ABE support in 10.1.x

Discussions about the Application Boundaries Enforcer (ABE) module
ericrobe

ABE support in 10.1.x

Post by ericrobe »

Does NoScript 10.1.x support ABE? I see a note about ABE in the release notes for 10.1.1 but that is all I see. Is the ABE implementation different in the new addon?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE support in 10.1.x

Post by barbaz »

ericrobe wrote:Does NoScript 10.1.x support ABE?
Not yet.
*Always* check the changelogs BEFORE updating that important software!
-
hierWirdGeblockt

Re: ABE support in 10.1.x

Post by hierWirdGeblockt »

I just want to endorse the implementation of ABE in NoScript Quantum, too. It's a very important feature. I need it to block facebook, doubleclick and other malicious sites. Currently I use Firefox ESR with NoScript 5. When Firefox ESR gets updated next month however, I will need a replacement.

I'd even donate to NoScript by the way, if SEPA payment was possible (Paypal and flattr are not an option).
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
yorktown
Posts: 1
Joined: Sat Apr 14, 2018 5:36 pm

Re: ABE support in 10.1.x

Post by yorktown »

I concur. ABE needs to be in NoScript for FF Quantum. The trend for multiple scripts on sites is increasing.

Google: I noticed even google is using multiple domains with multiple scripts. To login, now gstatic.com and google.com is required. But gstatic.com is on a heck of alot of other websites than google.

Youtube: Youtube now uses googlevideo.com to play videos, yimg is needed to login, etc. But I would be selective as to other websites that have access to these scripts.

So ABE is a must to add back. Please
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
ajay

Re: ABE support in 10.1.x

Post by ajay »

Hello,

Like to try and respond to both questions.
I have just emailed Giogio about the availability of ABE and ClearClick in the current version, and he said
"Not there yet, but still planned. Hopefully out before the Tor Browser 8 (based on Firefox 60ESR) goes stable. -- G

Concerning payments through SEPA, if you email Giorgio he will provide you with his IBAN for a wire transfer, like
he did for me years ago. I just can't post his IBAN number here ... obviously.

Hope this help - AJ
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Mad_Man_Moon
Senior Member
Posts: 75
Joined: Fri Oct 27, 2017 12:02 pm

Re: ABE support in 10.1.x

Post by Mad_Man_Moon »

Hello!

Still loving NS, and all the amazingness that it does.

Thought I'd check in on the ABE progress. Obviously it wasn't ready for TOR 8 (and the way that browser trashes your settings I wouldn't be surprised if it's hard to code ABE there), and I don't say that in a chastising way, just pointing out the obvious. :-)

Is there a rough outlook on when it will be around? I'm barely using Firefox on my main PC these days, because I can't do the internet without ABE (because I'm pathetic, it's true) ... Instead I'm relying on multiple browsers, and accounts, and trying to keep everything in multiple places.

Anyway, thank you again for the brilliant work, and I can assure you that those that use it would *llloooooove* a new ABE :-)

Best
M_M_M
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Mad_Man_Moon
Senior Member
Posts: 75
Joined: Fri Oct 27, 2017 12:02 pm

Re: ABE support in 10.1.x

Post by Mad_Man_Moon »

Heyyyyyyy, @barbaz (and maybe @Giorgio !) ... Thought I'd lightly ask to see how ABE (or ABE 2.0 / similar site by site ruling for external domains) is moving along.

I'm 100% asking for my normal firefox usage, not tor, as I desparately want to move closer to single browser web surfing again! :-)

As always: This isn't said or asked with any entitlement, expectation, nor any ill subterfuge. Just wanna see how ABE is progressing, and what we're realistically looking at for timelines. ¹

EDIT: I've seen ABE in the noscript about:config, if I enable it (it still has my old rules in there!) will it start working, or is the underlying functionality still not quite finished in quantumfox? :idea:

______________________________________________________
Relatedly: I had a thought of something I could do that might help ... Would it be OK for me to maybe start a (temporary, until abe comes home) sub forum (or thread, if that's more workable) for a temporary workaround called:
  • Site Temporary Allows (or maybe swap "Allows" for "Rules" or "Allow Rules")
Each post (or reply) would list:
  1. Site Name
  2. Site URL
  3. The domains required to get the site working at the most basic level (imagery, and basic navigation). ²
  4. Notes (why the user posted)
This could allow people to search noscript [site] temporary rules in google or here, and quickly find a workaround for ABE functionality. It's janky, but it might help a few in the meantime. I'd also be happy to consider making a separate resource out there online somewhere, perhaps just a webform website, or a simple SQLite DB, I dunno.

If someone's already done this, then I'm a fool and my search skill really suck, hah!

Also, again offered with pure transparency, and purely as a 'look over there', I think the ScriptSafe folks are doing some nice things over on Chrome. If you guys teamed up you'd probably be unstoppable! (scary!!! :o ...)

