ABE Blocks Bing.com

[therube]

ABE Blocks Bing.com


Starting here, http://www.bing.com/shopping/V7-D216W12 ... &FORM=ENCA
Select a "go to store", say Buy.com, http://www.bing.com/cashback/go?o=43537 ... FORM=GWCL2

With ABE enabled, processing gets stuck here, https://ssl.bing.com/cashback/go?FORM=G ... =435370622
Instead of loading (when ABE is disabled) this page, http://www.buy.com/prod/v7-d1711-17-lcd ... caid=17936

With ABE enabled, the page https://ssl.bing.com/cashback/go?FORM=GWCL... never finishes loading (transferring).


EDIT:

On the page ABE blocks, you may need to either enter your email/captcha or select the No thanks. I don't want cashback, take me to the store link.

Code: Select all

[ABE] <LOCAL> Deny on {GET https://0.r.msn.com/scripts/microsoft_adcenterconversion.js <<< https://ssl.bing.com/cashback/go?g=1&FORM=GWCL2&c=274173&cbst=1.2&msclkid=1ecfc3d0521140b5b6baa248c9a2bf01&mu=http%3A%2F%2Fclickfrom.buy.com%2Fdefault.asp%3Fadid%3D17936%26sURL%3Dhttp%3A%2F%2Fwww.buy.com%2Fprod%2Fv7-d1711-17-lcd-monitor-800-1-5ms-1280x1024-built-in-speakers-v7-d1711%2Fq%2Floc%2F101%2F206805396.html&o=435370622}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

Numerous guys like these too (this was in SeaMonkey 1.1.17, above from SeaMonkey 2):

Code: Select all

[NoScript HTTPS] AUTOMATIC SECURE on https://ssl.bing.com: refcookie=http%3A%2F%2Fwww.bing.com%2Fshopping%2FV7-D216W12-N6-Widescreen-LCD-Monitor%2Fsearch%3Fq%3D22%2522%2520lcd%2520monitor%26p1%3D%255bCommerceService%2Bscenario%253d%2522o%2522%2Bdocid%253d%25226C2886AFD63DC3E7BCB9%2522%2Bp%253d%2522df5c7f1ba4404c05b3f423c4e307eee6%2522%255d%26wf%3DCommerce%26FORM%3DENCA; domain=.bing.com; path=/cashback; Secure

---

[NoScript HTTPS] AUTOMATIC SECURE on https://ssl.bing.com: jellyfish=; domain=.bing.com; path=/cashback; Secure

---

[NoScript HTTPS] AUTOMATIC SECURE on https://ssl.bing.com: refcookie=https%3A%2F%2Fssl.bing.com%2Fcashback%2Fgo%3FFORM%3DGWCL2%26c%3D274173%26cbst%3D1.2%26msclkid%3Dfcd420e4d4c44113ac3b97d5a5ca4f2c%26mu%3Dhttp%253A%252F%252Fclickfrom.buy.com%252Fdefault.asp%253Fadid%253D17936%2526sURL%253Dhttp%253A%252F%252Fwww.buy.com%252Fprod%252Fv7-d1711-17-lcd-monitor-800-1-5ms-1280x1024-built-in-speakers-v7-d1711%252Fq%252Floc%252F101%252F206805396.html%26o%3D435370622; domain=.bing.com; path=/cashback; Secure

[Tom T.]

First off, you do realize that this is a *Microsoft* service, so expecting it to work correctly is unrealistic.
Expecting it to work with any browser other than IE = ditto. With NS, double ditto.
I don't have an account, so can't get to the secured part, but if ABE is blocking it, I would not be surprised if it turns out to be for a very good reason. Consider the source. ("source", get it? )

With that said, good luck in resolving it. My expectations are low -- either poor coding by MS (No!) or deliberate invasions of privacy, and probably security (or incompetent security practices.) Having seen the TV ads for this "service", I look forward to Giorgio's explanation of the issue. GL.

[Giorgio Maone]

It was an ABE bug involving LOCAL checks (in the SYSTEM ruleset). Fixed in 1.9.4 RC1.

