
load only from current domain

Posted: Thu Dec 09, 2010 12:30 am
by guest
Need help with ABE. I only want to load from the current domain and stop other domains.

Code:

Site thissite.com
Accept ALL from thissite.com
Deny ALL
That's what I tried, but it didn't work.

Re: load only from current domain

Posted: Sat Dec 11, 2010 10:05 am
by Giorgio Maone
What does "didn't work" mean?
The code you used should work (allowing requests from the site itself only).
Notice that you can shorthand it as

Code:

Site thissite.com
Accept from SELF
Deny
and if you want to include subdomains,

Code:

Site .thissite.com
Accept from SELF++
Deny

Re: load only from current domain

Posted: Sat Dec 11, 2010 8:21 pm
by guest

Code:

Site .thissite.com
Accept from SELF++
Deny
The code above didn't work. I did change to the real domain!

The website loads images from other domains. I want to only load files from thissite.com.
Even after I put the code in USER, the site still loads the images.

Re: load only from current domain

Posted: Sat Dec 11, 2010 11:08 pm
by Giorgio Maone
Is ABE enabled?
Can I see a screenshot of your NoScript Options|Advanced|ABE panel and know the real site (you can PM me the address, if you prefer so)?

Re: load only from current domain

Posted: Sun Dec 12, 2010 5:00 pm
by Giorgio Maone
Got your private message.
It looks like you want to use ABE "the reverse way", i.e. as an ad blocker (blocking outbound requests, FROM thissite.com TO other sites) rather than as a CSRF protector (blocking inbound requests TO thissite.com).

The way to achieve this is

Code:

# block any load originating from .thissite.com, 
# except when the destination is .thissite.com itself
# both the rules need to be put in the same ruleset, in this exact order
Site .thissite.com
Accept

Site *
Deny from .thissite.com
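
A simplified model of the rule matching described in the post above, added here as an illustration (not code from the thread or from NoScript). It assumes first-match evaluation, approximates SELF++ as "origin matches the rule's Site pattern", and uses constructed hostnames; it shows why the first ruleset leaves outbound image loads untouched while the second one denies them.

```python
# Simplified model of ABE first-match evaluation (added sketch, not NoScript's code).
# Assumptions: SELF++ is approximated as "origin matches the rule's Site pattern";
# the hostnames used with it are constructed samples.

def host_matches(pattern, host):
    if pattern in ("*", "ALL"):
        return True
    if pattern.startswith("."):            # .thissite.com = domain plus subdomains
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse(ruleset):
    rules = []                             # [(site_patterns, [(action, origin_pattern)])]
    for line in ruleset.splitlines():
        words = line.split("#")[0].split()
        if not words:
            continue
        if words[0] == "Site":
            rules.append((words[1:], []))
        else:                              # "Accept|Deny [ALL] [from <origin>]"
            origin = words[words.index("from") + 1] if "from" in words else "*"
            rules[-1][1].append((words[0], origin))
    return rules

def decide(rules, origin, dest):
    """Return 'Accept', 'Deny', or None when no rule applies to the request."""
    for sites, predicates in rules:
        site = next((s for s in sites if host_matches(s, dest)), None)
        if site is None:
            continue                       # Site names destinations, not origins
        for action, frm in predicates:
            if frm == "SELF":
                hit = origin == dest
            elif frm == "SELF++":
                hit = host_matches(site, origin)
            else:
                hit = host_matches(frm, origin)
            if hit:
                return action              # first matching predicate wins
    return None

# Inbound (CSRF-style) ruleset from the earlier posts, and the outbound one above.
INBOUND = parse("Site .thissite.com\nAccept from SELF++\nDeny")
OUTBOUND = parse("Site .thissite.com\nAccept\n\nSite *\nDeny from .thissite.com")
```

With the two Site rules swapped, the `Site *` rule would match first and also deny loads from thissite.com to its own subdomains, which is why the order matters.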

Re: load only from current domain

Posted: Sun Dec 12, 2010 7:42 pm
by guest
That site has too many ads and I don't want to use an adblocker for each domain.
People should use this method when the site uses <a img=".." /> from a lot of different domains.


I read the wiki about CSRF, didn't quite get it.
So CSRF can steal my information if I'm logged in to myspace or bank?

Code:

<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory">
That's the wiki example; is it always an image?
Is that code posted by a malicious web admin or user?
What exactly can they do if I get hit by CSRF?

Code:

Site .myspace.com
Accept ALL from SELF++
Deny ALL
Can that code protect a myspace account?