granular accept/deny w/ABE fails (denies always)

rlaggren
Posts: 9
Joined: Sat Feb 21, 2015 2:33 am

Post by rlaggren »

NS 2.6.9.15
browser Pale Moon 25.1.0 (Firefox fork)

webpage w/problem: http://chicagoweathercenter.com/forecast

I have allowed the main site and found it requires "gravatar.com"; I have allowed "gravatar.com" and the site works.

I then added a user rule to ABE and the site failed. Removing the "Deny" from the user rule allowed the site to work again, so the ABE user rule is the problem. Below is the related msg from the console when the site failed:

[20:18:31.651] [ABE] <.gravatar.com> Deny on {GET https://secure.gravatar.com/js/gprofile ... =2015Febaa <<< http://s.gravatar.com/js/gprofiles.js?ver=2015Febaa, http://chicagoweathercenter.com/forecast - 2}
USER rule:
Site .gravatar.com
Accept from .chicagoweathercenter.com
Deny

The ABE rule in the User tab (comments to disable original recipe and to remind myself of syntax):

Site .gravatar.com
#Accept INCLUSION from SELF++
#Accept INCLUSION from .chicagoweathercenter.com
Accept from .chicagoweathercenter.com
# append additional sites in lines above, separated by space
Deny

I am guessing that one "gravatar.com" script is calling another script on the "gravatar.com" site, and since that site is allowed only for calls from the original site ("chicago..."), ABE denies it.

Q1: From the above msg, which is the script called from the main site and which is the second script which gets denied? (Assuming my guess is correct. Sorry for the dumb Q but this is the first time I've tried to read a console log.)

Q2: What would be the most general way to fix this? Meaning the way least likely to get broken down the road while maintaining as much security as possible. I'm guessing I could just add another "Accept" rule for the "gravatar.com" site itself but maybe there's a better way?


Thanks

Rufus
Mozilla/5.0 (X11; Linux x86_64; rv:25.1) Gecko/20141127 Firefox/31.9 PaleMoon/25.1.0
barbaz
Senior Member
Posts: 11106
Joined: Sat Aug 03, 2013 5:45 pm

Re: granular accept/deny w/ABE fails (denies always)

Post by barbaz »

Let's hold off answering your questions.
Gravatar is supposed to have a surrogate script, so you should never need to Allow it as a 3rd party script to make a site work. Give me a moment; I will look into this shortly.
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 11106
Joined: Sat Aug 03, 2013 5:45 pm

Re: granular accept/deny w/ABE fails (denies always)

Post by barbaz »

Surrogate needs to be changed to

Gravatar={my_hash:'', profile_cb:function(){}, init:function(){}, __noSuchMethod__:function(){}}
-
barbaz
Senior Member
Posts: 11106
Joined: Sat Aug 03, 2013 5:45 pm

Re: granular accept/deny w/ABE fails (denies always)

Post by barbaz »

Sorry rlaggren, I didn't explain that lot to you.

So all you need to do to make the site work is go to about:config and set noscript.surrogate.gravatar.replacement to the above code.

Leave gravatar Forbidden.
No need for ABE at all here.

Anyway, now to your questions:
rlaggren wrote: Q1: From the above msg, which is the script called from the main site and which is the second script which gets denied?
https://noscript.net/abe/users.html should help you understand the console message.
rlaggren wrote: Q2: What would be the most general way to fix this? Meaning the way least likely to get broken down the road while maintaining as much security as possible. I'm guessing I could just add another "Accept" rule for the "gravatar.com" site itself but maybe there's a better way?
Report the issue here, wait for Giorgio to see the thread and fix the builtin surrogate; then when that's done all you do is update NoScript and that's it, issue gone.

Yet I feel like I'm not really entirely sure what you're asking here, and so that's maybe not a very good answer... How general do you mean by the word "general", and by "this" do you mean only this exact issue? Because not all sites are candidates for builtin surrogates or even really for custom surrogates...
-
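Added example (not part of the thread and not NoScript's own code): a small parser for the ABE console line quoted in the first post, which then checks each URL listed after `<<<` against the `from` pattern of the user rule. The field names, the helper functions, and the reading of the comma-separated list as origin URLs are assumptions made for illustration; the trailing number is kept as an opaque field and NoScript's actual matching logic is not reproduced.

```javascript
// Console line copied from the first post; the "..." elision is the thread's own.
const LOG_LINE =
  "[20:18:31.651] [ABE] <.gravatar.com> Deny on {GET " +
  "https://secure.gravatar.com/js/gprofile ... =2015Febaa <<< " +
  "http://s.gravatar.com/js/gprofiles.js?ver=2015Febaa, " +
  "http://chicagoweathercenter.com/forecast - 2}";

// Hypothetical field layout; the trailing number is kept as an opaque string.
const ABE_LINE =
  /^\[([^\]]+)\] \[ABE\] <([^>]+)> (\w+) on \{(\w+) (.*?) <<< (.*) - (\S+)\}$/;

function parseAbeLine(line) {
  const m = ABE_LINE.exec(line.trim());
  if (!m) return null; // not an ABE decision line in this shape
  const [, time, ruleSite, action, method, destination, origins, trailer] = m;
  return { time, ruleSite, action, method, destination,
           origins: origins.split(", "), trailer };
}

// Host of a logged URL; only the part before any whitespace is parsed,
// so an elided URL such as the destination above still yields its host.
function hostOf(loggedUrl) {
  return new URL(loggedUrl.trim().split(/\s+/)[0]).hostname;
}

// ".example.com" matches example.com and its subdomains; other patterns
// are compared literally (globs and regexps are out of scope here).
function matchesSite(pattern, host) {
  return pattern.startsWith(".")
    ? host === pattern.slice(1) || host.endsWith(pattern)
    : host === pattern;
}

// For each URL listed after "<<<", report whether `fromPattern` covers its host.
function checkOrigins(line, fromPattern) {
  const rec = parseAbeLine(line);
  if (!rec) throw new Error("unrecognised ABE line");
  return {
    siteMatchesDestination: matchesSite(rec.ruleSite, hostOf(rec.destination)),
    origins: rec.origins.map((url) => {
      const host = hostOf(url);
      return { host, covered: matchesSite(fromPattern, host) };
    }),
  };
}

console.log(JSON.stringify(checkOrigins(LOG_LINE, ".chicagoweathercenter.com"), null, 2));
```

For the line from the thread, the destination host falls under `.gravatar.com`, `chicagoweathercenter.com` is covered by the `from` pattern, and `s.gravatar.com` is not.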
barbaz
Senior Member
Posts: 11106
Joined: Sat Aug 03, 2013 5:45 pm

Re: granular accept/deny w/ABE fails (denies always)

Post by barbaz »

The surrogate update is in latest development build now
(Thanks Giorgio)
-