How to add custom site exclusions to NoScript
NoScript is a powerful add-on for the Firefox web browser that gives you control over web scripts and several other security-related features.
Its core feature is blocking the scripts that websites load, which improves both security and privacy.
That requires some initial configuration on the user's part, as some websites stop working partially or entirely once the add-on is installed, but it is held in high regard by security-conscious users.
Scripts can be enabled temporarily or permanently. Permanent whitelisting makes sense for a service you use regularly and trust, so that you don't have to whitelist it temporarily on every visit.
Sometimes you come across scripts that you want to enable on select sites only. You may want to enable scripts from Facebook domains on Facebook itself, for instance, but not on third-party sites.
Or, to take a recent example closer to home, enable advertising domains here on Ghacks but not generally.
This cannot be done in the frontend: if you enable a script temporarily or permanently there, that permission applies on every site you visit.
Enter ABE, NoScript's Application Boundaries Enforcer. It is a powerful module that allows you to add custom configurations to NoScript.
The system looks complicated at first glance because it uses its own syntax to define rules. Each rule is made up of directives:
- Site defines the resources the rule applies to, that is, the targets of web requests. A resource can be a site address, a single page on a site, or global.
- Actions such as Accept and Deny define what is and what is not allowed, or how requests are handled. An action can be restricted to certain request types (for example inclusions of scripts, objects or subdocuments) and to certain origins with "from".
Examples
One of the examples given on the NoScript website is the following one:
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
It defines facebook.com and fbcdn.net (and their subdomains) as the resources the rule applies to, accepts every request to them that originates from those same domains, and denies the inclusion of scripts, plugin objects and subdocuments (frames) from them on pages of any other origin. Requests from other origins that the rule does not name, a link click or an image load for instance, are not covered by it and stay allowed.
If you want to allow advertising scripts to run on Ghacks but not on other sites, you can add the following rules to NoScript:
Site .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com
Accept from .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com https://www.ghacks.net
Deny
This allows the ad scripts to run when the page including them is Ghacks. Because the final action is a bare Deny, any other request to those domains is blocked, including visiting them directly. If you want to support other websites this way, simply add them to the list of accepted origins.
Adding rules
Rules are added in the NoScript options. To open them, either load about:addons and click the Options button next to NoScript, or open the options from one of the extension's menus.
There, switch to the Advanced tab and then to ABE.
To add a rule, write it directly in the user section or paste it in. Afterwards it is still necessary to whitelist the domains in question in NoScript's regular script blocking, as ABE is enforced separately from it.
Once you do, the rules are enforced automatically. This means you can use NoScript to define exceptions that apply only on some sites.
Overall this shit is just TOO MUCH of a pain in the ass to endlessly configure. Almost have to be a damn coder or something. I recall that it USED to have a permanent exception option years ago that no longer seems to be the case and now you have to write up your own scripts. Pain in the damn ass all the time!
Scripting? Guess what!
WILL NEVER HAPPEN!!!!
You *nix programmers MUST learn the mantra:
“No scripting, GUI only”
Repeat over a million times:
“No scripting, GUI only”
“No scripting, GUI only”
“No scripting, GUI only”
“No scripting, GUI only”
“No scripting, GUI only”
And get someone who CAN design a GUI, YOU CAN’T! Neither can the bloke at the other desk.
You need an ANTHROPOLOGIST who CAN tell how people want to use the GUI.
You, coders, must be locked up in the lowest basement, fed pizza and coke but you are not allowed to get close to any user-interface design.
@chef-koch, I’m not understanding your post. Could you restate?
I believe he's referring to ad blocking based on the operating system hosts file, e.g. http://winhelp2002.mvps.org/hosts.htm
And yes, if you have multiple layers of adblocking, then of course you need to configure all of them.
You should notice that this isn't enough in most cases, since for most people using a hosts file it doesn't matter if you whitelist it in NoScript alone; it needs to be applied in the hosts file too. … And of course in any external ad blocker like Adblock, uMatrix or uBlock.
