InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

[RESOLVED] Trying to finger out YouTube & s.ytimg.com

https://forums.informaction.com/viewtopic.php?t=22063

Page 1 of 1

[RESOLVED] Trying to finger out YouTube & s.ytimg.com

Posted: Fri Aug 05, 2016 11:15 pm
by wxman1
I'm trying to finger out why I must temp allow s.ytimg.com despite having an ABE rule:

Site s.ytimg.com
Accept from https://www.youtube.com
deny

Also, it would also be nice to define an ABE ruleset for googlevideo.com and restrict it to personally deemed 'safe' sites, e.g., https://www.youtube.com, and subsequently add specific sites as they're discovered.

Re: Trying to finger out YouTube & s.ytimg.com

Posted: Sat Aug 06, 2016 12:00 am
by barbaz
wxman1 wrote:I'm trying to finger out why I must temp allow s.ytimg.com despite having an ABE rule:
Because ABE is totally separate from script blocking.
wxman1 wrote:Also, it would also be nice to define an ABE ruleset for googlevideo.com and restrict it to personally deemed 'safe' sites, e.g., https://www.youtube.com, and subsequently add specific sites as they're discovered.
?
I don't see why you can't already do that. What specifically would you like help with to make it work?

Re: Trying to finger out YouTube & s.ytimg.com

Posted: Sat Aug 06, 2016 5:00 am
by wxman1
Given your answer, I'm actually stupider now than when I first showed up.

This video doesn't play:

https://www.youtube.com/watch?v=pJkb2Esf9Fc

After I temp allow www.youtube.com and WITH the aforementioned ABE rule.

That notwithstanding, IF I temp allow s.ytimg.com it plays. Therefore the ABE rule - and by extension ABE itself - is worthless; in either case, either s.ytimg.com being temp allowed - which defeats ABE entirely because the site is now whitelisted and vulnerable ANYWHERE on the interwebs - or untrusted by NoScript thereby allowing ABE ruleset to come into scope in which case that plain don't work.

Re: Trying to finger out YouTube & s.ytimg.com

Posted: Sat Aug 06, 2016 2:06 pm
by barbaz
wxman1 wrote:Given your answer, I'm actually stupider now than when I first showed up.
Don't worry about it, you're not alone thinking that way.
wxman1 wrote:IF I temp allow s.ytimg.com it plays.
Congratulations, it works as expected for you, that's how it should be and how it's always been.
wxman1 wrote:Therefore the ABE rule - and by extension ABE itself - is worthless; in either case, either s.ytimg.com being temp allowed - which defeats ABE entirely because the site is now whitelisted and vulnerable ANYWHERE on the interwebs
No. ABE will still block it from loading if anyone other than https;//www,youtube,com call it.
ABE is case-sensitive, maybe it's the lowercase d in Deny? (But I'd have thought it would reject the ruleset if it couldn't handle it.)
wxman1 wrote:or untrusted by NoScript thereby allowing ABE ruleset to come into scope in which case that plain don't work.
If you're about to eat a chicken sandwich, would you instinctively decide to use a freight train for that?
Or would you prefer to simply eat the chicken sandwich like any other food, while driving the train at the same time?

ABE is not part of the script blocking. The script blocking is not part of ABE. They are not related. ABE doesn't care about script blocking permissions. Script blocking doesn't care about ABE rules.
It's two totally independent things.

Imagine if what you're saying were really a requirement, then CSRF protection would require you to already know and untrust the site doing the CSRF. But by the time you do that, your bank account is already drained and your router is already compromised.

With it being independent, bad sites get blocked by ABE even if you don't know and untrust the bad sites ahead of time. And you can more easily do what you seem to be trying to do here.
So, win-win all the way.

Re: Trying to finger out YouTube & s.ytimg.com

Posted: Mon Aug 08, 2016 8:58 pm
by wxman1
Thanx for the reply. I'm going to have to analyze that a bit.

That notwithstanding, I believe the issue fundamentally stems from speculative / dynamic loading, i.e., the script src is a parameter to a function.
script src="//s.ytimg.com/yts/jsbin/scheduler.../scheduler.js" type="text/javascript" name="scheduler/scheduler"></script>

script>var ytimg = {};ytimg.count = 1;ytimg.preload = function(src) {var img = new Image();var count = ++ytimg.count;ytimg[count] = img;img.onload = img.onerror = function() {delete ytimg[count];};img.src = src;};</script>

script src="//s.ytimg.com/yts/jsbin/player-en_US.../base.js" name="player/base"></script>

link rel="stylesheet" href="//s.ytimg.com/yts/cssbin/www-core...[URI_ABC].css" name="www-core">
link rel="stylesheet" href="//s.ytimg.com/yts/cssbin/www-player...[URI_DEF].css" name="www-player">

link rel="stylesheet" href="//s.ytimg.com/yts/cssbin/www-pageframe...[URI_GHI].css" name="www-pageframe">
script>ytimg.preload("https:\/\/r9---[URI_JKL].googlevideo.com\/crossdomain.xml");ytimg.preload("https:\/\/r9---[URI_JKL].googlevideo.com\/generate_204");</script>