[GµårÐïåñ]

First off, you do realize that this is a *Microsoft* service, so expecting it to work correctly is unrealistic.
Expecting it to work with any browser other than IE = ditto. With NS, double ditto.
I don't have an account, so can't get to the secured part, but if ABE is blocking it, I would not be surprised if it turns out to be for a very good reason. Consider the source. ("source", get it? )

With that said, good luck in resolving it. My expectations are low -- either poor coding by MS (No!) or deliberate invasions of privacy, and probably security (or incompetent security practices.) Having seen the TV ads for this "service", I look forward to Giorgio's explanation of the issue. GL.

Brother, I won't say that I don't have issues with Microsoft, but their Bing is a good algorithm and functions just fine. As Giorgio already addressed, it was a local policy ABE issue.

[therube]

In some instances I'm getting an XSS warning on Bing along with an unexpected message from Bing.

Sorry, we did not find any product results for this search.

I went through the steps above, Initially with everything blocked, opening each link in a new tab as I went along.

Starting here ...
"go to store" (in new tab)
"No thanks ..." (in new tab)

At that point, you have to Allow bing.com for it to proceed further.

If I then go back to the starting tab (the "Starting here" link above) & refresh the page, the XSS warning is generated.
(Originally when I went to Starting here, bing was not allowed. Now as I go back, bing.com is Allowed (though that particular page had not refreshed prior <noscript.autoReload.allTabs is false>), so now I attempt a manual refresh of the page, resulting in the XSS warning.)

Now I know all kinds of crap ends up on the URL line, but still it's unexpected.

Code: Select all

[NoScript XSS] Sanitized suspicious request. Original URL [http://www.bing.com/shopping/V7-D216W12-N6-Widescreen-LCD-Monitor/search?q=22%22%20lcd%20monitor&p1=%5bCommerceService+scenario%3d%22o%22+docid%3d%226C2886AFD63DC3E7BCB9%22+p%3d%22df5c7f1ba4404c05b3f423c4e307eee6%22%5d&wf=Commerce&FORM=ENCA] requested from [http://forums.informaction.com/viewtopic.php?f=7&t=1606]. Sanitized URL: [http://www.bing.com/shopping/V7-D216W12-N6-Widescreen-LCD-Monitor/search?q=22%22%20lcd%20monitor%22&p1=%20CommerceService+scenario%20%22o%22+docid%20%226C2886AFD63DC3E7BCB9%22+p%20%22df5c7f1ba4404c05b3f423c4e307eee6%22%20&wf=Commerce&FORM=ENCA#5044495543353136738].

[Giorgio Maone]

In some instances I'm getting an XSS warning on Bing along with an unexpected message from Bing.

Sorry, we did not find any product results for this search.

I went through the steps above, Initially with everything blocked, opening each link in a new tab as I went along.

If everything includes forums.informaction.com, then when you allowed bing.com the result to be expected because of the paranoid XSS filters applied to untrusted->trusted requests.

[therube]

I guess I should have made that more clear.

"everything" is (only) the default whitelist, Allowed, but otherwise "everything" else not allowed (by performing a Revoke Temporary Permissions).

hmm. I'll have to think about that again. Somewhere along the line I guess I must have blocked information.com for some reason? I'm adverse to doing a Reset in my main Profiles (where is that more granular control ) so if I happened to have have marked a site as Untrusted <or is it Forbidden> (neither option which I would use except for testing) & then forgotten to remove the block, I guess I could have ended up as I did?

[Tom T.]

Brother, I won't say that I don't have issues with Microsoft, but their Bing is a good algorithm and functions just fine. As Giorgio already addressed, it was a local policy ABE issue.

Well, I was having a little joke at MS's expense, not that they don't deserve it. Assuming therube's issue is determined also not to be the site's fault, then I guess I would owe MS an apology ... *this* time. In my own very humble opinion, although stuck with their OS for varied reasons not pertinent here, I use almost nothing else created by MS -- not IE, not Office, not the current WinMediaPlayer (6.4 is 1/10th the size, simpler, and safer), not .NET, not their firewall (although it's actually pretty good), certainly not MSN or their email. Just don't trust them. Neither does the EU, who is currently pressing to require MS to offer *other browsers* along with any OS install. You'll have a splash screen: Do you want to install Chrome, Firefox, Internet Explorer, Opera, or Safari? (or more than one). sorry. </rant>

[therube]

Just don't trust them. Neither does the EU

Trust has nothing to do with the reasons the EU is doing this.

