help me to understood ABE

Discussions about the Application Boundaries Enforcer (ABE) module
forecehh
Posts: 18
Joined: Thu Jul 25, 2013 5:10 pm

help me to understood ABE

Post by forecehh » Fri Jul 26, 2013 1:16 pm

Hi,
I added the rule sets below to the user rule set in ABE, to auto-allow ajax.googleapis.com and google.com
on google.com and deny them from any other site,
but I still must use the temporarily allow menu to allow them.
So I am not sure whether ABE is doing this job or I am wrong?

http://www.goal.com/en-us/news/1110/major-league-soccer?ICID=HP_TN_6

Code:

Site .ajax.googleapis.com
Accept from .goal.com .ajax.googleapis.com
Deny
Site .google.com
Accept from .goal.com .google.com
Deny


A suggestion:
When I export the whitelist, I see my untrusted sites are under the [UNTRUSTED] section.
Wouldn't it be better and easier to add something to allow origin to destination?
Example:

Code:

[UNTRUSTED]
http://ajax.googleapis.com/

[ALLOWPERSITEUNTRUSTED]
goal.com|ajax.googleapis.com

So ajax.googleapis.com is blocked everywhere
but allowed on goal.com.

Also, some sites refresh themselves automatically. Is there any option in NoScript to block this automatic refresh on all sites?
If there is no such option, can you please add it?

Thanks
Mozilla/5.0 (masking-agent; rv:22.0) Gecko/20100101 Firefox/22.0

kainee
Posts: 2
Joined: Sun Jul 28, 2013 11:09 am

Re: help me to understood ABE

Post by kainee » Sun Jul 28, 2013 11:21 am

Hi everyone,

I'd just like to support this request since I have a similar problem. After reading the forum sticky on site-specific permissions and the ABE section in the FAQ and testing a bit, I THINK I understand, but I'm not sure I really do - and I don't want to punch a hole in NoScript security by misunderstanding how ABE and the whitelist interact.

So am I correct in assuming that ABE rules apply to whitelisted (or temporarily allowed) sites ONLY? Meaning that using ABE rules I can specify more precisely on which sites a given domain in the whitelist can really be used and for which it will be denied DESPITE being in the whitelist?

I believe that is more or less a rephrasing of the above question in more general terms, but I may be missing something ...

Thank you for all the wonderful work you do and thank you for this great tool!
Best wishes,
kainee

P.S.: I do understand that section 8.10 of the FAQ is supposed to answer this question but I'm still confused - maybe because I'm not a native English speaker. Maybe because I'm overanxious to get it right 'cos I'm also preparing to hold a NoScript workshop. Or maybe I'm just dumb ;-) (but even if that's the case, it wouldn't be my fault but just the way I am, so maybe someone could still enlighten me :roll: )
Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0

Ilya

Re: help me to understood ABE

Post by Ilya » Sun Jul 28, 2013 10:47 pm

kainee wrote: So am I correct in assuming that ABE rules apply to whitelisted (or temporarily allowed) sites ONLY? Meaning that using ABE rules I can specify more precisely on which sites a given domain in the whitelist can really be used and for which it will be denied DESPITE being in the whitelist?

The short answer is "no".
An extract from that very section 8.10 of the NoScript FAQ:
"Notice that since ABE's rule work independently from NoScript's permissions [...]"
Mozilla/5.0 (Windows NT 5.1; rv:22.0) Gecko/20100101 Firefox/22.0 SeaMonkey/2.19

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: help me to understood ABE

Post by Thrawn » Sun Jul 28, 2013 11:03 pm

ABE is not about script-blocking at all. There is no interaction between them. ABE does not automatically whitelist anything, and it will apply to all sites, whitelisted or not.

The original purpose of ABE was to protect sensitive sites against fraudulent requests from other sites. The classic example is something like this:

Code:

Site .bank.com
Accept from SELF
Deny

So other sites you visit can't send requests to your bank telling it to transfer money to themselves.

If you want to use ABE for site-specific blocking, you certainly can, but you have to use it separately to regular whitelisting.
Usually, this means that you need to allow the site in the regular whitelist (otherwise it will be blocked everywhere), and then use an ABE rule to manage it. The googleapis rule at the start of this thread looks about right.

Code:

Site <the site I want to allow only at some places>
Accept from <list of sites where it should be allowed>
Deny

If this looks backward, that's because it was designed to protect 'Site' from cross-site requests.

Effectively, the rule at the start of this thread tells ABE that ajax.googleapis.com and google.com are sensitive, and that only themselves and goal.com should be allowed to access them.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0
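
A simplified model of how ABE evaluates rules like the ones discussed above, as an added example that is not part of the original thread and is not NoScript's own code. The function names and request URLs are assumptions made for illustration; only host patterns, ALL and SELF are handled, and script whitelisting is a separate decision that this sketch does not model.

```javascript
// Simplified model of ABE evaluation; not NoScript's code. HTTP methods before
// "from" are ignored, and a predicate without "from" applies to every origin.
function parseRules(text) {
  const rules = [];
  for (const line of text.split("\n").map(l => l.trim()).filter(Boolean)) {
    const [word, ...rest] = line.split(/\s+/);
    if (word === "Site") {
      rules.push({ sites: rest, predicates: [] });
    } else if ((word === "Accept" || word === "Deny") && rules.length > 0) {
      const i = rest.indexOf("from");
      const from = i >= 0 ? rest.slice(i + 1) : ["ALL"];
      rules[rules.length - 1].predicates.push({ action: word, from });
    } else throw new Error("unsupported line: " + line);
  }
  return rules;
}

// ".goal.com" matches goal.com and its subdomains; SELF is compared by host only here.
function hostMatches(pattern, host, destHost) {
  if (pattern === "ALL") return true;
  if (pattern === "SELF") return host === destHost;
  if (pattern.startsWith(".")) return host === pattern.slice(1) || host.endsWith(pattern);
  return host === pattern;
}

// First matching predicate wins. null means no rule matched, so ABE has no objection.
function decide(rules, originUrl, destUrl) {
  const origin = new URL(originUrl).hostname;
  const dest = new URL(destUrl).hostname;
  for (const rule of rules) {
    if (!rule.sites.some(p => hostMatches(p, dest, dest))) continue;
    for (const pred of rule.predicates) {
      if (pred.from.some(p => hostMatches(p, origin, dest))) return pred.action;
    }
  }
  return null;
}
// Rule text from the first post; the request URLs below are constructed samples.
const THREAD_RULES = `Site .ajax.googleapis.com
Accept from .goal.com .ajax.googleapis.com
Deny
Site .google.com
Accept from .goal.com .google.com
Deny`;
const rules = parseRules(THREAD_RULES);
const lib = "http://ajax.googleapis.com/lib.js";
console.log(decide(rules, "http://www.goal.com/en-us/news", lib)); // Accept
console.log(decide(rules, "http://other.example/", lib));          // Deny
console.log(decide(rules, "http://other.example/", "http://www.goal.com/")); // null
```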


Re: help me to understood ABE

Post by kainee » Mon Jul 29, 2013 1:42 am

Thanks for your replies - especially yours, Thrawn, was very clear and comprehensible and finally provided me with the information and understanding I was hoping for :P
Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130626 Firefox/17.0 Iceweasel/17.0.7


Re: help me to understood ABE

Post by Thrawn » Mon Jul 29, 2013 4:41 am

kainee wrote: Thanks for your replies - especially yours, Thrawn, was very clear and comprehensible and finally provided me with the information and understanding I was hoping for :P

Thanks :). That's what the support team is here to do.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0


Re: help me to understood ABE

Post by forecehh » Mon Jul 29, 2013 12:40 pm

Thank you very much, now I get how that works :)
But what about my suggestion? Is it possible to add it?
Mozilla/5.0 (masking-agent; rv:22.0) Gecko/20100101 Firefox/22.0


Re: help me to understood ABE

Post by Thrawn » Sun Sep 22, 2013 9:48 pm

forecehh wrote: Thank you very much, now I get how that works :)
But what about my suggestion? Is it possible to add it?

If you mean the suggestion to block automatic refreshes, that is already available under Options - Advanced - Untrusted. Firefox has a built-in setting for this too.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0


Re: help me to understood ABE

Post by forecehh » Tue Sep 24, 2013 5:06 pm

Thrawn wrote:
forecehh wrote: Thank you very much, now I get how that works :)
But what about my suggestion? Is it possible to add it?

If you mean the suggestion to block automatic refreshes, that is already available under Options - Advanced - Untrusted. Firefox has a built-in setting for this too.

Thank you,
but what option in NoScript?
I'm looking for you to add such a feature if it's not available in NoScript.
RefreshBlocker 0.8
https://addons.mozilla.org/en-US/firefox/addon/refreshblocker/?src=api

I know that in some older versions NoScript cannot block auto refresh (RefreshBlocker can block it), but with the new version I'm not sure.
Example page:
http://www.physiology.wisc.edu/ravi/test/test9.html
Mozilla/5.0 (masking-agent; rv:23.0) Gecko/20100101 Firefox/23.0


Re: help me to understood ABE

Post by Thrawn » Tue Sep 24, 2013 10:07 pm

forecehh wrote: but what option in NoScript?
I'm looking for you to add such a feature if it's not available in NoScript.

NoScript can block refreshes using the META tag (which doesn't need JavaScript) on untrusted sites. Options menu, Advanced tab, Untrusted sub-tab, "Forbid META redirections inside <NOSCRIPT> elements".

Firefox can block some kinds of refreshes. In the Preferences dialog, choose Advanced tab, General sub-tab, "Warn me when websites try to redirect or reload the page".

Anything more than this is not part of NoScript (why would you need it for security?), so you need a different addon (like RefreshBlocker, as you mentioned).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0


Re: help me to understood ABE

Post by forecehh » Wed Sep 25, 2013 10:49 pm

Because I see NoScript forbids everything, I wanted that too,
but if you don't add this, no problem.
Mozilla/5.0 (masking-agent; rv:23.0) Gecko/20100101 Firefox/23.0


Re: help me to understood ABE

Post by forecehh » Thu Jan 23, 2014 2:29 pm

OK,
I have one rule like this in the system rulesets:

Code:

Site .2o7.net .ix.e .e.cl .i.ua .u.pl .a.com .a.net .ad.hu .am.ru
Deny ALL from ALL

Then I have some rules in the user rulesets:

Code:

Site .tumblr.com .stumble-upon.com .stumbleupon.com .twitter.com .reddit.com .digg.com .yandex.st .yandex.ru .disqus.com .aol.com .ebay.com .yahoo.com .msn.com  .godaddy.com .feedburner.com
Accept from .tumblr.com .stumble-upon.com .stumbleupon.com .twitter.com .reddit.com .digg.com .yandex.st .yandex.ru .disqus.com .aol.com .ebay.com .yahoo.com .msn.com  .godaddy.com .feedburner.com
Deny


Code:

Site .google-analytics.com
Accept from .google-analytics.com
Deny


and everything in the user ruleset is in the script whitelist,
but I don't know where I am wrong.
For example, I visit

Code:

http://www.putlocker.com

Scripts are not allowed.
Every request is blocked until I temp-allow scripts for putlocker.com.
Then in the Request Policy log window I see this:

Code:

http://www.putlocker.com/cdn-cgi/pe/bag2?r[]=http%3A%2F%2Fwww.google-analytics.com%2Fga.js
http://www.putlocker.com/cdn-cgi/pe/bag2?r[]=http%3A%2F%2Fplatform.twitter.com%2Fwidgets.js


So what is it?
Mozilla/5.0 (Windows NT 6.2; rv:19.0) Gecko/20121129 Firefox/19.0


Re: help me to understood ABE

Post by Thrawn » Thu Jan 23, 2014 7:56 pm

I'm not sure I'm following you. What problems are you actually seeing?

The fact that all scripts are blocked on a page until you allow the top-level site is a normal part of script-blocking, not related to ABE.

Are there ABE-related messages in the Browser Console (Ctrl+Shift+J)?
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0


Re: help me to understood ABE

Post by forecehh » Fri Jan 24, 2014 3:05 am

Look, I changed it and use this:

Code:

Site .twitter.com
Accept from .somesite.com
Deny
Site .google-analytics.com
Accept from .somesite.com
Deny

and in the FAQ I read that I must add them to the allowed scripts.

So google-analytics.com and twitter.com must be accepted from .somesite.com, right?
So when I go to .putlocker.com, both are blocked.
But if I temp-allow .putlocker.com,
I see both make requests. Is this normal?
Also, if I use the rule below, even if I temp-allow .putlocker.com, it keeps blocking that:

Code:

Site ALL
Accept from SELF++
Deny

Also look at this screenshot:

Code:

http://photoload.ru/data/8d/eb/fe/8debfe89ff4e816e85d96e401d37073d.png
Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0


Re: help me to understood ABE

Post by Thrawn » Fri Jan 24, 2014 7:59 am

If the requests aren't being sent when scripts from putlocker.com are blocked, then probably it's a piece of JavaScript that is sending them.

It's normal (although unfortunate) for sites to be broken when their scripts are blocked.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0
