moz-nullprincipal origin for google domains

Discussions about the Application Boundaries Enforcer (ABE) module
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

moz-nullprincipal origin for google domains

Post by Thrawn »

I've been trying to protect google.com domains with ABE, anonymizing requests from other domains, but I'm finding that certain GMail features - notably those that automatically open a new tab, such as switching accounts or viewing an attachment in Google Docs - produce requests with origins similar to:

Code:

    moz-nullprincipal:{8204ac4c-5794-4fa0-8975-f6eb07ca0b48}

with the part in braces being different each time.
I can match it with a regular expression like

Code:

    Site .google.com
    Accept from SELF++ ^moz-nullprincipal:\{.*\}$
    Anon

but since I know very little about moz-nullprincipal, can anyone advise whether this is a) the best way to match it, and b) safe (I suspect not)?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.32) Gecko/20120529 Firefox/3.6.32 (Palemoon/3.6.32)

Re: moz-nullprincipal origin for google domains

Post by Thrawn »

Bump.

Is there a better way to do this? I'm not really comfortable with:

Code:

    Accept from ^moz-nullprincipal:\{.*\}

since if Gmail can deliberately create a request that appears to come from moz-nullprincipal, then surely other sites could too, which might give them a way to CSRF my Gmail account.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0

Re: moz-nullprincipal origin for google domains

Post by Thrawn »

Just saw a further variation on this. My Google-related rule is now:

Code:

    # Google - allow encrypted connections
    Site https://*.google.com/* https://*.google.com.au/*
    Accept from https://*.google.com/* https://*.google.com.au/* ^moz-nullprincipal:\{.*\}
    Anon GET
    Deny

and when I tried to download a file from my own Google Drive (which opens a new tab), I landed at the login page, with nothing in the Error Console. Logging in didn't do anything, just took me back to the login page.

I tried changing Anon GET to Accept GET, then reloading the page (re-submitting login details), and this time ABE gave an error message:

Code:

    Request {POST https://accounts.google.com/ServiceLoginAuth <<< - 6} filtered by ABE: <https://*.google.com/* https://*.google.com.au/*> Deny

So...ABE thinks that the origin is '- 6'?
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: moz-nullprincipal origin for google domains

Post by Giorgio Maone »

Please update to latest development build 2.6.6rc2 and change the rule to

Code:

    Site .google.com .google.com.au
    Accept from .google.com .google.com.au
    Anon GET
    Deny

(the repetition instead of SELF++ handles mixed redirections .com -> .com.au, which wouldn't match SELF++)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0

Re: moz-nullprincipal origin for google domains

Post by Thrawn »

> Giorgio Maone wrote: Please update to latest development build 2.6.6rc2

That fixed the issue with delegated Gmail access, thanks :). Google Drive still has trouble.

> and change the rule to
>
> Code:
>
>     Site .google.com .google.com.au
>     Accept from .google.com .google.com.au
>     Anon GET
>     Deny
>
> (the repetition instead of SELF++ handles mixed redirections .com -> .com.au, which wouldn't match SELF++)

Hmm...my latest rule (in my previous post) actually does use repetition instead of SELF++, but it's still getting the same error from Google Drive. I'd rather keep it as https-only, instead of the leading dot wildcard; is that possible?
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0

Re: moz-nullprincipal origin for google domains

Post by Giorgio Maone »

> Thrawn wrote:
> > Giorgio Maone wrote: Please update to latest development build 2.6.6rc2
>
> That fixed the issue with delegated Gmail access, thanks :). Google Drive still has trouble.

I just installed Google Drive and tried to fiddle a bit with it, but I couldn't reproduce.
Could you give me step-by-step instructions?

> Thrawn wrote: Hmm...my latest rule (in my previous post) actually does use repetition instead of SELF++, but it's still getting the same error from Google Drive. I'd rather keep it as https-only, instead of the leading dot wildcard; is that possible?

Yes, the last rule (https://*.google.com) is OK, but you should remove moz-nullprincipal.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0

Re: moz-nullprincipal origin for google domains

Post by Thrawn »

> Giorgio Maone wrote: I just installed Google Drive and tried to fiddle a bit with it, but I couldn't reproduce.

I'm not sure what you mean by 'installed' Google Drive; I'm using the web interface, there's no installation involved. I know that there is a desktop application, but not for Linux.

> Could you give me step-by-step instructions?

  • Set up an ABE rule like the one in the error message below.
  • Log in to Google Drive, https://drive.google.com
  • Click on the Create button, and choose any option except Folder; OR
  • Click on an existing document, spreadsheet, etc, to open it in Google Drive.

Error message:

Code:

    [ABE] <https://*.google.com/* https://*.google.com.au/* https://*.gstatic.com/* https://*.googleusercontent.com/* https://*.youtube.com/*> Anonymize on {GET https://docs.google.com/document/create?usp=drive_web&folder=xxxxx <<< moz-nullprincipal:{5d8d44d5-9f24-41c0-a9bb-7a1e8be32821} - 6}
    USER rule:
    Site https://*.google.com/* https://*.google.com.au/* https://*.gstatic.com/* https://*.googleusercontent.com/* https://*.youtube.com/*
    Accept from https://*.google.com/* https://*.google.com.au/* https://*.gstatic.com/* https://*.googleusercontent.com/* https://*.youtube.com/*
    Anonymize

> Yes, the last rule (https://*.google.com) is OK, but you should remove moz-nullprincipal.

Thanks; yes, I removed moz-nullprincipal once you posted the development build that fixed the Gmail issue.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
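
Added example, not part of any post above: a small JavaScript parser for the two ABE log-line shapes quoted in this thread, classifying each request's origin as a URL, a null principal, or empty. The field layout is inferred from those two lines only; the function names and the third sample line are constructed for illustration.

```javascript
// Added example (not from the thread). Assumed layout, inferred from the two
// quoted log lines: {METHOD URL <<< ORIGIN - N}, where ORIGIN may be empty.
const NULL_PRINCIPAL =
  /^moz-nullprincipal:\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$/i;

function parseAbeLine(line) {
  const req = /\{(\S+) (\S+) <<< (.*?) ?- (\d+)\}/.exec(line);
  // [^<>] keeps the rule's <site list> from being confused with "<<<".
  const rule = /<([^<>]*)> (\w+)/.exec(line);
  if (!req || !rule) return null;
  const origin = req[3];
  let originKind = "url";
  if (origin === "") originKind = "empty";
  else if (NULL_PRINCIPAL.test(origin)) originKind = "null-principal";
  return {
    method: req[1],
    url: req[2],
    origin,
    originKind,
    trailer: Number(req[4]), // meaning of this field is not stated in the thread
    ruleSites: rule[1].split(" "),
    action: rule[2],
  };
}

// Requests whose origin is not a URL. In the thread's logs these are the ones
// that fell past the "Accept from <site list>" line to Anonymize or Deny.
function nonUrlOrigins(lines) {
  return lines.map(parseAbeLine).filter((r) => r && r.originKind !== "url");
}

const SAMPLES = [
  // Copied from the thread:
  "Request {POST https://accounts.google.com/ServiceLoginAuth <<< - 6} filtered by ABE: <https://*.google.com/* https://*.google.com.au/*> Deny",
  "[ABE] <https://*.google.com/* https://*.google.com.au/* https://*.gstatic.com/* https://*.googleusercontent.com/* https://*.youtube.com/*> Anonymize on {GET https://docs.google.com/document/create?usp=drive_web&folder=xxxxx <<< moz-nullprincipal:{5d8d44d5-9f24-41c0-a9bb-7a1e8be32821} - 6}",
  // Constructed for contrast (ordinary cross-site origin):
  "[ABE] <https://*.google.com/*> Anonymize on {GET https://mail.google.com/mail/ <<< https://example.org/ - 6}",
];

for (const r of nonUrlOrigins(SAMPLES)) {
  console.log(`${r.action}\t${r.originKind}\t${r.method} ${r.url}`);
}
```

Read this way, the `- 6` in the first log line is a trailing field after an empty origin, matching its position after the null-principal origin in the second line.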