I have been a Noscript user for a few years now, and I have to admit that I don't really understand how ABE works. Because of this, I have been using other addons in conjunction with Noscript (Request Policy, Flashblock) to have more granular control. I wonder if I learn to make use of ABE if I need these other addons at all. I have read the Faq section on ABE, but I still don't quite understand it. Say that I'm at reddit.com, and for full functionality, I know that I need to allow amazonaws.com and ajax.googleapis.com. With only Noscript running, and not the other addons that I mentioned, I temporarily allow amazonaws.com and ajax.googleapis.com. I don't allow them permanently because I don't want to allow them on other websites other than reddit.com. Reading about ABE, I understand that I can choose to allow these sites only when they originate from reddit.com. So, I try this is a rule in ABE, for example:
Site .ajax.googleapis.com
Accept from .reddit.com
Deny
But I must have something wrong, because it doesn't work. In the Faq, I read that the site must be whitelisted first because Noscript and ABE act independently. So, I whitelist ajax.googleapis.com, but it also seems to be allowed on sites other than reddit.com. Am I misunderstanding how ABE rules work in conjunction with Noscript's whitelist? Will sites that are allowed through ABE rules be reflected in the Noscript drop down menu?
Also, how can I best identify which sites need to be allowed, when visiting a given site, in order to only enable desired functionality? My approach up to this point has been very hit and miss, although I understand that cdn sites and some others typically need to be allowed. Is there a more precise approach to figuring out which sites to allow?
Edit: Sorry, I didn't notice the ABE section of the forum until just now.
Granular control of site permissions using ABE?
Granular control of site permissions using ABE?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Re: Granular control of site permissions using ABE?
I think that Giorgio's responses in this thread answers my main questions: http://forums.informaction.com/viewtopi ... =23&t=8305
The lack of visual feedback in the Noscript drop down menu is probably making me think that the ABE rules aren't working as I expect, when they are. Off to test...
Edit: I think I got this licked. Just in case someone stumbles into this thread looking for the same information that I came looking for:
- Whitelist the third party site. Make sure to click 'Allow'. For example, if you're visiting reddit.com, whitelist ajax.googleapis.com
- Create a rule:
Site .ajax.googleapis.com
Accept from .reddit.com
Deny
- If you visit another site that that makes requests to the same site, ajax.googleapis.com for example, add it to the rule:
Site .ajax.googleapis.com
Accept from .reddit.com .guardian.co.uk
Deny
- Trying to go at it from the other way around will lead to problems. For example:
# Reddit (optional comment)
Site .ajax.googleapis.com
Accept from .reddit.com
Deny
# Guardian
Site .ajax.googleapis.com
Accept from guardian.co.uk
Deny
- In the above two rules, the second rule will not work because the first rule denies all sites except for reddit.com. Don't create rules by sites visited. Rather, create rules by requested sites.
- When adding site names, use for example, .reddit.com instead of reddit.com so that subdomains are covered by the rule.
Btw, I decided to keep Request Policy around. Noscript and Request Policy seem to compliment each other in some cases, and they don't interfere with one another. Request Policy is easy enough to use: Go to preferences and allow origins to destinations, where origin is the site visited, and destination is the site requested by the visited site. Also, Request Policy can be useful in helping to identify which requested sites to allow for Noscript, as well as the console (ctrl-shift-j). I guess there isn't a straightforward way to figure out which sites to allow, just have to use some trial and error. I think that flashblock wasn't helping with anything, really. I use Click&Clean to remove cookies and flash cookies any way, so Flashblock was probably a waste all around. Too bad there is no good addon that provides a simple button for turning cookies on and off...there is one (Toggle Cookies) but it doesn't seem to want to work outside of the addon bar. I like to keep my addons controls in the menu bar to save some space.
The lack of visual feedback in the Noscript drop down menu is probably making me think that the ABE rules aren't working as I expect, when they are. Off to test...
Edit: I think I got this licked. Just in case someone stumbles into this thread looking for the same information that I came looking for:
- Whitelist the third party site. Make sure to click 'Allow'. For example, if you're visiting reddit.com, whitelist ajax.googleapis.com
- Create a rule:
Site .ajax.googleapis.com
Accept from .reddit.com
Deny
- If you visit another site that that makes requests to the same site, ajax.googleapis.com for example, add it to the rule:
Site .ajax.googleapis.com
Accept from .reddit.com .guardian.co.uk
Deny
- Trying to go at it from the other way around will lead to problems. For example:
# Reddit (optional comment)
Site .ajax.googleapis.com
Accept from .reddit.com
Deny
# Guardian
Site .ajax.googleapis.com
Accept from guardian.co.uk
Deny
- In the above two rules, the second rule will not work because the first rule denies all sites except for reddit.com. Don't create rules by sites visited. Rather, create rules by requested sites.
- When adding site names, use for example, .reddit.com instead of reddit.com so that subdomains are covered by the rule.
Btw, I decided to keep Request Policy around. Noscript and Request Policy seem to compliment each other in some cases, and they don't interfere with one another. Request Policy is easy enough to use: Go to preferences and allow origins to destinations, where origin is the site visited, and destination is the site requested by the visited site. Also, Request Policy can be useful in helping to identify which requested sites to allow for Noscript, as well as the console (ctrl-shift-j). I guess there isn't a straightforward way to figure out which sites to allow, just have to use some trial and error. I think that flashblock wasn't helping with anything, really. I use Click&Clean to remove cookies and flash cookies any way, so Flashblock was probably a waste all around. Too bad there is no good addon that provides a simple button for turning cookies on and off...there is one (Toggle Cookies) but it doesn't seem to want to work outside of the addon bar. I like to keep my addons controls in the menu bar to save some space.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Re: Granular control of site permissions using ABE?
First-class investigation, sir! Well done.
Yes, ABE is oriented around the destination of the request. If you examine its history, you'll find that it was originally intended to protect against Cross-Site Request Forgery. 'Site example.com' was meant to indicate "a set of rules to describe how other sites are allowed to interact with the sensitive site example.com."
ABE can be a general-purpose content blocker, and it's a very powerful tool for the job. However, the lack of a graphical interface, and especially the lack of obvious feedback about what is blocked (it's on the Messages tab of the Error Console), make it difficult to use for this purpose. Unless you're really keen, then RequestPolicy is probably plenty. It doesn't quite have the fine-grained power of ABE rules (regular expressions, distinguishing GET from POST, anonymizing requests, etc), but it's easy to use and gives protection far beyond what most people have.
However, Flashblock is redundant. Just go to Options-Embeddings and enable 'Apply these restrictions to whitelisted sites too'.
Yes, ABE is oriented around the destination of the request. If you examine its history, you'll find that it was originally intended to protect against Cross-Site Request Forgery. 'Site example.com' was meant to indicate "a set of rules to describe how other sites are allowed to interact with the sensitive site example.com."
ABE can be a general-purpose content blocker, and it's a very powerful tool for the job. However, the lack of a graphical interface, and especially the lack of obvious feedback about what is blocked (it's on the Messages tab of the Error Console), make it difficult to use for this purpose. Unless you're really keen, then RequestPolicy is probably plenty. It doesn't quite have the fine-grained power of ABE rules (regular expressions, distinguishing GET from POST, anonymizing requests, etc), but it's easy to use and gives protection far beyond what most people have.
However, Flashblock is redundant. Just go to Options-Embeddings and enable 'Apply these restrictions to whitelisted sites too'.
Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Re: Granular control of site permissions using ABE?
Hey Thrawn, thanks for the tip on 'Apply these rescrictions to whitelisted sites too'
Edit: I was thinking of making a feature request to help clean up the dropdown menu, in which sites are enabled and disabled. Some sites link to many advertisers and trackers, and most of those third party sites will never need to be enabled for proper functionality at the visited site. So, I'm wondering if there is any current way to hide those sites, such as doubleclick.net, from the dropdown menu. If not, I would make a request that such sites can be marked as 'nonfunctional' or 'uncommon' or something similar. These types of sites are almost always just clutter in the dropdown menu that users will not enable. I might suggest that marked third party sites be placed in a submenu of the dropdown, so that they are easily accessible, just in case one of them needs to be enabled (rare). Also, less clutter would make it easier for users to figure out which third party sites to enable, as once a third party site is marked to be hidden in the submenu, the most likely choices of third party sites to be enabled will be narrowed down for future visited sites.
Edit: I was thinking of making a feature request to help clean up the dropdown menu, in which sites are enabled and disabled. Some sites link to many advertisers and trackers, and most of those third party sites will never need to be enabled for proper functionality at the visited site. So, I'm wondering if there is any current way to hide those sites, such as doubleclick.net, from the dropdown menu. If not, I would make a request that such sites can be marked as 'nonfunctional' or 'uncommon' or something similar. These types of sites are almost always just clutter in the dropdown menu that users will not enable. I might suggest that marked third party sites be placed in a submenu of the dropdown, so that they are easily accessible, just in case one of them needs to be enabled (rare). Also, less clutter would make it easier for users to figure out which third party sites to enable, as once a third party site is marked to be hidden in the submenu, the most likely choices of third party sites to be enabled will be narrowed down for future visited sites.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Re: Granular control of site permissions using ABE?
What you are asking for is the 'Untrusted' submenu.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22