ABE rule help

Discussions about the Application Boundaries Enforcer (ABE) module
easttn
Posts: 7
Joined: Sun Nov 17, 2013 12:18 am

ABE rule help

Post by easttn »

Hello all.

I'm trying to make an ABE rule to allow a script on a certain site, only on that site. For instance I'm trying to let ajax.googleapis.com run only while at forums.radioreference.com. I've tried the following from http://noscript.net/faq#qa5_4 but it doesn't work:

Site ajax.googleapis.com
Accept INCLUSION from SELF++
Accept INCLUSION from forums.radioreference.com
Deny

I removed ajax.googleapis.com from the default whitelist in noscript options and have radioreference.com whitelisted. What am I doing wrong?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) AppleWebKit/535.18.5 (KHTML, like Gecko) Version/5.2 Safari/535.18.5
barbaz
Senior Member
Posts: 11091
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE rule help

Post by barbaz »

Whitelist ajax.googleapis.com and try this rule:

Site .ajax.googleapis.com
Accept INCLUSION from forums.radioreference.com
Sandbox

The rule you had would allow ajax.googleapis.com on all googleapis.com as well, and completely block it elsewhere (as opposed to just blocking its scripts).
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22
easttn
Posts: 7
Joined: Sun Nov 17, 2013 12:18 am

Re: ABE rule help

Post by easttn »

Thanks for the reply.
I whitelisted ajax.googleapis.com (also RR.com is whitelisted) and inserted the ABE rule and it allows on radioreference.com and other sites, something I don't want.
I removed ajax.googleapis.com from the whitelist and left the ABE rule and it's blocked everywhere.

It is only needed in the RR forum to paste smileys or something (can't remember) and not needed for a regular post. That is the only place I want to allow ajax.googleapis.com at this point, but may want to allow it somewhere else in the future.

Maybe some other type of rule would work.
Also I just noticed my browser's user agent is being posted here. I'm using FF 23.0.1, not what you see there.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) AppleWebKit/535.18.5 (KHTML, like Gecko) Version/5.2 Safari/535.18.5
barbaz
Senior Member
Posts: 11091
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE rule help

Post by barbaz »

If you mean "it shows up as allowed on the NS menu", that could be normal and expected and it's not necessarily a problem. You need to look at the Browser Console (or does Fx 23 use the old Error Console system?) to check if the rule is working.
Otherwise, I have no idea what's going on :?:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22
easttn
Posts: 7
Joined: Sun Nov 17, 2013 12:18 am

Re: ABE rule help

Post by easttn »

You mean to say if the rule is working properly then it will still show up as Forbid Ajax.googleapis.com in an untrusted page in the NS menu?
I figured it would say Forbid Ajax.googleapis.com on RR.com (script running) and Allow Ajax.googleapis.com (script blocked) on other sites.

I found Error Console under Tools/WebDeveloper, is that where I need to look?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) AppleWebKit/535.18.5 (KHTML, like Gecko) Version/5.2 Safari/535.18.5
barbaz
Senior Member
Posts: 11091
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE rule help

Post by barbaz »

easttn wrote: You mean to say if the rule is working properly then it will still show up as Forbid Ajax.googleapis.com in an untrusted page in the NS menu?
Yes, that could happen.
easttn wrote: I found Error Console under Tools/WebDeveloper, is that where I need to look?
Either there or Browser Console (should be in the same menu). Look for messages that start with [ABE].
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22
easttn
Posts: 7
Joined: Sun Nov 17, 2013 12:18 am

Re: ABE rule help

Post by easttn »

Not seeing anything by ABE. I know ABE was blocking my K9 webprotection web interface before (done fixed that) and it would show on the top of the screen in a yellow box that ABE blocked it. Would it show the same thing if ABE blocked ajax scripts from an untrusted page?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) AppleWebKit/535.18.5 (KHTML, like Gecko) Version/5.2 Safari/535.18.5
easttn
Posts: 7
Joined: Sun Nov 17, 2013 12:18 am

Re: ABE rule help

Post by easttn »

Ok I see some ABE info in the error console after I made the yellow ABE box come up at the top of the screen telling me ABE Deny with an invalid rule I made up sitting here playing with it.

I get nothing with your rule and ajax.googleapis.com and radioreference.com whitelisted and it's not blocking the ajax.googleapis.com scripts from other sites but allowing them on all.

Site .ajax.googleapis.com
Accept INCLUSION from forums.radioreference.com
Sandbox
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) AppleWebKit/535.18.5 (KHTML, like Gecko) Version/5.2 Safari/535.18.5
barbaz
Senior Member
Posts: 11091
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE rule help

Post by barbaz »

easttn wrote: Would it show the same thing if ABE blocked ajax scripts from an untrusted page?
"Untrusted" as in script-forbidden? Then NS would block the ajax scripts from downloading, independently of ABE. So you wouldn't get any messages because script-blocking acts before ABE. If ABE gets to act on a request, and if the ABE action is not "Accept", that's when you get the [ABE] messages in your Error Console.
easttn wrote: I get nothing with your rule and ajax.googleapis.com and radioreference.com whitelisted and it's not blocking the ajax.googleapis.com scripts from other sites but allowing them on all.
Site .ajax.googleapis.com
Accept INCLUSION from forums.radioreference.com
Sandbox

You should get nothing on forums.radioreference.com. If you're on a script-allowed page that directly calls ajax.googleapis.com scripts and you still don't get any messages, try installing a development build of NS. I haven't had good experience with the .site.com syntax on "stable release" builds.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22
easttn
Posts: 7
Joined: Sun Nov 17, 2013 12:18 am

Re: ABE rule help

Post by easttn »

"untrusted" I didn't mean untrusted. I meant in a website that I don't have it whitelisted. Sorry. The sites loading the ajax.googleapis scripts are not in my "untrusted" list but are not in my whitelist either to clarify except for radioreference.com in the whitelist.

Yes I do not get any message in the console or the yellow ABE box that pops up. Nothing with that rule.

A little off topic, I like to have never got a rule to fix ABE from breaking the K9 protection web console and I did try several that worked for other people but did not work for me. It shouldn't be near this hard to make a rule to do what you want.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) AppleWebKit/535.18.5 (KHTML, like Gecko) Version/5.2 Safari/535.18.5
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: ABE rule help

Post by Thrawn »

easttn wrote: The sites loading the ajax.googleapis scripts are not in my "untrusted" list but are not in my whitelist either to clarify except for radioreference.com in the whitelist.
If you're blocking the actual sites you're visiting, then they won't get a chance to load googleapis.
easttn wrote: A little off topic, I like to have never got a rule to fix ABE from breaking the K9 protection web console and I did try several that worked for other people but did not work for me. It shouldn't be near this hard to make a rule to do what you want.
What rule are you currently using, and what messages are you seeing from ABE?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
easttn
Posts: 7
Joined: Sun Nov 17, 2013 12:18 am

Re: ABE rule help

Post by easttn »

Well I believe I have gotten it figured out (hopefully). First there are some things one needs to know when dealing with ABE. I didn't know any of these and would have made my life a lot easier. :shock: Maybe someone can put this in the FAQ or something for someone to read, if I am correct.

1) ABE does not really work in conjunction with NoScript. ABE modifies or blocks the http headers that are being sent for the file request. Not sure what NoScript does to block them but NoScript evidently doesn't know what ABE is doing and therefore doesn't display a message or anything to let you know ABE is blocking/allowing a request.
2) ABE can let you know what is going on with a yellow box at the top that pops up, but it's not popping up for the rule that I've made for some reason. I've seen the yellow box at other times but not now. There is a "message" being displayed in Tools-WebDeveloper-ErrorConsole that "[ABE] Deny on" ABE is blocking a http request.
3) The domain you are requesting from the webpage HAS to be whitelisted in NoScript or NoScript doesn't allow for the http headers to be sent. ABE can't modify or delete them if they are not there so your ABE rule is useless.
4) I've done some reading on HTTP Requests before but never fooled with them any, so I knew a little bit about them. One needs to read on the basics of HTTP requests to understand what is happening. You can see the HTTP requests FF makes in Tools-WebDeveloper-WebConsole without a separate addon or program. Click the Network button to see them. They will not show up there if ABE is blocking them.
5) Then one needs to understand how ABE handles them. Read the pdf word for word here http://noscript.net/abe/abe_rules.pdf. This information will not make any sense if you don't know anything about http requests.

The rule I have working and a short description if I understand everything right:

Site .ajax.googleapis.com (this is the domain you are requesting from within the webpage, the one I want to control)
Accept ALL from .radioreference.com (this is the domain of the webpage you have open or that is making the request. It says accept all http requests (get,post,etc) from rr.com)
Deny (If Deny is listed then anything that is not listed in accept will be denied?, not sure if it's even needed but I used it)

How does that rule look to everyone else?
Are there any drawbacks to what I have done?
I know there are different ways to write it, what are some others?
:D
Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: ABE rule help

Post by Thrawn »

Bear in mind that ABE is in the Advanced section of the options. If you don't understand it, make sure you read the documentation. If you don't understand the documentation, make sure you ask someone who does. Otherwise, use at your own risk.

However, your rule looks fine.
- Yes, Deny is necessary, otherwise ajax.googleapis.com will never be blocked anywhere.
- 'Allow ALL from' could just be 'Allow from'. The ALL keyword is the default.

I believe the yellow notification from ABE applies only when ABE is blocking the top-level request - ie the site in the address bar. It doesn't occur when ABE is blocking a third-party request being made by the page.

And ABE was not designed as a general-purpose script-blocker - although it is powerful enough - but rather as a defence against CSRF and similar attacks. You can use it to set site-specific permissions, just like you can use the back of an axe head as a hammer, but it is not primarily designed for this.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
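
Added example (not part of any post above and not NoScript's code): a simplified JavaScript model of how the rules quoted in this thread are matched, showing what SELF++ admits in the first rule and what happens when the trailing Deny is left out. Assumptions: hosts only (no scheme or port), "base domain" taken as the last two labels, and all function names plus the origins www.googleapis.com and example.org are constructed for illustration.

```javascript
// Simplified model of ABE predicate matching for the rules in this thread.
// Added example, not NoScript's code. Assumptions: hosts only (no scheme or
// port) and "base domain" taken as the last two labels of the host.
const baseDomain = h => h.split('.').slice(-2).join('.');

// ".example.com" covers example.com and its subdomains; a bare host is exact.
function hostMatches(pattern, host) {
  if (pattern.startsWith('.')) return host === pattern.slice(1) || host.endsWith(pattern);
  return host === pattern;
}

function originMatches(pattern, origin, target) {
  if (pattern === 'SELF++') return baseDomain(origin) === baseDomain(target);
  return hostMatches(pattern, origin);
}

// "Site <hosts>" followed by "<Action> [METHODS] [from <origins>]" lines.
function parseRule(text) {
  const [siteLine, ...rest] = text.trim().split('\n').map(l => l.trim());
  const predicates = rest.map(line => {
    const [head, from] = line.split(/\s+from\s+/);
    const [action, ...methods] = head.split(/\s+/);
    return { action, methods: methods.length ? methods : ['ALL'],
             origins: from ? from.split(/\s+/) : null };
  });
  return { sites: siteLine.split(/\s+/).slice(1), predicates };
}

// The first predicate whose method and origin both match decides the action.
// Returns 'no match' when nothing applies, i.e. the model takes no action.
function evaluate(ruleText, origin, target = 'ajax.googleapis.com', type = 'INCLUSION') {
  const rule = parseRule(ruleText);
  if (!rule.sites.some(s => hostMatches(s, target))) return 'no match';
  for (const p of rule.predicates) {
    const methodOk = p.methods.includes('ALL') || p.methods.includes(type);
    const originOk = !p.origins || p.origins.some(o => originMatches(o, origin, target));
    if (methodOk && originOk) return p.action;
  }
  return 'no match';
}

// Rules as posted in the thread; NO_DENY is the last rule with Deny removed.
const FIRST = 'Site ajax.googleapis.com\nAccept INCLUSION from SELF++\n' +
  'Accept INCLUSION from forums.radioreference.com\nDeny';
const FINAL = 'Site .ajax.googleapis.com\nAccept ALL from .radioreference.com\nDeny';
const NO_DENY = FINAL.replace(/\nDeny$/, '');

// www.googleapis.com and example.org are constructed origins for illustration.
for (const origin of ['forums.radioreference.com', 'www.googleapis.com', 'example.org'])
  console.log(origin, evaluate(FIRST, origin), evaluate(FINAL, origin), evaluate(NO_DENY, origin));
```

With Deny removed, the request from example.org falls through every predicate and nothing blocks it, which is the case Thrawn describes.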