Help understanding SELF and INCLUSION

Discussions about the Application Boundaries Enforcer (ABE) module
tarjk
Junior Member
Posts: 40
Joined: Tue Apr 01, 2014 12:28 pm

Help understanding SELF and INCLUSION

Post by tarjk » Mon Feb 23, 2015 12:23 pm

# as I understand, these rules are functionally the same. Why use one over the other? (Is it just personal preference?)

Code: Select all

Site www.google.com
Accept from SELF+
Deny


Code: Select all

Site www.google.com
Accept from www.google.com
Deny


# Do I understand INCLUSION correctly? Does this rule allow www.site1.com to send a request to www.google.com but blocks all active content in the material sent back from the request?

Code: Select all

Site www.google.com
Accept from www.site1.com
Deny INCLUSION


# And this rule prevents www.site1.com from even sending the request to www.google.com?

Code: Select all

Site www.google.com
Accept from www.site1.com
Deny


# this rule allows site1.com domains to send requests to the host www.google.com, allowing all active content in the material returned except javascript and iFrames (subdocuments).

Code: Select all

Site www.google.com
Accept from .site1.com
Deny INCLUSION(SCRIPT, SUBDOC)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0

barbaz
Senior Member
Posts: 9147
Joined: Sat Aug 03, 2013 5:45 pm

Re: Help understanding SELF and INCLUSION

Post by barbaz » Mon Feb 23, 2015 5:44 pm

tarjk wrote:# as I understand, these rules are functionally the same. Why use one over the other? (Is it just personal preference?)

Code: Select all

Site www.google.com
Accept from SELF+
Deny


Code: Select all

Site www.google.com
Accept from www.google.com
Deny

Those rules are functionally the same, yes. However, these are not:

Code: Select all

Site www.google.com forums.informaction.com
Accept from SELF+
Deny


Code: Select all

Site www.google.com forums.informaction.com
Accept from www.google.com forums.informaction.com
Deny


The first is equivalent to

Code: Select all

Site www.google.com
Accept from www.google.com
Deny

Site forums.informaction.com
Accept from forums.informaction.com
Deny


tarjk wrote:# Do I understand INCLUSION correctly? Does this rule allow www.site1.com to send a request to www.google.com but blocks all active content in the material sent back from the request?

Code: Select all

Site www.google.com
Accept from www.site1.com
Deny INCLUSION


# And this rule prevents www.site1.com from even sending the request to www.google.com?

Code: Select all

Site www.google.com
Accept from www.site1.com
Deny


# this rule allows site1.com domains to send requests to the host www.google.com, allowing all active content in the material returned except javascript and iFrames (subdocuments).

Code: Select all

Site www.google.com
Accept from .site1.com
Deny INCLUSION(SCRIPT, SUBDOC)

INCLUSION is not about active content, it's about "not top level load", meaning not something you would see in the address bar.
You're confusing it with the Sandbox directive, because Deny INCLUSION can be coupled with Sandbox to emulate NoScript's active content blocking.

The first quoted rule would make non-top-level loads from Google allowed *only* if the page attempting the loads is on www.site1.com. You're even blocking google loads on google itself. If Google image result previews were served to you from www.google.com, that rule would make Google image search unusably broken.

The second blocks all links and redirections to google as well (except those on www.site1.com), thus breaking all Google searches.

The third blocks js files and iframes from google everywhere except for all subdomains of site1.com (and site1.com itself).


Hope that helps.
*Always* check the changelogs BEFORE updating that important software!
-

tarjk
Junior Member
Posts: 40
Joined: Tue Apr 01, 2014 12:28 pm

Re: Help understanding SELF and INCLUSION

Post by tarjk » Wed Feb 25, 2015 1:32 pm

barbaz wrote:

Code: Select all

Site www.google.com
Accept from www.site1.com
Deny

blocks all links and redirections to google ... (except those on www.site1.com)

So if a request is sent to www.google.com from www.site1.com, it will be allowed, correct? Requests from all hosts to www.google.com will be denied except if the requesting host is www.site1.com.

barbaz wrote:

Code: Select all

Site www.google.com
Accept from www.site1.com
Deny INCLUSION

would make non-top-level loads from Google allowed *only* if the page attempting the loads is on www.site1.com.

