InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

How to block cross site scripts from whitelisted domains?

https://forums.informaction.com/viewtopic.php?t=20132

Page 1 of 1

How to block cross site scripts from whitelisted domains?

Posted: Tue Sep 30, 2014 8:46 am
by MisterE
Hello,

First off my apologies for posting what I am sure is a question that has been asked and addressed many times before.
In my defense, I did read the FAQ but, I'm not terribly technically proficient and that's where I got hung up with the FAQ. I think the section that pertains to what I want to do is this one: http://noscript.net/abe/
I also did search the forum but my terms are so broad it returned a ton of irrelevant results.
So, please accept my apology in advance for posting what is likely an already answered, n00b question. Just point me in the right direction to the relevant thread please.

Unfortunately, I need to allow scripts from sites such as FB, Skype, Tumblr, Twitter, etc... so their sites are functional when I use them for my Skype teaching business. I have whitelisted the sites in the NS options of course but I do not want these sites running scripts on any other sites I visit. For example, almost every news site contains the FB social plugin and that runs script which tells FB every time I visit a site with that code. I want to set up NS to block scripts from FB when I am reading latimes.com or whatever site that does not have the facebook.com domain in the URL.

Thanks in advance for any help!
--E 8-)

Re: How to block cross site scripts from whitelisted domains

Posted: Tue Sep 30, 2014 9:21 am
by Giorgio Maone
The relevant FAQ is this.
Please let us know if you need further clarifications about it.

Re: How to block cross site scripts from whitelisted domains

Posted: Tue Sep 30, 2014 9:46 am
by MisterE
Thanks for your quick reply Girogio. I figured ABE was where I could do this. I'm trying to get my head around the syntax now... http://noscript.net/abe/abe_rules.pdf
Is there an example of a basic rule to contain scripts from foo.com to foo.com sites only? No exceptions that allow scripts from foo.com to run on other sites, it's blocked outside of foo.com.

I don't know why this is so difficult for me, I've never really understood regex or related syntax for some reason.

Thanks again,
--E 8-)

Edit: I think I see what I need in the example page of the PDF doc linked above?

Code: Select all

# This one allows Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

Re: How to block cross site scripts from whitelisted domains

Posted: Tue Sep 30, 2014 10:03 am
by Giorgio Maone
In the aforementioned FAQ 8.10 there's a

Code: Select all

# facebook.com containment rule
# This rule allows Facebook scripts objects and frames to be included only
# from Facebook pages and apps
Site .facebook.com .fbcdn.net .facebook.net ^https://fbstatic-[a-z]+\.akamaihd\.net
Accept from .facebook.com .fbcdn.net .facebook.net .mafiawars.com .eamobile.com
Deny INCLUSION

Re: How to block cross site scripts from whitelisted domains

Posted: Tue Sep 30, 2014 10:51 am
by MisterE
Thanks so much for the reply. Awesome free support for an awesome free tool, I could not imagine the web without NoScript.

Next payday I'll send a donation your way.

Thanks again!
--E 8-)
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited