[RESOLVED] NoScript breaks google desktop

[Morac]

The ABE feature is blocking all local traffic to Google and as such blocks Google Desktop's integration feature from working.

I managed to get it working by modifying the SYSTEM.abe file. I tried editing the USER.abe file, but it looks like the system one takes preference.

# Prevent Internet sites (except Google) from requesting LAN resources.
Site LOCAL
ACCEPT from http://www.google.com
Accept from LOCAL
Deny

[Giorgio Maone]

@Morac:
there's no surprise, as web->LAN requests are blocked by the "LocalRodeo" rule you modified.
You changed it correctly, but the following form is both more concise and faster at runtime:

Code: Select all

Site LOCAL
Accept LOCAL www.google.com
Deny

Also, if you can find a more specific rule by observing the notification it would be better, since otherwise I could theoretically (by using a fast-flux DNS) make Google index a CSRF attack of mine and direct the DNS to your LAN when it's browsed from a Google result.

[Morac]

Well I'm not sure exactly how to make the rule more specific exactly. Google Desktop does run on a specific port, which is randomly chosen when it is installed. Can the rules block incoming traffic except for specific ports?

[Giorgio Maone]

I'd like to see the exact ABE warning, in order to guess if the origin can be more restricted than the whole www.google.com.

[Morac]

The exact warning is (note I Xed out the port number and the unique "s" number just to be safe):

Code: Select all

[ABE] <LOCAL> Deny on {GET http://127.0.0.1:xxxx/search?q=test&num=2&s=XXXXXXXXXX&mode=onebox&cacheid=30 <<< http://www.google.com/search?q=test}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

As such I changed the rule to the following which seems to work:

Code: Select all

Site LOCAL
Accept LOCAL http://www.google.com/search
Deny

Technically Google Desktop still works by itself, but the injection of the local search results into the main Google search was being blocked.

[Giorgio Maone]

OK, then the wisest tweak is actually prepending the default rule with a more specific Accept one, i.e.:

Code: Select all

# Google Desktop exception.
Site ^http://127\.0\.0\.1:\d+/search\?q=
Accept from http://www.google.com/search?q=

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

[Morac]

Okay thanks.

[Reid Rankin]

Replacing the contents of SYSTEM.abe with

Code: Select all

# Google Desktop exception.
Site ^http://127\.0\.0\.1:\d+/search\?q=
Accept from http://www.google.com/search?q=

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

Gives me the following error:
line 3:42 no viable alternative at character '='

[Giorgio Maone]

Hrm, bug.
Use this, it's the same:

Code: Select all

# Google Desktop exception.
Site ^http://127\.0\.0\.1:\d+/search\?q
Accept from http://www.google.com/search?q

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

[Reid Rankin]

Works fine now.

[Morac]

Code: Select all

# Google Desktop exception.
Site ^http://127\.0\.0\.1:\d+/search\?q=
Accept from http://www.google.com/search?q=

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

I replaced SYSTEM.abe with this and I'm still getting deny messages. I'm not sure why though since it looks like the RegExp is correct.

Edit: It's working now. I had to restart Firefox for it to take effect. Is that how it's supposed to work?

[Giorgio Maone]

I replaced SYSTEM.abe with this and I'm still getting deny messages.
Edit: It's working now. I had to restart Firefox for it to take effect. Is that how it's supposed to work?

It works this way: if you edit the file from the NoScript Options|Advanced|ABE it gets refreshed immediately.
Otherwise it gets reloaded after one hour at most or when you restart the browser.

[mark]

I had to change the rule a bit:

Code: Select all

# Google Desktop exception.
Site ^http://127\.0\.0\.1:\d+/search\?q
Accept from http://www.google.com/search

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

i removed the ?q of the Accept argument because i show my results in english, so i have ..search?hl=en?q

[Giorgio Maone]

FAQ 8.3 edited, thanks.

[Reid Rankin]

Tiny change, I left on the ? after http://www.google.com/search... Just seemed like better security practice to me. (Who knows what pages on google.com start with the word "search"? Probably none, but why leave it to chance?)

Code: Select all

# Google Desktop exception.
Site ^http://127\.0\.0\.1:\d+/search\?q
Accept from http://www.google.com/search?

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny