Facebook, whitelist and FB 3rd party app question

crashsystems
Posts: 4
Joined: Thu Feb 25, 2010 8:14 pm

Facebook, whitelist and FB 3rd party app question

Post by crashsystems »

If I recall correctly, 3rd party apps in Facebook are allowed to use Javascript, and Facebook does nothing to verify who wrote that code. What I would like to do is use the NoScript whitelist to allow Javascript written by Facebook to run, while not allowing Javascript from 3rd party developers.

If I add an exception to facebook.com, would this accomplish my goal, or is there more to it than that? Also, do I need to add an exception to fbcdn.com for this to work?
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Facebook, whitelist and FB 3rd party app question

Post by Giorgio Maone »

crashsystems wrote: If I add an exception to facebook.com, would this accomplish my goal, or is there more to it than that? Also, do I need to add an exception to fbcdn.com for this to work?
If you allow facebook.com and fbcdn.net, you will let Facebook run its script but not the 3rd party (which I understand is your goal).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
crashsystems
Posts: 4
Joined: Thu Feb 25, 2010 8:14 pm

Re: Facebook, whitelist and FB 3rd party app question

Post by crashsystems »

I thought that allowing those two things might do it, but I was not sure, as I'm not very familiar with how Facebook goes about grabbing the code for 3rd party apps to display to the user.

Anyways, thanks for the quick reply.
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
crashsystems
Posts: 4
Joined: Thu Feb 25, 2010 8:14 pm

Re: Facebook, whitelist and FB 3rd party app question

Post by crashsystems »

With recent announcements (http://www.readwriteweb.com/archives/fa ... zation.php) from Facebook, it looks like a lot more sites are going to be running Facebook Javascript on their pages. With that in mind, is it possible to allow scripts from facebook.com and fbcdn.com, but only when they are loading in a facebook.com page?
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100415 Ubuntu/10.04 (lucid) Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Facebook, whitelist and FB 3rd party app question

Post by Giorgio Maone »

Allow both in NoScript, then add the following ABE to the NoScript Options|Advanced|ABE USER rule:


Site .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Facebook, whitelist and FB 3rd party app question

Post by GµårÐïåñ »

Giorgio, would DENY in the end be redundant? Just thinking embedded code that is pulling from another source MIGHT creep through otherwise, no? Just thinking out loud.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Facebook, whitelist and FB 3rd party app question

Post by Giorgio Maone »

GµårÐïåñ wrote: Giorgio, would DENY in the end be redundant?
Sorry, my fault. The closing deny MUST be there, and I forgot to type it.
Fixed in the original post, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
crashsystems
Posts: 4
Joined: Thu Feb 25, 2010 8:14 pm

Re: Facebook, whitelist and FB 3rd party app question

Post by crashsystems »

I'm getting the following error:

line 3:1 no viable alternative at character 'l'

Here is a paste of the entire contents:


# User-defined rules. Feel free to experiment here.

Site .fbcdn.net

Allow from .facebook.com .fbcdn.net

Deny
Also, would this work to also block facebook.com scripts on non-facebook sites, or is this an example of the type of rule I'd need to do separately for facebook.com?
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100415 Ubuntu/10.04 (lucid) Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Facebook, whitelist and FB 3rd party app question

Post by Giorgio Maone »

Sorry, my fault again (I badly need some extra sleep): it should be "Accept", not "Allow".
Most if not all Facebook scripts are served from fbcdn.net for performance.
You can put "facebook.com" in the same "Site" clause if you want, but you won't be able to link to Facebook from other sites.
This will eventually be improved (see http://forums.informaction.com/viewtopi ... 66&e=16966 )
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
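
Added example, not part of the thread and not NoScript's own code: a simplified JavaScript model of how the corrected rule above is evaluated, covering only the Site, Accept and Deny keywords. It shows why the closing Deny is required and why "Allow" is rejected. The function names and the hosts static.fbcdn.net and news.example.com are constructed for illustration, and the first-match and pass-through-by-default behaviour is this model's assumption about ABE.

```javascript
// Simplified model of ABE evaluation, covering only Site / Accept / Deny.
// Not NoScript's implementation; function names are made up for this example.

// ".fbcdn.net" matches fbcdn.net and any subdomain; a bare host matches exactly.
function hostMatches(pattern, host) {
  if (pattern.startsWith(".")) {
    return host === pattern.slice(1) || host.endsWith(pattern);
  }
  return host === pattern;
}

function parseRules(text) {
  const rules = [];
  text.split("\n").forEach((raw, i) => {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line) return;
    const [keyword, ...rest] = line.split(/\s+/);
    if (keyword === "Site") {
      rules.push({ sites: rest, predicates: [] });
    } else if (keyword === "Accept" || keyword === "Deny") {
      if (!rules.length) throw new SyntaxError(`line ${i + 1}: action before any Site`);
      // "from" is optional; without it the predicate applies to every origin.
      const origins = rest[0] === "from" ? rest.slice(1) : null;
      rules[rules.length - 1].predicates.push({ action: keyword, origins });
    } else {
      throw new SyntaxError(`line ${i + 1}: unknown keyword "${keyword}"`);
    }
  });
  return rules;
}

// First matching predicate of the first matching rule decides (model assumption).
// If nothing matches, the request goes through: only what a rule names is restricted.
function decide(rules, destHost, originHost) {
  for (const rule of rules) {
    if (!rule.sites.some((p) => hostMatches(p, destHost))) continue;
    for (const pred of rule.predicates) {
      if (!pred.origins || pred.origins.some((p) => hostMatches(p, originHost))) {
        return pred.action;
      }
    }
  }
  return "Accept";
}

// Rule texts from the thread: as corrected, without the closing Deny, and as pasted.
const FIXED = "Site .fbcdn.net\nAccept from .facebook.com .fbcdn.net\nDeny";
const NO_DENY = "Site .fbcdn.net\nAccept from .facebook.com .fbcdn.net";
const AS_PASTED = "Site .fbcdn.net\nAllow from .facebook.com .fbcdn.net\nDeny";
```

With FIXED, a request to static.fbcdn.net is accepted from www.facebook.com and denied from news.example.com; with NO_DENY the same cross-site request falls through and is accepted, and requests to www.facebook.com are untouched by either rule because facebook.com is not in the Site clause.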
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Facebook, whitelist and FB 3rd party app question

Post by GµårÐïåñ »

It's ok boss, you work too hard and as awesome as you are, you are still human, so I am glad I could bring attention to it and even I didn't comment on the Allow because frankly, I was embarrassed that maybe the syntax had changed in my absence and I didn't want to come across rude and ignorant, so I kept that to myself but the DENY hit me right away. We are all here for this very reason, so we can lend a hand, so get some rest, PLEASE!
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3