What does "Sandbox" actually do?

Discussions about the Application Boundaries Enforcer (ABE) module
johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

What does "Sandbox" actually do?

Post by johnscript » Thu Jan 26, 2017 11:16 am

The ABE manual says:

Sandbox – sends the requests as it is, but disables JavaScript and other active content (e.g.
plugin embeddings) in the landing page


would this mean that Javascript will be actually disabled on every website for which I've applied a sandbox rule, even when allowing that website from NoScript' s icon ?

It is my understanding that ABE rules should be overriding NoScript permssions set from the GUI, so if I have such a rule

Code: Select all

Site ^https?://.*youtube\.com
Sandbox INC (IMAGE,CSS,SCRIPT,OBJ,XHR) from SELF++
Deny INC SUB
Sandbox GET from SELF++
Deny


I would expect youtube not being able to run scripts, and therefore quite broken... yet if I allow it from the menu icon (along with ytimg.com and other youtube domains) I can indeed see videos in HTML5.

I'm not considering plugins simply because I'm not using any, but as far as scripts go, I would say that ABE isn't actually blocking them with a sandboxing rule : I think I got this wrong, because if I were right, by now other people would have noticed that sandboxing doesn't do what it's supposed to do...

Am I misunderstanding that quote from the ABE pdf manual?
Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: What does "Sandbox" actually do?

Post by barbaz » Thu Jan 26, 2017 6:14 pm

Read this - viewtopic.php?f=23&t=18144 and let us know if you have further questions. :)
*Always* check the changelogs BEFORE updating that important software!
-

johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Re: What does "Sandbox" actually do?

Post by johnscript » Sat Jan 28, 2017 4:04 pm

I may have indeed more questions, and I apologize in advance if I'm misunderstanding how the ABE machinery really works (it's really complicated IMO, but worth learning)...

As Giorgio clearly states in the thread you've linked, Sandbox INC isn't worth using because sandboxing rules are not actually applied to inclusions : it is unfortunately still not clear to me, however, what does he mean with "landing page" .

In the example I've posted, leaving now the INC rules aside, wouldn't that Sandbox GET from SELF++ rule still disable JavaScript and other active content on youtube?
Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: What does "Sandbox" actually do?

Post by barbaz » Sat Jan 28, 2017 5:45 pm

johnscript wrote: it is unfortunately still not clear to me, however, what does he mean with "landing page" .

Sandbox only affects stuff that A) is rendered by the browser, and B) can contain, embed, and run active content. IOW, basically documents that can contain script tags etc, directly loaded in a browser window or (i)frame.

To help clarify why it doesn't affect a script itself, paste this in your address bar -

Code: Select all

https://forums.informaction.com/styles/prosilver/template/styleswitcher.js

... and see what happens. The script will be displayed as plain text. It will not be run.

Plugin content is not affected because it's rendered by the plugin, not the browser itself.

johnscript wrote:In the example I've posted, leaving now the INC rules aside, wouldn't that Sandbox GET from SELF++ rule still disable JavaScript and other active content on youtube?

How are you accessing Youtube?
*Always* check the changelogs BEFORE updating that important software!
-

johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Re: What does "Sandbox" actually do?

Post by johnscript » Thu Feb 02, 2017 9:52 pm

I'm accessing youtube normally with Firefox, no plugins or other players are involved: however, between the sandboxing issue in 2.9.5.2 and recent changes in youtube, I may have to look further into this to be sure.

My first impression was that something like

Code: Select all

Site .googlevideo.com ^https?://.*ytimg\.com
Anon from chrome: moz-nullprincipal:
Anon INC from SELF++ ^https?://.*youtube\.com.*  moz-nullprincipal:
Deny INC SUB
Anon GET from SELF++ moz-nullprincipal:

Site ^https?://.*youtube\.com
Anon from chrome: moz-nullprincipal:
Anon INC (CSS,IMAGE,OBJ,SCRIPT,XHR,DTD,MEDIA) from SELF++ .googlevideo.com .ytimg.com moz-nullprincipal:
Deny INC SUB
Sandbox GET from SELF++ .googlevideo.com .ytimg.com moz-nullprincipal:
Deny

would still work, even with that last sandbox rule in place, but I'm not 100% sure as of now.
Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: What does "Sandbox" actually do?

Post by barbaz » Thu Feb 02, 2017 11:32 pm

johnscript wrote:I'm accessing youtube normally with Firefox,

Are you clicking links on Youtube, clicking links on another site (if so which), typing in the URL bar, accessing through bookmarks,...?
*Always* check the changelogs BEFORE updating that important software!
-

johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Re: What does "Sandbox" actually do?

