Feature/change request: ABE block & redirections

Bug reports and enhancement requests
F-3000
Junior Member
Posts: 25
Joined: Sun Mar 06, 2011 12:36 pm
Location: Next to polarbear

Feature/change request: ABE block & redirections

Post by F-3000 »

Hi!

This has been bugging me a lot occasionally. When there's an ABE rule that allows certain pages but denies the rest, any redirections outside of the allowed sites get blocked. That's fine, I anyway have things like "tradedoubler" blocked, so I don't mind that it doesn't get a record of my activities (it does get the record, it just can't direct me to the actual target page?). Then I get a notification about the block, which is an absolutely good thing, so that I know what's happening. Also nice is that the notification tells me the page (URL) where I would have landed, had that redirection occurred.

[Image: the ABE block notification]

The problem is that I cannot bypass the blocking without modifying the ABE rule. For something that occurs like twice a year, it feels stupid to edit ABE rules to be able to have a redirection occur. This would also allow the third party's scripts to work.

Two suggestions as possible solutions:

* Allow user to select the text in ABE notify. This would make it possible to copy the URL.
or
* A button to temporarily bypass the block.
barbaz
Senior Member
Posts: 11067
Joined: Sat Aug 03, 2013 5:45 pm

Re: Feature/change request: ABE block & redirections

Post by barbaz »

F-3000 wrote: (it does get the record, it just can't direct me to the actual target page?)
No, otherwise bypassing ABE to do CSRF would be as simple as making the CSRF request a redirection. It can't work that way.
The site never receives the request, so doesn't get the record.
F-3000 wrote: * Allow user to select the text in ABE notify. This would make it possible to copy the URL.
Sounds reasonable, but as it is you can copy it out of the ABE message in the Browser Console (Ctrl-Shift-J)...
F-3000 wrote: * A button to temporarily bypass the block.
Please no. ABE is designed to prevent CSRF; having the option to allow something that you have defined as CSRF is a terrible idea. Many users will click that accidentally or without thinking and then later discover that their router has been taken over or their bank account has been drained into a huge deficit.
Editing the ABE rules to make specific request(s) not defined as CSRF is a MUCH better way, and it can't be done accidentally or carelessly/thoughtlessly.
*Always* check the changelogs BEFORE updating that important software!
-
F-3000
Junior Member
Posts: 25
Joined: Sun Mar 06, 2011 12:36 pm
Location: Next to polarbear

Re: Feature/change request: ABE block & redirections

Post by F-3000 »

barbaz wrote:
F-3000 wrote: (it does get the record, it just can't direct me to the actual target page?)
No, otherwise bypassing ABE to do CSRF would be as simple as making the CSRF request a redirection. It can't work that way.
The site never receives the request, so doesn't get the record.
Don't know if that's so. As an example, I have restricting ABE rules for Facebook. Any redirects out from FB work, but any redirects into FB (i.e. from Google search) do not work (blocked by ABE). Comparing that to the example picture, tradedoubler gets the page load but fails to redirect to cdon. Their rules are quite similar:

Site .facebook.com .messenger.com
Accept from .facebook.com .akamaihd.net .messenger.com
Deny

Site .cdon.fi
Accept from .cloudfront.com .cloudfront.net .cdon.fi .cdon.com .cdongroup.com
Deny
The CSRF block works, even if tradedoubler gets the page load, because tradedoubler can't redirect to the target page.
barbaz wrote:
F-3000 wrote: * Allow user to select the text in ABE notify. This would make it possible to copy the URL.
Sounds reasonable, but as it is you can copy it out of the ABE message in the Browser Console (Ctrl-Shift-J)...
Thanks for the info, wasn't aware of that. Works like a charm.
barbaz wrote:
F-3000 wrote: * A button to temporarily bypass the block.
Please no. ABE is designed to prevent CSRF; having the option to allow something that you have defined as CSRF is a terrible idea. Many users will click that accidentally or without thinking and then later discover that their router has been taken over or their bank account has been drained into a huge deficit.
Editing the ABE rules to make specific request(s) not defined as CSRF is a MUCH better way, and it can't be done accidentally or carelessly/thoughtlessly.
Valid points you have there.
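To make concrete why the redirect in this thread is blocked while the hit on tradedoubler still lands, here is an added example (not NoScript's own code, and a deliberately simplified model of ABE's matching) that applies the two rulesets quoted above to the requests discussed; the tradedoubler, Google and CloudFront URLs used are constructed.

```python
# Added illustration, not NoScript's code: a minimal model of ABE's Site /
# Accept from / Deny lines with host-suffix patterns, as quoted above.
from urllib.parse import urlsplit

# Constructed copy of the two rulesets quoted in the post above.
RULES = """
Site .facebook.com .messenger.com
Accept from .facebook.com .akamaihd.net .messenger.com
Deny
Site .cdon.fi
Accept from .cloudfront.com .cloudfront.net .cdon.fi .cdon.com .cdongroup.com
Deny
"""

def host_matches(host, pattern):
    """'.example.com' matches example.com and every subdomain of it."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse_abe(text):
    """Return [(site_patterns, [(action, origin_patterns_or_None), ...]), ...]."""
    rules = []
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0].lower() == "site":
            rules.append((words[1:], []))
        elif rules and words[0].lower() in ("accept", "deny"):
            # a bare 'Deny' (no 'from' list) matches every origin
            origins = words[2:] if len(words) > 1 and words[1].lower() == "from" else None
            rules[-1][1].append((words[0].capitalize(), origins))
        else:
            raise ValueError(f"unsupported ABE line: {raw!r}")
    return rules

def decide(rules, origin_url, dest_url):
    """'Accept' or 'Deny' for a request origin -> dest. A redirect is judged with
    the redirecting page as origin, so tradedoubler gets the hit but the hop to
    cdon.fi is denied, as the thread describes."""
    origin, dest = urlsplit(origin_url).hostname, urlsplit(dest_url).hostname
    for sites, actions in rules:                  # first matching Site block wins
        if any(host_matches(dest, p) for p in sites):
            for action, origins in actions:       # first matching action wins
                if origins is None or any(host_matches(origin, p) for p in origins):
                    return action
    return "Accept"                               # no Site covers dest: allowed
```

Redirects out of Facebook pass because no Site block covers the destination, while redirects into Facebook or cdon.fi from an unlisted origin hit the trailing Deny.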
barbaz
Senior Member
Posts: 11067
Joined: Sat Aug 03, 2013 5:45 pm

Re: Feature/change request: ABE block & redirections

Post by barbaz »

F-3000 wrote: As an example, I have restricting ABE rules for Facebook. Any redirects out from FB work, but any redirects into FB (i.e. from Google search) do not work (blocked by ABE). Comparing that to the example picture, tradedoubler gets the page load but fails to redirect to cdon. Their rules are quite similar:
Sorry, I didn't look closely enough at that notification and I made wrong assumptions about your ABE rules. Yes, you would have to block tradedoubler itself to not have it record the hit, and as it is it records the hit but cannot complete the redirection.
F-3000 wrote: Thanks for the info, wasn't aware of that. Works like a charm.
You're welcome.