Allow Facebook.com only on Facebook


Post by Bunda »

Hello,

I would like to allow Facebook.com script only on Facebook.com but on no other internet page. I think it is similar to this:
5.4
Q: I'm worried by the fact some sites require the akamai.net domain to be whitelisted. I'd prefer not to allow it everywhere, but only on some parent sites I trust. How can I do it?
A: You can use ABE to this effect, by adding the following rule to your NoScript Options|Advanced|ABE USER ruleset:

Site .akamai.net
Accept INCLUSION from SELF++
Accept INCLUSION from .trusted-site1.com .trusted-site2.com trusted-site3.com
Deny

Notice the leading dot "." before domains, which is syntactic sugar for site.com *.site.com, i.e. a domain and its subdomains.
It should also be noted that, independently from this rule, external scripts are never loaded from pages which don't belong to a whitelisted site, hence no malicious website you didn't explicitly whitelist could execute scripts from akamai.net anyway.

However, I don't know what rule I have to add since it is not exactly the same (as far as I can tell). Please let me know if this is possible and how it works. I'm not really into this stuff :cry:

Re: Allow Facebook.com only on Facebook

Post by GµårÐïåñ »

A simple search of the forum would have yielded TONS of topics where this has been discussed and various rules have been provided. In fact it is given as an example on the http://www.noscript.net/abe page.

# This one allows Facebook scripts and objects to be included only from Facebook pages
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

Further information is provided on the www.noscript.net page by clicking on the FAQ link at the top and then on the ABE link to get this:
8.10
Q: Can I use ABE to fine-tune NoScript's permissions?
A: While ABE's main purpose is providing anti-CSRF protection, you can certainly use it to conditionally block certain HTTP requests depending on their origin and destination URLs, in order to add more granularity to NoScript's traditional domain-based whitelist.
For instance, you may want to allow scripts from google-analytics.com to be executed on www.friend.com and www.friend2.com but fail on www.foe.com and any other web site. You can do it by opening NoScript Options|Advanced|ABE, selecting your USER ruleset, and adding the following rule in the text box:

# google-analytics.com rule
Site google-analytics.com *.google-analytics.com
Accept from friend.com *.friend.com friend2.com *.friend2.com
Deny

Notice that since ABE's rules work independently from NoScript's permissions, you need to "Allow google-analytics.com" in NoScript's menu for the above to work.
Notice also that, independently from ABE, even if a certain script source is whitelisted in NoScript it won't run as a 3rd party script on pages whose origin is not whitelisted itself.

You can also use finer grained Deny INCLUSION rules which allow some web sites (e.g. Facebook) to work and be linked by other web sites, but not to embed iframes, plugins, and scripts (or other kind of inclusions, if you wish) in 3rd party web pages:

# facebook.com containment rule
# This rule allows Facebook scripts objects and frames to be included only
# from Facebook pages and apps
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net .mafiawars.com .eamobile.com
Deny INCLUSION

More info in ABE's docs.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
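An added example, not part of the thread and not NoScript's own code: a simplified JavaScript model of how the two Facebook rules posted above are matched, assuming the first matching predicate decides. The hostnames, the function names and the `DOC` and `IMAGE` request labels are assumptions of this model, and keywords such as `SELF++` are not handled.

```javascript
// Added example: a simplified model of ABE predicate matching, not NoScript's code.
// ".site.com" means site.com plus *.site.com, as the FAQ quoted above explains.
function hostMatches(pattern, host) {
  if (pattern.startsWith(".")) return host === pattern.slice(1) || host.endsWith(pattern);
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// Parse one rule: a "Site" line, then "Accept|Deny [INCLUSION[(types)]] [from origins]".
function parseRule(text) {
  const lines = text.split("\n").map(l => l.trim()).filter(l => l && !l.startsWith("#"));
  const sites = lines[0].split(/\s+/).slice(1);
  const predicates = lines.slice(1).map(line => {
    const m = /^(Accept|Deny)(\s+INCLUSION(?:\(([^)]*)\))?)?(?:\s+from\s+(.+))?$/.exec(line);
    if (!m) throw new Error("unsupported predicate: " + line);
    return {
      action: m[1],
      inclusion: Boolean(m[2]),
      types: m[3] ? m[3].split(",").map(t => t.trim()) : null,
      origins: m[4] ? m[4].trim().split(/\s+/) : null,
    };
  });
  return { sites, predicates };
}

// First matching predicate wins. "Pass" = this rule takes no action on the request.
// req.type "DOC" is this model's label for a top-level navigation (a followed link).
function evaluate(rule, req) {
  if (!rule.sites.some(p => hostMatches(p, req.dest))) return "Pass";
  for (const p of rule.predicates) {
    const originOk = !p.origins || p.origins.some(o => hostMatches(o, req.origin));
    const typeOk = !p.inclusion ||
      (req.type !== "DOC" && (!p.types || p.types.includes(req.type)));
    if (originOk && typeOk) return p.action;
  }
  return "Pass";
}

const typedRule = parseRule(`Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)`);
const containmentRule = parseRule(`Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net .mafiawars.com .eamobile.com
Deny INCLUSION`);

// Constructed requests: a script embedded by a third party, and a followed link.
const embed = { origin: "news.example.com", dest: "www.facebook.com", type: "SCRIPT" };
const link = { origin: "news.example.com", dest: "www.facebook.com", type: "DOC" };
console.log(evaluate(containmentRule, embed), evaluate(containmentRule, link));
```

In this model the shorter rule leaves `.facebook.net` hosts and non-listed inclusion types untouched, while the containment rule denies every third-party inclusion and still lets a followed link through.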