
distill off ABE-rule from log message; intranet application

Posted: Wed Oct 01, 2014 8:24 am
by Peter0
I want to use a web application running in intranet (domain "example", without any toplevel domain), which uses OpenID and therefore should work together with xlogon.net. On start of a session, after feeding the OpenID username, NoScript reports into firefox' browser console:

Code:

[ABE] <.xlogon.net> Deny on {GET https://my.xlogon.net/server/trust/0/ <<< https://my.xlogon.net/server/, http://example:8008/ - 6}
USER rule:
Site .xlogon.net
Accept from example
Accept from example:8008
Accept from .xlogon.net
Deny
– stating my vain attempt at a rule.

Please give some hints on how to distill suitable rules from the console report. I tried "Accept from LOCAL" – it doesn't work; "Accept from ALL" – it works, but letting everything pass isn't the goal of ABE, I think.

As opposed to the easy-to-update whitelisting, I find managing ABE rules very awkward. In my opinion, while displaying a deny message there should be the possibility to start some kind of assistant that proposes a rule to be inserted in ABE's ruleset.

Thanks – Peter

Re: distill off ABE-rule from log message; intranet applicat

Posted: Wed Oct 01, 2014 10:33 am
by Giorgio Maone
Hi,

The message suggests that a redirect is happening.
For an Accept action to apply to a redirect, both sites must be listed in the same "Accept ..." clause.
This should work:

Code:

Site .xlogon.net
Accept from example .xlogon.net
Deny
Notice, though, that the rule above is protecting xlogon.net against CSRF, which I'm not sure is exactly what you meant to do.

Re: distill off ABE-rule from log message; intranet applicat

Posted: Wed Oct 01, 2014 2:07 pm
by Peter0
Giorgio Maone wrote:… in the same "Accept ..." clause.
Ok; important hint.
Giorgio Maone wrote:

Code:

Accept from example .xlogon.net
What is the difference from

Code:

Accept from example SELF
Giorgio Maone wrote:Notice, though, that the rule above is protecting xlogon.net against CSRF, which I'm not sure is exactly what you meant to do.
I thought protecting against CSRF is in general a goal of ABE. I don't understand – what do you want to warn about?

Ciao – Peter

Re: distill off ABE-rule from log message; intranet applicat

Posted: Wed Oct 01, 2014 3:43 pm
by barbaz
Peter0 wrote:
Giorgio Maone wrote:

Code:

Accept from example .xlogon.net
What is the difference from

Code:

Accept from example SELF
SELF matches only the exact "scheme://ho.st:port" of the origin site.
.xlogon.net matches "xlogon.net" and all its subdomains, regardless of scheme and port.

Re: distill off ABE-rule from log message; intranet applicat

Posted: Thu Oct 02, 2014 4:41 am
by Thrawn
Peter0 wrote:
Giorgio Maone wrote:Notice, though, that the rule above is protecting xlogon.net against CSRF, which I'm not sure is exactly what you meant to do.
I thought protecting against CSRF is in general a goal of ABE. I don't understand – what do you want to warn about?
I think he meant that your rule is protecting the whole xlogon.net domain - including www.xlogon.net, etc. Probably not what you intended.

You might be better off with

Code:

Site https://my.xlogon.net
instead.
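As an added example (not part of this thread and not NoScript's own code), here is a small Python model of the ABE rule semantics the replies above describe: Giorgio's point that every site in a redirect chain must be matched by the same "Accept from" clause, barbaz's distinction between SELF and .xlogon.net, and Thrawn's narrower "Site https://my.xlogon.net". It parses the console line Peter quoted, evaluates the rule sets from the thread against it, and proposes a single clause from the origin chain, which is the kind of assistant Peter asked for. The matching behaviour is a simplification inferred from the thread, not ABE's real implementation; in particular, treating a bare hostname pattern as matching any port, the `propose_clause` helper, the second constructed request and the ignored trailing number in the log line are all assumptions made here.

```python
"""Simplified model of NoScript ABE rule matching, inferred from the thread.
Illustration only; it is not NoScript's code and omits most of real ABE."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: the console line quoted in the first post of the thread.
LOG_LINE = ("[ABE] <.xlogon.net> Deny on {GET https://my.xlogon.net/server/trust/0/ "
            "<<< https://my.xlogon.net/server/, http://example:8008/ - 6}")

@dataclass
class Request:
    method: str
    destination: str
    origins: list  # the redirect chain, as listed after "<<<" in the log line

# Method, destination, then the comma-separated origin chain; the trailing
# "- <number>" is not explained in the thread, so it is matched and ignored.
LOG_RE = re.compile(r"\{(\w+) (\S+) <<< (.*?) - \d+\}")

def parse_log(line):
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ABE request line: " + line)
    method, dest, chain = m.groups()
    return Request(method, dest, [o.strip() for o in chain.split(",")])

def _parts(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port

def matches(pattern, url, site_origin):
    """Does one pattern match the given URL? (assumed semantics, see lead-in)"""
    if pattern == "SELF":
        # barbaz: SELF is only the exact scheme://host:port of the origin site
        return _parts(url) == _parts(site_origin)
    if pattern == "ALL":
        return True
    scheme, host, port = _parts(url)
    if "://" in pattern:
        # full URL pattern such as "https://my.xlogon.net": exact scheme/host/port
        return (scheme, host, port) == _parts(pattern)
    if pattern.startswith("."):
        # barbaz: ".xlogon.net" is the domain and every subdomain, any scheme/port
        dom = pattern[1:]
        return host == dom or host.endswith("." + dom)
    # bare host, optionally with a port: "example" or "example:8008"
    # (assumption: without a port, any port matches, as "example" did in the thread)
    phost, _, pport = pattern.partition(":")
    return host == phost and (not pport or int(pport) == port)

@dataclass
class RuleSet:
    site: str
    clauses: list  # each "Accept from ..." line becomes one list of patterns

def parse_rules(text):
    site, clauses = None, []
    for raw in text.strip().splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        kw = words[0].lower()
        if kw == "site":
            site = words[1]
        elif kw == "accept" and len(words) > 2 and words[1].lower() == "from":
            clauses.append(words[2:])
        elif kw != "deny":
            raise ValueError("unsupported line in this model: " + raw)
    return RuleSet(site, clauses)

def evaluate(rules, req):
    """'Accept', 'Deny', or None when the Site line does not cover the destination."""
    if not matches(rules.site, req.destination, req.destination):
        return None
    for clause in rules.clauses:
        # Giorgio: one clause must match every origin of the redirect chain
        if all(any(matches(p, o, req.destination) for p in clause) for o in req.origins):
            return "Accept"
    return "Deny"

def propose_clause(req):
    """Assumed helper: one Accept clause listing every host in the chain."""
    hosts = []
    for o in req.origins:
        h = urlsplit(o).hostname
        if h not in hosts:
            hosts.append(h)
    return "Accept from " + " ".join(hosts)

PETER_RULES = "Site .xlogon.net\nAccept from example\nAccept from example:8008\nAccept from .xlogon.net\nDeny"
GIORGIO_RULES = "Site .xlogon.net\nAccept from example .xlogon.net\nDeny"
SELF_RULES = "Site .xlogon.net\nAccept from example SELF\nDeny"
THRAWN_RULES = "Site https://my.xlogon.net\nAccept from example .xlogon.net\nDeny"

if __name__ == "__main__":
    req = parse_log(LOG_LINE)
    for name, text in [("Peter", PETER_RULES), ("Giorgio", GIORGIO_RULES), ("SELF", SELF_RULES)]:
        print(name, "->", evaluate(parse_rules(text), req))
    print("proposed:", propose_clause(req))
```

Running it shows why Peter's three separate clauses deny the redirected request while Giorgio's single clause accepts it, and that "Accept from example SELF" behaves the same for this particular request but denies a constructed request originating from www.xlogon.net, which is where the two clauses differ.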