Can ABE allow sub-objects, too?

Posted: Tue Jun 30, 2009 3:49 am
by Tom T.
Specifically, the infamous Yahoo Classic Mail attachment upload or download objects. They don't show in the menu until you attempt the u/l or d/l (and the menu changes color in F2 now -- thanks given elsewhere!). The rules I have tried, based on what shows in "Blocked Objects" when attempting to upload an attachment, are:

Site *@http://attach.*.mail.yahoo.com *@http://attach.re3.mail.yahoo.com
Accept from mail.yahoo.com
Deny

Site unknown@http://attach.re3.mail.yahoo.com
Accept from yahoo.com
Deny
These were based on there usually being two objects, one starting with *@http... and the other, unknown@http..., the rest of it being *@http://attach.XXX.mail.yahoo.com. The *@http one is the one I have always used successfully, manually.
...where XXX is often either "mud" (Mail Up/Download?), "re3", "reX", where X is an integer 1-9, but sometimes other seemingly random characters, hence the attempt at wildcarding.

No success. Still must manually allow the objects for each session. Are these outside the scope of ABE?

Re: Can ABE allow sub-objects, too?

Posted: Tue Jun 30, 2009 1:33 pm
by Giorgio Maone
The request processing flow of NoScript+ABE is roughly the following:
  • The browser is asked to initiate a request
  • The browser asks content policies (e.g. ABP and NoScript) if the request can be initiated, passing the URL and some context info (at this time no request exists yet)
  • NoScript checks for scripts, plugin objects and frames in this phase, vetoing the request if needed. In this case, no request is created.
  • If a request is created because no content policy objected, the request gets created and request observers are notified before it hits the network. Request observers can veto requests before they're initiated, but can also modify them before they're sent. Among request observers are XSS Filters and ABE.
As you can see, ABE comes late in the blocking game, after NoScript has done its "traditional" work.
Therefore an "Accept" directive cannot "resuscitate" a request which had been vetoed by a content policy (either ABP or NoScript itself), because the request never got created and therefore never reached ABE.
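As an added example (not NoScript's own code), a small JavaScript model of the pipeline described above: a simplified ABE rule parser whose Accept/Deny verdict is only consulted once content policies have let the request be created. The glob, prefix and subdomain matching here are assumptions of this example; ABE's real syntax is richer.

```javascript
// Added example, not NoScript code: a toy model of the request pipeline, with a
// simplified ABE rule parser (the glob/subdomain matching here is an assumption).

// Turn a pattern with "*" wildcards into a fully anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// A "from" host pattern without wildcards also covers subdomains (yahoo.com ~ mail.yahoo.com).
function hostMatches(pattern, host) {
  if (!pattern.includes("*")) return host === pattern || host.endsWith("." + pattern);
  return globToRegExp(pattern).test(host);
}

// Parse "Site <pattern ...>" blocks followed by "Accept from <host ...>" / "Deny" lines.
function parseAbe(text) {
  const rules = []; let current = null;
  for (const raw of text.split("\n")) {
    const [verb, ...rest] = raw.trim().split(/\s+/).filter(Boolean);
    if (verb === "Site") {
      current = { sites: rest.map(globToRegExp), actions: [] };
      rules.push(current);
    } else if (current && (verb === "Accept" || verb === "Deny")) {
      current.actions.push({ verb, from: rest[0] === "from" ? rest.slice(1) : ["*"] });
    }
  }
  return rules;
}

// ABE verdict: first Site rule matching the URL (or its origin), first action matching the origin host.
function abeDecision(rules, url, originHost) {
  const origin = new URL(url).origin;
  for (const rule of rules) {
    if (!rule.sites.some((re) => re.test(url) || re.test(origin))) continue;
    const hit = rule.actions.find((a) => a.from.some((p) => hostMatches(p, originHost)));
    if (hit) return hit.verb;
  }
  return "Accept"; // no rule matched: ABE does not interfere
}

// Content policies (NoScript's script/plugin/frame checks) run first. If any vetoes,
// no request object is created, so ABE's Accept/Deny is never even consulted.
function processRequest(contentPolicies, rules, req) {
  if (contentPolicies.some((allows) => !allows(req))) {
    return { stage: "content-policy", sent: false, abeConsulted: false };
  }
  const verdict = abeDecision(rules, req.url, req.originHost);
  return { stage: "abe", sent: verdict === "Accept", abeConsulted: true };
}
```

Feeding a plugin-object request that a content policy vetoes into processRequest returns abeConsulted: false regardless of any Accept rule, which is why the rules in the first post cannot take effect.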

Re: Can ABE allow sub-objects, too?

Posted: Wed Jul 01, 2009 6:55 am
by Tom T.
Thanks, Giorgio, I understand the Big Picture *much* better now. So, this Yahoo annoyance will have to wait for Site-Specific Policy implementation, correct? -- no way to permanently allow the attachment sub-objects At This Time.