Post by johnscript » Sun Feb 05, 2017 7:47 pm

Tipically, starting from a bookmark either accessed from the bookmarks sidebar or the url bar directly, and then using the search box on youtube itself : after more investigation, I'd definitely say that these rules (which should IMO sandbox youtube.com and googlevideo.com )

Code: Select all

Site .googlevideo.com ^https?://.*ytimg\.com
Anon from chrome: moz-nullprincipal:
Anon INC (CSS,IMAGE,OBJ,SCRIPT,XHR,MEDIA,DTD,SUBDOC)  from SELF++ ^https?://.*youtube\.com.*  moz-nullprincipal:
Deny INC SUB
Sandbox GET from SELF++ moz-nullprincipal:
Deny

Site ^https?://.*youtube\.com
Anon  from chrome: moz-nullprincipal:
Anon INC (CSS,IMAGE,OBJ,SCRIPT,XHR,MEDIA) from SELF++ .googlevideo.com .ytimg.com moz-nullprincipal:
Deny INC SUB
Sandbox  GET from SELF++ .googlevideo.com .ytimg.com moz-nullprincipal:
Deny

in fact still allow youtube to run scripts and play videos, although much fiddling with reloading pages (sometimes more than once) and allowing the right frames (I 've also set forbidding frames and iframes in Embeddings) is required for it to work.

I know this kind of use is generally not recommended (Giorgio would probably call it "stretching ABE beyond its scope"), but I'm doing it mainly to understand how ABE really works : in this case for instance, it's not obvious to me why youtube still works with those sandboxing rules - I would have expected it to be unable to play videos because of scripts being blocked.


EDIT: on a related note, here and there on this forum I've seen references to MEDIA and FONT as valid types for INCLUSION, but they aren't really listed in the ABE rules specification : is maybe that document out of date in that regard?
Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: What does "Sandbox" actually do?

Post by barbaz » Sun Feb 05, 2017 8:34 pm

johnscript wrote:Tipically, starting from a bookmark either accessed from the bookmarks sidebar or the url bar directly,

Your ABE rules says "Anon from chrome: moz-nullprincipal:". So, it will Anon instead of Sandbox, and thus scripts will be allowed to run.

Also, for sites that aren't completely blocked by ABE, there is supposed to be an implicit Accept in effect for requests from the address bar, bookmarks, etc. But as you know, there's currently an ABE bug breaking this behavior in some cases.

johnscript wrote:and then using the search box on youtube itself

1) You are only sandboxing GET requests. A search could, in theory be using POST instead of GET. That search box is kinda blocked here, so I can't really check it.

2) Lately I've noticed Youtube doing something weird with navigation within their site. I think that when you click a link on Youtube to another Youtube video, it loads the link's content by AJAX, replaces what you see, and then uses some JS trick to change the URL in the address bar. I'm not sure what effect that'd have on ABE rules.


Anyway, let's remove the unnecessary complexity from your ruleset -

Code: Select all

Site .googlevideo.com .ytimg.com
Anon from chrome: moz-nullprincipal:
Anon INC (CSS,IMAGE,OBJ,SCRIPT,XHR,MEDIA,DTD,SUBDOC)  from .youtube.com .ytimg.com .googlevideo.com
Deny INC
Sandbox from .googlevideo.com .ytimg.com
Deny

Site .youtube.com
Anon  from chrome: moz-nullprincipal:
Anon INC (CSS,IMAGE,OBJ,SCRIPT,XHR,MEDIA) from .youtube.com .googlevideo.com .ytimg.com
Deny INC
Sandbox from .youtube.com .googlevideo.com .ytimg.com
Deny

What results do you get with that?
*Always* check the changelogs BEFORE updating that important software!
-

johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Re: What does "Sandbox" actually do?

Post by johnscript » Fri Feb 10, 2017 10:20 am

Thanks for your explanation: I really missed that the 2nd "Anon from chrome: moz-nullprincipal:" line in fact determined that all requests to youtube were going to be anonimized as opposed to sandboxed.

Truth to tell, this recent ABE behaviour (where you have to add chrome: and moz-nullprincipal: to some lines to get things working) is sometimes making harder for me to set rules correctly for what I have in mind.

Also, for sites that aren't completely blocked by ABE, there is supposed to be an implicit Accept in effect for requests from the address bar, bookmarks, etc


Is that always the case, or do some options in the GUI (e.g. unchecking "Allow sites opened through bookmarks") override such implicit rule?

You are only sandboxing GET requests. A search could, in theory be using POST instead of GET.


If I specify either Anon GET or Sandbox GET from a site and then end with a Deny rule, wouldn't I be blocking POST requests ?

Lastly, as for youtube doing something weird, thats's IMHO kind of an understatement : they are doing, as far as I can tell, all kind of tricks and experiments all the time... ABE (probably even NoScript itself) breaks a lot of that stuff - which may be a good thing after all, depending on what you are after.
Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: What does "Sandbox" actually do?

Post by barbaz » Fri Feb 10, 2017 4:47 pm

johnscript wrote: do some options in the GUI (e.g. unchecking "Allow sites opened through bookmarks") override such implicit rule?

I don't know of a way to override it in NoScript.

johnscript wrote:If I specify either Anon GET or Sandbox GET from a site and then end with a Deny rule, wouldn't I be blocking POST requests ?

Yes. But in this set of ABE rules, you are specifying Anon INC before that lot. I think if ABE sees the POST request as certain type of INC, it'll Anon instead of Deny.

johnscript wrote:Lastly, as for youtube doing something weird, thats's IMHO kind of an understatement : they are doing, as far as I can tell, all kind of tricks and experiments all the time... ABE (probably even NoScript itself) breaks a lot of that stuff - which may be a good thing after all, depending on what you are after.

Yeah, maybe Youtube isn't the best site to use for learning ABE.
*Always* check the changelogs BEFORE updating that important software!
-

Post Reply