How to add custom site exclusions to NoScript

Martin Brinkmann
Apr 21, 2015
Security

NoScript is a powerful add-on for the Firefox web browser that gives you control over web scripts and several other security-related features.

Its core feature is the blocking of scripts loaded by websites to improve overall security and also privacy.

While that requires initial configuration on the user's part, as some websites may stop functioning partially or completely after the installation of the add-on, it is held in high regard by security-conscious users.

Scripts can be enabled temporarily or permanently. Permanent whitelisting makes sense if you use a service regularly, trust it and don't want to whitelist it temporarily each time you visit it.

Sometimes, you may come upon scripts that you only want to enable on select sites but not on all. You may want to enable scripts from Facebook domains on Facebook for instance but not on third-party sites.

Or, to take a recent example closer to home, enable advertising domains here on Ghacks but not generally.

This cannot be done in the frontend. If you enable a script temporarily or permanently there, that rule is valid for all sites you visit.

Enter ABE, NoScript's Application Boundaries Enforcer. It is a powerful module that allows you to add custom configurations to NoScript.

The system looks complicated at first glance as it uses a specific syntax to define rules. Each rule is made up of directives that define it.

  • Resources define the boundaries of the rule. A resource can be a site address, a single page on a site or global.
  • Actions define what is and what is not allowed, or how requests are handled.

Examples

One of the examples given on the NoScript website is the following one:

Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

It defines facebook.com and fbcdn.net as the resources the rule is set for, accepts requests to them that come from those same domains, and denies the inclusion of their scripts, objects and subdocuments on all other resources.

If you want to allow advertising scripts to run on Ghacks but not on other sites, you can add the following rules to NoScript:

Site .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com
Accept from .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com https://www.ghacks.net
Deny

This allows the scripts to run here on Ghacks. If you want to support other websites this way, simply add them to the list of accepted origins in the Accept line.
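An added example (not NoScript's code and not part of the original article) that models how the ad rule above is evaluated: "Site" is matched against the destination of a request, "from" against its origin, and the first matching predicate decides. The function names, the sample URLs and the matching semantics coded here are assumptions of the example; it also handles INC predicates, which goes beyond the rule shown.

```javascript
// Illustrative model of ABE rule evaluation; not NoScript's own code.
// Assumed: ".host" covers host + subdomains, scheme patterns compare scheme+host.
function parseRules(text) {
  const rules = [];
  for (const raw of text.split("\n")) {
    const [word, ...rest] = raw.replace(/#.*/, "").trim().split(/\s+/);
    if (!word) continue; // blank line or "#" comment
    if (word === "Site") { rules.push({ sites: rest, preds: [] }); continue; }
    if (!rules.length) throw new Error("predicate before any Site line");
    const i = rest.indexOf("from");
    rules[rules.length - 1].preds.push({
      action: word,
      incOnly: /^INC(LUSION)?\b/.test(rest[0] || ""), // type list is ignored
      from: i < 0 ? null : rest.slice(i + 1),
    });
  }
  return rules;
}

function matches(pattern, url) {
  const u = new URL(url);
  if (pattern.includes("://")) return new URL(pattern).origin === u.origin;
  if (!pattern.startsWith(".")) return u.hostname === pattern;
  return u.hostname === pattern.slice(1) || u.hostname.endsWith(pattern);
}

// req = { dest, origin, inclusion }: origin is null for a typed address,
// inclusion is true for scripts, images, frames and other embedded loads.
function decide(rules, req) {
  for (const rule of rules) {
    if (!rule.sites.some((p) => matches(p, req.dest))) continue;
    for (const p of rule.preds) { // assumed: first matching predicate wins
      if (p.incOnly && !req.inclusion) continue;
      const known = req.origin && p.from && p.from.some((o) => matches(o, req.origin));
      if (!p.from || known) return p.action;
    }
  }
  return "no match"; // ABE does not decide; the script whitelist still applies
}

// The article's ad rule, evaluated against constructed sample requests.
const AD_RULE = `
Site .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com
Accept from .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com https://www.ghacks.net
Deny`;
const ad = "https://ads.googlesyndication.com/show.js"; // constructed URL
for (const origin of ["https://www.ghacks.net/a/", "https://news.example/"]) {
  console.log(origin, "->", decide(parseRules(AD_RULE), { dest: ad, origin, inclusion: true }));
}
```

The same ad script request is accepted when it originates from a Ghacks page and denied from any other site, while requests to destinations not listed under "Site" are not touched by the rule.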

Adding rules

Rules are added in the NoScript configuration. To open the options of the extension, either load about:addons and click on the options button next to NoScript, or open the options from one of the extension's menus instead.

There you need to switch to the advanced tab and then to ABE.

To add a rule, simply write it directly in the user section or paste it in. It is still necessary afterwards to whitelist the domains in question.

If you do, rules are enforced automatically based on that configuration. This means basically that you can define exceptions for some sites only using NoScript.


Comments

  1. Tom said on December 30, 2020 at 9:07 am

    Overall this shit is just TOO MUCH of a pain in the ass to endlessly configure. Almost have to be a damn coder or something. I recall that it USED to have a permanent exception option years ago that no longer seems to be the case and now you have to write up your own scripts. Pain in the damn ass all the time!

  2. Re-design the GUI-NO scripting said on April 6, 2017 at 4:33 pm

    Scripting? Guess what!
    WILL NEVER HAPPEN!!!!

    You *nix programmers MUST learn the mantra:
    “No scripting, GUI only”
    Repeat over a million times:
    “No scripting, GUI only”
    “No scripting, GUI only”
    “No scripting, GUI only”
    “No scripting, GUI only”
    “No scripting, GUI only”

    And get someone who CAN design a GUI, YOU CAN’T! Neither can the bloke at the other desk.
    You need an ANTHROPOLOGIST who CAN tell how people want to use the GUI.
    You, coders, must be locked up in the lowest basement, fed pizza and coke but you are not allowed to get close to any user-interface design.

  3. greg said on April 28, 2015 at 4:20 pm

    @chef-koch, I’m not understanding your post. Could you restate?

    1. Thrawn said on May 7, 2015 at 3:45 am

      I believe he’s referring to adblocking based on the operating system hosts file. Eg http://winhelp2002.mvps.org/hosts.htm

      And yes, if you have multiple layers of adblocking, then of course you need to configure all of them.

  4. CHEF-KOCH said on April 25, 2015 at 5:25 pm

    You should notice that this isn’t enough in most cases, since most people using a host it doesn’t matter if you whitelist it in NoScript alone, it needs to apply also on the hosts. … And of course any external AdBlocker like Adblock, uMatrix or uBlock.

  5. greg said on April 22, 2015 at 5:05 am

    Thrawn or Martin, can you say more about INCLUSION? I don’t understand this. I have noticed that if I set DENY then I cannot go to the website I listed in the ABE rule if it appears in the listings of a search engine’s search results. But if I set DENY INC then I can.

    What is the difference between DENY and DENY INC? What does DENY protect against that DENY INC does not? What exactly are we setting with these?

    1. Thrawn said on April 23, 2015 at 1:07 am

      This is explained in the ABE documentation, at http://noscript.net/abe/abe_rules.pdf, section 1.2

      The short answer is, INC only applies to resources (eg images, scripts, styles, frames), not the site in the address bar.

      Actually it would make sense to use INC for an adblocking rule:

      Site .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com
      Accept INC from .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com .ghacks.net
      Deny

      As mentioned in the first comment, more detailed support is available at the forums.

      1. Thrawn said on April 27, 2015 at 5:29 am

        Actually, your suggested rule would not just *isolate* example.com, but completely take it off the web (for you). If you want it to be able to load at all, at least when you type example.com in the address bar, then you need to explicitly say so:

        Site .example.com
        Accept from SELF
        Deny

        You can also use SELF+ or SELF++ to be more forgiving about different port numbers and subdomains (see documentation).

        There certainly are attacks that don’t rely on including resources, and could only be blocked with a complete Deny. You can launch some kinds of CSRF and XSS using redirection, for example. It also makes sense to use a simple Deny for the single built-in rule – which isolates your local network – because tampering with your router tends to involve weirdness around DNS resolution etc.

      2. greg said on April 24, 2015 at 2:51 pm

        Oh, this helps. Thank you! So if I set

        Site .example.com
        Deny

        I am saying do not allow anything to connect to the example.com domain nor any of its hosts. The domain cannot be linked to from other websites/domains, it cannot be redirected to from other websites/domains, none of its scripts or images can be hosted or shown from other websites/domains. In a sense, it completely isolates example.com and all of its hosts from all other entities on the web. Accurate?

        Off the top of your head, can you think of a situation where “Deny” thwarts an attack that “Deny INC” does not? “Deny INC” would seem to handle most attacks while still allowing seemingly normal access to the domain. Under what scenarios might “Deny” be a good choice?

        Thanks again. Your explanation really helped.

      3. Thrawn said on April 24, 2015 at 12:52 am

        “INC only applies to resources (eg images, scripts, styles, frames), not the site in the address bar.”

        If you set:

        Site example.com
        Deny INC

        Then you can visit example.com, click links to it, redirect to it, etc, as long as it is the top-level site, the one in the address bar. But no page will be able to load (INClude) images that are hosted on example.com, or scripts, or show it in a frame/iframe. So INC makes sense for adblocking: you don’t really need to stop yourself from visiting doubleclick.net, if you want to read about their business practices; you just want to stop including their tracking scripts.

      4. greg said on April 23, 2015 at 4:38 pm

        Yes, I read the pdf before posting and looked at forum posts as well. But I was hoping for more info because I still don’t have a firm grasp on the concept. Like in my first post, I don’t understand why adding INC results in the different behavior I described in my earlier post.

  6. pd said on April 22, 2015 at 4:26 am

    I would like to do this but friends of friends have reported getting cryptoware infections from simple drive-by downloads of malware from Flash ads, presumably via JS.

    1. Thrawn said on April 23, 2015 at 2:41 am

      You can block Flash even if you allow JavaScript:
      Options-Embeddings-Apply these restrictions to whitelisted sites too

  7. Blue said on April 21, 2015 at 8:28 pm

    NoScript was always a headache to toggle from site to site. What was required on one site to work was also the source of mischief on another and there was no GUI per page to help us see what was what. I’m thinking a big arrow and section highlighting to show us this script loads this part of the page, toggle it on/off ? What I turned on – on one page broke another and there was no hint what to disable and what to block which is why I went with Ghostery instead.

    Yes I did disable it last week after the site loading was taking forever but after a week of noticing what uBlock does not block and Ghostery did, I re-enabled it again. Ghostery isn’t site specific, but it does come with info regarding the widgets, scripts, beacons trackers, and advertising components it encounters and this helps us decide if we need to turn it on/off. It also has a white-list we can easily add domains to it, but it isn’t perfect. I find sometimes after I add a site to the list and refresh the page, it will still stop functioning and only disabling Ghostery entirely (un-check on extensions page) can the site load.

    So not perfect but it doesn’t break as many pages as NoScript did. And besides, it is easier to use.. simply toggle items on/off like a light switch and refresh the page.

  8. abcdef said on April 21, 2015 at 3:39 pm

    Just FYI

    NoScript 3.0 is planned to have “Site-specific permissions”

    https://forums.informaction.com/viewtopic.php?f=10&t=7987

  9. Peter said on April 21, 2015 at 11:57 am

    @Martin Could not click a reply button at your post “That is strange. ABE is enabled in the options, right?”
    Yes, ABE is enabled.

    1. Martin Brinkmann said on April 21, 2015 at 12:07 pm

      Then I don’t know why that is happening unfortunately.

  10. abcdef said on April 21, 2015 at 9:43 am

    Mr. Martin

    Have you thought about applying for Adblock Plus acceptable ads ?

    It is a good way to support websites IMO

    1. abcdef said on April 21, 2015 at 4:14 pm

      Apparently not

  11. Dukislav said on April 21, 2015 at 9:21 am

    It is much easier to use uBlock Origin, an extension that combines adblocker and script blocker. Especially if you are on a Chromium-based browser…

    1. Thrawn said on May 7, 2015 at 3:39 am

      Yes, but people use NoScript for other reasons. In fact, it’s not primarily an adblocker at all; it is a security tool for controlling active content. The fact that most advertising is based on JavaScript/Flash, and is therefore blocked as well, is a side effect.

      Does uBlock Origin protect against cross-site scripting, clickjacking, cursorjacking, cross-zone attacks, or CSRF? NoScript does. Unfortunately, since it is not designed as an adblocker, it doesn’t have the same flexibility in terms of allowing scripts only in certain locations (because example.com either *is* going to attack your computer, or *isn’t*, and location doesn’t matter).

  12. Peter said on April 21, 2015 at 8:30 am

    I want to support ghacks, so I turned off ublock for this site, whitelisted ghacks.net in Noscript and added this script in the ABE tab:

    Site .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com
    Accept from .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com https://www.ghacks.net
    Deny

    But I still don’t see the ads on your site.
    I would like this to work but perhaps someone can help me.
    Is there something else I should do?

    1. Tommy said on April 21, 2015 at 6:58 pm

      Peter
      I had the same problem as well, I found that in embeddings tag in noscript I had ticked the check box Apply these restrictions for whitelisted sites too, unticking it fixed that problem for me. Now if I can just remember to switch Bluhell blocker off before I get to this site!

      1. Tommy said on April 21, 2015 at 7:37 pm

        Hello again, well after looking at it it’s an iframe problem I think? I have unticked forbid iframe and reticked Apply these restrictions for whitelisted sites too, and Martin’s ads are getting through, NoScript it’s a love/hate relationship!

    2. Uhtred said on April 21, 2015 at 1:07 pm

      Just a thought, but as the picture shows there is a # at the start of the text “user defined rules…”, presumably that is excluded from being read so one can comment? Does this require an end tag, be deleted, or new line perhaps?

      1. Thrawn said on May 7, 2015 at 3:38 am

        Yes, # indicates a single-line comment.

        The full specification is at https://noscript.net/abe/abe_rules.pdf

    3. Martin Brinkmann said on April 21, 2015 at 8:48 am

      Did you whitelist the sites as well?

      1. Thrawn said on April 23, 2015 at 1:03 am

        If you’ve whitelisted the four ad sites, then you’re doing it right.

        The regular script-blocking is a completely separate feature to ABE. As far as the script-blocking is concerned, the sites are globally whitelisted, but ABE comes along separately, applies its own rules, and blocks the requests. You can see it happen in the Browser Console (Ctrl+Shift+J).

      2. Peter said on April 21, 2015 at 9:10 am

        When I whitelist
        doubleclick.net
        googleadservices.com
        googlesyndication.com and
        googletagservices.com
        they are whitelisted globally in spite of the script under the ABE tab

      3. Martin Brinkmann said on April 21, 2015 at 9:58 am

        That is strange. ABE is enabled in the options, right?

  13. Thrawn said on April 21, 2015 at 7:35 am

    :D You’re welcome, Martin.

    Caveat: It’s easy to get ABE rules backwards at first. Always remember that ‘Site’ is the *target of a web request*. So, what we want in this case is to say, eg, “Requests being sent to ‘Site googlesyndication.com’ should be allowed if they come ‘from ghacks.net’ (or from Google itself)”. It’s easy to make the mistake of instead thinking, “I want ghacks to accept scripts from googlesyndication.com” and write the rule backwards.

    Why was it designed this way? Mostly because the initial purpose of ABE was to protect sensitive sites against Cross-Site Request Forgery. The original intent was to be able to say things like, “Site bank.com should only accept requests from itself”. The fact that it’s actually a general-purpose content blocker and web application firewall is a bonus.

    If you run into trouble, free support and advice is available on the forums: https://forums.informaction.com

    1. Martin Brinkmann said on April 21, 2015 at 7:41 am

      Thanks for the added explanation. I have to agree that I would have found it more intuitive the other way around ;)
