ABE Sandbox action and same-site (i)frames

Guest

ABE Sandbox action and same-site (i)frames

Post by Guest »

Currently the ABE Sandbox action breaks many web pages because it indiscriminately blocks all frames and iframes, even those loading content from the same site as their parent.
Is there a security reason for this behaviour? Otherwise, a configuration option to allow same-site (i)frames would make ABE Sandbox rules much more useful.
therube
Ambassador
Posts: 7991
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: ABE Sandbox action and same-site (i)frames

Post by therube »

Particular sites where this happens?
Particular rules that you are using?
Guest

Re: ABE Sandbox action and same-site (i)frames

Post by Guest »

therube wrote: Particular sites where this happens?
http://krautchan.net/
therube wrote: Particular rules that you are using?
Site krautchan.net
Sandbox

krautchan.net is just an example - any ABE sandboxed frameset page will appear empty, frame content source doesn't matter.
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: ABE Sandbox action and same-site (i)frames

Post by Thrawn »

I'm thinking that Sandbox was probably intended originally as an XSS defence. In which case, the site is potentially compromised and scripts coming from it shouldn't be automatically trusted.
Guest

Re: ABE Sandbox action and same-site (i)frames

Post by Guest »

Thrawn wrote: I'm thinking that Sandbox was probably intended originally as an XSS defence. In which case, the site is potentially compromised and scripts coming from it shouldn't be automatically trusted.
Sandbox filtering scripts and other active content - including third-party (i)frames - is reasonable, but blocking content from the same site just because it would load in an (i)frame doesn't make sense to me.
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: ABE Sandbox action and same-site (i)frames

Post by Thrawn »

Do you understand the idea of cross-site scripting?
Guest

Re: ABE Sandbox action and same-site (i)frames

Post by Guest »

Thrawn wrote: Do you understand the idea of cross-site scripting?
So the best solution would be an about:config preference similar to noscript.forbidIFramesContext but for the ABE Sandbox.
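To make the distinction the thread argues about concrete, here is an added example (not NoScript or ABE code, and not how ABE actually evaluates rules) that classifies a frame load as same-origin, same-site or cross-site relative to its parent and then applies a hypothetical "Sandbox" model with and without the proposed same-site exception. The public-suffix list is a constructed, deliberately tiny stand-in for the real one, and `sandbox_allows_frame` is an assumed name for the proposed preference.

```python
from urllib.parse import urlsplit

# Constructed, minimal stand-in for the public suffix list; the real one is far larger.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host):
    """Return the 'site' (eTLD+1) of a host using the constructed suffix list."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def origin(url):
    """Origin tuple (scheme, host, port) as used by the same-origin policy."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, port)


def classify(parent_url, frame_url):
    """Relation of a framed document to its parent document."""
    if origin(parent_url) == origin(frame_url):
        return "same-origin"
    parent_site = registrable_domain(urlsplit(parent_url).hostname)
    frame_site = registrable_domain(urlsplit(frame_url).hostname)
    return "same-site" if parent_site == frame_site else "cross-site"


def sandbox_allows_frame(parent_url, frame_url, allow_same_site=False):
    """Hypothetical policy model (not ABE's real logic):
    with allow_same_site=False every frame is blocked, as the thread describes;
    with allow_same_site=True only cross-site frames are blocked.
    Note the XSS caveat from the thread: a same-site frame still carries content
    from the very site that may be compromised, so this exception widens exposure."""
    if not allow_same_site:
        return False
    return classify(parent_url, frame_url) in ("same-origin", "same-site")
```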