How to turn off Sandbox

Discussions about the Application Boundaries Enforcer (ABE) module
Guest

How to turn off Sandbox

Post by Guest » Fri Jun 17, 2016 5:00 pm

I am trying to allow only css and images.

I have this for now:

#Site ALL
#Sandbox

Site ...
Accept from ....
Deny

Site ALL
Accept from SELF++
Deny INC
Accept INC(IMAGE, CSS) from ALL
Accept INC(SCRIPT) from ......
#Sandbox

I am not sure maybe my ABE is wrong, but it seems that I can only block with Sandbox, but i can't unblock it for some websites sites. What i like to have is to block inline-scripts and scripts for all websites and later allow it for some sites. Is this possible with ABE or can this only be done via noscript?
Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to turn off Sandbox

Post by barbaz » Fri Jun 17, 2016 5:09 pm

It's possible with ABE but why are you trying to do it with ABE?
*Always* check the changelogs BEFORE updating that important software!
-

Guest

Re: How to turn off Sandbox

Post by Guest » Sat Jun 18, 2016 8:19 am

Hi, i am trying to replace Privoxy with uBlock or uMatrix or a mix of noscript with uMatrix and a cookie blocker. Privoxy and uBlock can handle scripts and inline-scripts (for http only) but uBlock can. So it is only a try.

How can i unblock Sandbox?
Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to turn off Sandbox

Post by barbaz » Sat Jun 18, 2016 4:48 pm

OK, I think I see what you're trying to do. I'll post how to do exactly what you're asking, then what I'd recommend, and leave you to decide what you'd prefer.

This is how I would write ABE rule to accomplish that:

Code: Select all

Site <your_unblocked_sites>
Accept

Site ALL
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox

You might also want to put it separate from SYSTEM and USER, so that you keep this separate from your other uses of ABE:
about:config > right-click > new > string
name: noscript.ABE.rulesets.SCRIPTBLOCK
value: #

Then open NoScript Options and edit the SCRIPTBLOCK ruleset in ABE.


As for what I'd recommend that you do:
Install all 3 of uBlock Origin (*not* ublock!), µMatrix, and NoScript. Leave most of the script-blocking to NoScript, it uses script-blocked status of sites to fine-tune some of its "under-the-hood" features. Some good advice about setting up µMatrix alongside NoScript here: viewtopic.php?f=18&t=20815
Mostly use uBlock Origin for subscription-based blocking and your personal fine-tuning of blocking (uBlock Origin is the only of the 3 addons that can filter by path and not just entire sites/domains/protocols), but you can use host files in µMatrix too if you want.
µMatrix is a nice way to fine-tune NoScript's permissions, or generally set any sorts of per-site permissions. I personally also like it for (i)frame blocking.
If you want to use cookie blocking in µMatrix, make sure to install a version that has the fix for this: viewtopic.php?f=10&t=21926
Plus, where these addons overlap you can have defense-in-depth if you want.
There's some discussion of this sort of setup in viewtopic.php?f=8&t=21685 as well.

Hope this helps.
*Always* check the changelogs BEFORE updating that important software!
-

Guest

Re: How to turn off Sandbox

Post by Guest » Thu Aug 04, 2016 12:32 pm

barbaz wrote:

Code: Select all

Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox



What is MEDIA?

MEDIA is not mentioned in abe_rules.pdf.

Valid types are
SCRIPT
,
CSS
,
IMAGE
,
OBJ
(plugin objects and sub-requests from plugin
objects),
OBJSUB
(just sub-request from plugin objects),
SUBDOC
(subdocuments, i.e.
documents loaded in frames and iframes),
XBL
,
PING
,
XHR
,
DTD
and
OTHER
.
ABE
Rules Syntax and Capabilities v. 1.0.1
p.
4
/
7
Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to turn off Sandbox

Post by barbaz » Thu Aug 04, 2016 4:40 pm

Guest wrote:What is MEDIA?

HTML5 audio/video.

Guest wrote:MEDIA is not mentioned in abe_rules.pdf.

Nice catch. Neither is FONT mentioned, for that matter.
Giorgio will probably see this thread and fix it, but if not I'll let him know.

On a side note, ABE invalidates rulesets where an invalid type is given to INC.
*Always* check the changelogs BEFORE updating that important software!
-

Post Reply