Thrawn or Martin, can you say more about INCLUSION? I don't understand this. I have noticed that if I set DENY then I cannot go to the website I listed in the ABE rule if it appears in the listings of a search engine's search results. But if I set DENY INC then I can.
What is the difference between DENY and DENY INC? What does DENY protect against that DENY INC does not? What exactly are we settings with these?
This is explained in the ABE documentation, at http://noscript.net/abe/abe_rules.pdf, section 1.2
The short answer is, INC only applies to resources (eg images, scripts, styles, frames), not the site in the address bar.
Actually it would make sense to use INC for an adblocking rule:
Site .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com
Accept INC from .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com .ghacks.net
Deny
As mentioned in the first comment, more detailed support is available at the forums.
Actually, your suggested rule would not just *isolate* example.com, but completely take it off the web (for you). If you want it to be able to load at all, at least when you type example.com in the address bar, then you need to explicitly say so:
Site .example.com
Accept from SELF
Deny
You can also use SELF+ or SELF++ to be more forgiving about different port numbers and subdomains (see documentation).
There certainly are attacks that don’t rely on including resources, and could only be blocked with a complete Deny. You can launch some kinds of CSRF and XSS using redirection, for example. It also makes sense to use a simple Deny for the single built-in rule – which isolates your local network – because tampering with your router tends to involve weirdness around DNS resolution etc.
Oh, this helps. Thank you! So if I set
Site .example.com
Deny
I am saying do not allow anything to connect to the example.com domain nor any of its hosts. The domain cannot be linked to from other websites/domains, it cannot be redirected to from other websites/domains, none of its scripts or images can be hosted or shown from other websites/domains. In a sense, it completely isolates example.com and all of its hosts from all other entities on the web. Accurate?
Off the top of your head, can you think of a situation where “Deny” thwarts an attack that “Deny INC” does not? “Deny INC” would seem to handle most attacks while still allowing seemingly normal access to the domain. Under what scenarios might “Deny” be a good choice?
Thanks again. Your explanation really helped.
“INC only applies to resources (eg images, scripts, styles, frames), not the site in the address bar.”
If you set:
Site example.com
Deny INC
Then you can visit example.com, click links to it, redirect to it, etc, as long as it is the top-level site, the one in the address bar. But no page will be able to load (INClude) images that are hosted on example.com, or scripts, or show it in a frame/iframe. So INC makes sense for adblocking: you don’t really need to stop yourself from visiting doubleclick.net, if you want to read about their business practices; you just want to stop including their tracking scripts.
Yes, I read the pdf before posting and looked at forum posts as well. But I was hoping for more info because I still don’t have a firm grasp on the concept. Like in my first post, I don’t understand why adding INC results in the different behavior I described in my earlier post.
I would like to do this but friends of friends have reported getting cryptoware infections from simple drive-by downloads of malware from Flash ads, presumably via JS.
You can block Flash even if you allow JavaScript:
Options-Embeddings-Apply these restrictions to whitelisted sites too
NoScript was always a headache to toggle from site to site. What was required on one site to work was also the source of mischief on another and there was no GUI per page to help us see what was what. I’m thinking a big arrow and section highlighting to show us this script loads this part of the page, toggle it on/off ? What I turned on – on one page broke another and there was no hint what to disable and what to block which is why I went with Ghostery instead.
Yes, I did disable it last week after the site loading was taking forever, but after a week of noticing what uBlock does not block and Ghostery did, I re-enabled it. Ghostery isn't site specific, but it does come with info regarding the widgets, scripts, beacons, trackers and advertising components it encounters, and this helps us decide if we need to turn it on/off. It also has a whitelist we can easily add domains to, but it isn't perfect. I find sometimes after I add a site to the list and refresh the page, it will still stop functioning, and only by disabling Ghostery entirely (un-check on the extensions page) can the site load.
