Re: Help with ABE rule
Posted: Wed May 16, 2012 8:23 am
by Thrawn
Tom T. wrote:
Thrawn wrote: In plain English: every site is allowed to send requests only to itself and other subdomains of the same parent domain.....
Regardless of whether this is done with ABE or with RequestPolicy, it still doesn't address the increasing use of secondary servers for more-or-less static content, as in my previous post. fbcdn.net is not a sub-domain of Facebook.com.

Indeed. I believe Yahoo actually recommends this to improve multithreading when browsers limit simultaneous connections per site.
Anyone want to make an addon that looks up domain ownership for visited sites and automatically writes ABE rules when sites have the same owner?
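The "same parent domain" rule quoted in this post, and the fbcdn.net case that it does not cover, as an added example in Python. This is not code from the forum thread, from NoScript, or from ABE; it only decides whether a request stays within the requesting page's parent (registrable) domain. The suffix list is a constructed stand-in for the Public Suffix List, and the sample page and request URLs are constructed data.

```python
# Added example: the "same parent domain" policy from the thread, checked in
# Python. Not NoScript/ABE code; the suffix list and sample URLs are constructed.
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real tool would
# load the full list). Multi-label suffixes such as "co.uk" are why taking
# "the last two labels" is the wrong way to find a parent domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the parent domain (public suffix plus one label) of a host name.

    static.facebook.com -> facebook.com, www.bbc.co.uk -> bbc.co.uk.
    A host that is itself a public suffix, or matches none, is returned as-is.
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name toward the right; the first tail found in the
    # suffix set is the longest matching suffix, so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else host
    return host


def same_parent_domain(site_url: str, request_url: str) -> bool:
    """True if request_url targets the site itself or a subdomain of its parent domain."""
    site_host = urlsplit(site_url).hostname or ""
    req_host = urlsplit(request_url).hostname or ""
    return registrable_domain(site_host) == registrable_domain(req_host)


def classify_requests(site_url: str, request_urls: list[str]) -> dict[str, str]:
    """Apply the thread's rule to each request a page tries to make."""
    return {
        url: ("allow" if same_parent_domain(site_url, url) else "block")
        for url in request_urls
    }


if __name__ == "__main__":
    # Constructed sample requests made by a page on www.facebook.com.
    page = "https://www.facebook.com/"
    requests = [
        "https://www.facebook.com/ajax/feed",   # same host
        "https://static.facebook.com/app.js",   # subdomain of the same parent
        "https://static.ak.fbcdn.net/app.js",   # CDN on a different parent domain
        "https://www.bbc.co.uk/",               # unrelated site
    ]
    for url, verdict in classify_requests(page, requests).items():
        print(f"{verdict:5s} {url}")
```

The CDN request is blocked even though it serves the same site's static content, which is exactly the limitation raised in the quoted post: a registrable-domain check knows nothing about who owns a domain, so any "same owner" allowance would need information from outside the URL.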
Re: Help with ABE rule
Posted: Wed May 16, 2012 9:05 am
by Tom T.
Thrawn wrote:Anyone want to make an addon that looks up domain ownership for visited sites and automatically writes ABE rules when sites have the same owner?
Sounds terribly complex; ownership may not be accurate or up-to-date; and this would tempt someone to make a legit site that calls third-party script from his evil site -- both being under his ownership.
The part of the NoScript Quick Start Guide that discusses secondary content servers is hoped to help users know to look for "cdn", "static", or "img", and some resemblance to the original site.
If you have a moment, perhaps check it out?

Re: Help with ABE rule
Posted: Wed May 16, 2012 11:23 pm
by Thrawn
Tom T. wrote:
Thrawn wrote: Anyone want to make an addon that looks up domain ownership for visited sites and automatically writes ABE rules when sites have the same owner?
Sounds terribly complex; ownership may not be accurate or up-to-date; and this would tempt someone to make a legit site that calls third-party script from his evil site -- both being under his ownership.
Umm...I'd only be talking about ABE rules that would allow requests from the owner's legit site to his evil site, so I'm not sure what advantage he gains by this method, rather than just serving malicious scripts from his legit site. The evil site will still have scripts blocked by default. If he can persuade the user to unblock it, he could probably do that anyway, regardless of ABE.
But I agree about the complexity. I was mostly joking when I suggested it.
Tom T. wrote: The part of the NoScript Quick Start Guide that discusses secondary content servers is hoped to help users know to look for "cdn", "static", or "img", and some resemblance to the original site.
If you have a moment, perhaps check it out?

Believe it or not, I hadn't read the guide before... but I was already familiar with everything it was saying. It's well-written, though; I might point some friends/family to it.
Re: Help with ABE rule
Posted: Thu May 17, 2012 6:27 am
by Tom T.
Thrawn wrote:Umm...I'd only be talking about ABE rules that would allow requests from the owner's legit site to his evil site, so I'm not sure what advantage he gains by this method, rather than just serving malicious scripts from his legit site. The evil site will still have scripts blocked by default. If he can persuade the user to unblock it, he could probably do that anyway, regardless of ABE.
Under your "ownership rule", users visiting goodsite will see evilsite in the menu (not under that name, of course), discover that the ownership is the same, and rely on that in making the trust decision.
Thrawn wrote: But I agree about the complexity. I was mostly joking when I suggested it.
You could have saved me a lot of keystrokes...
Thrawn wrote:
Tom T. wrote: The part of the NoScript Quick Start Guide that discusses secondary content servers is hoped to help users know to look for "cdn", "static", or "img", and some resemblance to the original site.
If you have a moment, perhaps check it out?
Believe it or not, I hadn't read the guide before... but I was already familiar with everything it was saying. It's well-written, though; I might point some friends/family to it.
TUVM.
The goal is to get NS to the non-tech majority, rather than have them think it's "too tech" for them. Glad you think it might accomplish that in your case, and of course I'd be eager to hear how the reception was from your (presumably) lesser-tech friends/family.