So in this example, a request to www.google.com from www.site1.com will be denied if www.site1.com is the domain/host that appears in the addressbar?

But if I am at XYZ.com and a request to www.google.com is sent from www.site1.com, the request would be allowed?

If I am at XYZ.com, why would a request from www.site1.com be sent? I guess I'm not understanding what is meant by "not top level load." If I'm at XYZ.com, I see XYZ in the address bar. So what would cause a request to go to Google from www.site1.com if I am on an XYZ webpage? Can you example this out? INCLUSION is saying to let the request go through when www.site1.com is the originator of the request but it is also not the domain/host that appears in the addressbar?

Thank you so much for your help!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0

barbaz
Senior Member
Posts: 9147
Joined: Sat Aug 03, 2013 5:45 pm

Re: Help understanding SELF and INCLUSION

Post by barbaz » Wed Feb 25, 2015 9:16 pm

Please check "Do not automatically parse URLs" when posting example domains starting with "www.", otherwise the board linkifies them. Thanks.
(I've fixed your prior post.)

tarjk wrote:So if a request is sent to www.google.com from www.site1.com, it will be allowed, correct? Requests from all hosts to www.google.com will be denied except if the requesting host is www.site1.com.

Correct.

tarjk wrote:
barbaz wrote:

Code: Select all

Site www.google.com
Accept from www.site1.com
Deny INCLUSION

would make non-top-level loads from Google allowed *only* if the page attempting the loads is on www.site1.com.

So in this example, a request to www.google.com from www.site1.com will be denied if www.site1.com is the domain/host that appears in the addressbar?

No, request to www.google.com will be denied if the request isn't what you see in the address bar, except that request to www.google.com will *always* be allowed if the request is from a page on www.site1.com

tarjk wrote:But if I am at XYZ.com and a request to www.google.com is sent from www.site1.com, the request would be allowed?

Yes.

tarjk wrote:If I am at XYZ.com, why would a request from www.site1.com be sent?

Lots of reasons.. probably the simplest is if www.site1.com is in an iframe on XYZ.com?

tarjk wrote:I guess I'm not understanding what is meant by "not top level load." If I'm at XYZ.com, I see XYZ in the address bar. So what would cause a request to go to Google from www.site1.com if I am on an XYZ webpage? Can you example this out? INCLUSION is saying to let the request go through when www.site1.com is the originator of the request but it is also not the domain/host that appears in the addressbar?

Sorry, I'm oversimplifying by saying "in the address bar" (I'm not always good at explaining things).
INCLUSION means "something included by a page" - that includes external JS files, external CSS files, images, (i)frames, and embedded Flash. However redirections and links are not INCLUSIONs, nor is anything you type in the address bar or a browser background load.
Is that clearer?

If you're on XYZ webpage, XYZ could embed www.site1.com/some/page.htm in an iframe, and that www.site1.com page could request www.google.com/jsapi (real google URL). There the google URL is an INCLUSION of www.site1.com.

(I actually have no idea what happens if you click a link inside an IFRAME that points to a site that ABE will only/always Deny INCLUSION. If you want me to test it out and get back to you let me know.)
*Always* check the changelogs BEFORE updating that important software!
-

Phil

Re: Help understanding SELF and INCLUSION

Post by Phil » Sat Nov 14, 2015 5:21 am

FWIW, I think this information about what is meant by "top-level load" would be of tremendous value in the documentation; either in https://noscript.net/abe/abe_rules.pdf or https://noscript.net/abe/users.html
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0

barbaz
Senior Member
Posts: 9147
Joined: Sat Aug 03, 2013 5:45 pm

Re: Help understanding SELF and INCLUSION

Post by barbaz » Sat Nov 14, 2015 6:14 pm

Phil wrote:FWIW, I think this information about what is meant by "top-level load" would be of tremendous value in the documentation; either in https://noscript.net/abe/abe_rules.pdf or https://noscript.net/abe/users.html

Sure, but I think my convoluted explanation will just confuse some people. Can you please suggest a better way to explain it that isn't too long?
*Always* check the changelogs BEFORE updating that important software!
-

Post Reply