Blocking DOM storage with ABE?

Discussions about the Application Boundaries Enforcer (ABE) module
aloishammer
Senior Member
Posts: 65
Joined: Mon Apr 20, 2009 4:03 pm

Blocking DOM storage with ABE?

Post by aloishammer »

NewTwitter is, sadly, 100% reliant on DOM storage to work at all. With no DOM storage, there's a topbar and no content. With DOM storage, NewTwitter works fine. twitter.com's support is proving useless. Their best suggestion is to "upgrade" my browser, followed by "trying" another one.

I'm guessing (hoping?) ABE is the best way to handle this: can I re-enable DOM storage and use ABE to restrict its usage to (for instance) twitter.com and twimage.com and allow no other usage? The only alternative I can think of is a script surrogate, but I'm not sure I'd want to trust that route for security / privacy.

Thanks in advance!
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100915 Firefox/3.6.10
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Blocking DOM storage with ABE?

Post by Alan Baxter »

DOM storage already works that way. By default, Firefox requires you to give permission on a site-by-site basis for using it.

Verify that Options > Advanced > Network > Tell me when a website asks to store data for offline use is still checked. You'll get a notification bar at the top of the web page if twitter -- or anyone else -- wants permission to use DOM storage. You can give twitter.com and twimage.com permission -- even blanket permission, if I recall correctly. If any other website asks, just say no.

Edit: I just verified that once you Allow twitter.com to "store data on your computer for offline use", you won't be prompted for twitter.com again. It will just work.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
aloishammer
Senior Member
Posts: 65
Joined: Mon Apr 20, 2009 4:03 pm

Re: Blocking DOM storage with ABE?

Post by aloishammer »

Alan Baxter wrote:DOM storage already works that way. By default, Firefox requires you to give permission on a site-by-site basis for using it.

Verify that Options > Advanced > Network > Tell me when a website asks to store data for offline use is still checked. You'll get a notification bar at the top of the web page if twitter -- or anyone else -- wants permission to use DOM storage. You can give twitter.com and twimage.com permission -- even blanket permission, if I recall correctly. If any other website asks, just say no.

Edit: I just verified that once you Allow twitter.com to "store data on your computer for offline use", you won't be prompted for twitter.com again. It will just work.
I didn't know that, and I appreciate the info! ...but for now I can't imagine letting anything but Twitter use DOM storage, so it'd still be helpful-- and it would enhance my understanding of writing ABE rules, which is slim --to see an example of using it to block DOM storage. I don't know if it's my limited knowledge of Fox internals or something else, but reading the ABE guide hasn't gotten me anywhere.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100915 Firefox/3.6.10
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Blocking DOM storage with ABE?

Post by Alan Baxter »

You're welcome. I'm not competent to be an ABE helper, but Giorgio may be able to give you some info when he's available.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Blocking DOM storage with ABE?

Post by al_9x »

If the twitter problem is the same as Bug 527970, then the following surrogate should take care of it.

Code:

user_pref("noscript.surrogate.localStorage.sources", "@^https?:");
user_pref("noscript.surrogate.localStorage.replacement", "__defineGetter__('localStorage', function() {}); __defineGetter__('sessionStorage', function() {});");
But I am not sure that it is. What twitter url has the problem? And what's the error in the error console?
Last edited by al_9x on Tue Oct 12, 2010 2:49 pm, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
aloishammer
Senior Member
Posts: 65
Joined: Mon Apr 20, 2009 4:03 pm

Re: Blocking DOM storage with ABE?

Post by aloishammer »

al_9x wrote:If the twitter problem is the same as Bug 527970, then the following surrogate should take care of it.

Code:

user_pref("noscript.surrogate.localStorage.sources", "@^https?:");
user_pref("noscript.surrogate.localStorage.replacement", "__defineGetter__('localStorage', function() {}); __defineGetter__('sessionStorage', function() {});");
But I am not sure that is. What twitter url has the problem? And what's the error in the error console?
No particular URL-- once your twitter.com account is switched to #NewTwitter, it's every page. That surrogate caught one of the two errors (apparently). Here's the other:

Code:

Error: uncaught exception: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)"  location: "http://a1.twimg.com/a/1286818005/javascripts/phoenix.bundle.js Line: 69"]
I set sources to "@*.twimg.com *.twitter.com"; I think the other error was from a script on twitter.com.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100915 Firefox/3.6.10
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Blocking DOM storage with ABE?

Post by al_9x »

aloishammer wrote:I set sources to "@*.twimg.com *.twitter.com"; I think the other error was from a script on twitter.com.
This is a page level surrogate, the source has to match the container page, not the script, keep it at what I posted for now. Does it take care of the problem or is there still an error and screwed up page?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
aloishammer
Senior Member
Posts: 65
Joined: Mon Apr 20, 2009 4:03 pm

Re: Blocking DOM storage with ABE?

Post by aloishammer »

al_9x wrote:This is a page level surrogate, the source has to match the container page, not the script, keep it at what I posted for now. Does it take care of the problem or is there still an error and screwed up page?
It takes care of only one error. Details of second error in previous post.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100915 Firefox/3.6.10
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Blocking DOM storage with ABE?

Post by al_9x »

Ok, they are checking explicitly for null, the following should work.

Code:

user_pref("noscript.surrogate.localStorage.sources", "@^https?:");
user_pref("noscript.surrogate.localStorage.replacement", "__defineGetter__('localStorage', function() {return null;}); __defineGetter__('sessionStorage', function() {return null;});");
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Blocking DOM storage with ABE?

Post by al_9x »

@Giorgio this may be worth including (in a more universal form)

Code:

user_pref("noscript.surrogate.localStorage.sources", "@^https?:");
user_pref("noscript.surrogate.localStorage.replacement", "try { window.localStorage; } catch(e) { __defineGetter__('localStorage', function() {return null;}); __defineGetter__('sessionStorage', function() {return null;});}");
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
aloishammer
Senior Member
Posts: 65
Joined: Mon Apr 20, 2009 4:03 pm

Re: Blocking DOM storage with ABE?

Post by aloishammer »

al_9x wrote:Ok, they are checking explicitly for null, the following should work.

Code:

user_pref("noscript.surrogate.localStorage.sources", "@^https?:");
user_pref("noscript.surrogate.localStorage.replacement", "__defineGetter__('localStorage', function() {return null;}); __defineGetter__('sessionStorage', function() {return null;});");
It certainly works for Twitter. Thanks! Now I just need to see if I can write myself a simple ABE rule to disallow access to "amazonaws.com" from (to?) everywhere but twimg.com and twitter.com. :)
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100915 Firefox/3.6.10
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Blocking DOM storage with ABE?

Post by therube »

(
Had never heard of that before:

DOM Storage

Introduction to DOM Storage
)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.14) Gecko/20100930 SeaMonkey/2.0.9
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Blocking DOM storage with ABE?

Post by Alan Baxter »

therube wrote:Had never heard of that before:
Very few sites use it yet. You have to explicitly allow a site to use DOM storage by Allowing a request from the site in the notification bar. The only site which has ever asked me is this demo:
Mark Finkle's weblog | Task Helper demo

It's not necessary to block these requests with ABE. Most users shouldn't want to block these requests.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Blocking DOM storage with ABE?

Post by al_9x »

Alan Baxter wrote:
therube wrote:Had never heard of that before:
Very few sites use it yet. You have to explicitly allow a site to use DOM storage by Allowing a request from the site in the notification bar. The only site which has ever asked me is this demo:
Mark Finkle's weblog | Task Helper demo

It's not necessary to block these requests with ABE. Most users shouldn't want to block these requests.
You are mixing up "Offline Storage" (what you are referring to) and "DOM storage" (this thread)

ABE is not being used to block it. DOM Storage is disabled with dom.storage.enabled. When disabled, Fx throws an exception when it's referenced, something many sites don't handle. The surrogate suppresses the exception throwing.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
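Added example, not part of any post in this thread and not NoScript or Firefox code: a Node.js model of the three states discussed above (storage disabled so the getter throws, a surrogate getter returning undefined, a surrogate getter returning null) run against three feature-detection styles a site might use. `makeWindow`, `detectors`, `outcome` and `matrix` are hypothetical names, the detection styles are assumptions rather than Twitter's actual code, and `Object.defineProperty` stands in for the `__defineGetter__` calls in the surrogates.

```javascript
// Constructed model of a page global with a configurable storage getter.
function makeWindow(mode) {
  const getter = {
    // dom.storage.enabled = false: referencing the property throws.
    disabled: () => {
      const e = new Error("Security error");
      e.name = "NS_ERROR_DOM_SECURITY_ERR";
      throw e;
    },
    // First surrogate in the thread: function() {} returns undefined.
    surrogateUndefined: () => undefined,
    // Later surrogate: function() { return null; }
    surrogateNull: () => null,
  }[mode];
  const win = {};
  for (const name of ["localStorage", "sessionStorage"]) {
    Object.defineProperty(win, name, { get: getter, configurable: true });
  }
  return win;
}

// Hypothetical site-side detection styles (assumptions for illustration).
const detectors = {
  explicitNull: (w) => (w.localStorage !== null ? w.localStorage.getItem("k") : "fallback"),
  truthy: (w) => (w.localStorage ? w.localStorage.getItem("k") : "fallback"),
  guarded: (w) => {
    try {
      const s = w.localStorage;
      return s ? s.getItem("k") : "fallback";
    } catch (e) {
      return "fallback";
    }
  },
};

// Run one detection style against one storage state.
function outcome(mode, style) {
  try {
    return detectors[style](makeWindow(mode));
  } catch (e) {
    return "threw " + e.name;
  }
}

// Full state-by-style table.
function matrix() {
  const out = {};
  for (const mode of ["disabled", "surrogateUndefined", "surrogateNull"]) {
    out[mode] = {};
    for (const style of Object.keys(detectors)) out[mode][style] = outcome(mode, style);
  }
  return out;
}

console.log(matrix());
```

Only the try/catch style survives all three states; an explicit null comparison works only once the getter returns null.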
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Blocking DOM storage with ABE?

Post by Alan Baxter »

al_9x wrote:
Alan Baxter wrote:
therube wrote:Had never heard of that before:
Very few sites use it yet. You have to explicitly allow a site to use DOM storage by Allowing a request from the site in the notification bar. The only site which has ever asked me is this demo:
Mark Finkle's weblog | Task Helper demo

It's not necessary to block these requests with ABE. Most users shouldn't want to block these requests.
You are mixing up "Offline Storage" (what you are referring to) and "DOM storage" (this thread)
No, I'm not mixing it up. Toggling dom.storage.enabled to false disables offline storage completely. The demo link I provided fails if dom.storage.enabled is toggled to false. I'm not referring to the cache. When Firefox refers to "data for offline use" in Options > Advanced > Network, it's referring to DOM storage. Setting dom.storage.enabled to false disables storing "data for offline use" completely.
ABE is not being used to block it. DOM Storage is disabled with dom.storage.enabled. When disabled, Fx throws an exception when it's referenced, something many sites don't handle. The surrogate suppresses the exception throwing.
It appears to me that aloishammer wants twitter to be able to use offline/DOM storage, but no other site should even be allowed to ask. Good luck with that.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10