[FIXED] ABE weirdness with regexp site

Posted: Fri Nov 22, 2013 6:12 pm
by barbaz
I have the following ruleset:

Code:

Site ^https?://www\.deeplinkradio\.com/modules/mod_radioplayerjoomla-pro/muses\.swf#!flashvars#
Accept from .deeplinkradio.com
Deny

Site .deeplinkradio.com
Accept INCLUSION(OBJSUB)
Sandbox INCLUSION(OBJ, XHR)

But if I go to http://deeplinkradio.com (mirror of http://www.deeplinkradio.com), the Flash object from http://deeplinkradio.com is allowed where I would expect it to be sandboxed :?:
I'm not sure if this is a bug. Does ABE use DNS lookup to determine hosts, even if a site is specified by regexp? (My DNS says that the two hosts are the same.)

Re: ABE weirdness with regexp site

Posted: Sat Nov 23, 2013 8:36 am
by Giorgio Maone
Sandbox INCLUSION has no effect:
ABE Rules Reference wrote: Sandbox – sends the requests as it is, but disables JavaScript and other active content (e.g. plugin embeddings) in the landing page
"Landing page", which I used instead of just "document" (which could apply also to SVG or XHR-loaded XML documents, for instance) means a document loaded in an HTML/XUL renderer such as a window (more specifically, in a Gecko DocShell).

Re: ABE weirdness with regexp site

Posted: Sat Nov 23, 2013 1:13 pm
by barbaz
Thanks for explaining exactly what Sandbox does. (I'm assuming that iframes could be affected?)

However, changing that to Deny doesn't work either. Now this example isn't a serious problem because I do want to allow that object, but the concern is that it's happening without any action on my part to change the ABE rule.

Is there a better ruleset for restricting Flash objects from, say, site.com to one object only if it's being requested by site.com?

Re: ABE weirdness with regexp site

Posted: Sat Nov 23, 2013 1:45 pm
by Giorgio Maone
Confirmed regression (not sure whether in NoScript or Gecko).
Investigating, thanks.

Re: ABE weirdness with regexp site

Posted: Mon Nov 25, 2013 7:26 pm
by barbaz
Another bug: on the latest Firefox 17 ESR (17.0.11 at the time of writing), the Accept INCLUSION(OBJSUB) line is being ignored, thus causing the last line of that ruleset (with the change to Deny) to block object subrequests to deeplinkradio and bork the online player. Upgrading Fx past 17 on this machine is not really an option as 18.0.2 is pretty insecure these days...
(No big deal since I mostly use latest SeaMonkey anyway, but still would be nice if this worked.)

Re: ABE weirdness with regexp site

Posted: Wed Nov 27, 2013 7:20 pm
by Giorgio Maone
Fixed in latest development build 2.6.8.6rc2, thanks.
@barbaz distinct issues but same root cause: the increased asynchronicity of Gecko's networking caused some assumptions on code flows not to be generally valid anymore and therefore made ABE behave erratically under certain circumstances.

Re: ABE weirdness with regexp site

Posted: Wed Nov 27, 2013 7:39 pm
by barbaz
The issue originally reported here is fixed, thank you.
barbaz wrote: the Accept INCLUSION(OBJSUB) line is being ignored, thus causing the last line of that ruleset (with the change to Deny) to block object subrequests to deeplinkradio and bork the online player.
But now I'm getting this behavior on SeaMonkey 2.22.1...
Is this a ruleset issue or NoScript issue?

Re: ABE weirdness with regexp site

Posted: Wed Nov 27, 2013 9:20 pm
by Giorgio Maone
The following rules:

Code:

Site .deeplinkradio.com/modules/mod_radioplayerjoomla-pro/muses.swf*
Accept from .deeplinkradio.com
Deny

Site .deeplinkradio.com
Accept INCLUSION(OBJSUB)
Deny INCLUSION(OBJ, XHR)

make the player work fine for me on any Firefox >= 17, both on deeplinkradio.com and www.deeplinkradio.com.

Re: ABE weirdness with regexp site

Posted: Wed Nov 27, 2013 9:24 pm
by barbaz
I get this

Code:

[ABE] <.deeplinkradio.com> Deny INCLUSION(OBJ, XHR) on {GET http://www.deeplinkradio.com/modules/mod_radioplayerjoomla-pro/muses.swf <<< http://www.deeplinkradio.com/ - 5}
DEEPLINK rule:
Site .deeplinkradio.com
Accept INCLUSION(OBJSUB)
Deny INCLUSION(OBJ, XHR)

with my original ruleset :?:

Edit: Your ruleset does work, thanks. I'll do some experimenting to see if I can figure this out and let you know.

Re: ABE weirdness with regexp site

Posted: Wed Nov 27, 2013 9:56 pm
by barbaz
Solved!

The problem was the reference to flashvars at the end of the Site line. If I just end it with .swf all works as expected.
Why though?

Re: ABE weirdness with regexp site

Posted: Wed Nov 27, 2013 10:29 pm
by Giorgio Maone
barbaz wrote: Solved!

The problem was the reference to flashvars at the end of the Site line. If I just end it with .swf all works as expected.
Why though?
Because the flashvars are not really part of the URL, and are just used by NoScript's plugin blocking machinery as a more specific key to selectively block/allow instances of the same content which possibly load different sub-content (movie players, typically, with different movies).
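
Added example, not part of the thread and not NoScript's code: a simplified model of ABE rule evaluation showing why a Site regexp ending in #!flashvars# never matches the request URL seen in the log above, so the request falls through to the site-wide Deny. The first-match evaluation model and the names matcher, evaluate, swfRule and decide are assumptions made for illustration.

```javascript
// Simplified model of ABE evaluation, assumed for illustration (not NoScript code):
// rules run top to bottom; in a rule whose Site matches the request URL, the
// first predicate that matches the inclusion type and origin decides.

// Compile a Site/from pattern: "^..." is a regexp, ".domain[/path*]" a glob.
function matcher(pattern) {
  if (pattern.startsWith("^")) {
    const re = new RegExp(pattern);
    return (url) => re.test(url);
  }
  const slash = pattern.indexOf("/");
  const domain = (slash < 0 ? pattern : pattern.slice(0, slash)).slice(1);
  const path = slash < 0 ? null : pattern.slice(slash);
  return (url) => {
    const u = new URL(url);
    if (u.hostname !== domain && !u.hostname.endsWith("." + domain)) return false;
    if (path === null) return true;
    return path.endsWith("*") ? u.pathname.startsWith(path.slice(0, -1)) : u.pathname === path;
  };
}

function evaluate(rules, req) {
  for (const rule of rules) {
    if (!matcher(rule.site)(req.url)) continue; // Site sees only the request URL
    for (const p of rule.predicates) {
      if (p.inclusion && !p.inclusion.includes(req.type)) continue;
      if (p.from && !matcher(p.from)(req.origin)) continue;
      return p.action;
    }
  }
  return "Accept"; // no rule applied
}

// Second rule of the thread's ruleset, with Sandbox already changed to Deny.
const siteWide = { site: ".deeplinkradio.com", predicates: [
  { action: "Accept", inclusion: ["OBJSUB"] },
  { action: "Deny", inclusion: ["OBJ", "XHR"] } ] };
// First rule, parameterised on its Site line (hypothetical helper).
const swfRule = (site) => ({ site, predicates: [
  { action: "Accept", from: ".deeplinkradio.com" }, { action: "Deny" } ] });

const SWF = "^https?://www\\.deeplinkradio\\.com/modules/mod_radioplayerjoomla-pro/muses\\.swf";
// Request from the ABE log line in the thread, treated as an OBJ inclusion.
const request = { type: "OBJ", origin: "http://www.deeplinkradio.com/",
  url: "http://www.deeplinkradio.com/modules/mod_radioplayerjoomla-pro/muses.swf" };

const decide = (site) => evaluate([swfRule(site), siteWide], request);
console.log(decide(SWF + "#!flashvars#")); // original Site line
console.log(decide(SWF));                  // Site line ending at .swf
```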