So not perfect, but it doesn't break as many pages as NoScript did. And besides, it is easier to use: simply toggle items on/off like a light switch and refresh the page.
Just FYI
NoScript 3.0 is planned to have “Site-specific permissions”
https://forums.informaction.com/viewtopic.php?f=10&t=7987
@Martin Could not click a reply button at your post “That is strange. ABE is enabled in the options, right?”
Yes, ABE is enabled.
Then I don’t know why that is happening unfortunately.
Mr. Martin
Have you thought about applying for Adblock Plus acceptable ads ?
It is a good way to support websites IMO
Apparently not
It is much easier to use uBlock Origin, an extension that combines an ad blocker and a script blocker, especially if you are on a Chromium-based browser…
Yes, but people use NoScript for other reasons. In fact, it’s not primarily an adblocker at all; it is a security tool for controlling active content. The fact that most advertising is based on JavaScript/Flash, and is therefore blocked as well, is a side effect.
Does uBlock Origin protect against cross-site scripting, clickjacking, cursorjacking, cross-zone attacks, or CSRF? NoScript does. Unfortunately, since it is not designed as an adblocker, it doesn’t have the same flexibility in terms of allowing scripts only in certain locations (because example.com either *is* going to attack your computer, or *isn’t*, and location doesn’t matter).
I want to support Ghacks, so I turned off uBlock for this site, whitelisted ghacks.net in NoScript and added this script in the ABE tab:
Site .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com
Accept from .doubleclick.net .googleadservices.com .googlesyndication.com .googletagservices.com https://www.ghacks.net
Deny
But I still don’t see the ads on your site.
I would like this to work but perhaps someone can help me.
Is there something else I should do?
Peter
I had the same problem as well. I found that in the Embeddings tab in NoScript I had ticked the check box "Apply these restrictions to whitelisted sites too"; unticking it fixed that problem for me. Now if I can just remember to switch Bluhell blocker off before I get to this site!
Hello again. Well, after looking at it, it's an iframe problem I think? I have unticked "Forbid IFRAME" and re-ticked "Apply these restrictions to whitelisted sites too", and Martin's ads are getting through. NoScript, it's a love/hate relationship!
Just a thought, but as the picture shows there is a # at the start of the text "user defined rules…". Presumably that line is excluded from being read, so it can be a comment? Does this require an end tag, need to be deleted, or a new line perhaps?
Yes, # indicates a single-line comment.
The full specification is at https://noscript.net/abe/abe_rules.pdf
Did you whitelist the sites as well?
If you’ve whitelisted the four ad sites, then you’re doing it right.
The regular script-blocking is a completely separate feature from ABE. As far as the script-blocking is concerned, the sites are globally whitelisted, but ABE comes along separately, applies its own rules, and blocks the requests. You can see it happen in the Browser Console (Ctrl+Shift+J).
When I whitelist
doubleclick.net
googleadservices.com
googlesyndication.com and
googletagservices.com
they are whitelisted globally in spite of the script under the ABE tab.
That is strange. ABE is enabled in the options, right?
:D You’re welcome, Martin.
Caveat: It’s easy to get ABE rules backwards at first. Always remember that ‘Site’ is the *target of a web request*. So, what we want in this case is to say, eg, “Requests being sent to ‘Site googlesyndication.com’ should be allowed if they come ‘from ghacks.net’ (or from Google itself)”. It’s easy to make the mistake of instead thinking, “I want ghacks to accept scripts from googlesyndication.com” and write the rule backwards.
Why was it designed this way? Mostly because the initial purpose of ABE was to protect sensitive sites against Cross-Site Request Forgery. The original intent was to be able to say things like, “Site bank.com should only accept requests from itself”. The fact that it’s actually a general-purpose content blocker and web application firewall is a bonus.
If you run into trouble, free support and advice is available on the forums: https://forums.informaction.com
Thanks for the added explanation. I have to agree that I would have found it more intuitive the other way around ;)