ABE rules triggering messages for some rules

Discussions about the Application Boundaries Enforcer (ABE) module
access2godzilla
Senior Member
Posts: 109
Joined: Sun May 20, 2012 5:09 pm

ABE rules triggering messages for some rules

Post by access2godzilla » Fri Jan 17, 2014 11:03 am

I have the following rules in ABE:

Code: Select all

Site .googlesyndication.com .google-analytics.com .adzerk.net .scorecardreasearch.com cdn-careers.sstatic.net .quantserve.com .chartbeat.com .2mdn.net .revsci.net .criteo.com .krxd.net .amazon-adsystem.com .doubleclick.net .adobetag.com .fbcdn.net .peer39.net demdex.net .adsonar.com .crwdcntrl.com .2o7.net .omtrdc.net .troveread.com .mathtag.com .parsely.com
Deny

Site .reddit.com .stumbleupon.com .twitter.com
Accept from SELF
Deny

Site .google.com
Accept from .youtube.com .blogspot.com
Accept from SELF
Deny


On this page: http://arstechnica.com/information-technology/2014/01/bitrot-and-atomic-cows-inside-next-gen-filesystems/ , if I scroll down to the end, I get this:

Code: Select all

Request {GET hxxp://www. reddit. com / static/ button /button3. html ? (snipped due to spam filter) - 7} filtered by ABE: < .reddit.com .stumbleupon.com .twitter.com> Deny


I know that I can turn off ABE notifications, but why does this specific rule generate a message?
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140116 Firefox/24.0 PaleMoon/24.2.2

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: ABE rules triggering messages for some rules

Post by Thrawn » Fri Jan 17, 2014 11:43 am

Can you send the whole message to a moderator via private message?

The second rule restricts reddit to receive requests only from itself, which may be your problem.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0

access2godzilla
Senior Member
Posts: 109
Joined: Sun May 20, 2012 5:09 pm

Re: ABE rules triggering messages for some rules

Post by access2godzilla » Sat Jan 18, 2014 4:50 pm

Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140116 Firefox/24.0 PaleMoon/24.2.2

barbaz
Senior Member
Posts: 9094
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE rules triggering messages for some rules

Post by barbaz » Sat Jan 18, 2014 5:12 pm

Script permission status of those sites?
Could you please post also the messages in the Browser Console?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26a1

access2godzilla
Senior Member
Posts: 109
Joined: Sun May 20, 2012 5:09 pm

Re: ABE rules triggering messages for some rules

Post by access2godzilla » Sun Jan 19, 2014 11:41 am

Scripts globally allowed, no sites in untrusted. All other settings are same as the defaults.

I can't post anything from the browser console here due to the spam filter, but the general structure is:

Code: Select all

[ABE] <<site>> <action> on {<request type> <url> <<< <document> - <number>}
USER rule:
<ruleset>

To see what is actually generated, you can put in my rules.

Just to clarify, my question is, why would some specific rules generate a message while others do not?
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0

barbaz
Senior Member
Posts: 9094
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE rules triggering messages for some rules

Post by barbaz » Sun Jan 19, 2014 3:07 pm

OK, reproduced. Unfortunately the washingtonpost message got lost, but here's the reddit one with irrelevant parts snipped:

Code: Select all

[ABE] <.reddit.com .stumbleupon.com .twitter.com> Deny on {GET http://www.reddit.com/ [ ETC ] <<< (snip) arstechnica (snip) - 7}
USER rule:
Site .reddit.com .stumbleupon.com .twitter.com
Accept from SELF
Deny


Note the number 7:
https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIContentPolicy wrote:TYPE_SUBDOCUMENT 7 Indicates a document contained within another document (for example, IFRAMEs, FRAMES, and OBJECTs).

