ABE rule breaks Gmail Notifier
Posted: Fri Jul 10, 2009 6:54 pm
by lunboks
Code:
[ABE] <mail.google.com> Deny on {GET https://mail.google.com/mail/?ui&ui=html&zy=l&pli=1&auth=[snip]&gausr=[snip] <<< https://mail.google.com/mail?ui, https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%26ui%3Dhtml%26zy%3Dl&bsv=[snip]&ss=1&scc=1&ltmpl=googlemail, https://mail.google.com/mail?ui}
USER rule:
Site mail.google.com
Accept from SELF google.com
Deny
I added this rule to protect my Gmail account, but it seems to keep out the Gmail notifier add-on as well.
What's happening here, and how can I fix it, other than making myself vulnerable to CSRF? Isn't ABE supposed to ignore browser requests?
Re: ABE rule breaks Gmail Notifier
Posted: Sat Jul 11, 2009 3:52 am
by Flash_Gordon
As mentioned by the logs you posted, it seems that www.google.com needs an HTTPS connection to mail.google.com for login purposes...
I don't remember how precise rules can get, but I'd give a try to this one:
Code:
Site mail.google.com
Accept from SELF www.google.com/accounts/ServiceLogin
Deny
If ABE's engine accepts this, no other www.google.com request will be accepted, only ServiceLogin. If ABE's engine is even more precise, maybe you can add a couple of parameters that you know never change from one Gmail notification to the other, service=mail for instance.
The most precise rule would be using https://www.google.com/accounts/Service ... googlemail or whatever works last before it breaks.
Re: ABE rule breaks Gmail Notifier
Posted: Sat Jul 11, 2009 9:07 pm
by lunboks
Flash_Gordon wrote: I don't remember how precise rules can get, but I'd give a try to this one:
Code:
Site mail.google.com
Accept from SELF www.google.com/accounts/ServiceLogin
Deny
Hmm, that didn't work, and neither did http://www.google.com or https://www.google.com.