InformAction Forums

iDrugoy wrote:Did I get it right, that regular NoScript's rules (allow/block) are just simpler versions of ABE rules?

Who's priority higher - regular rules' or ABE ones'?

What is "SELF++" from the example in FAQ?

What's the difference between "SYSTEM" and "USER" rulesets?

NoScript's rules get stored to a Firefox profile, how would it affect another one?

How does a feature "Allow sites to push their own rulesets" work? Does it mean that sites that may recognize NoScript - can use some NoScript's internal protocol to send their rulesets to users?
What's the use of such a feature? Sites would then permit everything they need, don't you think that's a security hole and that checkbox should be put away to about:config?

Could you add a non-text GUI to manage ABE rules?

Thrawn wrote:No, the regular script-blocking is not in the form of ABE rules. Actually, it uses Content Security Policy. But it would probably be possible to write ABE rules that would simulate NoScript's regular behavior. With tremendous amounts of work.

Both. If either one blocks a request, then it will be blocked.

Please read ABE Rules .pdf.

No difference; both rulesets are applied exactly the same way. The reason to have two of them is: once a request matches a rule, ABE stops processing the rest of that ruleset, BUT it will still process the other ruleset. So, you can write whatever you want in the USER ruleset without affecting the built-in SYSTEM rule.

Guardian and I have started to develop such a GUI, but it is a lot of work, and we haven't had time to get far.

In the meantime, you can try the RequestPolicy addon, which is less powerful than ABE, but suffices for most jobs, and is very easy to use (interface inspired by NoScript, actually).

iDrugoy wrote:

Thrawn wrote:No, the regular script-blocking is not in the form of ABE rules. Actually, it uses Content Security Policy. But it would probably be possible to write ABE rules that would simulate NoScript's regular behavior. With tremendous amounts of work.

What is CSP? And your 2nd statement contradicts the 1st one.

iDrugoy wrote: And what if one blocks and the other one permits?

iDrugoy wrote:

No difference; both rulesets are applied exactly the same way. The reason to have two of them is: once a request matches a rule, ABE stops processing the rest of that ruleset, BUT it will still process the other ruleset. So, you can write whatever you want in the USER ruleset without affecting the built-in SYSTEM rule.

Don't you think it's lame? Why does it stop? What if a page has many scripts and I have ABE rules for each of them - then the first matching rule in each ruleset will stop NoScript completely?

Giorgio Maone wrote: The regular script blocking uses CAPS and nsIDocShell's API. CSP is different beast (a W3C standard, now). You can easily google both acronyms.
ABE intercepts HTTP requests instead: it doesn't affect script permissions (beside the Sandbox predicate) but can block any HTTP request, thus preventing stuff from loading at all.

Giorgio Maone wrote: The first matching rule for any single request, i.e. all rules from all rulesets are applied to each request, and processing of each ruleset is stopped as soon as the first rule matches, but it's resumed from the beginning for the next request. In other words, "if a page has many scripts" all the rulesets will be iterated many times, one for each script.

# Google only on google
Site .google.com
Accept ALL from .google.com
Deny

# Google only on google
Site .google.com
Accept ALL from .google.com

# Google only on google
Site .google.com
Accept ALL from SELF++
Deny

# Google only on google
Site .google.com
Accept ALL from SELF++

iDrugoy wrote:Or do I still have to allow google's scripts in regular rules? [I still don't get whether ABE can fully replace regular rules, or it's just an addition to them]

Site .google.com
Accept from SELF++ # "ALL" is optional
Deny

Site .google.com .google.ru
Accept from .google.com .google.ru
Deny

Site .google.com .google.ru
Accept from .google.com .google.ru
Deny INC

iDrugoy wrote:I've already figured out all you said.
I just didn't know, that ABE rules require regular rules to work. To me that seems pretty awkward, could you please add a hidden pref to make ABE rules work without requiring regular rules?

iDrugoy wrote:

Guardian and I have started to develop such a GUI, but it is a lot of work, and we haven't had time to get far.

Awesome, I didn't know that not only Giorgio develops NoScript.

Then maybe you could also add another feature I've requested years ago, please? Bring subscriptions support for all NoScript rules: whitelist, blacklist, ABE, XSS and HTTPS.

2. many Firefox users don't use NoScript at all, since it's too complicated to use. They would be the main target group for subscriptions.

In the meantime, you can try the RequestPolicy addon, which is less powerful than ABE, but suffices for most jobs, and is very easy to use (interface inspired by NoScript, actually).

Yeah, I've used that add-on years ago, but it's author doesn't have time for further development, so for me it's an almost dead extension, not gonna use it.