[GµårÐïåñ]

Well, I was having a little joke at MS's expense, not that they don't deserve it. Assuming therube's issue is determined also not to be the site's fault, then I guess I would owe MS an apology ... *this* time. In my own very humble opinion, although stuck with their OS for varied reasons not pertinent here, I use almost nothing else created by MS -- not IE, not Office, not the current WinMediaPlayer (6.4 is 1/10th the size, simpler, and safer), not .NET, not their firewall (although it's actually pretty good), certainly not MSN or their email. Just don't trust them. Neither does the EU, who is currently pressing to require MS to offer *other browsers* along with any OS install. You'll have a splash screen: Do you want to install Chrome, Firefox, Internet Explorer, Opera, or Safari? (or more than one). sorry. </rant>

I know, hell who can resist, they are an easy target They are big enough to handle a dig, I just think we should keep hitting them when they actually do something wrong, otherwise what's their motivation to do anything right if all they get is knee jerk criticism and cannot expect anything else, you know?

Trust has nothing to do with the reasons the EU is doing this.

Agreed, the EU's issue with MS has nothing to do with the quality of their work, its more logistical and political and business driven. The lord of all decisions, MONEY.

[Tom T.]

Trust has nothing to do with the reasons the EU is doing this.

Agreed, the EU's issue with MS has nothing to do with the quality of their work, its more logistical and political and business driven. The lord of all decisions, MONEY.

It has to do with MS's monopolistic power gained through anti-competitive practices, which is pretty untrustworthy in itself, and with their abuse of that power, e. g. *forcing* the installation of IE with any MS OS. And IE *cannot* be uninstalled. (If you manually deleted all of its files, you would kill Windows Explorer and other things, and not be able to boot to Windows. That "tight integration with the OS" that has been discussed so much.) Since most OOB users use and trust the little blue e icon, MS is abusing that power and trust by providing what is arguably the least secure among all major browsers, with no information or incentive for Average User to look any further.

[GµårÐïåñ]

In all fairness though, IE8 in many ways surpasses Fx and Opera right now and they did a good job listening to what was missing and fixing it. To be honest, right now my loyalty to Fx is a matter of honor and principle and IE8 in our test environment has shown to be quite formidable. Its faster, its lighter, its better integrated and the features are plentiful without needing addons. Nothing breaks, everything loads fine and you don't have to go poor extension development conflict hunting every two days. Alot to be said about arriving late to the party but being the best at it. Fx is playing catchup right now and not all that well.

[Tom T.]

So are you saying that this IE issue blogged at Hackademix has been fixed, and that you're retracting your comment to it, which was the first comment to the post?

I echoed your statement about Fx playing catchup here. Cheers!

[GµårÐïåñ]

Yes it has been fixed and plus, I didn't say they are perfect, did I, by this logic anyone posting a bug with Mozilla is denouncing Fx? I said at the moment they are doing better than the competition. Fact is that they are dominating the browser market not just because they come preinstalled, its also that they don't have to constantly perform "standard diagnostics" every time a piece of crap extension is updated that screws everything else or the OSS model of free is used to justify, eh, we are doing it for free what the hell do you expect? You might recall the need to release 4 versions of Fx in 2-4 weeks because of a bug they couldn't fix without breaking something else. Hell NS fixed the issue before Fx did. Anyway.

[Tom T.]

Yes it has been fixed and plus, I didn't say they are perfect, did I, by this logic anyone posting a bug with Mozilla is denouncing Fx? I said at the moment they are doing better than the competition. Fact is that they are dominating the browser market not just because they come preinstalled, its also that they don't have to constantly perform "standard diagnostics" every time a piece of crap extension is updated that screws everything else or the OSS model of free is used to justify, eh, we are doing it for free what the hell do you expect? You might recall the need to release 4 versions of Fx in 2-4 weeks because of a bug they couldn't fix without breaking something else. Hell NS fixed the issue before Fx did. Anyway.

I don't believe that IE has the extensibility of Fx, and that that extensibility is a *huge* advantage of Fx, though like anything else, it can be misused. Installing crap extensions, or installing 50 or 100 extensions, that's your fault, not Fx's. IE does updates once each month, instead of when vulns are found, leaving you vulnerable for much longer than Fx (statistics to prove it), and it has always needed plenty of updating. As for the need of F3 to release 4 versions in 2-4 weeks, I don't recall it, because I made the personal choice to stick with the last version of F2, and so, no updates. Your criticisms of F3 here and elsewhere support my feeling that this was the right decision for me personally.