Page 1 of 2
Additional domain restrictions for whitelist
Posted: Fri Dec 25, 2009 3:10 pm
by qux
Hi
Can anybody say please, is there any way to make whitelist rules working only on certain domains?
For example, many sites are using googleapis scripts, directly from ajax.googleapis.com. Can i allow them (not temporary) only on somesite.com, keeping default state on all the rest of www?
I didn't found such info in faq and forum search, please point if i'm wrong. Thanks and sorry for my English ;)
Re: Additional domain restrictions for whitelist
Posted: Sat Dec 26, 2009 10:35 pm
by Tom T.
This feature is anticipated in the next-generation NoScript, 2.x, and is discussed extensively in the long-running thread,
Site-Specific Permissions. There is not yet an estimated release date, but we're all very eager to see it.
And I had no trouble understanding your post. Your English was fine.
Re: Additional domain restrictions for whitelist
Posted: Sun Dec 27, 2009 9:17 pm
by qux
Thank you! Will wait for v.2, then ;)
Re: [CLOSED] Additional domain restrictions for whitelist
Posted: Mon Dec 28, 2009 4:19 pm
by Giorgio Maone
Re: [CLOSED] Additional domain restrictions for whitelist
Posted: Mon Dec 28, 2009 5:02 pm
by qux
Giorgio Maone
Really, thanks, seems like working. Only bad thing is lacking any visual indication of ABE's rules work (notification ticks for scripts and ABE are on). So it is hard (impossible?) to understand are scripts really blocked or not, if they aren't display something on page.
Re: [CLOSED] Additional domain restrictions for whitelist
Posted: Mon Dec 28, 2009 5:46 pm
by Giorgio Maone
qux wrote:So it is hard (impossible?) to understand are scripts really blocked or not, if they aren't display something on page.
You can check
Tools|Error Console for [ABE] lines.
Re: [CLOSED] Additional domain restrictions for whitelist
Posted: Mon Dec 28, 2009 6:38 pm
by qux
Giorgio Maone
Hm, nothing similar there. Any option?
Noscript 1.9.9.27, other info in my UA string below.
Re: [CLOSED] Additional domain restrictions for whitelist
Posted: Mon Dec 28, 2009 6:58 pm
by Giorgio Maone
qux wrote:Giorgio Maone
Hm, nothing similar there. Any option?
No option. If you added that rule, when you open
http://www.foe.com you should get one or more "message" lines like this:
Code: Select all
[ABE] <google-analytics.com *.google-analytics.com> Deny on {GET http://www.google-analytics.com/urchin.js <<< http://www.foe.com/, http://www.foe.com/}
USER rule:
Site google-analytics.com *.google-analytics.com
Accept from friend.com *.friend.com friend2.com *.friend2.com
Deny
Re: [CLOSED] Additional domain restrictions for whitelist
Posted: Mon Dec 28, 2009 7:17 pm
by qux
Giorgio Maone
This messages don't present in my case. Rule:
Code: Select all
Site ajax.googleapis.com *.ajax.googleapis.com
Accept from ogo.in.ua *.ogo.in.ua
Deny
Added to USER ruleset, then to both, for testing - same result. No ABE messages in console, both on allowed site and blocked one. Have only some html parser warnings there.
Rules are working all this time, i checked this.
Re: [CLOSED] Additional domain restrictions for whitelist
Posted: Mon Dec 28, 2009 7:46 pm
by Giorgio Maone
Please try to edit (or create) the
javascript.options.showInConsole boolean
about:config preference and set it to true, then restart your browser.
Re: [CLOSED] Additional domain restrictions for whitelist
Posted: Mon Dec 28, 2009 8:07 pm
by qux
Giorgio Maone
Done (it was default, false), but no result. Maybe FF in my distro was built with some uncommon options? Here is info from about:buildconfig
Code: Select all
Build platform
target
x86_64-unknown-linux-gnu
Build tools
Compiler Version Compiler flags
gcc gcc version 4.4.2 20091027 (Red Hat 4.4.2-7) (GCC) -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -W -Wno-long-long -pedantic -O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fno-strict-aliasing -pthread -pipe -DNDEBUG -DTRIMMED -Os -freorder-blocks -fno-reorder-functions
c++ gcc version 4.4.2 20091027 (Red Hat 4.4.2-7) (GCC) -fno-rtti -fno-exceptions -Wall -Wpointer-arith -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wcast-align -Wno-invalid-offsetof -Wno-long-long -pedantic -O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fno-strict-aliasing -fshort-wchar -pthread -pipe -DNDEBUG -DTRIMMED -Os -freorder-blocks -fno-reorder-functions
Configure arguments
--enable-application=xulrunner --prefix=/usr --libdir=/usr/lib64 --with-system-nspr --with-system-nss --with-system-jpeg --with-system-zlib --with-system-bz2 --enable-system-hunspell --enable-system-sqlite --enable-system-cairo --with-pthreads --disable-strip --disable-tests --disable-mochitest --disable-installer --disable-debug --enable-optimize --enable-default-toolkit=cairo-gtk2 --enable-pango --enable-svg --enable-canvas --disable-javaxpcom --disable-crashreporter --enable-safe-browsing --enable-extensions=default,python/xpcom --enable-libnotify
[/size]Or some other options in about:config? I'll try to reproduce this on clean profile tomorrow.
Re: [CLOSED] Additional domain restrictions for whitelist
Posted: Tue Dec 29, 2009 2:08 am
by Tom T.
@ Giorgio: Thanks for adding that FAQ. I'm sorry that I missed its publication. It will come in very handy in answering questions like this in the future, and will be a nice bridge to site-specific permissions.
Question: Can it work for objects as well as scripts? Here is what I tried: (USER)
Site java-vm@*.* *java-vm@*.*
Accept from hushmail.com *.hushmail.com
Deny
As you can see, I would like to allow Java applets at Hushmail and nowhere else. I allowed Java in NS > Embeddings as per the above.
It doesn't work. Java applets were still loading from other sites tested (using Java's own test page as the best tester).
ABE would not allow <APPLET> or comma to be entered, even though the objects show as <APPLET>, java-vm@http.//
www.somesite.com
Is this syntax wrong, or is this not possible to do?
As you know, GµårÐïåñ' was intending to write an ABE User Guide with your assistance, of which I was awaiting the privilege of copy-editing at his request, but unfortunately, he has been otherwise occupied.
Side note for all uses of Sandboxie and similar: The rule entry didn't survive the emptying of the sandbox. I realized that my currently-allowed file paths through the sandbox (bookmarks, NS prefs, etc.) aren't enough. Either edit directly in (profile) > ABE > rules > User.abe, or open a sandboxie file path to there in its configuration file.
Re: [CLOSED] Additional domain restrictions for whitelist
Posted: Tue Dec 29, 2009 4:18 am
by Alan Baxter
qux wrote:Giorgio Maone
This messages don't present in my case. Rule:
Code: Select all
Site ajax.googleapis.com *.ajax.googleapis.com
Accept from ogo.in.ua *.ogo.in.ua
Deny
Added to USER ruleset, then to both, for testing - same result. No ABE messages in console, both on allowed site and blocked one. Have only some html parser warnings there.
Rules are working all this time, i checked this.
I see the messages Giorgio predicts.
Did you whitelist ajax.googleapis.com? You need to do that. In addition to the NoScript 1.9.9.29 default settings, I whitelisted ajax.googleapis.com and ogo.in.ua and added qux's USER rule to ABE.
On
http://ogo.in.ua/forums/, I don't get the ABE "Deny" message because ABE allows it, but if I remove
then I get the following messages in the Error Console:
Code: Select all
[ABE] <ajax.googleapis.com *.ajax.googleapis.com> Deny on {GET http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js <<< http://ogo.in.ua/forums/, http://ogo.in.ua/forums/}
USER rule:
Site ajax.googleapis.com *.ajax.googleapis.com
Deny
[ABE] <ajax.googleapis.com *.ajax.googleapis.com> Deny on {GET http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js <<< http://ogo.in.ua/forums/, http://ogo.in.ua/forums/}
USER rule:
Site ajax.googleapis.com *.ajax.googleapis.com
Deny
Re: Additional domain restrictions for whitelist
Posted: Tue Dec 29, 2009 8:59 am
by qux
Alan Baxter wrote:Did you whitelist ajax.googleapis.com? You need to do that.
Yes, i read this in faq, and already said ABE rules work correctly - only without indication.
But i found what's the point. To see ABE's "deny" message you must allow main (viewed) site with Noscript, not only googleapis.com in my case, and i didn't understand this at once :) Javascript.options.showInConsole option can be default, "false". Now it seems enough for me, thanks ;)
Re: Additional domain restrictions for whitelist
Posted: Tue Dec 29, 2009 9:17 am
by Alan Baxter
You're welcome.