Looks like the notification is firing for iframes, even though it's not supposed to: (emphasis added by me)
http://noscript.net/abe/users.html wrote:If ACTION is Deny and the blocked request is targeted to a *top-level* window, an user-facing notification is also issued, with an Options button which lands directly in the ABE configuration panel.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26a1

User avatar
SeanM
Junior Member
Posts: 44
Joined: Fri Jul 24, 2009 1:42 pm
Location: Upstate, New York USA
Contact:

Re: ABE rules triggering messages for some rules

Post by SeanM » Sat Apr 19, 2014 8:34 pm

While tinkering with doubleclick.net in ABE, I ran into the subject matter of this thread. To wit, the following is displayed at the top of the display:

Code: Select all

[ABE] <.doubleclick.net> Deny on {GET http://3687047.fls.doubleclick.net/activityi;src=3687047;type=retar754;cat=retar424;ord=1856690113655.9634? <<< http://www.classmates.com/places/school/West-High-School/25?startYear=1963&endYear=1969&type=registration - 7} filtered by ABE: <.doubleclick,net> Deny


The associated USER rule:

Code: Select all

Site .doubleclick.net
Accept from SELF++
Accept from *.last.fm
Accept from .americanexpress.com
Accept from .nysaves.org
Accept from .pandora.com
Deny


I have checked "iFrame" under "Embeddings". After I parsed out the message (above), I added "Deny INCLUSION" to the ABE rule, to read:

Code: Select all

Site .doubleclick.net
Accept from SELF++
Accept from *.last.fm
Accept from .americanexpress.com
Accept from .nysaves.org
Accept from .pandora.com
Deny INCLUSION
Deny


The message to the display no longer appears, rather logs correctly (and only) to the Error Console. Is the behavior correct, or is NoScript diplaying the error regardless of the "Notifications" settings ?
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0

barbaz
Senior Member
Posts: 9094
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE rules triggering messages for some rules

Post by barbaz » Mon Apr 21, 2014 7:48 pm

SeanM wrote:I have checked "iFrame" under "Embeddings".

Apparently, this bug also applies to <frame> elements.

SeanM wrote:The message to the display no longer appears, rather logs correctly (and only) to the Error Console. Is the behavior correct, or is NoScript diplaying the error regardless of the "Notifications" settings ?

NoScript does correctly obey the ABE notification setting. The problem is that it's not correctly identifying whether a window is top-level, so it's erroneously firing the notification.
I suppose what's going on might be that when it's hitting "Deny INC", it *knows* that the blocked resource isn't displayed as a top-level window, so it doesn't fire the notification.


(Side note: For performance reasons, I suggest you edit your ABE rule to look like this:

Code: Select all

Site .doubleclick.net
Accept from SELF++
Accept from *.last.fm .americanexpress.com .nysaves.org .pandora.com
Deny INCLUSION
Deny
)
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 SeaMonkey/2.28a1

User avatar
Giorgio Maone
Site Admin
Posts: 8694
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: ABE rules triggering messages for some rules

Post by Giorgio Maone » Tue Apr 22, 2014 8:20 am

barbaz wrote: The problem is that it's not correctly identifying whether a window is top-level, so it's erroneously firing the notification.
I suppose what's going on might be that when it's hitting "Deny INC", it *knows* that the blocked resource isn't displayed as a top-level window, so it doesn't fire the notification.

Investigating, thanks.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0

Guest

Re: ABE rules triggering messages for some rules

Post by Guest » Thu May 01, 2014 2:50 am

(Side note: For performance reasons, I suggest you edit your ABE rule to look like this:

Code: Select all
Site .doubleclick.net
Accept from SELF++
Accept from *.last.fm .americanexpress.com .nysaves.org .pandora.com
Deny INCLUSION
Deny

And what this?

Code: Select all

Site .doubleclick.net
    Accept from SELF++
    *.last.fm .americanexpress.com .nysaves.org .pandora.com
    Deny INCLUSION
    Deny
Mozilla/5.0 (Windows NT 6.0; rv:28.0) Gecko/20100101 Firefox/28.0

Post Reply