Page 1 of 1
Definitely block requests to facebook from 3rd-party sites
Posted: Wed Mar 09, 2011 11:00 am
by 0xa3
The sample configuration on
http://noscript.net/abe/ provides the following configuration to block requests to facebook from third-party sites:
Code: Select all
# This one allows Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
However, this still allows the inclusion of "Like" Buttons etc. and therefore also leads to critical privace leakage.
Changing the ruleset to
Code: Select all
# This one block all requests to Facebook
# from third-party sites
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny ALL
blocks these requests as well.
If anyone knows further URLs used by Facebook please post them to this thread.
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Wed Mar 09, 2011 1:59 pm
by Giorgio Maone
0xa3 wrote:
Changing the ruleset to
Code: Select all
# This one block all requests to Facebook
# from third-party sites
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny ALL
blocks these requests as well.
But it prevents you from following Facebook links in other pages.
Better this one:
Code: Select all
# This one block all the embedded requests to Facebook
# from third-party sites
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Thu Mar 10, 2011 11:05 am
by 0xa3
Thanks for your reply. However, I noticed that certain requests aren't blocked when using Deny INCLUSION.
Unfortunately, I don't understand enough about the feature to understand why this is so, but you might want to have a look at the following sample URL:
http://support.microsoft.com/kb/288792
When using Deny ALL, NoScript blocks a GET request to facebook, when using Deny INCLUSION, the same request is not blocked.
I haven't checked how the request to facebook is implemented in detail (from JavaScript?), but the GET request that gets issued certainly could cause privacy leakage, which I would like to prevent.
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Thu Mar 10, 2011 11:37 am
by Giorgio Maone
They're apparently using also facebook.net now.
Just add it to the rule and no request will pass.
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Thu Mar 10, 2011 2:28 pm
by 0xa3
Thanks again. Seems it was even working before. I checked with Fiddler to see that there is no request sent to facebook with neither configuration.
However, I didn't get the ABE notification when using Deny INCLUSION so I got a little bit confused. Could this be a bug? Let me know if you need further information on my configuration.
Currently, I'm using Firefox 4 RC1 and NoScript 2.0.9.9. ABE notifications are switched on on the
Notifications tab and the ABE configuration looks as follows:
Code: Select all
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
# This one allows Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net .facebook.net .facebook.de
Accept from .facebook.com .fbcdn.net .facebook.net .facebook.de
Deny INCLUSION
#Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
Site .twitter.com .twimg.com
Accept from .twitter.com .twimg.com
Deny INCLUSION
#Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
Site .googlesyndication.com
Accept from .googlesyndication.com
Deny ALL
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Thu Mar 10, 2011 2:30 pm
by Giorgio Maone
User-facing notifications happen for blocked document loads only.
All the other blocking activity is logged in Tools|Error Console as "[ABE]" message lines, to cut down the noise.
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Sat Mar 12, 2011 3:44 pm
by dhouwn
Might be worth updating
FAQ 8.10 to include "facebook.net".
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Sat Mar 12, 2011 3:59 pm
by Giorgio Maone
dhouwn wrote:Might be worth updating
FAQ 8.10 to include "facebook.net".
I had actually done it, but forgot to upload the changes.
Thanks for noticing.
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Thu Mar 17, 2011 12:16 pm
by tlu
Giorgio Maone wrote:dhouwn wrote:Might be worth updating
FAQ 8.10 to include "facebook.net".
I had actually done it, but forgot to upload the changes.
Thanks for noticing.
Giorgio, including .mafiawars.com and .eamobile.com in the "Accept from" line is really no mistake? I'm asking as I'm not familiar with these sites. Are they related to Facebook?
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Thu Mar 17, 2011 1:34 pm
by Giorgio Maone
tlu wrote:
Giorgio, including .mafiawars.com and .eamobile.com in the "Accept from" line is really no mistake? I'm asking as I'm not familiar with these sites. Are they related to Facebook?
They're needed for some popular Facebook games to work.
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Thu Mar 17, 2011 2:38 pm
by tlu
Giorgio Maone wrote:tlu wrote:
Giorgio, including .mafiawars.com and .eamobile.com in the "Accept from" line is really no mistake? I'm asking as I'm not familiar with these sites. Are they related to Facebook?
They're needed for some popular Facebook games to work.
I see. Thanks!
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Wed May 11, 2011 9:17 am
by forfrom1337
I have a basic question about this:
Do I have to allow facebook.com (or .net) permanently to have the scripts on the Facebook page?? (or are they beeing allowed by the ABE-Rule?)
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Wed May 11, 2011 1:30 pm
by Giorgio Maone
forfrom1337 wrote:I have a basic question about this:
Do I have to allow facebook.com (or .net) permanently to have the scripts on the Facebook page?? (or are they beeing allowed by the ABE-Rule?)
ABE and NoScript permissions are independent and orthogonal.
Therefore you have to Allow (in NoScript) for scripts to work, and DENY (in ABE) for facebook stuff not being loaded in 3rd party pages.
Re: Definitely block requests to facebook from 3rd-party sit
Posted: Mon Jun 27, 2011 4:29 pm
by Newbee
Hello my friends,
I have a quick question. There are also sites like
facebook.greenpeace.com
included in some websites. How can we block these sites? Is it correct, that we cannot use a logic like *.facebook*.com in the white list section, right? But in the ABE part the syntax *.facebook*.com would work?
Hope there is a solution for this...
Thanks in advance!