ABE rule breaks Gmail Notifier

[lunboks]

Code: Select all

[ABE] <mail.google.com> Deny on {GET https://mail.google.com/mail/?ui&ui=html&zy=l&pli=1&auth=[snip]&gausr=[snip] <<< https://mail.google.com/mail?ui, https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%26ui%3Dhtml%26zy%3Dl&bsv=[snip]&ss=1&scc=1&ltmpl=googlemail, https://mail.google.com/mail?ui}
USER rule:
Site mail.google.com
Accept from SELF google.com
Deny

I added this rule to protect my Gmail account, but it seems to keep out the Gmail notifier add-on as well.

What's happening here, and how can I fix it, other than making myself vulnerable to CSRF? Isn't ABE supposed to ignore browser requests?

[Flash_Gordon]

As mentionned by the logs you posted, it seems that www.google.com needs an HTTPS connection to mail.google.com for login purposes...

I don't remember how precise rules can get, but I'd give a try to this one:

Code: Select all

Site mail.google.com
Accept from SELF www.google.com/accounts/ServiceLogin
Deny

If ABE's engine accepts this, no other www.google.com request will be accepted, only ServiceLogin. If ABE's engine is even more precise, maybe you can add a couple paramaters that you know never change from one Gmail notification to the other, service=mail for instance.

The most precise rule would be using https://www.google.com/accounts/Service ... googlemail or whatever works last before it breaks.

[lunboks]

I don't remember how precise rules can get, but I'd give a try to this one:

Code: Select all

Site mail.google.com
Accept from SELF www.google.com/accounts/ServiceLogin
Deny

Hmm, that didn't work, and neither did http://www.google.com or https://www.google.com.