help me to understood ABE

Re: help me to understood ABE

by Thrawn » Fri Jan 24, 2014 7:59 am

If the requests aren't being sent when scripts from putlocker.com are blocked, then probably it's a piece of JavaScript that is sending them.

It's normal (although unfortunate) for sites to be broken when their scripts are blocked.

Re: help me to understood ABE

by forecehh » Fri Jan 24, 2014 3:05 am

Look, I changed it and now use this:

Code:

Site .twitter.com
Accept from .somesite.com
Deny
Site .google-analytics.com
Accept from .somesite.com
Deny

And from the FAQ I read that I must add them to the allowed scripts.

So google-analytics.com and twitter.com must accept from .somesite.com, right?
So when I go to .putlocker.com, both are blocked.
But if I temp-allow .putlocker.com,
I see both make requests. Is this normal?
Also, if I use the rule below, even if I temp-allow .putlocker.com, it keeps blocking that.

Code:

Site ALL
Accept from SELF++
Deny

Also look at this screenshot:

http://photoload.ru/data/8d/eb/fe/8debfe89ff4e816e85d96e401d37073d.png

Re: help me to understood ABE

by Thrawn » Thu Jan 23, 2014 7:56 pm

I'm not sure I'm following you. What problems are you actually seeing?

The fact that all scripts are blocked on a page until you allow the top-level site is a normal part of script-blocking, not related to ABE.

Are there ABE-related messages in the Browser Console (Ctrl+Shift+J)?

Re: help me to understood ABE

by forecehh » Thu Jan 23, 2014 2:29 pm

OK,
I have one rule like this in the system rulesets:

Code:

Site .2o7.net .ix.e .e.cl .i.ua .u.pl .a.com .a.net .ad.hu .am.ru
Deny ALL from ALL

Then I have some rules in the user rulesets:

Code:

Site .tumblr.com .stumble-upon.com .stumbleupon.com .twitter.com .reddit.com .digg.com .yandex.st .yandex.ru .disqus.com .aol.com .ebay.com .yahoo.com .msn.com  .godaddy.com .feedburner.com
Accept from .tumblr.com .stumble-upon.com .stumbleupon.com .twitter.com .reddit.com .digg.com .yandex.st .yandex.ru .disqus.com .aol.com .ebay.com .yahoo.com .msn.com  .godaddy.com .feedburner.com
Deny

Code:

Site .google-analytics.com
Accept from .google-analytics.com
Deny

And all of the user ruleset is in the whitelisted scripts,
but I don't know where I am wrong.
For example, I visit

Code:

http://www.putlocker.com

Scripts are not allowed.
Every request is blocked until I temp-allow scripts for putlocker.com.
Then in the Request Policy log window I see this:

Code:

http://www.putlocker.com/cdn-cgi/pe/bag2?r[]=http%3A%2F%2Fwww.google-analytics.com%2Fga.js
http://www.putlocker.com/cdn-cgi/pe/bag2?r[]=http%3A%2F%2Fplatform.twitter.com%2Fwidgets.js

So what is it?

Re: help me to understood ABE

by forecehh » Wed Sep 25, 2013 10:49 pm

Because since I see NoScript forbids everything, I wanted that too.
But if you don't add this, no problem.

Re: help me to understood ABE

by Thrawn » Tue Sep 24, 2013 10:07 pm

forecehh wrote: But what option in NoScript?
I'm looking for you to add such a feature if it's not available in NoScript.

NoScript can block refreshes using the META tag (which doesn't need JavaScript) on untrusted sites. Options menu, Advanced tab, Untrusted sub-tab, "Forbid META redirections inside <NOSCRIPT> elements".

Firefox can block some kinds of refreshes. In the Preferences dialog, choose Advanced tab, General sub-tab, "Warn me when websites try to redirect or reload the page".

Anything more than this is not part of NoScript (why would you need it for security?), so you need a different addon (like RefreshBlocker, as you mentioned).

Re: help me to understood ABE

by forecehh » Tue Sep 24, 2013 5:06 pm

Thrawn wrote:
forecehh wrote: Thank you very much, now I get how that works :)
But what about my suggestion? Is it possible to add it?

If you mean the suggestion to block automatic refreshes, that is already available under Options - Advanced - Untrusted. Firefox has a built-in setting for this too.

Thank you.
But what option in NoScript?
I'm looking for you to add such a feature if it's not available in NoScript.
RefreshBlocker 0.8
https://addons.mozilla.org/en-US/firefo ... r/?src=api

I know that in some older versions NoScript could not block auto refresh (RefreshBlocker can block it), but with the new version I'm not sure.
Example page:
http://www.physiology.wisc.edu/ravi/test/test9.html

Re: help me to understood ABE

by Thrawn » Sun Sep 22, 2013 9:48 pm

forecehh wrote: Thank you very much, now I get how that works :)
But what about my suggestion? Is it possible to add it?

If you mean the suggestion to block automatic refreshes, that is already available under Options - Advanced - Untrusted. Firefox has a built-in setting for this too.

Re: help me to understood ABE

by forecehh » Mon Jul 29, 2013 12:40 pm

Thank you very much, now I get how that works :)
But what about my suggestion? Is it possible to add it?

Re: help me to understood ABE

by Thrawn » Mon Jul 29, 2013 4:41 am

kainee wrote: Thanks for your replies - especially yours, Thrawn, was very clear and comprehensible and finally provided me with the information and understanding I was hoping for :P

Thanks :). That's what the support team is here to do.

Re: help me to understood ABE

by kainee » Mon Jul 29, 2013 1:42 am

Thanks for your replies - especially yours, Thrawn, was very clear and comprehensible and finally provided me with the information and understanding I was hoping for :P

Re: help me to understood ABE

by Thrawn » Sun Jul 28, 2013 11:03 pm

ABE is not about script-blocking at all. There is no interaction between them. ABE does not automatically whitelist anything, and it will apply to all sites, whitelisted or not.

The original purpose of ABE was to protect sensitive sites against fraudulent requests from other sites. The classic example is something like this:

Code:

Site .bank.com
Accept from SELF
Deny

So other sites you visit can't send requests to your bank telling it to transfer money to themselves.

If you want to use ABE for site-specific blocking, you certainly can, but you have to use it separately to regular whitelisting.
Usually, this means that you need to allow the site in the regular whitelist (otherwise it will be blocked everywhere), and then use an ABE rule to manage it. The googleapis rule at the start of this thread looks about right.

Code:

Site <the site I want to allow only at some places>
Accept from <list of sites where it should be allowed>
Deny

If this looks backward, that's because it was designed to protect 'Site' from cross-site requests.

Effectively, the rule at the start of this thread tells ABE that ajax.googleapis.com and google.com are sensitive, and that only themselves and goal.com should be allowed to access them.
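
The separation described in the post above, as an added example that is not part of the original post and not NoScript's own code: a simplified JavaScript model in which ABE decides from the origin and destination hosts, while a separate script whitelist decides whether a script may run. The plain host-list whitelist, the `lib.js` path, the `example.org` page and the reduced rule grammar (`.domain` patterns, `ALL`, `SELF` treated as same host) are assumptions made for illustration.

```javascript
// Added example: simplified model, not NoScript's implementation.
// Modelled: ".domain" patterns, ALL, SELF (same host), Accept/Deny predicates.
function parseRules(text) {
  const rules = [];
  for (const line of text.split("\n").map(l => l.trim()).filter(Boolean)) {
    const words = line.split(/\s+/);
    if (words[0] === "Site") {
      rules.push({ sites: words.slice(1), predicates: [] });
    } else if (rules.length) {
      const i = words.indexOf("from");
      const origins = i === -1 ? ["ALL"] : words.slice(i + 1);
      rules[rules.length - 1].predicates.push({ action: words[0], origins });
    }
  }
  return rules;
}
function hostMatches(host, pattern) {
  if (pattern === "ALL") return true;
  if (!pattern.startsWith(".")) return host === pattern;
  return host === pattern.slice(1) || host.endsWith(pattern);
}
// Layer 1: ABE decides from the origin and destination hosts only.
function abeDecision(rules, originUrl, destUrl) {
  const origin = new URL(originUrl).hostname;
  const dest = new URL(destUrl).hostname;
  for (const rule of rules) {
    if (!rule.sites.some(p => hostMatches(dest, p))) continue;
    for (const { action, origins } of rule.predicates) {
      const hit = origins.some(p =>
        p === "SELF" ? origin === dest : hostMatches(origin, p));
      if (hit) return action;
    }
  }
  return "no rule";
}
// Layer 2: the script whitelist (hypothetical: a plain list of host names).
function scriptLoads(rules, whitelist, pageUrl, scriptUrl) {
  const allowed = whitelist.includes(new URL(scriptUrl).hostname);
  return allowed && abeDecision(rules, pageUrl, scriptUrl) !== "Deny";
}
// Rule quoted from the first post in this thread; URLs below are constructed.
const RULES = parseRules(`
Site .ajax.googleapis.com
Accept from .goal.com .ajax.googleapis.com
Deny`);
const LIB = "http://ajax.googleapis.com/lib.js";
console.log(abeDecision(RULES, "http://www.goal.com/", LIB));      // ABE alone
console.log(scriptLoads(RULES, [], "http://www.goal.com/", LIB));  // not whitelisted
console.log(scriptLoads(RULES, ["ajax.googleapis.com"], "http://www.example.org/", LIB));
```

An ABE "Accept" does not make the script run when its host is missing from the whitelist, and a whitelisted host is still refused on pages the rule does not list.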

Re: help me to understood ABE

by Ilya » Sun Jul 28, 2013 10:47 pm

kainee wrote: So am I correct in assuming that ABE rules apply to whitelisted(or temporarily allowed) sites ONLY? Meaning that using ABE rules I can specify more precisely on which sites a given domain in the whitelist can really be used and for which it will be denied DESPITE being in the whitelist?

The short answer is "no".
An extract from that very section 8.10 of the NoScript FAQ:

Notice that since ABE's rule work independently from NoScript's permissions [...]

Re: help me to understood ABE

by kainee » Sun Jul 28, 2013 11:21 am

Hi everyone,

I'd just like to support this request since I have a similar problem. After reading the forum sticky on site specific permissions and the ABE section in the FAQ and testing a bit I THINK I understand but I'm not sure I really do - and I don't want to punch a hole in noscript security by misunderstanding how ABE and the whitelist interact.

So am I correct in assuming that ABE rules apply to whitelisted(or temporarily allowed) sites ONLY? Meaning that using ABE rules I can specify more precisely on which sites a given domain in the whitelist can really be used and for which it will be denied DESPITE being in the whitelist?

I believe that is more or less a rephrasing of the above question in more general terms, but I may be missing something ...

Thank you for all the wonderful work you do and thank you for this great tool!
Best wishes,
kainee

p.s.: I do understand that section 8.10 of the faq is supposed to answer this question but I'm still confused - maybe because I'm not a native English speaker. Maybe because I'm over anxious to get it right 'cos I'm also preparing to hold a NoScript workshop. Or maybe I'm just dumb ;-) (but even if that's the case, it wouldn't be my fault but just the way I am, so maybe someone could still enlighten me :roll: )

help me to understood ABE

by forecehh » Fri Jul 26, 2013 1:16 pm

Hi,
I added the rulesets below to the user ruleset in ABE, to auto-allow ajax.googleapis.com and google.com
on google.com and deny them from any other site,
but I still must use the temporarily allow menu to allow them.
So I am not sure whether ABE is doing this job or I am wrong?

http://www.goal.com/en-us/news/1110/maj ... ID=HP_TN_6

Code:

Site .ajax.googleapis.com
Accept from .goal.com .ajax.googleapis.com
Deny
Site .google.com
Accept from .goal.com .google.com
Deny

A suggestion:
When I export the whitelist, I see my untrusted sites are under the [UNTRUSTED] section.
Wouldn't it be better and easier to add something to allow origin to destination?
Example:

Code:

[UNTRUSTED]
http://ajax.googleapis.com/

[ALLOWPERSITEUNTRUSTED]
goal.com|ajax.googleapis.com

So ajax.googleapis.com is blocked everywhere
but allowed on goal.com.

Also, some sites refresh themselves automatically. Is there any option in NoScript to block this automatic refresh on all sites?
If there is no option, can you please add that?

Thanks
