Page 1 of 1
Allowing Plugins per-site.
Posted: Fri Jan 18, 2013 2:32 am
by Carlos_BAG
I use NoScript with "Apply these restrictions to whitelisted sites too" but i wish to allow plugins permanently on some sites, like YouTube per example.. going in about:config and adding in "noscript.allowedMimeRegExp" line the syntax "application/x-shockwave-flash@https?://[^/]+\.(?:youtube|ytimg)\.com" allows flash on all sites that i've whitelisted and use YouTube videos, i only want to allow it on YouTube itself... how should i approach this? am i being too paranoid by using NoScript with "Apply these restrictions to whitelisted sites too"?
Re: Allowing Plugins per-site.
Posted: Fri Jan 18, 2013 4:27 am
by GµårÐïåñ
I believe you recently might have posted about this as there is an almost identical post asking for the exact same thing and Giorgio already responded. If you are the same person, please don't multiple post and stick with just one topic. In case you are not, my apologies but you could have posted in the same topic with a search would have found for you.
As far as using blocking on whitelist too being paranoid, to each their own but I deal in security all day long and I don't apply on whitelist sites since NS and I haven't had any issue. So probably not applying to whitelist would be fine but again to each their own. You need to tweak the expression to allow just on Youtube, but I will leave Giorgio deal with that part.
But a quick look, your RegEx portion is just fine, I just believe your inclusion of the MIME type at the beginning is breaking it, which is ironic as this is exactly what Giorgio has posted on the features page of NoScript as an example. I suggest you remove that and just use the RegEx portion and see if it works. Try "@https?://[^/]+\.(?:youtube|ytimg)\.com" or just "https?://[^/]+\.(?:youtube|ytimg)\.com" because they both worked for me, so if there is anything relevant to add, Giorgio will comment, but perhaps things have changed over time that affect how that is handled, not sure.
Re: Allowing Plugins per-site.
Posted: Fri Jan 18, 2013 8:10 am
by Tom T.
In my tinfoil-hat opinion
, "Apply to whitelisted sites" provides greater security, and has been this writer's policy for years.
This more-restrictive entry should allow YT videos at YT only, and not elsewhere:
Code: Select all
application/x-shockwave-flash@http://www\.youtube\.com application/x-shockwave-flash@http://s.\.ytimg\.com
If for some reason you prefer for YT to deliver videos over HTTPS, then you would substitute
for
GµårÐïåñ is correct that you should not repeat the "Name" field (noscript.mimetype.etc.) in the "value", but I didn't get that from your post. I understood that you correctly went to that entry in
about:config, and added your syntax only to the "Value" (Modify) field.
Re: Allowing Plugins per-site.
Posted: Fri Jan 18, 2013 8:36 am
by GµårÐïåñ
@Tom, my dear friend, you are correct, he didn't repeat the name of the variable, I meant the MIME as in "application/x-shockwave-flash" in the front. Although in the example that Giorgio has posted on the site, that should be the format, it seems for him its allowing EVERYONE and so I told him to remove that and use just the RegEx part after the @ and it should work. I think it might be something changed in how NS handles the exceptions or it could be a bug, not sure. I have already poked Giorgio to take a look but he is dealing with personal stuff and will get to it when he can.
Re: Allowing Plugins per-site.
Posted: Fri Jan 18, 2013 9:04 am
by Tom T.
I tested this at a site that lists "10 most viral YouTube vids of 2012", mashable dot com.
Chose one, and it wouldn't play.
Went through about 15 iterations of "TA all this page", plus TA all in
RequestPolicy, then went through another dozen iterations of TA Flash objects from vimeo and mogaloof.
After all of that, eventually it would play. but apparently only because vimeo and/or moogaloof had imported the video, attached their own site name and object ID # to it,
*and I TA'd those two sites*.
So it still appears that Flash video per se isn't allowed. if you can recommend a test site that directly embeds YT vids, and not some third party that relays them via its own objects (to which, of course, OP would deny permission), I'd be happy to test.
Re: Allowing Plugins per-site.
Posted: Fri Jan 18, 2013 10:57 am
by GµårÐïåñ
Can't say off the top of my head but I did a search and this page has an embedded youtube video (
http://www.bing.com/videos/search?q=lun ... 6&first=41) but I think the user is concerned with just youtube page, unless I misunderstood him.
Re: Allowing Plugins per-site.
Posted: Fri Jan 18, 2013 2:45 pm
by Giorgio Maone
Carlos_BAG wrote:the syntax "application/x-shockwave-flash@https?://[^/]+\.(?:youtube|ytimg)\.com" allows flash on all sites that i've whitelisted and use YouTube videos
Nope, it allows
only Flash content from Youtube to be executed (even if embedded in a different site), but not other content.
This is safe enough, if you trust Youtube.
Re: Allowing Plugins per-site.
Posted: Fri Jan 18, 2013 7:12 pm
by Carlos_BAG
GµårÐïåñ wrote:I believe you recently might have posted about this as there is an almost identical post asking for the exact same thing and Giorgio already responded. If you are the same person, please don't multiple post and stick with just one topic. In case you are not, my apologies but you could have posted in the same topic with a search would have found for you..
No, i'm not. i took a look at the FAQ but merely glanced the first page of the Support Forum, i'm sorry if this was discussed before.