Thrawn wrote:I can make a pretty good guess at answering for Giorgio and say "No." ABE is a completely separate feature from the regular script-blocking, and was primarily designed for preventing CSRF attacks.

Thrawn wrote:What situations do you have where you want this? There may be a better way to achieve what you want.

Thrawn wrote:Actually, he does. Guardian and I were working on a separate addon that would interact with NoScript. If Giorgio were to then choose to merge it in, he could. NoScript (and FlashGot) are exclusively his.

ABE subscriptions have been talked about, but I actually don't like the idea. I think the best option is to collect rules that people have found useful, and pick & choose which ones you like. People have such different usage patterns for sites that it's not feasible to just sign up to a list.

Do you want to allow Facebook everywhere, just on its own site, or just block Facebook Connect?
Do you use Google at all? Just Google Maps? Gmail?
Similarly for Yahoo?

I can see some legitimate uses for a subscription list for bank-related sites, since their usage patterns are much more consistent, and you definitely want to restrict them to their own sites. But you probably only use a very small number of banks, so signing up to a list of rules for hundreds or thousands of them is overkill. As Giorgio mentioned, every single HTTP request you make will be filtered through every rule, which would be a big performance hit for huge ABE rulesets. Better to just have a list of potential rules, identify which ones apply to you, and copy those ones.

As for the other subscriptions - there are already predefined lists of untrusted sites (like hosts files), and HTTPS sites (HTTPS Everywhere), while XSS exceptions should only be used in rare cases where a site's normal (bad) behavior is to XSS itself. And subscription-based whitelisting is a minefield that I recommend everyone keep out of. Huge issues with who you choose to trust to set up such a list.

If you want to set up a 'Subscription helper for NoScript' addon (with Giorgio's permission to use the name), which would edit the Content Security Policy settings, you may try it.

Then they should a) put NoScript in 'Scripts Globally Allowed' mode,

and/or b) use Adblock Plus, preferably with the Anti-Malware subscription list. Or ask a tech-savvy friend to set it up for them.

iDrugoy wrote:

Thrawn wrote:Then they should a) put NoScript in 'Scripts Globally Allowed' mode,

that's almost equal to not install NoScript.

iDrugoy wrote:

Thrawn wrote:and/or b) use Adblock Plus, preferably with the Anti-Malware subscription list. Or ask a tech-savvy friend to set it up for them.

Hmm, I forgot that ABP can block scripts. Thanks for reminding, now I'll consider removing NoScript in favor of anti-script rules for AdBlock. The only thing I'll miss then is NoScript's surrogate system.

iDrugoy wrote:That's acceptable for me: if Giorgio ignores my feature requests & bug reports - I'd be glad to see them released as a separate add-on.

Take a look at Wind Li's AutoPager add-on and how it's subscriptions work: the author hosts a site that contains a database, so when a user visits any site, he may click to send the query to Wind Li's database to search for rules for that site. And the user selects the one he likes more (sometimes there are different rules by different authors for the same site).
Thus, the user has only the rules for the sites he visits. Thus, no overkill/performance hit.

As for the other subscriptions - there are already predefined lists of untrusted sites (like hosts files), and HTTPS sites (HTTPS Everywhere), while XSS exceptions should only be used in rare cases where a site's normal (bad) behavior is to XSS itself. And subscription-based whitelisting is a minefield that I recommend everyone keep out of. Huge issues with who you choose to trust to set up such a list.

I don't know what you are talking about. Predefined lists? Thanks, no. I've even removed most of "whitelisted" rules that NoScript has by default.

If you want to set up a 'Subscription helper for NoScript' addon (with Giorgio's permission to use the name), which would edit the Content Security Policy settings, you may try it.

URL, please?
Or you suggest me to write that add-on? If so - then it'd be easier just to patch NoScript the way I like (without anyone's permissions).

Then they should a) put NoScript in 'Scripts Globally Allowed' mode,

that's almost equal to not install NoScript.
All those "CSRF/XSS/WUTEVAELSE" attacks are so rare, that plain users mostly never get affected. But what they get affected by - is the tracking by evilCorps (mostly, scroogle). And if all scripts are globally allowed - it's way easier to delete NoScript and have a slight performance boost.

and/or b) use Adblock Plus, preferably with the Anti-Malware subscription list. Or ask a tech-savvy friend to set it up for them.

Hmm, I forgot that ABP can block scripts. Thanks for reminding, now I'll consider removing NoScript in favor of anti-script rules for AdBlock. The only thing I'll miss then is NoScript's surrogate system.

Thrawn wrote:I really do recommend trying RequestPolicy. AFAIK, it's actively maintained, and it does most of what you seem to what.