InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

[INVALID] Facebook widgets seem to have defeated ABE?

https://forums.informaction.com/viewtopic.php?t=6900

Page 1 of 1

[INVALID] Facebook widgets seem to have defeated ABE?

Posted: Tue Jul 26, 2011 4:50 am
by jojojo
My understanding of ABE, with the default facebook containment rule, is that it allows Facebook to run scripts only while you're on facebook.com. But recently I noticed this:

Image

Why does this facebook element work? I thought this was exactly the kind of thing ABE is supposed to block. Have I misunderstood something or has Facebook and/or Seamlessweb managed to get around ABE?

Re: Facebook widgets seem to have defeated ABE?

Posted: Tue Jul 26, 2011 6:10 am
by al_9x
ABE is like a blacklist, allowing everything by default and requiring explicit denies to block something. There's a "Deny INC" missing from your rule.

Re: Facebook widgets seem to have defeated ABE?

Posted: Wed Jul 27, 2011 5:23 pm
by jojojo
Thanks, don't know how that slipped through the cracks.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited