Allow Scripts to be Included from Limited Sites
Posted: Fri Jun 25, 2010 7:37 pm
by jazzmania
If I allow a script to run from a certain site, all pages loaded are allowed to run that script. Can I limit the script to only run if included from certain sites?
For example, I want to allow yahooapis to run in safeandsecure.com but not evilhacker.com.
Re: Allow Scripts to be Included from Limited Sites
Posted: Fri Jun 25, 2010 8:24 pm
by Giorgio Maone
If evilhacker.com is not in your whitelist, yahooapis won't load at all, even if it is itself whitelisted.
That said, you can gain more control on resource loads through ABE.
Re: Allow Scripts to be Included from Limited Sites
Posted: Fri Jun 25, 2010 11:22 pm
by jazzmania
To test this I opened "http://scriptsrc.net". Then I opened "http://mangahelpers.com" in a new window.
scriptsrc.net is not in my whitelist. When I temporarily allow googleapis.com in mangahelpers.com, scriptsrc.net reloads and googleapis is allowed in both pages.
Re: Allow Scripts to be Included from Limited Sites
Posted: Fri Jun 25, 2010 11:45 pm
by Giorgio Maone
jazzmania wrote: When I temporarily allow googleapis.com in mangahelpers.com, scriptsrc.net reloads and googleapis is allowed in both pages.
googleapis is allowed everywhere, but this doesn't mean the scripts are loaded on scriptsrc.net. They're not, as a matter of fact, because no script can run on a non-whitelisted page (even if the 3rd party source is itself whitelisted).
BTW, you reminded me that skipping the reload for permission changes, when the involved site is a 3rd party script and the top level site is forbidden and unchanged, is a desirable optimization.
Re: Allow Scripts to be Included from Limited Sites
Posted: Sat Jun 26, 2010 7:53 am
by Guest
So even if there is no script content on scriptsrc.net, the script from googleapis is not allowed to run on scriptsrc.net until I allow scripts for scriptsrc.net?
Re: Allow Scripts to be Included from Limited Sites
Posted: Sat Jun 26, 2010 8:57 am
by Giorgio Maone
Guest wrote: So even if there is no script content on scriptsrc.net, the script from googleapis is not allowed to run on scriptsrc.net until I allow scripts for scriptsrc.net?
Correct.
In fact, to convey this message, on scriptsrc.net NoScript says "Scripts currently forbidden" and shows the "All forbidden" icon even though googleapis.com (as a source) is whitelisted.
Re: Allow Scripts to be Included from Limited Sites
Posted: Sun Jun 27, 2010 2:16 am
by Guest
But what if I want to allow scripts from scriptsrc.net but not googleapis on scriptsrc.net? By enabling googleapis for another site, I've enabled it for scriptsrc.net.
Re: Allow Scripts to be Included from Limited Sites
Posted: Sun Jun 27, 2010 6:11 am
by Giorgio Maone
Guest wrote: But what if I want to allow scripts from scriptsrc.net but not googleapis on scriptsrc.net? By enabling googleapis for another site, I've enabled it for scriptsrc.net.
While I don't understand why you would want to do that, from a strict security perspective, as I told you, you can achieve this by using ABE.
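Added example, not part of the thread and not NoScript's or ABE's own code: a simplified JavaScript model of the two checks discussed above (the top-level page and the script source must both be whitelisted) with an ABE-style ruleset layered on top to restrict which pages may include a source. The function names `parseRules` and `scriptRuns`, the suffix-only domain matching, and the sample rules are assumptions; only the `Site`, `Accept`, `Deny` and `from` keywords of ABE's rule syntax are modelled.

```javascript
// Simplified model, not NoScript's code. ".example.com" matches the domain
// and its subdomains; anything else must match exactly.
const matches = (pattern, host) =>
  pattern.startsWith(".")
    ? host === pattern.slice(1) || host.endsWith(pattern)
    : host === pattern;

// Parse ABE-style rulesets: a "Site <patterns>" line followed by
// "Accept|Deny [from <origins>]" lines.
function parseRules(text) {
  const rulesets = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*/, "").trim();
    if (!line) continue;
    const [head, ...rest] = line.split(/\s+/);
    if (head === "Site") {
      rulesets.push({ sites: rest, rules: [] });
    } else if (head === "Accept" || head === "Deny") {
      if (!rulesets.length) throw new Error("rule before Site: " + line);
      const i = rest.indexOf("from");
      rulesets[rulesets.length - 1].rules.push({
        action: head,
        origins: i === -1 ? null : rest.slice(i + 1), // null = any origin
      });
    } else throw new Error("unsupported line: " + line);
  }
  return rulesets;
}

// Decide whether a script from `source`, included by top-level `page`, runs.
function scriptRuns(whitelist, rulesets, page, source) {
  const allowed = (h) => whitelist.some((p) => matches(p, h));
  // The thread's point: a forbidden page runs no scripts, whatever their source.
  if (!allowed(page) || !allowed(source)) return false;
  for (const rs of rulesets) {
    if (!rs.sites.some((p) => matches(p, source))) continue;
    // The first rule in the ruleset whose origin matches decides.
    const hit = rs.rules.find(
      (r) => r.origins === null || r.origins.some((p) => matches(p, page)));
    if (hit) return hit.action === "Accept";
  }
  return true; // no rule matched: the whitelist result stands
}

// Constructed rules: googleapis.com may be loaded only from mangahelpers.com.
const RULES = parseRules(`
Site .googleapis.com
Accept from .mangahelpers.com
Deny
`);
```

With scriptsrc.net later added to the whitelist, the model without rules lets googleapis scripts run there, which is the case the last question raises; with `RULES` applied they run only on mangahelpers.com.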