Can ABE allow sub-objects, too?

Discussions about the Application Boundaries Enforcer (ABE) module
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Can ABE allow sub-objects, too?

Post by Tom T. »

Specifically, the infamous Yahoo Classic Mail attachment upload or download objects. They don't show in the menu until you attempt the u/l or d/l (and the menu changes color in F2 now -- thanks given elsewhere!). The rules I have tried, based on what shows in "Blocked Objects" when attempting to upload an attachment, are:

Site *@http://attach.*.mail.yahoo.com *@http://attach.re3.mail.yahoo.com
Accept from mail.yahoo.com
Deny

Site unknown@http://attach.re3.mail.yahoo.com
Accept from yahoo.com
Deny
These were based on there usually being two objects, one starting with *@http... and the other, unknown@http..., the rest of it being
*@http://attach.XXX.mail.yahoo.com. The *@http one is the one I have always used successfully, manually.
...where XXX is often either "mud" (Mail Up/Download?), "re3", "reX", where X is an integer 1-9, but sometimes other seemingly random characters, hence the attempt at wildcarding.

No success. Still must manually allow the objects for each session. Are these outside the scope of ABE?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Can ABE allow sub-objects, too?

Post by Giorgio Maone »

The request processing flow of NoScript+ABE is roughly the following:
  • The browser is asked to initiate a request
  • The browser asks content policies (e.g. ABP and NoScript) if the request can be initiated, passing the URL and some context info (at this time no request exists yet)
  • NoScript checks for scripts, plugin objects and frames in this phase, vetoing the request if needed. In this case, no request is created.
  • If no content policy objected, the request gets created and request observers are notified before it hits the network. Request observers can veto requests before they're initiated, but can also modify them before they're sent. Among request observers are XSS Filters and ABE.
As you can see, ABE comes late in the blocking game, after NoScript has done its "traditional" work.
Therefore an "Accept" directive cannot "resuscitate" a request which had been vetoed by a content policy (either ABP or NoScript itself), because the request never got created and therefore never reached ABE.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
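The two-stage flow Giorgio describes, as an added toy model (not NoScript's or ABE's own code): stage 1 is a content policy that can veto a request before any request object exists, stage 2 is an ABE-style "Site / Accept from / Deny" evaluator that only ever sees requests which survived stage 1. The rule-matching semantics (fnmatch-style host patterns, bare domains matching their subdomains, first matching Site wins) and the hosts and URLs are my assumptions for illustration; the `*@` prefix from the first post is NoScript's blocked-object menu notation and is not modelled here.

```python
"""Toy model of the NoScript + ABE pipeline (constructed example, not NoScript code).

Stage 1: content policies (NoScript's object/script/frame blocking) run first
         and can veto before a request object exists.
Stage 2: request observers (ABE rules) run only on requests that passed stage 1.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class Request:
    url: str       # resource being fetched
    origin: str    # page that initiated the fetch
    kind: str      # "object" (plugin/attachment helper), "script", "frame", ...


@dataclass
class AbeRule:
    sites: List[str]          # patterns on the "Site" line (assumed fnmatch syntax)
    accept_from: List[str]    # origin patterns on the "Accept from" line
    deny_rest: bool = True    # trailing "Deny"


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def host_matches(pattern: str, host: str) -> bool:
    # Assumption: a bare domain also matches its subdomains, like ABE's ".domain" idiom.
    return fnmatch(host, pattern) or host == pattern or host.endswith("." + pattern)


def content_policy(req: Request, allowed_object_hosts: List[str]) -> Optional[str]:
    """Stage 1 (simplified): veto plugin/object loads from hosts not allowed by the user."""
    if req.kind == "object" and not any(host_matches(p, host_of(req.url)) for p in allowed_object_hosts):
        return "vetoed-by-content-policy"   # no request object is ever created
    return None


def abe(req: Request, rules: List[AbeRule]) -> str:
    """Stage 2: first Site rule matching the destination decides."""
    dest, origin = host_of(req.url), host_of(req.origin)
    for rule in rules:
        if any(host_matches(p, dest) or fnmatch(req.url, p) for p in rule.sites):
            if any(host_matches(p, origin) for p in rule.accept_from):
                return "accepted-by-abe"
            if rule.deny_rest:
                return "denied-by-abe"
    return "no-abe-rule"


def process(req: Request, allowed_object_hosts: List[str], rules: List[AbeRule]) -> str:
    verdict = content_policy(req, allowed_object_hosts)
    if verdict is not None:
        return verdict            # ABE never sees a request that was vetoed here
    return abe(req, rules)


# Constructed rule mirroring the intent of the first post's wildcard attempt.
RULES = [AbeRule(sites=["attach.*.mail.yahoo.com"], accept_from=["mail.yahoo.com"])]


def demo() -> Dict[str, str]:
    upload = Request("http://attach.re3.mail.yahoo.com/upload",
                     "http://mail.yahoo.com/inbox", "object")
    cross_site = Request("http://attach.re3.mail.yahoo.com/upload",
                         "http://evil.example/", "object")
    return {
        # Object host not allowed in NoScript: stage 1 vetoes, ABE's Accept is irrelevant.
        "object_not_allowed": process(upload, [], RULES),
        # Object host allowed: the request exists, and ABE accepts it from mail.yahoo.com.
        "object_allowed": process(upload, ["*.yahoo.com"], RULES),
        # Same destination reached from a third-party origin: ABE's Deny applies.
        "cross_site": process(cross_site, ["*.yahoo.com"], RULES),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

The point of the model is the first case: an ABE "Accept" cannot help while the object is still vetoed in stage 1, which is why allowing the object in NoScript's menu (stage 1) has to come before any ABE rule can matter.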
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Can ABE allow sub-objects, too?

Post by Tom T. »

Thanks, Giorgio, I understand the Big Picture *much* better now. So, this Yahoo annoyance will have to wait for Site-Specific Policy implementation, correct? -- no way to permanently allow the attachment sub-objects At This Time.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard