ABE Electrolysis support

Post by cepheus » Wed Apr 12, 2017 11:45 am

Hello,

I noticed that direct links to sites affected by ABE restrictions do not work anymore. The "big" examples are Google, Facebook and Twitter. I use Firefox ESR on Linux, and after the upgrade to version 52, I force-enabled multiprocess (Electrolysis, e10s) and replaced some add-ons which no longer worked. I want to keep e10s enabled, mainly because I can enable seccomp-bpf on the Web Content process.

This thread is about the same problem: viewtopic.php?f=23&t=22593&p=86828#p86828.

With e10s, it seems ABE cannot distinguish between inclusions of third party content on the site, and opening a third party link. Without e10s, the following ABE user rule works as expected:

Code:

Site .twitter.com .twimg.com
Accept from .twitter.com .twimg.com
Deny INC

Example site: https://www.techdirt.com/articles/20170 ... view.shtml

The site contains a JavaScript from Twitter, which is blocked according to the "ABE" message in Firefox's Browser Console (for the test, JavaScript from all domains is allowed). The last link in the article text is a link to Twitter, which can be opened.

However, with e10s, nothing happens when clicking the link, and it gets an ABE message. Adding "moz-nullprincipal:" does not solve the problem.

For the moment, I have changed the rules for Google, Twitter and Facebook like so:

Code:

Site .twitter.com .twimg.com
Accept from .twitter.com .twimg.com
Accept INC(OTHER)
Deny INC

But this seems to be overly permissive: No ABE message for the included script.

I can live with that, but I would like to know:

Are there other possibilities in the configuration?

Are there plans to make ABE e10s-compatible?

Thank you
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Re: ABE Electrolysis support

Post by barbaz » Wed Apr 12, 2017 3:31 pm

cepheus wrote: However, with e10s, nothing happens when clicking the link, and it gets an ABE message.
Can you please post that Browser Console message here?

In the meantime, if your primary interest in e10s is seccomp sandboxing, this might be a workaround for you - https://firejail.wordpress.com/
*Always* check the changelogs BEFORE updating that important software!

Re: ABE Electrolysis support

Post by cepheus » Wed Apr 12, 2017 4:55 pm

barbaz wrote:
cepheus wrote: However, with e10s, nothing happens when clicking the link, and it gets an ABE message.
Can you please post that Browser Console message here?

Code:

[ABE] < .twitter.com .twimg.com> Deny INCLUSION on {GET https://twitter.com/internetofshit/status/849231009036066816 <<< https://twitter.com/internetofshit/status/849231009036066816, https://www.techdirt.com/articles/20170404/10460937082/garage-door-opener-company-bricks-customer-hardware-after-negative-review.shtml - 1}
USER rule:
Site .twitter.com .twimg.com
Accept from .twitter.com .twimg.com
Deny INCLUSION
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
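
A way to pull apart ABE Browser Console messages like the one posted above, as an added example that is not part of the thread and not NoScript's own code. The function names are hypothetical, the pattern is derived only from the single message shown here, and reading the trailing number as an nsIContentPolicy content type (where 1 is TYPE_OTHER, the type named in the `Accept INC(OTHER)` workaround) is an assumption.

```python
import re
from urllib.parse import urlsplit

# nsIContentPolicy content-type constants in Gecko. Assumption: the number
# that closes an ABE message is one of these.
CONTENT_TYPES = {1: "OTHER", 2: "SCRIPT", 3: "IMAGE", 4: "STYLESHEET",
                 5: "OBJECT", 6: "DOCUMENT", 7: "SUBDOCUMENT"}

# Pattern derived from the one console message in the thread.
ABE_LINE = re.compile(
    r"\[ABE\]\s*<\s*(?P<sites>[^>]*)>\s*"
    r"(?P<action>\w+)\s+(?P<kind>\w+)\s+on\s+"
    r"\{(?P<method>\S+)\s+(?P<dest>\S+)\s+<<<\s+"
    r"(?P<origins>.*?)\s+-\s+(?P<ctype>\d+)\}"
)

def parse_abe_message(line):
    """Return the fields of an ABE console message, or None if no match."""
    m = ABE_LINE.search(line)
    if m is None:
        return None
    ctype = int(m.group("ctype"))
    return {
        "sites": m.group("sites").split(),        # Site patterns of the rule
        "action": m.group("action"),              # e.g. Deny
        "kind": m.group("kind"),                  # e.g. INCLUSION
        "method": m.group("method"),
        "destination": m.group("dest"),
        "origins": re.split(r",\s+", m.group("origins")),
        "type": ctype,
        "type_name": CONTENT_TYPES.get(ctype, "UNKNOWN"),
    }

def cross_site_origins(entry):
    """Origins in the chain whose host differs from the destination host."""
    dest_host = urlsplit(entry["destination"]).hostname
    return [o for o in entry["origins"] if urlsplit(o).hostname != dest_host]

# Message copied from the thread above.
SAMPLE = ("[ABE] < .twitter.com .twimg.com> Deny INCLUSION on {GET "
          "https://twitter.com/internetofshit/status/849231009036066816 <<< "
          "https://twitter.com/internetofshit/status/849231009036066816, "
          "https://www.techdirt.com/articles/20170404/10460937082/garage-door-"
          "opener-company-bricks-customer-hardware-after-negative-review.shtml - 1}")

if __name__ == "__main__":
    entry = parse_abe_message(SAMPLE)
    print(entry["action"], entry["kind"], entry["type_name"])
    print(cross_site_origins(entry))
```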
