INC strangeness

Discussions about the Application Boundaries Enforcer (ABE) module

Postby aberrometer » Wed Feb 22, 2017 8:22 pm

I've had some ABE rules for the big sites like Facebook, to keep all kinds of embedded stuff away from other websites. Here are my current rules for FB:

Code:
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION

The INCLUSION used to have SCRIPT, OBJECT, SUBDOC with it, meaning the rule was almost identical with the example in the ABE documentation PDF. At some point - possibly when Firefox 51 came - embedded content from Facebook domains started to appear on non-Facebook pages. After some experimentation, it started to look like the only inclusion type that had any effect was OTHER, so I turned the Deny rule into a basic INCLUSION.

That alone isn't too bad (though of course having the earlier, more fine-grained control would be nice), but it turns out the Deny INCLUSION rule affects top-level loads too. Trying to follow a link into facebook.com just doesn't work, and the browser console shows that clicking the link triggered the Deny INCLUSION rule. The moz-nullprincipal: at least lets copy-pasting the address to the address bar work.

Now, these changes seem like a regression, but maybe something has just changed in a non-erroneous way and I should change some setting or write the rules differently, so I'm asking if there's maybe some other approach to writing rules for denying the FB embeddings and keeping links to FB functional? (And Twitter and Google+ and... but the principles should be the same.)

I should probably also note that I'm using NoScript in "lazy mode", that is I have the "Cascade top document's permissions to 3rd party scripts" checked, to make it easier enabling scripting for a site if I need to, making the ABE rule more necessary.
Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
aberrometer
 
Posts: 3
Joined: Wed Feb 22, 2017 7:44 pm

Re: INC strangeness

Postby barbaz » Wed Feb 22, 2017 9:58 pm

What version of NoScript?

aberrometer wrote: Here are my current rules for FB:

Code:
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION

The INCLUSION used to have SCRIPT, OBJECT, SUBDOC with it, meaning the rule was almost identical with the example in the ABE documentation PDF.

To be clear, was this what you had before? -
Code:
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)


Or was it this, which isn't a valid ABE rule? -
Code:
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION(SCRIPT, OBJECT, SUBDOC)


aberrometer wrote: At some point - possibly when Firefox 51 came - embedded content from Facebook domains started to appear on non-Facebook pages. After some experimentation, it started to look like the only inclusion type that had any effect was OTHER, so I turned the Deny rule into a basic INCLUSION.

Do you have an example URL where this occurs?
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 8695
Joined: Sat Aug 03, 2013 5:45 pm
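
The difference between the two rule sets in the post above (OBJ is a valid inclusion type, OBJECT is not) can be checked mechanically before rules are pasted into ABE. This is an added example, not part of the thread or of NoScript's own code; the type tokens beyond those named in the thread, the INC short form, the action names and the suggestion table are assumptions.

```python
import re

# Inclusion type tokens. OBJ, SCRIPT, SUBDOC and OTHER appear in the thread;
# the remaining entries are an assumption about the ABE rule grammar.
INCLUSION_TYPES = {
    "OTHER", "SCRIPT", "IMAGE", "CSS", "OBJ", "SUBDOC", "XBL",
    "PING", "XHR", "OBJSUB", "DTD", "FONT", "MEDIA",
}
# Hypothetical table of long-form slips and the short token that was meant.
SUGGESTIONS = {"OBJECT": "OBJ", "SUBDOCUMENT": "SUBDOC", "IMG": "IMAGE"}

# Action keywords that start a rule line (assumed set).
ACTION_RE = re.compile(r"^\s*(Accept|Deny|Sandbox|Anonymize|Anon|Logout)\b")
INC_RE = re.compile(r"\b(?:INCLUSION|INC)\s*\(([^)]*)\)")

# Constructed samples: the two rule sets quoted in the post above.
RULES_OBJ = """Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
"""
RULES_OBJECT = RULES_OBJ.replace("OBJ,", "OBJECT,")


def lint_abe_rules(text):
    """Return (line_no, token, suggestion) for each unknown inclusion type."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0]  # drop trailing comments
        if not ACTION_RE.match(line):
            continue  # Site lines and blanks carry no INCLUSION(...) list
        for match in INC_RE.finditer(line):
            for token in re.split(r"[,\s]+", match.group(1).strip()):
                # Tokens are compared exactly; lower case is flagged too.
                if token and token not in INCLUSION_TYPES:
                    hint = SUGGESTIONS.get(token.upper())
                    findings.append((line_no, token, hint))
    return findings


if __name__ == "__main__":
    for name, rules in (("OBJ", RULES_OBJ), ("OBJECT", RULES_OBJECT)):
        print(name, lint_abe_rules(rules))
```

A bare `Deny INCLUSION` with no type list produces no findings, since it names no type tokens to check.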

Re: INC strangeness

Postby aberrometer » Thu Feb 23, 2017 8:11 pm

Oh! I was trying to reproduce the issue on a clear profile, and just found out this was a mess caused by myself, meddling with about:config. I had forced e10s on as I was a bit impatient - I had expected that by Firefox 51 multiprocess support would be enabled by default, but it wasn't (I'm using Debian testing). Having it forced on is what changes the behavior. Things seem to be working just as intended when I let the browser run in the single-process mode again.

I'm now on Firefox 51.0.1 (64-bit), NoScript version is 2.9.5.3. And yeah, that one type was OBJ instead of OBJECT, I guess I somehow mentally expanded the text when typing the post. I also just checked on another machine that runs Arch Linux (Firefox there has multi-process mode on by default), and the rule works fine. The most minimal test case was an otherwise blank page with only a link pointing to facebook.com. So, apparently this is some Debian-specific thing - sorry about using your time!
Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0

Re: INC strangeness

Postby barbaz » Thu Feb 23, 2017 8:17 pm

@aberrometer Remember to log in before posting so that you can use your chosen username and don't need to repeatedly solve the CAPTCHA each time. (I fixed that post for you.)

aberrometer wrote: So, apparently this is some Debian-specific thing - sorry about using your time!

Thank you for reporting your findings. :)

Re: INC strangeness

Postby Dorcas » Thu Sep 13, 2018 9:40 am

Can you let me know what version this is?
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Dorcas
 
Posts: 1
Joined: Thu Sep 13, 2018 9:21 am

Re: INC strangeness

Postby barbaz » Thu Sep 13, 2018 12:23 pm

Dorcas wrote: Can you let me know what version this is?

The versions were already said. Did you not read this thread?