Q re: ABE and conditional accepts

Posted: Thu May 26, 2011 9:22 pm
by klui
Hi:

First, thank you for writing NoScript!!

I am seeing a lot more sites that use googleapi.com on sites I visit and I want to conditionally accept it based on a site I've allowed, usually temporarily. I've seen the examples and they specify the site I want to conditionally allow, the site where I am at where they're accepted and blanket deny.

i.e.:
Site googleapis.com *.googleapis.com
Accept from *xyz.com
Deny

I've seen the facebook ABE exception and it is defined as:
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

Could I specify INCLUSION in the Accept so that anything I accept either permanently or temporarily in the Whitelist is automatically included without having to modify my ABE definition?

My Whitelist is very small and I manually accept many sites on a temporary basis.

So...
Site *googleapis.com
Accept INCLUSION
Deny

Would this work? Or should I specify
Accept INCLUSION(SCRIPT)
or
Accept INCLUSION(SCRIPT, OBJ, SUBDOC)
?

What are the various parameters I could use for INCLUSION? Are there any other types of Accept methods? The SYSTEM ruleset uses "Accept from LOCAL".

I anticipate temporarily allowing googleapis.com but does it really matter if I allow on a temporary or permanent basis since ABE specifies it only for specific domains?

Finally, for those who want to use HTTPS, you can add *googleapis.com in the Advanced > HTTPS > Force text box.


Thanks

Re: Q re: ABE and conditional accepts

Posted: Wed May 30, 2012 11:59 am
by Thrawn
The Inclusion keyword does not relate to your list of trusted sites. It would be interesting to have such a keyword, but probably wouldn't really suit ABE's primary purpose of preventing CSRF and similar attacks. For general cross-site control, I recommend RequestPolicy.

Inclusion actually refers to including resources (scripts, images, etc) in a page, as opposed to a top-level request. So,

Code:

Site example.com
Deny INCLUSION

means sites can't use images hosted on example.com, while

Code:

Site example.com
Deny

means sites can't even link to it.
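
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not NoScript's own code: a simplified JavaScript model of how a ruleset's predicates are matched against a request. The function names, the request shape (`to`, `from`, `kind`), the `.test` hostnames and the first-match evaluation order are assumptions of this model.

```javascript
// Simplified model of ABE rule matching; added illustration, not NoScript's code.
// Assumptions: first matching predicate decides; "no match" = ABE has no opinion.

// ".example.com" covers the domain and its subdomains; "*" is a glob wildcard.
function hostMatches(pattern, host) {
  if (pattern.startsWith(".")) {
    return host === pattern.slice(1) || host.endsWith(pattern);
  }
  const body = pattern.split("*")
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp("^" + body + "$").test(host);
}

// Parses "Site ..." plus "Accept|Deny [INCLUSION[(types)]] [from origins]" lines.
function parseRuleset(text) {
  const lines = text.split("\n").map(l => l.trim()).filter(Boolean);
  const sites = lines[0].replace(/^Site\s+/, "").split(/\s+/);
  const predicates = lines.slice(1).map(line => {
    const m = /^(Accept|Deny)(\s+INCLUSION(?:\(([^)]*)\))?)?(?:\s+from\s+(.+))?$/.exec(line);
    if (!m) throw new Error("unsupported predicate: " + line);
    return {
      action: m[1],
      inclusionOnly: m[2] !== undefined,
      types: m[3] ? m[3].split(",").map(t => t.trim()) : null,
      origins: m[4] ? m[4].trim().split(/\s+/) : null,
    };
  });
  return { sites, predicates };
}

// req.kind is "TOP" for a top-level load (a followed link), otherwise the
// type of the embedded resource ("SCRIPT", "IMAGE", "SUBDOC", ...).
function decide(ruleset, req) {
  if (!ruleset.sites.some(p => hostMatches(p, req.to))) return "no match";
  for (const p of ruleset.predicates) {
    if (p.inclusionOnly && req.kind === "TOP") continue;
    if (p.types && !p.types.includes(req.kind)) continue;
    if (p.origins && !p.origins.some(o => hostMatches(o, req.from))) continue;
    return p.action;
  }
  return "no match";
}

// Constructed requests against the two rulesets from the reply above.
const denyInclusion = parseRuleset("Site example.com\nDeny INCLUSION");
const denyAll = parseRuleset("Site example.com\nDeny");
const img = { to: "example.com", from: "other.test", kind: "IMAGE" };
const link = { to: "example.com", from: "other.test", kind: "TOP" };
console.log(decide(denyInclusion, img), decide(denyInclusion, link), decide(denyAll, link));
```

Run against the ruleset from the first post (`Site *googleapis.com`, `Accept INCLUSION`, `Deny`), the model returns Accept for a script inclusion from any origin and Deny for a followed link, because no predicate consults the list of trusted sites.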