"partially" allow a site for a site?

Posted: Sat Aug 30, 2014 10:20 pm
by TooCrooked
many sites i see like to load scripts from "jquery.com" or whatever. but especially jquery.com.

i don't want to allow jquery.com globally. is it possible to let "@yahoo.com" load "jquery.com" globally, but "malicioussite.com" not be able to access "jquery.com"??

Re: "partially" allow a site for a site?

Posted: Sat Aug 30, 2014 10:40 pm
by barbaz
allow jquery in the NS menu, then use ABE to emulate per-site permissions

restrict all non-top-level loads of jquery not requested by yahoo:

Code:

Site .jquery.com
Accept from .yahoo.com
Deny INCLUSION

block only scripts/active content from jquery globally, except when requested from yahoo:

Code:

Site .jquery.com
Accept from .yahoo.com
Deny INCLUSION(SCRIPT, OBJ, FONT, XHR)
Sandbox

note that even with the above rules you'll still be able to load content from jquery if you type the URL in the address bar, but the pages won't be very functional with the first rule because access from jquery to jquery (aka all 1st-party inclusions) will be blocked, and with the second you won't be able to allow scripts from jquery on jquery itself
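
The first-match behaviour described in the reply above, as an added example that is not part of the original thread and not NoScript's own code: a simplified JavaScript model of how the two rulesets decide a request. The request shape, the "TOP" and "NoMatch" labels and the sample hosts www.yahoo.com and code.jquery.com are assumptions made for illustration.

```javascript
// Simplified model of ABE first-match evaluation (illustrative only).
// A pattern like ".jquery.com" matches the domain itself and any subdomain.
function hostMatches(pattern, host) {
  if (!pattern.startsWith(".")) return host === pattern;
  return host === pattern.slice(1) || host.endsWith(pattern);
}

// The two rulesets from the post, transcribed as data. `inclusion: true` means
// any non-top-level load; an array limits the predicate to those types.
const RULE_ALL = { site: ".jquery.com", predicates: [
  { action: "Accept", from: ".yahoo.com" },
  { action: "Deny", inclusion: true },
]};
const RULE_ACTIVE = { site: ".jquery.com", predicates: [
  { action: "Accept", from: ".yahoo.com" },
  { action: "Deny", inclusion: ["SCRIPT", "OBJ", "FONT", "XHR"] },
  { action: "Sandbox" },
]};

// req = { dest, origin, type }. type "TOP" (hypothetical label) is a URL typed
// in the address bar, with origin null; otherwise it is the inclusion type.
function evaluate(rule, req) {
  if (!hostMatches(rule.site, req.dest)) return "NoMatch";
  for (const p of rule.predicates) {
    if (p.from && !(req.origin && hostMatches(p.from, req.origin))) continue;
    if (p.inclusion) {
      if (req.type === "TOP") continue; // INCLUSION never matches top-level loads
      if (Array.isArray(p.inclusion) && !p.inclusion.includes(req.type)) continue;
    }
    return p.action; // first matching predicate wins
  }
  return "NoMatch"; // ABE stays out of it; normal NoScript permissions apply
}

// Constructed sample requests covering the cases the post walks through.
const SAMPLES = [
  { dest: "code.jquery.com", origin: "www.yahoo.com", type: "SCRIPT" },
  { dest: "code.jquery.com", origin: "malicioussite.com", type: "SCRIPT" },
  { dest: "code.jquery.com", origin: "malicioussite.com", type: "IMAGE" },
  { dest: "jquery.com", origin: "jquery.com", type: "SCRIPT" }, // 1st-party
  { dest: "jquery.com", origin: null, type: "TOP" },            // typed URL
];
for (const r of SAMPLES) {
  console.log(r.origin, "->", r.dest, r.type,
    "| rule 1:", evaluate(RULE_ALL, r), "| rule 2:", evaluate(RULE_ACTIVE, r));
}
```
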