Allowing Plugins per-site.
- Carlos_BAG
- Posts: 2
- Joined: Fri Jan 18, 2013 2:18 am
Allowing Plugins per-site.
I use NoScript with "Apply these restrictions to whitelisted sites too" but I wish to allow plugins permanently on some sites, like YouTube for example. Going into about:config and adding to the "noscript.allowedMimeRegExp" line the syntax "application/x-shockwave-flash@https?://[^/]+\.(?:youtube|ytimg)\.com" allows flash on all sites that I've whitelisted and use YouTube videos, I only want to allow it on YouTube itself... How should I approach this? Am I being too paranoid by using NoScript with "Apply these restrictions to whitelisted sites too"?
Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3377
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Allowing Plugins per-site.
I believe you recently might have posted about this as there is an almost identical post asking for the exact same thing and Giorgio already responded. If you are the same person, please don't multiple post and stick with just one topic. In case you are not, my apologies but you could have posted in the same topic which a search would have found for you.
As far as using blocking on whitelist too being paranoid, to each their own but I deal in security all day long and I don't apply on whitelist sites since NS and I haven't had any issue. So probably not applying to whitelist would be fine but again to each their own. You need to tweak the expression to allow just on YouTube, but I will let Giorgio deal with that part.
But a quick look, your RegEx portion is just fine, I just believe your inclusion of the MIME type at the beginning is breaking it, which is ironic as this is exactly what Giorgio has posted on the features page of NoScript as an example. I suggest you remove that and just use the RegEx portion and see if it works. Try "@https?://[^/]+\.(?:youtube|ytimg)\.com" or just "https?://[^/]+\.(?:youtube|ytimg)\.com" because they both worked for me, so if there is anything relevant to add, Giorgio will comment, but perhaps things have changed over time that affect how that is handled, not sure.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.1.0.0 Safari/537.17
Re: Allowing Plugins per-site.
In my tinfoil-hat opinion, "Apply to whitelisted sites" provides greater security, and has been this writer's policy for years.
This more-restrictive entry should allow YT videos at YT only, and not elsewhere:
Code:
application/x-shockwave-flash@http://www\.youtube\.com application/x-shockwave-flash@http://s.\.ytimg\.com
If for some reason you prefer for YT to deliver videos over HTTPS, then you would substitute "https?://" for "http://".
GµårÐïåñ is correct that you should not repeat the "Name" field (noscript.mimetype.etc.) in the "value", but I didn't get that from your post. I understood that you correctly went to that entry in about:config, and added your syntax only to the "Value" (Modify) field.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3377
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Allowing Plugins per-site.
@Tom, my dear friend, you are correct, he didn't repeat the name of the variable, I meant the MIME as in "application/x-shockwave-flash" in the front. Although in the example that Giorgio has posted on the site, that should be the format, it seems for him it's allowing EVERYONE and so I told him to remove that and use just the RegEx part after the @ and it should work. I think it might be something changed in how NS handles the exceptions or it could be a bug, not sure. I have already poked Giorgio to take a look but he is dealing with personal stuff and will get to it when he can.
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.1.0.0 Safari/537.17
Re: Allowing Plugins per-site.
I tested this at a site that lists "10 most viral YouTube vids of 2012", mashable dot com.
Chose one, and it wouldn't play.
Went through about 15 iterations of "TA all this page", plus TA all in RequestPolicy, then went through another dozen iterations of TA Flash objects from vimeo and mogaloof.
After all of that, eventually it would play, but apparently only because vimeo and/or moogaloof had imported the video, attached their own site name and object ID # to it, *and I TA'd those two sites*.
So it still appears that Flash video per se isn't allowed. If you can recommend a test site that directly embeds YT vids, and not some third party that relays them via its own objects (to which, of course, OP would deny permission), I'd be happy to test.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3377
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Allowing Plugins per-site.
Can't say off the top of my head but I did a search and this page has an embedded youtube video (http://www.bing.com/videos/search?q=lun ... 6&first=41) but I think the user is concerned with just youtube page, unless I misunderstood him.
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.1.0.0 Safari/537.17
- Giorgio Maone
- Site Admin
- Posts: 9557
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Allowing Plugins per-site.
Carlos_BAG wrote:the syntax "application/x-shockwave-flash@https?://[^/]+\.(?:youtube|ytimg)\.com" allows flash on all sites that I've whitelisted and use YouTube videos

Nope, it allows only Flash content from Youtube to be executed (even if embedded in a different site), but not other content.
This is safe enough, if you trust Youtube.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
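The matching described in the reply above, as an added example that is not part of the original post and is not NoScript's own code. It assumes each whitespace-separated entry of the preference is a regular expression tested from the start of the string "MIME type@content URL", with the embedding page playing no part; the function names and sample objects are constructed for illustration.

```javascript
// Added example, not NoScript's own code.
// ASSUMPTION: each whitespace-separated entry of the preference is a regular
// expression tested from the start of "<MIME type>@<content URL>". The URL of
// the embedding page is deliberately not part of the tested string.
function compileRules(prefValue) {
  return prefValue.trim().split(/\s+/).filter(Boolean)
    .map((entry) => new RegExp("^(?:" + entry + ")"));
}

function isAllowed(rules, mime, contentUrl) {
  const key = mime + "@" + contentUrl;
  return rules.some((rx) => rx.test(key));
}

const FLASH = "application/x-shockwave-flash";
// Preference values quoted in the thread.
const BROAD = FLASH + "@https?://[^/]+\\.(?:youtube|ytimg)\\.com";
const STRICT_HTTP = FLASH + "@http://www\\.youtube\\.com " +
                    FLASH + "@http://s.\\.ytimg\\.com";
const STRICT_ANY = STRICT_HTTP.replace(/@http:/g, "@https?:");

// Constructed sample objects: `page` embeds the plugin content at `url`.
const SAMPLES = [
  { page: "http://www.youtube.com/watch", mime: FLASH, url: "http://www.youtube.com/v/VIDEO_ID" },
  { page: "http://blog.example/post", mime: FLASH, url: "http://www.youtube.com/v/VIDEO_ID" },
  { page: "https://www.youtube.com/watch", mime: FLASH, url: "https://www.youtube.com/v/VIDEO_ID" },
  { page: "http://www.youtube.com/watch", mime: FLASH, url: "http://cdn.example/player.swf" },
  { page: "http://www.youtube.com/watch", mime: "application/x-java-applet", url: "http://www.youtube.com/applet.jar" },
];

// One boolean per sample, in order: does the preference let the object load?
function evaluate(prefValue) {
  const rules = compileRules(prefValue);
  return SAMPLES.map((s) => isAllowed(rules, s.mime, s.url));
}

for (const [name, pref] of [["broad", BROAD], ["strict http", STRICT_HTTP], ["strict https?", STRICT_ANY]]) {
  console.log(name.padEnd(14), evaluate(pref).map((ok) => (ok ? "allow" : "block")).join(" "));
}
```

Under the stated assumption, the second sample (YouTube content embedded on another page) is allowed by every variant because the rules key on where the content comes from, and the http-only variant blocks the same content once it is served over HTTPS.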
- Carlos_BAG
- Posts: 2
- Joined: Fri Jan 18, 2013 2:18 am
Re: Allowing Plugins per-site.
GµårÐïåñ wrote:I believe you recently might have posted about this as there is an almost identical post asking for the exact same thing and Giorgio already responded. If you are the same person, please don't multiple post and stick with just one topic. In case you are not, my apologies but you could have posted in the same topic which a search would have found for you.

No, I'm not. I took a look at the FAQ but merely glanced at the first page of the Support Forum, I'm sorry if this was discussed before.

GµårÐïåñ wrote:But a quick look, your RegEx portion is just fine, I just believe your inclusion of the MIME type at the beginning is breaking it, which is ironic as this is exactly what Giorgio has posted on the features page of NoScript as an example. I suggest you remove that and just use the RegEx portion and see if it works. Try "@https?://[^/]+\.(?:youtube|ytimg)\.com" or just "https?://[^/]+\.(?:youtube|ytimg)\.com" because they both worked for me, so if there is anything relevant to add, Giorgio will comment, but perhaps things have changed over time that affect how that is handled, not sure

Didn't work here, yes.. I am using the example from Giorgio.

Tom T. wrote:In my tinfoil-hat opinion, "Apply to whitelisted sites" provides greater security, and has been this writer's policy for years.
This more-restrictive entry should allow YT videos at YT only, and not elsewhere:
Code:
application/x-shockwave-flash@http://www\.youtube\.com application/x-shockwave-flash@http://s.\.ytimg\.com
If for some reason you prefer for YT to deliver videos over HTTPS, then you would substitute "https?://" for "http://".

Wait.. if I wish to use "HTTPs" shouldn't it be the other way around? Using "HTTPs-Everywhere" here YouTube is "HTTPs", I changed "http://" to "https?://" on the syntax you provided and it didn't work..
Code:
application/x-shockwave-flash@https?://www\.youtube\.com application/x-shockwave-flash@https?://s.\.ytimg\.com

Giorgio Maone wrote:
Carlos_BAG wrote:the syntax "application/x-shockwave-flash@https?://[^/]+\.(?:youtube|ytimg)\.com" allows flash on all sites that I've whitelisted and use YouTube videos
Nope, it allows only Flash content from Youtube to be executed (even if embedded in a different site), but not other content.
This is safe enough, if you trust Youtube.

Yes, I'm sorry if it's confusing.. English is not my first language.. I want YouTube content on other sites to be only allowed when I click the placeholder but I don't want that behavior when I'm on YouTube site itself, I also want it in Battlelog
Code:
http://battlelog.battlefield.com/bf3/
Code:
application/mozilla-plugin-esn-launch-2.1.2
Code:
application/mozilla-plugin-esn-launch-2.1.2
Excuse me for all the code and /code, spam-filter wasn't letting me post.
Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
Re: Allowing Plugins per-site.
Carlos_BAG wrote:
Tom T. wrote:In my tinfoil-hat opinion, "Apply to whitelisted sites" provides greater security, and has been this writer's policy for years.
This more-restrictive entry should allow YT videos at YT only, and not elsewhere:
Code:
application/x-shockwave-flash@http://www\.youtube\.com application/x-shockwave-flash@http://s.\.ytimg\.com
If for some reason you prefer for YT to deliver videos over HTTPS, then you would substitute "https?://" for "http://".
Wait.. if I wish to use "HTTPs" shouldn't it be the other way around? Using "HTTPs-Everywhere" here YouTube is "HTTPs", I changed "http://" to "https?://" on the syntax you provided and it didn't work..
Code:
application/x-shockwave-flash@https?://www\.youtube\.com application/x-shockwave-flash@https?://s.\.ytimg\.com

It works for me. However, that was by manually typing https:/www.youtube.com and searching for a video.
If you are using the HTTPS Everywhere add-on, I admit that I am not familiar with it and how it might affect this.
You might try my manual method and see if the syntax works. If so, then we would have to look at how HTTPS Everywhere is getting in the way. Perhaps try disabling it briefly while you do this.

Carlos_BAG wrote:I want YouTube content on other sites to be only allowed when I click the placeholder but I don't want that behavior when I'm on YouTube site itself, I also want it in Battlelog
Code:
http://battlelog.battlefield.com/bf3/

At first, you said "only at YouTube". If you wish to add other exceptions, then of course you would have to modify your rule to include them.
I don't know that site, but perhaps an additional exception:
Code:
application/x-shockwave-flash@http://battlelog.battlefield.com/bf3/*

Carlos_BAG wrote:Excuse me for all the code and /code, spam-filter wasn't letting me post.

Code tags are quite appropriate. We have a huge spam problem, and appreciate your patience.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
Re: Allowing Plugins per-site.
Hello,
I'm posting my problem here, since it's also up to the regExp whitelist for object blocking. I want to allow only some very specific sites and entered therefore the following string there:
Code:
.@https://www.google.com .@https://auth.blu.livefilestore.com FRAME@https://skydrive.live.com
but still I see that some objects from these sites are blocked:
Can you tell what I am doing wrong? Thank you!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Re: Allowing Plugins per-site.
bonanza wrote:
Code:
.@https://www.google.com .@https://auth.blu.livefilestore.com FRAME@https://skydrive.live.com

I'm pretty sure that the leading dot is not valid syntax. I think you can use an asterisk instead.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Re: Allowing Plugins per-site.
Thrawn wrote:
bonanza wrote:
Code:
.@https://www.google.com .@https://auth.blu.livefilestore.com FRAME@https://skydrive.live.com
I'm pretty sure that the leading dot is not valid syntax. I think you can use an asterisk instead.

Yes, but probably may also need to add "slash asterisk":
Code:
*@https://www.google.com/*
More specifics, and a very generalized permission-syntax, is at NoScript "Features" Page. Search for "mime".
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.2