______________________________________________________
¹ I'm just starting on my coding journey, but if I can help at all, please do get in touch. :-)
² This would assume that these are all checked in trusted, let's not make it too complex!: script, object, media, frame, font, webgl, fetch, other
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
User avatar
therube
Ambassador
Posts: 7922
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: ABE support in 10.1.x

Post by therube »

I've seen ABE in the noscript about:config
Anything (extension) related in about:config is a relic to when times were good.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.5
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE support in 10.1.x

Post by barbaz »

Mad_Man_Moon wrote: Fri Mar 01, 2019 3:33 pm Heyyyyyyy, @barbaz [...] Thought I'd lightly ask to see how ABE (or ABE 2.0 / similar site by site ruling for external domains) is moving along.
I have no idea. Giorgio is the only dev of NoScript and I haven't heard any further news on this.
Mad_Man_Moon wrote: Fri Mar 01, 2019 3:33 pm Relatedly: I had a thought of something I could do that might help ... Would it be OK for me to maybe start a (temporary, until abe comes home) sub forum (or thread, if that's more workable) for a temporary workaround called:
  • Site Temporary Allows (or maybe swap "Allows" for "Rules" or "Allow Rules")
Each post (or reply) would list:
  1. Site Name
  2. Site URL
  3. The domains required to get the site working at the most basic level (imagery, and basic navigation). ²
  4. Notes (why the user posted)
This could allow people to search noscript [site] temporary rules in google or here,
You are welcome to start such a thread, but please note that it is not a workaround for missing ABE, nor even related to ABE at all. NoScript 10 is currently not capable of preventing CSRF - "bypassing" this would only require making the malicious request as an image. I'm not aware of any content blocker that has the needed functionality to act as an ABE replacement.
*Always* check the changelogs BEFORE updating that important software!
-
Mad_Man_Moon
Senior Member
Posts: 75
Joined: Fri Oct 27, 2017 12:02 pm

Re: ABE support in 10.1.x

Post by Mad_Man_Moon »

barbaz wrote: Fri Mar 01, 2019 6:42 pmI have no idea. Giorgio is the only dev of NoScript and I haven't heard any further news on this.
Apologies, it wasn't an assumption that you're a dev, it was an assumption that you knew what was going on since you've been very vocal about what's happening with ABE in this thread. I'll ensure that I don't pester you in the future, apologies, I'm sure that you'll also do similarly. Apologies again!
barbaz wrote: Fri Mar 01, 2019 6:42 pmYou are welcome to start such a thread, but please note that it is not a workaround for missing ABE, nor even related to ABE at all. NoScript 10 is currently not capable of preventing CSRF - "bypassing" this would only require making the malicious request as an image. I'm not aware of any content blocker that has the needed functionality to act as an ABE replacement.
Once again, many apologies. I've not been clear enough in what I'm discussing here.

Yes. The main point of ABE is the CSRF XSS, etc ... However there were also, in ABE's menus, scripting sections that allowed one *considerable* control over their browsing experience. So one could whitelist YouTube, but YouTube's whitelist functionality *only* worked in the sites that you defined in the scripting.

I'll edit this comment soon (hopefully) with an example of this scripting.

Essentially, it was the main reason noscript was so amazing for me, because it allowed a permanence in granularly allowed JavaScript across the web. I could be sure that I could visit, say, independent.co.uk and YouTube (and it's inherent required domains) would essentially be blacklisted to never run JavaScript, but on YouTube.com it would be fine (including the inherent selection of Googlevideo.com).
Mozilla/5.0 (Android 7.0; Tablet; rv:66.0) Gecko/66.0 Firefox/66.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE support in 10.1.x

Post by barbaz »

Mad_Man_Moon wrote: Sun Apr 21, 2019 8:18 am there were also, in ABE's menus, scripting sections that allowed one *considerable* control over their browsing experience. So one could whitelist YouTube, but YouTube's whitelist functionality *only* worked in the sites that you defined in the scripting.

I'll edit this comment soon (hopefully) with an example of this scripting.
You mean like FAQ 8.10, right? For this use case you could use µMatrix or uBlock Origin.

EDIT
Update: Note that µMatrix is no longer maintained since September 2020.
*Always* check the changelogs BEFORE updating that important software!
-
Mad_Man_Moon
Senior Member
Posts: 75
Joined: Fri Oct 27, 2017 12:02 pm

Re: ABE support in 10.1.x

Post by Mad_Man_Moon »

barbaz wrote: Sun Apr 21, 2019 11:50 am
Mad_Man_Moon wrote: Sun Apr 21, 2019 8:18 am there were also, in ABE's menus, scripting sections that allowed one *considerable* control over their browsing experience.
You mean like FAQ 8.10, right? For this use case you could use µMatrix or uBlock Origin.
Yep, that's the baby! :-)

Cheers, I'll look in to those, but I'd rather wait for noscript to get its full mojo back for this, multiple add-ons will be a bit of a bitch to manage, if you'll excuse my language. Also, importing/exporting rules to umatrix and/or back when it's all said and done could also be a pain. 8-)

EDIT LOL, just started looking at uMatrix's "Recipes" ... bloody hell, I thought that ABE scripting was complicated ;)
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE support in 10.1.x

Post by barbaz »

@Mad_Man_Moon: see PM
*Always* check the changelogs BEFORE updating that important software!
-
Mad_Man_Moon
Senior Member
Posts: 75
Joined: Fri Oct 27, 2017 12:02 pm

Re: ABE support in 10.1.x

Post by Mad_Man_Moon »

barbaz wrote: Sun Jul 28, 2019 4:20 am @Mad_Man_Moon: see PM
👐
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE support in 10.1.x

Post by barbaz »

Giorgio Maone wrote: Tue Jun 02, 2020 7:25 am Most users didn't use ABE, but power users (and myself) did, and I've got some plans for that too, but unfortunately I first need to ensure it's not all lost work with Manifest V3.
Contextual permissions are likely to come earlier, probably as a a further CUSTOM option (e.g. an "on this site only" checkbox).
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply