg.com/yts/jsbin/scheduler.../scheduler.js" type="text/javascript" name="scheduler/scheduler"></script>
<script>
var ytimg = {};
ytimg.count = 1;
ytimg.preload = function(src) {
  var img = new Image();
  var count = ++ytimg.count;
  ytimg[count] = img;
  img.onload = img.onerror = function() { delete ytimg[count]; };
  img.src = src;
};
</script>
<script src="//s.ytimg.com/yts/jsbin/player-en_US.../base.js" name="player/base"></script>
<link rel="stylesheet" href="//s.ytimg.com/yts/cssbin/www-core...[URI_ABC].css" name="www-core">
<link rel="stylesheet" href="//s.ytimg.com/yts/cssbin/www-player...[URI_DEF].css" name="www-player">
<link rel="stylesheet" href="//s.ytimg.com/yts/cssbin/www-pageframe...[URI_GHI].css" name="www-pageframe">
<script>ytimg.preload("https:\/\/r9---[URI_JKL].googlevideo.com\/crossdomain.xml");ytimg.preload("https:\/\/r9---[URI_JKL].googlevideo.com\/generate_204");</script>
Last edited by barbaz on Mon Aug 08, 2016 9:12 pm, edited 2 times in total.
Reason: fix bbcode
Re: Trying to finger out YouTube & s.ytimg.com
wxman1 wrote: That notwithstanding, I believe the issue fundamentally stems from speculative / dynamic loading, i.e., the script src is a parameter to a function.
OK back up a moment. How are you determining that your existing ABE rule is in fact not restricting s.ytimg.com?
Re: Trying to finger out YouTube & s.ytimg.com
EDIT Oops, the post I replied to is gone? I was wondering why the board ate my reply.
@wxman1: if you deliberately deleted it, let me know if/how you would like this post edited or deleted.
wxman1 wrote: So ABE can refine globally whitelisted sites?
Yes exactly. It's alluded to in FAQ 8.10 but those examples are simplified and more global than just script permissions. This is what you would do if you wanted only to tweak active content permissions but leave the rest alone:
Code: Select all
Site .ytimg.com
Accept from https://www.youtube.com
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox
wxman1 wrote: If the site is untrusted, the ABE rule don't matter?
In terms of using ABE to tune active content permissions, yes.
More generally, if a site is blocked in ABE, being untrusted doesn't matter.
Re: Trying to finger out YouTube & s.ytimg.com
I did delete the post; I saw your reply and it seems to make that whole post moot. Sorry 'bout the hiccup.
Quote: ABE is not part of the script blocking. The script blocking is not part of ABE. They are not related. ABE doesn't care about script blocking permissions. Script blocking doesn't care about ABE rules.
It's two totally independent things.
I was under the impression that if the site is whitelisted, ABE rule-sets are not in effect. What you're stating is that the site must be whitelisted for an ABE rule-set to become effective.
Apparently you've already confirmed my notion.
Re: Trying to finger out YouTube & s.ytimg.com
wxman1 wrote: I did delete the post; I seen your reply and it seems to make that whole post moot. Sorry 'bout the hiccup.
No problem.
wxman1 wrote: What you're stating is that the site must be whitelisted for an ABE rule-set to become affective.
When using ABE for per-site permissions (and not CSRF protection), a site must be whitelisted for the ABE ruleset to become useful.
I'll just leave this here: viewtopic.php?f=23&t=21401#p79796
Re: Trying to finger out YouTube & s.ytimg.com
Yay, I gots it to work; .googlevideo & s.ytimg.com are now dependent upon a single temp allow of www.youtube.com
So I'm understanding that if a site is untrusted, and a surrogate script exists, the surrogate becomes effective. If I whitelist a site for which a surrogate script exists, and have an ABE ruleset that accepts that site from various resource URIs, is the surrogate invoked, or the hosted script? I'm hoping the interweb based script executes, and that the surrogate is effective for all URIs otherwise denied.
Re: Trying to finger out YouTube & s.ytimg.com
wxman1 wrote: Yay, I gots it to work;
Great!
wxman1 wrote: So I'm understanding that if a site is untrusted, and a surrogate script exists, the surrogate becomes affective. If I whitelist a site for which a surrogate script exists, and have an ABE ruleset that accepts that site from various resource URI is the surrogate invoked, or the hosted script? I'm hoping the interweb based script executes, and that the surrogate is affective for all URI otherwise denied.
It works exactly like you're hoping, the surrogate script will execute regardless of the reason the real script is blocked, and will not execute if the real script is allowed.
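To make the two layers discussed in this thread concrete, here is a small Python model, added for this page and not NoScript's own code, of how the ".ytimg.com" ruleset quoted above and the surrogate behaviour described in the last reply combine. It assumes a simplified ABE: the first matching rule of a matching Site block wins, a leading dot in Site covers the domain and its subdomains, only bare Deny and Deny INC(...) are modelled, and keywords are case-sensitive (the thread's guess about the lowercase "deny", not verified against NoScript).

```python
from urllib.parse import urlparse

# Ruleset quoted in the thread; the requests fed to it below are constructed.
RULESET = """\
Site .ytimg.com
Accept from https://www.youtube.com
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox
"""

def host_matches(pattern, host):
    # Leading dot: the domain and any subdomain; otherwise exact host only.
    return host == pattern.lstrip(".") or (pattern.startswith(".") and host.endswith(pattern))

def parse_ruleset(text):
    """Group rule lines under their Site header; keywords are case-sensitive (assumption)."""
    blocks = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("Site "):
            blocks.append((line[5:], []))
        elif blocks and line.split()[0] in ("Accept", "Deny", "Sandbox"):
            blocks[-1][1].append(line)
        else:  # e.g. a lowercase 'deny' is rejected rather than silently ignored
            raise ValueError("unrecognised ABE line: " + line)
    return blocks

def abe_decision(blocks, origin, dest_url, req_type):
    """Top-down, first matching rule wins; a destination no Site covers is accepted."""
    host = urlparse(dest_url).hostname or ""
    for pattern, rules in blocks:
        if not host_matches(pattern, host):
            continue
        for rule in rules:
            verb, _, rest = rule.partition(" ")
            if verb == "Accept" and rest.startswith("from ") and origin in rest[5:].split():
                return "Accept"
            if verb == "Deny" and (not rest or (rest.startswith("INC(")
                    and req_type in rest[4:].rstrip(")").replace(",", " ").split())):
                return "Deny"
            if verb == "Sandbox":
                return "Sandbox"
    return "Accept"

def what_runs(blocks, origin, script_url, whitelisted, has_surrogate):
    """Script whitelist and ABE are independent gates on the real script; the
    surrogate runs whenever the real script is blocked, whatever the reason."""
    real = whitelisted and abe_decision(blocks, origin, script_url, "SCRIPT") == "Accept"
    return "real" if real else ("surrogate" if has_surrogate else "blocked")
```

Note that an image from i.ytimg.com requested by an unrelated origin falls through the INC(...) list to Sandbox, while a script from s.ytimg.com requested by that origin is denied even though s.ytimg.com is whitelisted.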
Re: Trying to finger out YouTube & s.ytimg.com
Wicked
I just replaced all the 'deny' in my ABE rule-sets - if that was an issue - with 'Deny' and whitelisted all my ABE rule-set sites.
This is of particular interest with respect to google-analytics; I allow web-masters of explicitly trusted web-sites to avail themselves of whatever statistical info they can glean from my traffic. The rest of the inter-webs can stuff themselves and get the surrogate.