Re: Trying to finger out YouTube & s.ytimg.com

Posted: Mon Aug 08, 2016 9:15 pm
by barbaz
wxman1 wrote:That notwithstanding, I believe the issue fundamentally stems from speculative / dynamic loading, i.e., the script src is a parameter to a function.
OK back up a moment. How are you determining that your existing ABE rule is in fact not restricting s.ytimg.com?

Re: Trying to finger out YouTube & s.ytimg.com

Posted: Mon Aug 08, 2016 9:28 pm
by barbaz
EDIT Oops, the post I replied to is gone? I was wondering why the board ate my reply.
@wxman1: if you deliberately deleted it, let me know if/how you would like this post edited or deleted.
wxman1 wrote:So ABE can refine globally whitelisted sites?
Yes exactly. It's alluded to in FAQ 8.10 but those examples are simplified and more global than just script permissions. This is what you would do if you wanted only to tweak active content permissions but leave the rest alone:

Code: Select all

Site .ytimg.com
Accept from https://www.youtube.com
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox
wxman1 wrote: If the site is untrusted, the ABE rule don't matter?
In terms of using ABE to tune active content permissions, yes.

More generally, if a site is blocked in ABE, being untrusted doesn't matter.

Re: Trying to finger out YouTube & s.ytimg.com

Posted: Mon Aug 08, 2016 9:31 pm
by wxman1
I did delete the post; I seen your reply and it seems to make that whole post moot. Sorry 'bout the hiccup.
ABE is not part of the script blocking. The script blocking is not part of ABE. They are not related. ABE doesn't care about script blocking permissions. Script blocking doesn't care about ABE rules.
It's two totally independent things.
I was under the impression is that if the site is whitelisted, ABE rule-sets are not in affect. What you're stating is that the site must be whitelisted for an ABE rule-set to become affective.

Apparently you've already confirmed my notion.

Re: Trying to finger out YouTube & s.ytimg.com

Posted: Mon Aug 08, 2016 9:38 pm
by barbaz
wxman1 wrote:I did delete the post; I seen your reply and it seems to make that whole post moot. Sorry 'bout the hiccup.
No problem.
wxman1 wrote: What you're stating is that the site must be whitelisted for an ABE rule-set to become affective.
When using ABE for per-site permissions (and not CSRF protection), a site must be whitelisted for the ABE ruleset to become useful.

I'll just leave this here: viewtopic.php?f=23&t=21401#p79796

Re: Trying to finger out YouTube & s.ytimg.com

Posted: Mon Aug 08, 2016 10:09 pm
by wxman1
Yay, I gots it to work; .googlevideo & s.ytimg.com are now dependent upon a single temp allow of www.youtube.com

8-)

So I'm understanding that if a site is untrusted, and a surrogate script exists, the surrogate becomes affective. If I whitelist a site for which a surrogate script exists, and have an ABE ruleset that accepts that site from various resource URI is the surrogate invoked, or the hosted script? I'm hoping the interweb based script executes, and that the surrogate is affective for all URI otherwise denied.

Re: Trying to finger out YouTube & s.ytimg.com

Posted: Mon Aug 08, 2016 10:17 pm
by barbaz
wxman1 wrote:Yay, I gots it to work;
Great! Image
wxman1 wrote:So I'm understanding that if a site is untrusted, and a surrogate script exists, the surrogate becomes affective. If I whitelist a site for which a surrogate script exists, and have an ABE ruleset that accepts that site from various resource URI is the surrogate invoked, or the hosted script? I'm hoping the interweb based script executes, and that the surrogate is affective for all URI otherwise denied.
It works exactly like you're hoping, the surrogate script will execute regardless of the reason the real script is blocked, and will not execute if the real script is allowed.

Re: Trying to finger out YouTube & s.ytimg.com

Posted: Mon Aug 08, 2016 10:23 pm
by wxman1
Wicked 8-)

I just replaced all the 'deny' in my ABE rule-sets - if that was an issue - with 'Deny' and whitelisted all my ABE rule-set sites.

This is of particular interest with respect to google-analytics; I allow web-masters of explicitely trusted web-sites to avail themselves of whatever statistical info they can glean from my traffic. The rest of the inter-webs can stuff themselves and get the surrogate. :P
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited