Problem with allowing site-specific script access with CDNs

Posted: Mon Aug 12, 2013 10:22 pm
by Sophira
I'm using NoScript's implementation of ABE in order to allow certain CDNs only from their relevant sites. To do this, I have rules such as these:

Code:

Site o.aolcdn.com
Accept from www.shoutcast.com
Accept from s.aolcdn.com
Deny INCLUSION(SCRIPT)

Site s.aolcdn.com
Accept from www.shoutcast.com
Accept from o.aolcdn.com
Deny INCLUSION(SCRIPT)

As I understand it, this should allow me to use the scripts hosted on o.aolcdn.com and s.aolcdn.com on www.shoutcast.com and allow scripts from either to include scripts from the other, and deny any other sites from including scripts hosted on the CDN (but allow other things like images). All three sites (I generally allow sites by base 2nd level domains) are allowed in NoScript. However, these rules aren't working as expected; when I go to http://www.shoutcast.com/ in my browser, I get messages like this in my log and the scripts don't run:

Code:

[ABE] <s.aolcdn.com> Deny INCLUSION(SCRIPT) on {GET https://s.aolcdn.com/os/aol/jquery-1.7.1.min.js <<< http://o.aolcdn.com/os/aol/jquery-1.7.1.min.js, http://www.shoutcast.com/ - 2}
USER rule:
Site s.aolcdn.com
Accept from www.shoutcast.com
Accept from o.aolcdn.com
Deny INCLUSION(SCRIPT)

I'm not altogether sure why I'm having problems, and I'm guessing there's something I'm not understanding. Can anybody help me work out what's wrong? Thanks. :)

Re: Problem with allowing site-specific script access with C

Posted: Tue Aug 13, 2013 1:55 am
by Thrawn
Hmm...not sure offhand, but try a shorter form of your rules and see whether that makes a difference:

Code:

Site s.aolcdn.com o.aolcdn.com
Accept from s.aolcdn.com o.aolcdn.com www.shoutcast.com
Deny INC(SCRIPT)

Or if you're not too concerned about the CDN talking to itself:

Code:

Site s.aolcdn.com o.aolcdn.com
Accept from SELF++ www.shoutcast.com
Deny INC(SCRIPT)

Re: Problem with allowing site-specific script access with C

Posted: Tue Aug 13, 2013 11:41 am
by Sophira
The first example works fine, thanks! After some experimentation, I found that this also works:

Code:

Site o.aolcdn.com
Accept from www.shoutcast.com s.aolcdn.com
Deny INCLUSION(SCRIPT)

Site s.aolcdn.com
Accept from www.shoutcast.com o.aolcdn.com
Deny INCLUSION(SCRIPT)

I'm confused as to why that works and my first attempt didn't, though. It looks like there's some sort of bug with the parsing of Accept lines. I'm using NoScript 2.6.6.1, so I'll update and let you guys know if it still happens on the latest version.

(I also found some other annoying bugs that would have caused me to lose all of my ABE rules just now if I hadn't had a copy of them elsewhere, but I'm guessing those are for another thread.)

Re: Problem with allowing site-specific script access with C

Posted: Tue Aug 13, 2013 11:48 am
by Sophira
Yep, the buggy behaviour still occurs in 2.6.7, as does the other buggy behaviour I mentioned that nearly lost me my ABE rules. How should I go about reporting these?

Re: Problem with allowing site-specific script access with C

Posted: Tue Aug 13, 2013 9:56 pm
by Thrawn
There are some complications around Accept lines when third-party sites send requests to other sites. The request origin in your ABE error message was 'http://o.aolcdn.com/os/aol/jquery-1.7.1.min.js, http://www.shoutcast.com/', i.e. ABE recognised both o.aolcdn.com and www.shoutcast.com as being responsible for the request. Putting both sites into the same Accept line tends to work.

I'm not sure that this is actually a bug; it may be an undocumented feature. Giorgio would be able to answer better (by the way, this is the bug tracker).
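
Added example (not part of the original posts, and not NoScript's code): a small JavaScript model of the behaviour reported in this thread, run against the log line and rules quoted above. It assumes, as the thread suggests but does not confirm, that an Accept line applies only when every origin in the logged chain is listed on that one line; the function names are hypothetical.

```javascript
// Added example: models behaviour observed in the thread; this is not NoScript's code.
// ASSUMPTION: an Accept line applies only if every origin in the request's
// chain matches a host listed on that single line. The INCLUSION(SCRIPT)
// filter is treated as always matching, since the logged request is a script.

// Log line and rule sets copied from the posts above.
const LOG_LINE = "[ABE] <s.aolcdn.com> Deny INCLUSION(SCRIPT) on {GET https://s.aolcdn.com/os/aol/jquery-1.7.1.min.js <<< http://o.aolcdn.com/os/aol/jquery-1.7.1.min.js, http://www.shoutcast.com/ - 2}";
const SPLIT_RULES = `Site s.aolcdn.com
Accept from www.shoutcast.com
Accept from o.aolcdn.com
Deny INCLUSION(SCRIPT)`;
const MERGED_RULES = `Site s.aolcdn.com
Accept from www.shoutcast.com o.aolcdn.com
Deny INCLUSION(SCRIPT)`;

const host = (u) => new URL(u).hostname;

// Extract the target URL and the origin chain from one ABE log line.
function parseAbeLog(line) {
  const m = /\{(\w+) (\S+) <<< (.+?) - \d+\}/.exec(line);
  if (!m) throw new Error("not an ABE request log line");
  return { method: m[1], target: m[2], origins: m[3].split(/,\s*/) };
}

// Parse rule text into [{ sites, predicates: [{ from, raw }] }].
function parseRules(text) {
  const rules = [];
  for (const raw of text.split("\n").map((s) => s.trim()).filter(Boolean)) {
    const words = raw.split(/\s+/);
    if (words[0] === "Site") { rules.push({ sites: words.slice(1), predicates: [] }); continue; }
    if (!rules.length) throw new Error("predicate before any Site line");
    const i = words.indexOf("from");
    rules[rules.length - 1].predicates.push({ from: i < 0 ? null : words.slice(i + 1), raw });
  }
  return rules;
}

// Return the first predicate line that covers the whole origin chain.
function decide(rules, req) {
  const rule = rules.find((r) => r.sites.includes(host(req.target)));
  if (!rule) return "no matching Site rule";
  const hit = rule.predicates.find(
    (p) => p.from === null || req.origins.every((o) => p.from.includes(host(o))));
  return hit ? hit.raw : "no matching predicate";
}

const req = parseAbeLog(LOG_LINE);
console.log("split: ", decide(parseRules(SPLIT_RULES), req));
console.log("merged:", decide(parseRules(MERGED_RULES), req));
```

Under that assumption the split Accept lines fall through to the Deny line, matching the logged denial, while the merged line accepts the same request.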

Re: Problem with allowing site-specific script access with C

Posted: Tue Aug 13, 2013 9:58 pm
by Thrawn
Re nearly losing your ABE rules: if you're talking about them being cleared when you press Ctrl+Z, that's a known issue.

Re: Problem with allowing site-specific script access with C

Posted: Tue Aug 13, 2013 10:28 pm
by Sophira
That, and the fact that pressing Cancel doesn't actually cancel your changes. When I pressed Ctrl+Z, my first instinct was not to press Ctrl+Y (which would have restored it) but to click Cancel. Unfortunately the changes still get saved when you do that.