Help with ABE rule

Discussions about the Application Boundaries Enforcer (ABE) module
netsecure
Posts: 6
Joined: Wed Jan 25, 2012 7:35 am

Help with ABE rule

Post by netsecure »

I'm trying to create a rule that allows a specific site to ONLY load content from the same domain using something like:

Code: Select all

Site *.google.com
Accept from SELF
Deny
However, how can I make an exception for another site that google.com tries to load?

For example, if google.com tries to load something from googleapis.com, how can I allow google.com to ONLY make an exception for this domain?

Thanks!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Help with ABE rule

Post by Tom T. »

Code: Select all

Site .google.com .googleapis.com
Accept from .google.com
Deny
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
netsecure
Posts: 6
Joined: Wed Jan 25, 2012 7:35 am

Re: Help with ABE rule

Post by netsecure »

Tom T. wrote:

Code: Select all

Site .google.com .googleapis.com
Accept from .google.com
Deny
Thanks! So, if I need to add another exception for google.com, I just need to add another site after .googleapis.com, like:

Code: Select all

Site .google.com .googleapis.com .anothersite.com
Accept from .google.com
Deny
Is this correct?

Thanks again!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Help with ABE rule

Post by Tom T. »

netsecure wrote:Thanks! So, if I need to add another exception for google.com, I just need to add another site after .googleapis.com, like:

Code: Select all

Site .google.com .googleapis.com .anothersite.com
Accept from .google.com
Deny
Is this correct?
Yes.

You may add as many sources or sites as you like on any Site or Accept line, separated by a single blank space, so long as your intended rule does indeed apply to all of them.
netsecure wrote:Thanks again!
You're very welcome.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
netsecure
Posts: 6
Joined: Wed Jan 25, 2012 7:35 am

Re: Help with ABE rule

Post by netsecure »

This is strange. I added the rule to ABE under the USER Ruleset, and yet it still loads/executes javascript from external sources.

Just to simplify things, and to see if ABE is even working, I tried EACH of these simple rules (one at a time) on a site that loads some external scripts:

Code: Select all

Site .test.com
Accept from .test.com
Deny

Code: Select all

Site .test.com
Accept from .test.com
Deny INCLUSION

Code: Select all

Site .test.com
Accept from SELF
Deny

Code: Select all

Site .test.com
Accept from SELF
Deny INCLUSION
None of these rules seem to work. I'm using FF 9.0.1 and the latest version of NoScript.

Any ideas what I'm doing wrong? Thanks!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Help with ABE rule

Post by Tom T. »

At the risk of stating the obvious, is "Enable ABE" checked in NS Options > Advanced > ABE?

Can you provide a specific site, and the rule(s) that fail? - or where all of the above rules fail?
I'll probably be online a bit later to try them, but in general, the first one looks good.

Please keep in mind that using method types like INCLUSION will block *only* inclusion sub-requests, and not top-level script loads, as per the ABE Rules .pdf. Edit: n/m, you seem to have that concept, in allowing the top scripts but not the inclusions. (This is what happens when hungry. I'll be sharper after dining, thanks. ;) )
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
netsecure
Posts: 6
Joined: Wed Jan 25, 2012 7:35 am

Re: Help with ABE rule

Post by netsecure »

Tom T. wrote:At the risk of stating the obvious, is "Enable ABE" checked in NS Options > Advanced > ABE?

Can you provide a specific site, and the rule(s) that fail? - or where all of the above rules fail?
I'll probably be online a bit later to try them, but in general, the first one looks good.

Please keep in mind that using method types like INCLUSION will block *only* inclusion sub-requests, and not top-level script loads, as per the ABE Rules .pdf. Edit: n/m, you seem to have that concept, in allowing the top scripts but not the inclusions. (This is what happens when hungry. I'll be sharper after dining, thanks. ;) )
Hi again, Tom...

Yes, I checked and re-checked, and ABE is definitely enabled.

Sure, as an example, here's just one site that tries to load the AddThis bookmark widget:

http://www.articlecity.com/articles/computers_and_internet/article_6263.shtml

In the source code of that page, it shows:

Code: Select all

<script type="text/javascript" src="http://s7.addthis.com/js/152/addthis_widget.js"></script>
If you hover the mouse over the button that says "Share", a menu appears. Plus, those Google ads are still loading too. :?

ABE is independent from NoScript and the whitelist, right? So, ABE should work regardless of the other settings in NoScript?

Thank you very much for your help!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Help with ABE rule

Post by Tom T. »

Investigating, thanks.

Quick edit: It doesn't matter what the source code says. That shows only what the site *wants* to do. -- call here and there. (Edit: Other than scripts embedded in the page itself, vs. called from a third-party source.)

For a real-time view of what's actually loading, without getting into packet-sniffers and other geek toys, get the JSView add-on. It will show what scripts have *actually* loaded -- there should be a "size" instead of ??, and double-clicking the script's name in the JSV display box displays the script's code (as opposed to the site's source code).

For this purpose, it doesn't matter whether one can read Javascript.
If it's blocked, the code display should show a blank page. If JSView can't read the script, neither can the site.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Help with ABE rule

Post by Tom T. »

netsecure wrote:ABE is independent from NoScript and the whitelist, right? So, ABE should work regardless of the other settings in NoScript?
Correct.

I added the following ABE USER rule *after leaving your site* -- is that a possible issue? Cache, and what not? Add ABE rules when you're not at the site in question.

Code: Select all

Site .addthis.com .google.com .google-analytics.com .5min.com .googlesyndication.com
Accept from z9hser.drhpoeyt
Deny
("Accept" line is not required, but I figured you must want to allow these things somewhere, so it's there as a placeholder for your permitted sites.)

Now, back to your site:

JSView shows the following script names, sizes, and, after 2-clicking the script name, code contents in its pop-up window:

Code: Select all

http://pagead2.googlesyndication.com/pagead/show_ads.js

(Four times). Size = ?? 2-click each = blank page in JSV pop-up.

Code: Select all

http://s7.addthis.com/js/152/addthis_widget.js
Size = 23.2 kb. 2-click = blank page.
Hovering the mouse still shows the destination of addthis, but clicking on it produces a lovely message bar at the top of the page, saying that ABE denied the request, and Error Console > blue Info gives this:

Code: Select all

[ABE] <.addthis.com .google.com .google-analytics.com .5min.com .googlesyndication.com> Deny on {GET http://www.addthis.com/bookmark.php <<< http://www.articlecity.com/articles/computers_and_internet/article_6263.shtml - 6}
USER rule:
Site .addthis.com .google.com .google-analytics.com .5min.com .googlesyndication.com
Accept from z9hser.drhpoeyt
Deny

Code: Select all

http://pshared.5min.com/scripts/PlayerSeed.js 
Size = ?? 2-click = blank page.

Code: Select all

http://www.google.com/friendconnect/script/friendconnect.js

Size = ?? 2-click = blank page

Code: Select all

http://www.google-analytics.com/ga.js
?? = blank page.

No ads visible, either.

Isn't "nothing" sometimes a beautiful sight? ;)

And you are my final "customer" of this session, so on that note, I bid adieu for a good while.
If you have other issues, I'm sure someone else will help if available, or I expect to be back on in the next 12-24 hrs, Life permitting.

Cheers,
Tom
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
netsecure
Posts: 6
Joined: Wed Jan 25, 2012 7:35 am

Re: Help with ABE rule

Post by netsecure »

Hi Tom...

Actually, I don't want to allow any of those scripts to execute on that page (or any page).

I'm just trying to block ALL 3rd party scripts, while ONLY allowing scripts from the same domain (and perhaps a few exceptions like googleapis.com).

I've tried every combination, and nothing seems to work. :(

I read the ABE documentation at: http://noscript.net/abe/

At the bottom of the page it uses this example:

Code: Select all

# This one allows Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
It still doesn't work.

Thank you very much for your help and effort! I really appreciate it.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Help with ABE rule

Post by Tom T. »

netsecure wrote:Actually, I don't want to allow any of those scripts to execute on that page (or any page).
If any such are in your whitelist, including the Default Whitelist, remove them. The remainder will be blocked by NoScript's default-deny policy.

You can mark them as Untrusted, should you like. Doesn't change the fact that they'll be blocked anyway, but then they don't constantly show in the menu.
Less annoying, and keeps the menu shorter.
netsecure wrote:I'm just trying to block ALL 3rd party scripts, while ONLY allowing scripts from the same domain (and perhaps a few exceptions like googleapis.com).

I've tried every combination, and nothing seems to work. :(

I read the ABE documentation at: http://noscript.net/abe/

At the bottom of the page it uses this example:

Code: Select all

# This one allows Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
It still doesn't work.
Per Rule 1.3 in the .pdf, could you please try using SELF++ instead of SELF?
SELF is too strict in matching, including even the port number, whereas SELF++, as the rule says, matches all base 2nd-level domains. (site.com, *.site.com, site.com/something, etc.)

If that doesn't work, please again provide an actual example - the site, the unwanted scripts that seem to be running (did you try the JSView add-on?), and the rule(s) you've tried.
netsecure wrote:Thank you very much for your help and effort! I really appreciate it.
My pleasure. We'll get this solved. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
netsecure
Posts: 6
Joined: Wed Jan 25, 2012 7:35 am

Re: Help with ABE rule

Post by netsecure »

Ok, I removed everything from my whitelist (including the default list).

I've also allowed ALL "Global Scripts" to execute, to test ABE (since you said that ABE is independent from NoScript, right?).

I also tried using SELF++ instead, and NoScript still allows 3rd party scripts.

Here's another good example that I found:

http://www.myimager.com

If I tell NoScript to ONLY allow scripts from "myimager.com", it still allows several pop-up windows from FastClick (a 3rd party ad service).

Shouldn't ABE be blocking ALL GET requests from 3rd party ad services such as FastClick? I'm confused.

Thanks again for your help! :D
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Help with ABE rule

Post by Tom T. »

Wow, I can't believe that no one stepped in while I had to take a hiatus to start dealing with 2011 Income Tax stuff. :evil:

I can't reproduce the myimager issue. Even with no pertinent ABE rule, Fastclick doesn't even show in the menu unless google-syndication is TA'd, and NS still blocks Fastclick, unless you TA it. G-S is a happy resident of my Untrusted list, which solves a lot right there. :)

In reflecting on your goal -- to allow from Self only -- not good. See, for example, the recently-updated section of NoScript Quick Start Guide, that many sites use "cdn", "img", or "static" script names to store and serve some of their legitimate content.

For example, if you were to visit maps.google.com, under our Self-rules, only that script would be allowed. Yet the site will not function properly without script from gstatic.com. Being a different domain, the self-only rule will break a lot of such sites -- and the number of them is increasing.

Blacklist all the major ad players as they appear, and give some thought to the above. A single universal rule just might not be feasible. I'll think about it, too. Sorry if the replies are intermittent, but one has to pay taxes and make a living. :(
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Help with ABE rule

Post by Thrawn »

netsecure wrote:Hi Tom...

Actually, I don't want to allow any of those scripts to execute on that page (or any page).

I'm just trying to block ALL 3rd party scripts, while ONLY allowing scripts from the same domain (and perhaps a few exceptions like googleapis.com).

I've tried every combination, and nothing seems to work. :(
Maybe I'm misunderstanding, but do you actually want something like this?

Code: Select all

Site *
Accept from SELF++
Deny
In plain English: every site is allowed to send requests only to itself and other subdomains of the same parent domain. It would go at the end of the USER ruleset, so that any more specific rules take precedence.

However, take note: This rule is highly restrictive. It will break a very large number of sites, and you'll have to write exceptions for them by hand. If you really want to block all cross-site requests, then you may be better off using RequestPolicy. See Giorgio's view on the subject.

ETA: You can soften the ABE rule somewhat by using Sandbox instead of Deny. It will still break lots of sites (but fewer of them).
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Help with ABE rule

Post by Tom T. »

Thrawn wrote:In plain English: every site is allowed to send requests only to itself and other subdomains of the same parent domain.....
Regardless of whether this is done with ABE or with RequestPolicy, it still doesn't address the increasing use of secondary servers for more-or-less static content, as in my previous post.
fbcdn.net is not a sub-domain of Facebook.com. ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
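
The rule shapes discussed in this thread can be checked offline with a small model. The following is an added example, not NoScript's code and not from any poster; it assumes a simplified first-match evaluation, a two-label "base domain" for SELF++, and SELF as an exact scheme/host/port match as described above. The function names are hypothetical.

```javascript
// Simplified model of ABE rule evaluation; method filters such as INCLUSION are not modelled.
// Assumption: base domain = last two host labels (real code needs a public-suffix list).
const baseDomain = host => host.split('.').slice(-2).join('.');
// "*" matches any host, ".example.com" matches example.com and its subdomains.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('.')) return host === pattern.slice(1) || host.endsWith(pattern);
  return host === pattern;
}
function originMatches(pattern, origin, dest) {
  if (pattern === 'SELF') return origin.origin === dest.origin; // scheme, host and port
  if (pattern === 'SELF++') return baseDomain(origin.hostname) === baseDomain(dest.hostname);
  return hostMatches(pattern, origin.hostname);
}

function parseRules(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [word, ...rest] = line.split(/\s+/);
    if (word === 'Site') { rules.push({ sites: rest, predicates: [] }); continue; }
    if (!rules.length || !['Accept', 'Deny'].includes(word) || (rest.length && rest[0] !== 'from'))
      throw new Error(`unsupported rule line: ${line}`);
    rules[rules.length - 1].predicates.push({ action: word, from: rest.slice(1) });
  }
  return rules;
}

// Assumption: the first predicate that matches, in the first rule whose Site line
// matches the destination, decides; with no match the request is left alone.
function decide(rules, originUrl, destUrl) {
  const origin = new URL(originUrl), dest = new URL(destUrl);
  for (const rule of rules) {
    if (!rule.sites.some(p => hostMatches(p, dest.hostname))) continue;
    for (const { action, from } of rule.predicates)
      if (!from.length || from.some(p => originMatches(p, origin, dest))) return action;
  }
  return 'Accept';
}

// Rules taken from the thread: the googleapis exception, then the catch-all.
const USER_RULES = parseRules(`
Site .google.com .googleapis.com
Accept from .google.com
Deny
Site *
Accept from SELF++
Deny`);
```

Under this model, `decide(USER_RULES, 'https://www.facebook.com/', 'https://static.fbcdn.net/a.js')` (a constructed URL) returns `'Deny'`, which is the CDN breakage described in the last posts, and a misspelled action keyword is rejected by `parseRules` instead of being silently ignored.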