[RESOLVED] auto-allow google-analytics only on certain site

Discussions about the Application Boundaries Enforcer (ABE) module
wupna
Junior Member
Posts: 20
Joined: Tue Nov 01, 2011 2:08 pm

Post by wupna »

Hi there,

I'd like to allow google-analytics.com only when I am on kleinanzeigen.ebay.de (German eBay classifieds) but not on ebay.de or elsewhere. It's because kleinanzeigen.ebay.de is not working if google-analytics is disabled (e.g. pictures are not clickable). At the moment I have to temporarily allow it when I want to fully use said site and disable it again afterwards. Is this possible and what would I have to do? I am sorry but I really don't have any clue how to write rules or something. I would be very thankful if somebody could help out with that. Thank you.

Regards
Last edited by Tom T. on Sun Jan 22, 2012 3:04 am, edited 1 time in total.
Reason: mark as resolved
Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: auto-allow google-analytics.com only while on certain si

Post by Tom T. »

wupna wrote:Hi there,

I'd like to allow google-analytics.com only when I am on kleinanzeigen.ebay.de (German eBay classifieds) but not on ebay.de or elsewhere. It's because kleinanzeigen.ebay.de is not working if google-analytics is disabled (e.g. pictures are not clickable). At the moment I have to temporarily allow it when I want to fully use said site and disable it again afterwards. Is this possible and what would I have to do? I am sorry but I really don't have any clue how to write rules or something. I would be very thankful if somebody could help out with that. Thank you.

Regards
There is actually already a topic about kleinanzeigen.ebay.de, http://forums.informaction.com/viewtopic.php?f=7&t=8013

Please see Forum Rules #1 regarding searching, to avoid many people asking the same question.

It also advises to search the NoScript FAQ, which answers your question already:

Creating Site-Specific Permissions via ABE

I say this in a positive manner, not in an unfriendly one. The goal is to make it easier for all users to find their answers as quickly as possible.

Thank you for understanding. Should you have any further questions about how to make this work, please do not hesitate to post them.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
wupna
Junior Member
Posts: 20
Joined: Tue Nov 01, 2011 2:08 pm

Re: auto-allow google-analytics.com only while on certain si

Post by wupna »

Hi Tom,

I'm sorry. By now I should have known better how to use the site search. In fact I only did a short search for "google-analytics" in the ABE subforum. I created this USER ruleset now in ABE:

# google-analytics.com rule
Site google-analytics.com *.google-analytics.com
Accept from kleinanzeigen.ebay.de
Deny
Additionally I generally allowed google-analytics.com. Is this correct? Can I trust that although it's allowed now for every site from within the NoScript GUI it actually will only be allowed on kleinanzeigen.ebay.de? I'm not too tech-savvy and it's a bad feeling to allow it everywhere and only trust this little ABE rule. How about addon conflicts or something which in turn might cause the opposite of what I was trying to do (e.g. for some cookie addons it seems true that contrary to the higher security you hoped for if you enable several of them due to conflicts none of the cookies get deleted anymore)?
Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: auto-allow google-analytics.com only while on certain si

Post by Tom T. »

wupna wrote:Hi Tom,

I'm sorry. By now I should have known better how to use the site search.
No problem! :)
wupna wrote:

# google-analytics.com rule
Site google-analytics.com *.google-analytics.com
Accept from kleinanzeigen.ebay.de
Deny
Additionally I generally allowed google-analytics.com. Is this correct?
Yes.

If it doesn't work at all pages on the site, you may need to change the Accept to

Accept from kleinanzeigen.ebay.de *.kleinanzeigen.ebay.de
or just use the shorthand,

Accept from .kleinanzeigen.ebay.de 
The leading dot serves both purposes.
wupna wrote: Can I trust that although it's allowed now for every site from within the NoScript GUI it actually will only be allowed on kleinanzeigen.ebay.de? I'm not too tech-savvy and it's a bad feeling to allow it everywhere and only trust this little ABE rule.
You previously trusted NoScript to block it everywhere, right? ;)
The ABE feature is well-tested, and you have instructed it to "Deny (everywhere else on the planet)".
wupna wrote:How about addon conflicts or something which in turn might cause the opposite of what I was trying to do
Add-on conflicts generally break pages when they happen, or even crash browsers. I've never heard of one sabotaging NoScript's protection.

EDIT: Many evil hackers have tried to sabotage NoScript's protection. Also, a few white-hat hackers, who report any success privately to Giorgio -- another reason for its strength. It's hard to see an add-on somehow bypassing NoScript.
wupna wrote:(e.g. for some cookie addons it seems true that contrary to the higher security you hoped for if you enable several of them due to conflicts none of the cookies get deleted anymore)?
Not very familiar with cookie add-ons. I've tried only one, but found that Firefox's built-in cookie management was quite adequate.

However, one does see warnings, for example, not to install two anti-virus products or two firewalls, as they can indeed interfere with each other's function.

If you want to be absolutely sure, get the JSView add-on for Firefox.

Go to any other site that normally runs google-analytics.com. Yes, you have allowed it in the NS menu.
Now open JSView by right-clicking the icon. Click "JSView Page Info".
Look for the google-analytics entry. Note that the size shows as ??? -- meaning that JSView cannot read the script.

Double-click the GA entry. Normally, this would let you see the actual script code contained. (It doesn't matter whether you can read Javascript, for our purposes.) You should see a blank page, proving that GA is not actually running at the site. It's trying, but mighty ABE has blocked it. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
wupna
Junior Member
Posts: 20
Joined: Tue Nov 01, 2011 2:08 pm

Re: auto-allow google-analytics.com only while on certain si

Post by wupna »

Wow, Tom, thank you very very much for the detailed response. I think you helped me overcome my doubts. I set up ABE to allow google-analytics.com only on kleinanzeigen.ebay.de and it's working now. A few other websites I checked with JSView and as you predicted google-analytics is not in action there. Additionally I am running RequestPolicy and Ghostery as well. So if those work correctly in the future, too, everything should be fine and double-safe :lol: The only downside is that for comfort reasons I have to allow requests from ebay.de to google-analytics.com in RequestPolicy and not only from its subdomain kleinanzeigen.ebay.de (in this case I choose to permanently allow over temporarily). I haven't found out yet how to do that.

Thanks again and have a nice day.

Edit: I forgot to mention that I have to whitelist kleinanzeigen.ebay.de in Ghostery, too, of course. Ok, that's another downside because there are now all services allowed for that domain as you cannot specifically in- or exclude only a few (the ones not necessary might be blocked by RequestPolicy now though as they're still blocked there). Anyway I might go this way for the time being and try to contact the developers of Ghostery and RequestPolicy.
Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: auto-allow google-analytics.com only while on certain si

Post by Tom T. »

wupna wrote:The only downside is that for comfort reasons I have to allow requests from ebay.de to google-analytics.com in RequestPolicy and not only from its subdomain kleinanzeigen.ebay.de (in this case I choose to permanently allow over temporarily). I haven't found out yet how to do that.
Right-click the RP icon to open its menu.
Click Preferences > Whitelist
Click "Origins-to-destinations"
In Origins box at the bottom, type kleinanzeigen.ebay.de
In Destinations box, type google-analytics.com > OK.
It now shows as you wish.

You can change RP's display of domain level much as you can in NoScript. The only difference is that in NS, you can make the menu show *both* the base 2nd-level domain, like ebay.de, *and* full (sub)domains, like kleinanzeigen.ebay.de, *and* full addresses, like http: //kleinanzeigen.ebay.de. (I usually choose the first and third, but it's each user's choice.)
With RP, you have to choose only one of the above. So you could choose the second or third, should you wish.
RP > Preferences > General

I hope Justin Samuel isn't mad at me for infringing on his support turf. ;)
wupna wrote:Thanks again and have a nice day.
You're very welcome, and you too. :)
wupna wrote:Edit: I forgot to mention that I have to whitelist kleinanzeigen.ebay.de in Ghostery, too, of course. Ok, that's another downside because there are now all services allowed for that domain as you cannot specifically in- or exclude only a few (the ones not necessary might be blocked by RequestPolicy now though as they're still blocked there).
If *any* add-on, such as NS or RP, blocks a given script, object, or request, then it cannot get through, regardless of whether other add-ons allow it.
Imagine that you didn't have these other add-ons. The things are blocked by NS and RP. Adding the add-on doesn't cancel the blocking by NS/RP.

@ Tom.de:
anonymous_user wrote:Thanks wupna for the ABE script, works fine here, too.
Glad to hear that. Will look at your thread a little later.
That one has to allow GA globally (and its listing as allowed on other sites too - even it is not) I find also a little suspect.
Maybe this would be a further enhancement from Giorgio worth? :-)
I don't think you quite fully understand ABE. It is partially independent of NoScript's permissions, but it can act only on that which it is given.
So you must allow GA through NS, or else it will never make it to ebay.de, and your problem persists.
ABE's closing rule, "Deny", is shorthand for what was said to wupna:
you have instructed it to "Deny (everywhere else on the planet)".
So no, GA is still not allowed to run elsewhere.

Imagine that you have a guard at your front gate, and another at the door to your home. The first guard lets a visitor through, but the guard at the door says, "I'm sorry, you're not allowed." So the unwanted visitor must leave. Is that a good analogy?

In any event, NoScript 3.x for the desktop will eliminate all this, by including script-permission capability on a site-by-site basis, thus no longer requiring the use of ABE for this purpose.

But until then, the rule is quite safe in prohibiting GA everywhere else. ABE is still guarding the door. ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
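
The two checks discussed in this thread (the NoScript allow list, then the ABE ruleset) and the leading-dot shorthand, as a simplified JavaScript model added here; it is not NoScript's or ABE's own code. It handles host-name patterns only, and the function names, the allow-list representation and the `m.kleinanzeigen.ebay.de` host are assumptions made for the example.

```javascript
// Simplified model (added example): host-name patterns only. Real ABE also
// handles schemes, regular expressions, request methods and other actions.

// "example.com" = exact host, "*.example.com" = subdomains only,
// ".example.com" = the host itself plus every subdomain (leading-dot shorthand).
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  if (pattern.startsWith(".")) return host === pattern.slice(1) || host.endsWith(pattern);
  return host === pattern;
}

// Parse "Site ..." lines followed by "Accept|Deny [from origin ...]" predicates.
function parseRuleset(text) {
  const rules = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const words = raw.trim().split(/\s+/);
    if (words[0] === "" || words[0].startsWith("#")) continue;
    if (words[0] === "Site") {
      current = { sites: words.slice(1), predicates: [] };
      rules.push(current);
    } else if (current && (words[0] === "Accept" || words[0] === "Deny")) {
      const i = words.indexOf("from");
      current.predicates.push({ action: words[0], origins: i < 0 ? null : words.slice(i + 1) });
    }
  }
  return rules;
}

// Second guard: the first predicate that matches the request's origin decides.
function abeDecision(rules, originHost, destHost) {
  for (const rule of rules) {
    if (!rule.sites.some((p) => hostMatches(p, destHost))) continue;
    for (const pred of rule.predicates) {
      const anyOrigin = pred.origins === null; // bare "Deny" applies to every origin
      if (anyOrigin || pred.origins.some((p) => hostMatches(p, originHost))) return pred.action;
    }
  }
  return "Accept"; // no rule covers this destination, so ABE stays out of the way
}

// A script runs only if the allow list (first guard) and ABE (second guard) both agree.
function scriptRuns(allowList, rules, pageHost, scriptHost) {
  const allowed = allowList.some((p) => hostMatches(p, scriptHost));
  return allowed && abeDecision(rules, pageHost, scriptHost) === "Accept";
}

const RULESET = `# google-analytics.com rule
Site google-analytics.com *.google-analytics.com
Accept from kleinanzeigen.ebay.de
Deny`;
const SHORTHAND = RULESET.replace("from kleinanzeigen", "from .kleinanzeigen");
const ALLOW_LIST = [".google-analytics.com"]; // stands in for "allowed in the NoScript menu"
const GA = "www.google-analytics.com";

// The third host is a constructed subdomain, used to show the leading-dot difference.
for (const page of ["kleinanzeigen.ebay.de", "www.ebay.de", "m.kleinanzeigen.ebay.de"]) {
  const exact = scriptRuns(ALLOW_LIST, parseRuleset(RULESET), page, GA);
  const dotted = scriptRuns(ALLOW_LIST, parseRuleset(SHORTHAND), page, GA);
  console.log(`${page}: exact rule=${exact}, leading-dot rule=${dotted}`);
}
```

With an empty allow list the first guard already refuses the script, which is why the thread's rule only takes effect once google-analytics.com is allowed in the NoScript menu.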
wupna
Junior Member
Posts: 20
Joined: Tue Nov 01, 2011 2:08 pm

Re: auto-allow google-analytics.com only while on certain si

Post by wupna »

Hi Tom, thanks again for your reply. Unfortunately manually allowing kleinanzeigen.ebay.de (origin) to google-analytics.com (destination) does not work it seems. I mean I can of course put it into the list but the site is not working as desired afterwards. It only works if I allow ebay.de to google-analytics. RP is configured to display domains and not hosts or full URLs. :?:
Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: auto-allow google-analytics.com only while on certain si

Post by Tom T. »

wupna wrote: It only works if I allow ebay.de to google-analytics. RP is configured to display domains and not hosts or full URLs. :?:
That's the problem. Configure RP to show full domain names.
Then follow the above steps on the origins-to-destinations tab.

You will also have to give RP permission from
kleinanzeigen.ebay.de to imgc.classistatic.com,
and possibly also from
kleinanzeigen.ebay.de to img1.classistatic.com.

If other subdomains of classistatic.com show up in the RP menu, you may have to add them as well.
Once RP is configured to show full domains, you can allow them temporarily, or permanently whitelist them, with clicks on the menu, just as in NS.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
wupna
Junior Member
Posts: 20
Joined: Tue Nov 01, 2011 2:08 pm

Re: auto-allow google-analytics.com only while on certain si

Post by wupna »

Hi Tom, thanks for the hint. I'm still struggling to allow on a full-domain basis because I see a lot of future configuration work coming. Till now the simple domain policy felt to be a good compromise between comfort and security. I will think about allowing full domains in the future but might need some time for that. The other way I see is to contact Justin Samuel about it. Thanks again for all your efforts and have a nice day :)
Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: auto-allow google-analytics.com only while on certain si

Post by Tom T. »

wupna wrote:I'm still struggling to allow on a full-domain basis because I see a lot of future configuration work coming.
Agree. After changing RP to full addresses, I experienced difficulty with Yahoo Mail, which had been configured with 3rd-level permissions in NS, but 2nd-level (base domain name) in RP.
Suddenly, I had to add a lot of things to RP to use the mail.
wupna wrote: Till now the simple domain policy felt to be a good compromise between comfort and security.
GMTA. (great minds think alike ;) ) I came to that same conclusion, and reverted RP to base domains.

I think you're OK with RP allowing ebay.de to the required destinations.
Please note that you can still keep NS more finely tuned, allowing only kleinanzeigen.ebay.de rather than just ebay.de.
wupna wrote: The other way I see is to contact Justin Samuel about it.
I'm not sure what he could do about it?

What we're demonstrating, which was already known, is that sites make many requests for *non-executable* content, such as still images, that NoScript does not target. Its purpose is to protect users from *executable* content - scripts, Java, Flash, etc. -- that can be potentially damaging, rather than merely privacy-invasive.

Let RP block requests to advertisers and such, and then the infamous "Web bugs" cannot be placed.

And if Giorgio can indeed make the GA surrogate work at your site, then all is well in privacy-land as well.
Thanks again for all your efforts and have a nice day :)
Immer ein Vergnügen, mit solchen kooperativen Benutzern zu plaudern. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
wupna
Junior Member
Posts: 20
Joined: Tue Nov 01, 2011 2:08 pm

Re: auto-allow google-analytics.com only while on certain si

Post by wupna »

I agree with you and your privacy/security concept.
Tom T. wrote:
wupna wrote: The other way I see is to contact Justin Samuel about it.
I'm not sure what he could do about it?
Actually I'm not sure, too. But he's the developer. Maybe it would be possible to allow user specific rules such as kleinanzeigen.ebay.de to google-analytics.com despite domain-only configuration. To assign a higher importance to those more specific rules over simpler rules that would be (thus requests from e.g. ebay.de would still be forbidden everywhere else except that the user specified rule would apply in a given case). I'm not sure though as I'm not a programmer or something.
Tom T. wrote:Immer ein Vergnügen, mit solchen kooperativen Benutzern zu plaudern. :)
Perfect German :) Das Vergnügen ist ganz auf meiner Seite. Vielen Dank.
Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: auto-allow google-analytics.com only while on certain si

Post by Tom T. »

wupna wrote:
Tom T. wrote:
wupna wrote: The other way I see is to contact Justin Samuel about it.
I'm not sure what he could do about it?
Actually I'm not sure, too. But he's the developer. Maybe it would be possible to allow user specific rules such as kleinanzeigen.ebay.de to google-analytics.com despite domain-only configuration. To assign a higher importance to those more specific rules over simpler rules that would be (thus requests from e.g. ebay.de would still be forbidden everywhere else except that the user specified rule would apply in a given case). I'm not sure though as I'm not a programmer or something.
Aha! :!:

What you would be asking Justin for -- and of course, I don't know if he's able, or willing, to do it -- is to allow separate levels of domain granularity for origins and for destinations.

Perhaps for all: "Configure origins with full addresses, but domains with base domain names."
Then all he has to do is add a second set of radio buttons for the Preferences > General tab, and label one "Origins", and the other "Destinations".

And maybe a checkbox, checked by default, "Use same settings for both". -- or maybe this is not necessary.

Or, as you said, allow custom rules in the Origins-to-Destinations box, in which, as you said, RP would honor user choice first, rather than the defaults.
So I could leave all my Yahoo RP permissions as base domains (works fine), while our custom kleinanzeigen.ebay.de > classistatic.com rule would actually work.

It's his turf, which is why I'd rather not make the request -- a team member from one product telling another developer how to do his project.
Which is also why I haven't looked at his code, and don't intend to.
But you could certainly suggest it. It doesn't *seem* as though it would be difficult.
Perhaps no one has ever found a need before. We just did. :)

So of course you may point him to this thread. After all, he is getting many plugs for his fine product here. :D
(It was originally recommended to me by Giorgio himself. Can't get a better endorsement than that, at least IMHO.)

Starting to get a bit O/T here, but if he gives you a reply, I'm sure a lot of people here would be interested. I certainly would.
wupna wrote:
Tom T. wrote:Immer ein Vergnügen, mit solchen kooperativen Benutzern zu plaudern. :)
Perfect German :) Das Vergnügen ist ganz auf meiner Seite. Vielen Dank.
Ich betrüge. ;) Mein Gedächtnis von der Schule ist arm, also erfrische ich sie mit einem on-line-Wörterbuch.

In the US, there are many more opportunities to practice one's Spanish than one's German. (Surprise!)
So the Spanish remains somewhat usable, but the German fades with age. :cry:

Bis später,
Tom
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
wupna
Junior Member
Posts: 20
Joined: Tue Nov 01, 2011 2:08 pm

Re: auto-allow google-analytics.com only while on certain si

Post by wupna »

Ok, thank you Tom. I get your points. I will think into it later and decide if I'll contact Justin or not. There are also many issues and requests which can be publicly viewed at his github-page: https://github.com/RequestPolicy/requestpolicy/issues. Maybe there's already something like that in it. I might go through this first.

@German/Spanish: I lost my French from school, too. That's similar I guess ;)
Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: auto-allow google-analytics.com only while on certain si

Post by Tom T. »

wupna wrote:@German/Spanish: I lost my French from school, too. That's similar I guess ;)
As we say, "Use it or lose it."

I think we're done here, but please feel free to post anything further about RP in, perhaps, Forum Extras > Web Tech. I'm sure many would be interested.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25