INC strangeness

Discussions about the Application Boundaries Enforcer (ABE) module

Post by aberrometer »

I've had some ABE rules for the big sites like Facebook, to keep all kinds of embedded stuff away from other websites. Here are my current rules for FB:

Code:

Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION

The INCLUSION used to have SCRIPT, OBJECT, SUBDOC with it, meaning the rule was almost identical with the example in the ABE documentation PDF. At some point - possibly when Firefox 51 came - embedded content from Facebook domains started to appear on non-Facebook pages. After some experimentation, it started to look like the only inclusion type that had any effect was OTHER, so I turned the Deny rule into a basic INCLUSION.

That alone isn't too bad (though of course having the earlier, more fine-grained control would be nice), but it turns out the Deny INCLUSION rule affects top-level loads too. Trying to follow a link into facebook.com just doesn't work, and the browser console shows that clicking the link triggered the Deny INCLUSION rule. The moz-nullprincipal: at least lets copy-pasting the address to the address bar work.

Now, these changes seem like a regression, but maybe something has just changed in a non-erroneous way and I should change some setting or write the rules differently, so I'm asking if there's maybe some other approach to writing rules for denying the FB embeddings and keeping links to FB functional? (And Twitter and Google+ and... but the principles should be the same.)

I should probably also note that I'm using NoScript in "lazy mode", that is I have the "Cascade top document's permissions to 3rd party scripts" checked, to make it easier enabling scripting for a site if I need to, making the ABE rule more necessary.
Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0

Re: INC strangeness

Post by barbaz »

What version of NoScript?

aberrometer wrote: Here are my current rules for FB:

Code:

Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION

The INCLUSION used to have SCRIPT, OBJECT, SUBDOC with it, meaning the rule was almost identical with the example in the ABE documentation PDF.

To be clear, was this what you had before? -

Code:

Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

Or was it this, which isn't a valid ABE rule? -

Code:

Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com moz-nullprincipal:
Deny INCLUSION(SCRIPT, OBJECT, SUBDOC)

aberrometer wrote: At some point - possibly when Firefox 51 came - embedded content from Facebook domains started to appear on non-Facebook pages. After some experimentation, it started to look like the only inclusion type that had any effect was OTHER, so I turned the Deny rule into a basic INCLUSION.

Do you have an example URL where this occurs?
*Always* check the changelogs BEFORE updating that important software!

Re: INC strangeness

Post by aberrometer »

Oh! I was trying to reproduce the issue on a clear profile, and just found out this was a mess caused by myself, meddling with about:config. I had forced e10s on as I was a bit impatient - I had expected that by Firefox 51 multiprocess support would be enabled by default, but it wasn't (I'm using Debian testing). Having it forced on is what changes the behavior. Things seem to be working just as intended when I let the browser run in the single-process mode again.

I'm now on Firefox 51.0.1 (64-bit), NoScript version is 2.9.5.3. And yeah, that one type was OBJ instead of OBJECT, I guess I somehow mentally expanded the text when typing the post. I also just checked on another machine that runs Arch Linux (Firefox there has multi-process mode on by default), and the rule works fine. The most minimal test case was an otherwise blank page with only a link pointing to facebook.com. So, apparently this is some Debian-specific thing - sorry about using your time!
Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0

Re: INC strangeness

Post by barbaz »

@aberrometer Remember to log in before posting so that you can use your chosen username and don't need to repeatedly solve the CAPTCHA each time. (I fixed that post for you.)
aberrometer wrote: So, apparently this is some Debian-specific thing - sorry about using your time!
Thank you for reporting your findings. :)

Re: INC strangeness

Post by barbaz »

This old thread seems to have become a spam magnet now. Locking.