/rules.abe request does not respect user's ABE rules

Posted: Tue Oct 07, 2014 2:20 am
by AlbertMTom
Say that a user has the following rule in ABE:

Site *
Accept from SELF++
Anonymize

Say that the user visits https://exampleONE.com with an image loaded from https://exampleTWO.com/image.jpg, and that image would normally set a cookie ... with the above rule set, the cookie is stripped out. But (when enabled) another request is sent to https://exampleTWO.com/rules.abe, and if that file (or the 404 document) sets a cookie, it is not filtered by ABE.

Working example (EDIT: this example doesn't work unless you have HTTPS Everywhere installed, because /rules.abe is only requested for https resources):
1) Set the above rule in ABE
2) Enable "Allow sites to push their own rulesets" in ABE
3) Visit noscript.net ... notice that a cookie is set from flattr.com with the request for /rules.abe

Re: /rules.abe request does not respect user's ABE rules

Posted: Tue Oct 07, 2014 3:53 am
by barbaz
I suspect that is because the rules.abe request is treated like another top-level request, meaning that to the browser it appears to originate from the browser itself, and thus ABE sees it as a request from chrome, which is implicitly Accepted in that rule.

To confirm that, is the cookie still set if you allow all 3rd-party cookies in the browser, then remove or comment out the Accept line in your rule?

(I still agree with you that that is a potential privacy issue, but if I'm correct, I don't know if it's technically possible to do anything about it.)

Re: /rules.abe request does not respect user's ABE rules

Posted: Tue Oct 07, 2014 6:57 pm
by AlbertMTom
barbaz wrote: To confirm that, is the cookie still set if you allow all 3rd-party cookies in the browser, then remove or comment out the Accept line in your rule?
Yes, the cookie is still set....

FYI, the "working example" I put in my original post actually doesn't work unless you have HTTPS Everywhere installed, because /rules.abe is only requested for https resources. Sorry about any confusion. The issue still exists, it's just that the example I listed doesn't demonstrate it.

Re: /rules.abe request does not respect user's ABE rules

Posted: Tue Oct 07, 2014 9:23 pm
by Giorgio Maone
Yes, it is an issue which should be fixed, both by anonymizing/sterilizing rules.abe requests by default and subjecting them to ABE processing.
Unfortunately, as this feature is not very popular, there are currently higher priorities.
Putting it in my TODO list, nevertheless.
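To make barbaz's explanation and the fix Giorgio describes concrete, here is a small Python model of how a ruleset like the one in the first post is applied to outgoing requests. This is an added illustration written for this thread, not NoScript's or ABE's code: it assumes, as barbaz suggests, that browser-originated ("chrome") requests are implicitly accepted unless the engine is told to subject them to the rules, it models SELF++ simply as "same host as the originating page", and it only models the request direction (cookies sent), not Set-Cookie headers on the response. The `rules_apply_to_chrome` switch stands in for the proposed fix of subjecting rules.abe fetches to ABE processing.

```python
"""Simplified, illustrative model of ABE-style rule evaluation (not NoScript's code)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Request:
    url: str                               # destination URL
    origin: str                            # "chrome" (browser itself) or the URL of the triggering page
    cookies: dict = field(default_factory=dict)


@dataclass
class Rule:
    site: str                              # "*" matches every destination
    accept_from: list                      # e.g. ["SELF++"]
    fallback: str                          # action taken when no Accept clause matches


def parse_rule(text):
    """Parse the three-line rule quoted in the first post (a constructed subset of ABE syntax)."""
    site, accept_from, fallback = "*", [], "Deny"
    for line in text.strip().splitlines():
        words = line.split()
        if words[0] == "Site":
            site = words[1]
        elif words[0] == "Accept" and words[1] == "from":
            accept_from = words[2:]
        elif words[0] in ("Anonymize", "Deny"):
            fallback = words[0]
    return Rule(site, accept_from, fallback)


def host(url):
    return (urlparse(url).hostname or "").lower()


def site_matches(rule, req):
    return rule.site == "*" or host(req.url).endswith(rule.site.lstrip("*.").lower())


def evaluate(rule, req, rules_apply_to_chrome=False):
    """Return "Accept", "Anonymize" or "Deny" for one request."""
    if req.origin == "chrome" and not rules_apply_to_chrome:
        return "Accept"                    # assumed: browser-originated requests are implicitly accepted
    if not site_matches(rule, req):
        return "Accept"                    # the rule does not cover this destination
    # SELF++ modeled as "same host as the originating page" (simplification, assumption)
    if "SELF++" in rule.accept_from and host(req.origin) == host(req.url):
        return "Accept"
    return rule.fallback


def process(rule, req, rules_apply_to_chrome=False):
    """Apply the verdict: Anonymize strips cookies, Deny drops the request, Accept passes it unchanged."""
    verdict = evaluate(rule, req, rules_apply_to_chrome)
    if verdict == "Anonymize":
        return verdict, Request(req.url, req.origin, {})
    if verdict == "Deny":
        return verdict, None
    return verdict, req


RULE_TEXT = """
Site *
Accept from SELF++
Anonymize
"""


def demo():
    """Replay the scenario from the first post; returns the verdict for each request."""
    rule = parse_rule(RULE_TEXT)
    # Constructed sample: a page on exampleONE.com embeds an image from exampleTWO.com
    image = Request("https://exampleTWO.com/image.jpg", "https://exampleONE.com/", {"sid": "abc"})
    # The /rules.abe fetch is modeled as originating from the browser itself ("chrome")
    rules_fetch = Request("https://exampleTWO.com/rules.abe", "chrome", {"sid": "abc"})
    return {
        "image": process(rule, image)[0],                                    # Anonymize
        "rules_abe_current": process(rule, rules_fetch)[0],                 # Accept (cookie leaks)
        "rules_abe_fixed": process(rule, rules_fetch, rules_apply_to_chrome=True)[0],  # Anonymize
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running `demo()` shows the asymmetry the thread is about: the third-party image request is anonymized, while the rules.abe fetch with the same destination passes its cookie through because its origin is the browser rather than the page; flipping `rules_apply_to_chrome` on makes both requests fall through to the Anonymize fallback.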

Re: /rules.abe request does not respect user's ABE rules

Posted: Tue Oct 07, 2014 10:22 pm
by AlbertMTom
I completely understand regarding prioritization. Thanks!