Document "Error Console" and the need to "Allow" ABE sites

Discussions about the Application Boundaries Enforcer (ABE) module
Phil

Post by Phil » Sat Nov 14, 2015 6:33 am

https://noscript.net/abe/users.html states that "Whenever a certain rule is matched, a message is logged in the browser's Error Console".

For a great many people, the console they are familiar with is the one in the developer tools available via F12 (either Firebug, or the suite which is nowadays built-in), and it's entirely unclear that those consoles are useless for seeing ABE messages!

Furthermore, even if you do open the required console with Ctrl-Shift-J, it *looks* identical to the console in the built-in developer tools, so one might even presume that they were simply different ways of viewing the same things, and not even test it. (I did test it, but I was certainly surprised to see the difference.)

This is very confusing when you are trying to learn how ABE works, and nothing you try produces any apparent log message. It would be very beneficial if you could update https://noscript.net/abe/users.html to explain both (a) that you get to the error console with either Ctrl-Shift-J or via the Tools -> Web Developer -> Browser Console menu items; and (b) that you MUST use this particular console, because other consoles will NOT show the messages in question.

The second critical point which could really use some highlighting on that page is the fact that ABE rules take second place to the normal NoScript blocking, and that you therefore must first "Allow" any Site covered by an ABE rule before that ABE rule will be processed.

Thanks!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0

barbaz
Senior Member
Posts: 9280
Joined: Sat Aug 03, 2013 5:45 pm

Re: Document "Error Console" and the need to "Allow" ABE sit

Post by barbaz » Sat Nov 14, 2015 6:12 pm

(You're actually the first person to express confusion about the consoles...)

Phil wrote: The second critical point which could really use some highlighting on that page is the fact that ABE rules take second place to the normal NoScript blocking, and that you therefore must first "Allow" any Site covered by an ABE rule before that ABE rule will be processed.

No, no, no, and no. This is not true and a VERY dangerous thing to add to the docs, as people will Allow things they don't need and things that are potentially malicious.
ABE is intended for blocking CSRF, which is completely unrelated to your idea that ABE is only useful for per-site script permissions.

And if an ABE rule in question doesn't touch the stuff script blocking would cover, and some ignorant user follows that advice... well, this :o :o.
*Always* check the changelogs BEFORE updating that important software!

Phil

Re: Document "Error Console" and the need to "Allow" ABE sit

Post by Phil » Sun Nov 15, 2015 4:47 am

Phil wrote: ABE rules take second place to the normal NoScript blocking, and that you therefore must first "Allow" any Site covered by an ABE rule before that ABE rule will be processed

barbaz wrote: This is not true

In which case I'm either mightily confused, or I've failed to communicate my meaning properly.

https://noscript.net/faq#qa8_10 states the following regarding a rule for "Site .google-analytics.com":
Notice that since ABE's rule work independently from NoScript's permissions, you need to "Allow google-analytics.com" in NoScript's menu for the above to work.
and a little further down the page, regarding a different rule:
Again, you will still need to allow those domains also from NoScript's permissions menu.

This matches my (brief) experience of writing ABE rules: Unless I have whitelisted the Site domain for the rule, my ABE rules for that Site are completely ignored, and NoScript simply blocks all requests to that Site as usual.

Perhaps my phrasing was not strictly accurate? ("take second place to" and "work independently from" are not the same thing). But it does seem to be the way this works in effect: You need to Allow a Site in order for your ABE rules to do anything.

Is that not actually true?

I do certainly understand that if people write bad ABE rules then Allowing a Site can leave them unprotected, but that just seems like information which should be provided alongside the information that they need to Allow the site if they wish to use ABE rules for it?

Unless I'm still wrong? (in which case I would greatly appreciate any clarification you can provide, and would suggest that the documentation could use the same).

Phil

Re: Document "Error Console" and the need to "Allow" ABE sit

Post by Phil » Sun Nov 15, 2015 9:08 am

Regarding the error console, perhaps the reason behind my problem is that the Error Console has been deprecated and replaced by two different things?

They now draw a distinction between the Web Console and the Browser Console.

It is the latter that people must use to see ABE messages, so I would suggest the documentation be updated to use the new "Browser Console" name, and to draw the distinction between the two console types, linking to those official pages.

barbaz

Re: Document "Error Console" and the need to "Allow" ABE sit

Post by barbaz » Sun Nov 15, 2015 1:37 pm


Not in SeaMonkey. But...

Phil wrote: I would suggest the documentation be updated to use the new "Browser Console" name, and to draw the distinction between the two console types, linking to those official pages.

... +1 to this request, because SeaMonkey users will almost certainly know what the "Browser Console (Ctrl-Shift-J)" means.
If there is any risk of confusion from that, both names can be used in the first mention, something like this
Browser Console (Error Console in SeaMonkey)

barbaz

Re: Document "Error Console" and the need to "Allow" ABE sit

Post by barbaz » Sun Nov 15, 2015 1:50 pm

Phil wrote:[...]
Unless I'm still wrong? (in which case I would greatly appreciate any clarification you can provide, and would suggest that the documentation could use the same).

Not "wrong" per se, but just not seeing the whole picture.
You are correct that ABE works completely independently of script blocking, and your wording to express that is good. Where you are misunderstanding is that script blocking is not capable of doing everything ABE does, and that ABE is not intended for per-site script permissions and as such is far more capable and powerful than that.

Script-blocking does not block images nor stylesheets nor iframes (the latter depending on user configuration). It also will not block clicked links or redirects to a script-blocked site (as ABE's Deny to a Site would).
Emulating script blocking with ABE would look something like this:

Site .somesi.te
Deny INCLUSION(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox

The FAQ version is simplified to make it not look too hairy for newbie users.
And you are correct that if using an ABE rule intended for per-site script blocking, it is needed to Allow the site in the script-blocking side of NoScript for the rule to be useful.

Again, ABE is broader than the functionality needed for per-site script permissions - it can block *all* types of requests, which is important for a CSRF blocker as CSRF can come in the form of any type of request to a "victim" resource.

Does that help?
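A simplified model of how the rule quoted in the post above would be evaluated for different request types, as an added example that is not part of the original thread and not NoScript's own code. It assumes predicates are tried in order with the first match deciding, and ignores origins and HTTP methods; `parseRules`, `siteMatches` and `decide` are hypothetical names.

```javascript
// Simplified model of ABE rule matching (added example, not NoScript's code).
// Assumptions: predicates are tried in order and the first match decides;
// only Site, Accept, Deny, Sandbox and INCLUSION(...) are handled, while
// origins ("from ...") and HTTP methods are ignored.
const RULES = `
Site .somesi.te
Deny INCLUSION(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox
`;

function parseRules(text) {
  const rules = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const site = line.match(/^Site\s+(.+)$/);
    if (site) {
      rules.push({ sites: site[1].split(/\s+/), predicates: [] });
      continue;
    }
    const pred = line.match(/^(Accept|Deny|Sandbox)(?:\s+INCLUSION\(([^)]*)\))?$/);
    if (!pred || rules.length === 0) throw new Error("unsupported line: " + line);
    const types = pred[2] === undefined ? null : pred[2].split(",").map((t) => t.trim());
    rules[rules.length - 1].predicates.push({ action: pred[1], types });
  }
  return rules;
}

// ".somesi.te" covers somesi.te and its subdomains; other patterns match exactly.
function siteMatches(pattern, host) {
  if (pattern.startsWith(".")) return host === pattern.slice(1) || host.endsWith(pattern);
  return host === pattern;
}

// request.inclusionType is null for a clicked link or redirect (not an inclusion).
function decide(rules, request) {
  for (const rule of rules) {
    if (!rule.sites.some((p) => siteMatches(p, request.host))) continue;
    for (const p of rule.predicates) {
      // A predicate without INCLUSION(...) matches every request to the site.
      if (p.types === null || p.types.includes(request.inclusionType)) return p.action;
    }
  }
  return "no rule matched";
}
```

In this model an image inclusion or a clicked link to the site falls through to `Sandbox`, while a host that merely ends in the same letters (such as `notsomesi.te`) is not covered by the rule.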

Phil

Re: Document "Error Console" and the need to "Allow" ABE sit

Post by Phil » Sun Nov 15, 2015 8:36 pm

Yes, that's tremendously helpful, thank you.

I think that some version of that explanation would be a great asset to the documentation.

I'm away for a few days, but would gladly help draft something for this later, if that would be useful (along with this, which is on my to-do list).
Last edited by barbaz on Sun Nov 15, 2015 8:52 pm, edited 1 time in total.
Reason: strip sid from internal forum link

barbaz

Re: Document "Error Console" and the need to "Allow" ABE sit

Post by barbaz » Sun Nov 15, 2015 9:06 pm

You're welcome, glad it helped.

Phil wrote: I think that some version of that explanation would be a great asset to the documentation.

I'm away for a few days, but would gladly help draft something for this later, if that would be useful

Well, the purpose of ABE is covered in the ABE FAQ, which you suggested linking w/ the docs ( viewtopic.php?f=23&t=21400 )

If you don't think the extra detail given above would confuse novice users, then it would be very helpful, thanks.

(Please note that what actually goes in the docs is completely up to Giorgio Maone. Once the drafts are ready one of us active Mods can notify him of these discussions.)
