Say that a user has the following rule in ABE:
Site *
Accept from SELF++
Anonymize
Say that the user visits https://exampleONE.com with an image loaded from https://exampleTWO.com/image.jpg, and that image would normally set a cookie ... with the above rule set, the cookie is stripped out. But (when enabled) another request is sent to https://exampleTWO.com/rules.abe, and if that file (or the 404 document) sets a cookie, it is not filtered by ABE.
Working example (EDIT: this example doesn't work unless you have HTTPS Everywhere installed, because /rules.abe is only requested for https resources):
1) Set the above rule in ABE
2) Enable "Allow sites to push their own rulesets" in ABE
3) Visit noscript.net ... notice that a cookie is set from flattr.com with the request for /rules.abe
/rules.abe request does not respect user's ABE rules
-
AlbertMTom
- Posts: 12
- Joined: Wed Oct 01, 2014 2:59 am
/rules.abe request does not respect user's ABE rules
Last edited by AlbertMTom on Tue Oct 07, 2014 6:59 pm, edited 1 time in total.
Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Re: /rules.abe request does not respect user's ABE rules
I suspect that is because the rules.abe request is treated like another top-level request, meaning that, to the browser, it appears to originate from the browser, and thus ABE sees it as a request from chrome, which is implicitly Accepted in that rule.
To confirm that, is the cookie still set if you allow all 3rd-party cookies in the browser, then remove or comment out the Accept line in your rule?
(I still agree with you that that is a potential privacy issue, but if I'm correct, I don't know if it's technically possible to do anything about it.)
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:37.6) Gecko/25272270 Firefox/37.6 SeaMonkey/8.24.9a1pre
-
AlbertMTom
- Posts: 12
- Joined: Wed Oct 01, 2014 2:59 am
Re: /rules.abe request does not respect user's ABE rules
barbaz wrote: To confirm that, is the cookie still set if you allow all 3rd-party cookies in the browser, then remove or comment out the Accept line in your rule?
Yes, the cookie is still set....
FYI, the "working example" I put in my original post actually doesn't work unless you have HTTPS Everywhere installed, because /abe.rules is only requested for https resources. Sorry about any confusion. The issue still exists, it's just that the example I listed doesn't demonstrate it.
Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
- Giorgio Maone
- Site Admin
- Posts: 9529
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: /rules.abe request does not respect user's ABE rules
Yes, it is an issue which should be fixed, both by anonymizing/sterilizing rules.abe requests by default and subjecting them to ABE processing.
Unfortunately, since this feature is not very popular, there are currently higher priorities.
Putting it on my TODO list, nevertheless.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
-
AlbertMTom
- Posts: 12
- Joined: Wed Oct 01, 2014 2:59 am
Re: /rules.abe request does not respect user's ABE rules
I completely understand regarding prioritization. Thanks!
Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
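One way to check a recorded browsing session for the leak discussed in this thread, as an added example (not code from NoScript or from any poster): it flags /rules.abe fetches to third-party hosts that sent or stored cookies. The record shape, the `sampleCapture` data and the function names are assumptions made for illustration.

```javascript
// Constructed sample capture (hypothetical shape): one record per request made
// while loading https://exampleONE.com/, with the cookie names the browser
// sent and the cookie names it stored from the response.
const sampleCapture = [
  { url: "https://exampleONE.com/", sent: [], stored: ["session"] },
  { url: "https://exampleTWO.com/image.jpg", sent: [], stored: [] },
  { url: "https://exampleTWO.com/rules.abe", sent: [], stored: ["tracker"] },
  { url: "https://exampleONE.com/rules.abe", sent: ["session"], stored: [] },
];

// Approximation of "same site": same host or a subdomain of the page host.
// This is a simplification, not ABE's own SELF++ matching.
function isSameSite(host, pageHost) {
  return host === pageHost || host.endsWith("." + pageHost);
}

// Return every /rules.abe fetch to a third-party host that sent or stored cookies.
function findRulesetCookieLeaks(entries, pageUrl) {
  const pageHost = new URL(pageUrl).hostname; // URL lowercases the hostname
  const leaks = [];
  for (const entry of entries) {
    let target;
    try {
      target = new URL(entry.url);
    } catch (e) {
      continue; // skip malformed URLs in the capture
    }
    if (target.pathname !== "/rules.abe") continue;
    if (isSameSite(target.hostname, pageHost)) continue;
    const sent = entry.sent || [];
    const stored = entry.stored || [];
    if (sent.length > 0 || stored.length > 0) {
      leaks.push({ host: target.hostname, sent, stored });
    }
  }
  return leaks;
}

console.log(findRulesetCookieLeaks(sampleCapture, "https://exampleONE.com/"));
```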