GµårÐïåñ wrote:But a quick look, your RegEx portion is just fine, I just believe your inclusion of the MIME type at the beginning is breaking it, which is ironic as this is exactly what Giorgio has posted on the features page of NoScript as an example. I suggest you remove that and just use the RegEx portion and see if it works. Try "@https?://[^/]+\.(?:youtube|ytimg)\.com" or just "https?://[^/]+\.(?:youtube|ytimg)\.com" because they both worked for me, so if there is anything relevant to add, Giorgio will comment, but perhaps things have changed over time that affect how that is handled, not sure
Didn't work here, yes.. i am using the example from Giorgio.
Tom T. wrote:In my tinfoil-hat opinion
, "Apply to whitelisted sites" provides greater security, and has been this writer's policy for years.
This more-restrictive entry should allow YT videos at YT only, and not elsewhere:
Code: Select all
application/x-shockwave-flash@http://www\.youtube\.com application/x-shockwave-flash@http://s.\.ytimg\.com
If for some reason you prefer for YT to deliver videos over HTTPS, then you would substitute
for
wait.. if i wish to use
shouldn't it be the other way around? using
here YouTube is
, i changed
to
on the syntax you provided and it didn't work..
Code: Select all
application/x-shockwave-flash@https?://www\.youtube\.com application/x-shockwave-flash@https?://s.\.ytimg\.com
Giorgio Maone wrote:Carlos_BAG wrote:the syntax "
Code: Select all
[b]application/x-shockwave-flash@https?://[^/]+\.(?:youtube|ytimg)\.com[/b]
" allows flash on all sites that i've whitelisted and use YouTube videos
Nope, it allows
only Flash content from Youtube to be executed (even if embedded in a different site), but not other content.
This is safe enough, if you trust Youtube.
Yes, i'm sorry if its confusing..English is not my first language.. i want YouTube content on other sites to be only allowed when i click the placeholder but i don't want that behavior when i'm on YouTube site itself, i also want it in Battlelog
Code: Select all
http://battlelog.battlefield.com/bf3/
the plugin being
Code: Select all
application/mozilla-plugin-esn-launch-2.1.2
, instead of i needing to go to "Blocked Objects" every time to allow
Code: Select all
application/mozilla-plugin-esn-launch-2.1.2
when i use that site, isn't there a way to do this using the GUI, on "Blocked Objects" there's only temporary allow.
Excuse-me for all the
code and
/code spam-filter wasn't letting me post.
Re: Allowing Plugins per-site.
Posted: Sat Jan 19, 2013 9:00 am
by Tom T.
Carlos_BAG wrote:Tom T. wrote:In my tinfoil-hat opinion
, "Apply to whitelisted sites" provides greater security, and has been this writer's policy for years.
This more-restrictive entry should allow YT videos at YT only, and not elsewhere:
Code: Select all
application/x-shockwave-flash@http://www\.youtube\.com application/x-shockwave-flash@http://s.\.ytimg\.com
If for some reason you prefer for YT to deliver videos over HTTPS, then you would substitute
for
wait.. if i wish to use
shouldn't it be the other way around? using
here YouTube is
, i changed
to
on the syntax you provided and it didn't work..
Code: Select all
application/x-shockwave-flash@https?://www\.youtube\.com application/x-shockwave-flash@https?://s.\.ytimg\.com
It works for me. However, that was by manually typing https:/www.youtube.com and searching for a video.
If you are using the HTTPS Everywhere add-on, I admit that I am not familiar with it and how it might affect this.
You might try my manual method and see if the syntax works. If so, then we would have to look at how HTTPS Everywhere is getting in the way. Perhaps try disabling it briefly while you do this.
i want YouTube content on other sites to be only allowed when i click the placeholder but i don't want that behavior when i'm on YouTube site itself, i also want it in Battlelog
Code: Select all
http://battlelog.battlefield.com/bf3/
At first, you said "only at YouTube". If you wish to add other exceptions, then of course you would have to modify your rule to include them.
I don't know that site, but perhaps an additional exception:
Code: Select all
application/x-shockwave-flash@http://battlelog.battlefield.com/bf3/*
or whatever the site uses for Flash objects.
Excuse-me for all the code and /code spam-filter wasn't letting me post.
Code tags are quite appropriate. We have a huge spam problem, and appreciate your patience.
Re: Allowing Plugins per-site.
Posted: Tue Feb 05, 2013 9:52 pm
by bonanza
Hello,
I'm posting my problem here, since its also up to the regExp whitelist for object blocking. I want to allow only some very specific sites and entered therefore the following string there:
Code: Select all
.@https://www.google.com .@https://auth.blu.livefilestore.com FRAME@https://skydrive.live.com
but still i see that some objects from these sites are blocked:
can you tell what i am doing wrong? thank you !
Re: Allowing Plugins per-site.
Posted: Wed Feb 06, 2013 6:42 am
by Thrawn
bonanza wrote:
Code: Select all
.@https://www.google.com .@https://auth.blu.livefilestore.com FRAME@https://skydrive.live.com
I'm pretty sure that the leading dot is not valid syntax. I think you can use an asterisk instead.
Re: Allowing Plugins per-site.
Posted: Wed Feb 06, 2013 8:41 am
by Tom T.
Thrawn wrote:bonanza wrote:
Code: Select all
.@https://www.google.com .@https://auth.blu.livefilestore.com FRAME@https://skydrive.live.com
I'm pretty sure that the leading dot is not valid syntax. I think you can use an asterisk instead.
Yes, but probably may also need to add "slash asterisk":
so that it matches from the right as well as the left.
More specifics, and a very generalized permission-syntax, is at
NoScript "Features" Page. Search for "mime".
