InformAction Forums

ssj100 wrote:Just another query. Can I just confirm:

This code means live.com and twitter.com are exempted from the rule (presumably the "comma" separates it out):

Code: Select all

Site ^http://
Accept from .live.com, .twitter.com
Deny from ^https://

ssj100 wrote: This code means nothing is exempt from the rule (I notice I have to put the "full stop" to ensure the code works):

Code: Select all

Site ^http://
Accept from .
Deny from ^https://

Site http:
Deny from https:

Site http:
Deny INC from https:

ssj100 wrote:What's the difference between using ABE and using this option here to block mixed content?:

ssj100 wrote: By the way, it's not just Hotmail that has a problem when you add that code. Yahoo Mail also has the same problem - you need to exempt ".yahoo.com" to be able to log in.

ssj100 wrote:I don't get any errors in the Error Console. I've sent you a PM of what I do see.

Giorgio Maone wrote:

ssj100 wrote:I don't get any errors in the Error Console. I've sent you a PM of what I do see.

Does the problem persist if you add .yahoo.com and .live.com to your "Forced HTTPS" list?
If it does, or the site stops working, then it's time to change your email provider, or at least not to use it for sensitive information (e.g. password reminders, financial statements and so on).
GMail works fine from this standpoint.

This Connection is Untrusted

You have asked Firefox to connect
securely to bl149w.blu149.mail.live.com, but we can't confirm that your connection is secure.

ssj100 wrote: Well, I get the following message in Firefox if I add those to the "Forced HTTPS" list (this is for Hotmail):

This Connection is Untrusted

You have asked Firefox to connect
securely to bl149w.blu149.mail.live.com, but we can't confirm that your connection is secure.

Giorgio Maone wrote:

ssj100 wrote:Well if you use Hotmail, you'll need to add "live.com" into the exceptions list of your code, otherwise you can't login!

This mean the site is buggy beyond any hope (because it forces unencrypted HTTP on some exchanges, for inexplicable reasons), and you should stop using it by principle.

al_9x wrote: Is there are reason you are recommending "Deny from https:" rather than "Deny INC from https:"?

al_9x wrote: "Deny from https:" will block links and redirects replacing the root document and JS popups. I am not sure that's desired.

al_9x wrote: Incidentally, I noticed that with scripting off, window.open('http://...') is not blocked by "Deny from https:" That's a bug?

al_9x wrote: Another related issue, "Deny INC from https:" correctly blocks user initiated iframe navigations to http: but does not show alerts. Do you think perhaps an exception should be made here?

# WARNING: THIS RULE IS PROTOTYPAL AND DOESN'T WORK IN NOSCRIPT 2.0.x YET
Site http:
Deny? SUBDOC from https:
Deny INC from https:

# WARNING: THIS RULE IS PROTOTYPAL AND DOESN'T WORK IN NOSCRIPT 2.0.x YET
Site malicious.com
Deny!

al_9x wrote:Another related issue, "Deny INC from https:" correctly blocks user initiated iframe navigations to http: but does not show alerts. Do you think perhaps an exception should be made here? Whereas it makes sense to hide INC block alerts for autoloading resources, but for a document replacement, you probably do want to see an alert, especially when the navigation is user initiated (don't know if it's possible to detect that)

ssj100 wrote:Can someone please give an example of this issue? I'm struggling to understand it. What exactly is "INC"? And what exactly is the "alert" we would want to see? Thanks!

Giorgio Maone wrote:What al9_x was pointing out is that currently ABE's yellow notification bar is issued only for top-level document loads, because they're the ones which have more impact on user and therefore a notification is desirable.

ssj100 wrote:Can someone give me an example of this on a web-site? Thanks.