moz-nullprincipal origin for google domains
Posted: Sat Jun 09, 2012 12:32 pm
by Thrawn
I've been trying to protect google.com domains with ABE, anonymizing requests from other domains, but I'm finding that certain GMail features - notably those that automatically open a new tab, such as switching accounts or viewing an attachment in Google Docs - produce requests with origins similar to:
moz-nullprincipal:{8204ac4c-5794-4fa0-8975-f6eb07ca0b48}
with the part in braces being different each time.
I can match it with a regular expression like
Site .google.com
Accept from SELF++ ^moz-nullprincipal:\{.*\}$
Anon
but since I know very little about moz-nullprincipal, can anyone advise whether this is a) the best way to match it, and b) safe (I suspect not)?
Re: moz-nullprincipal origin for google domains
Posted: Thu Dec 06, 2012 3:26 am
by Thrawn
Bump.
Is there a better way to do this? I'm not really comfortable with:
Accept from ^moz-nullprincipal:\{.*\}
since if Gmail can deliberately create a request that appears to come from moz-nullprincipal, then surely other sites could too, which might give them a way to CSRF my Gmail account.
Re: moz-nullprincipal origin for google domains
Posted: Tue Mar 19, 2013 9:56 pm
by Thrawn
Just saw a further variation on this. My Google-related rule is now:
# Google - allow encrypted connections
Site https://*.google.com/* https://*.google.com.au/*
Accept from https://*.google.com/* https://*.google.com.au/* ^moz-nullprincipal:\{.*\}
Anon GET
Deny
and when I tried to download a file from my own Google Drive (which opens a new tab), I landed at the login page, with nothing in the Error Console. Logging in didn't do anything, just took me back to the login page.
I tried changing Anon GET to Accept GET, then reloading the page (re-submitting login details), and this time ABE gave an error message:
Request {POST https://accounts.google.com/ServiceLoginAuth <<< - 6} filtered by ABE: <https://*.google.com/* https://*.google.com.au/*> Deny
So...ABE thinks that the origin is '- 6'?
Re: moz-nullprincipal origin for google domains
Posted: Wed Mar 20, 2013 8:41 am
by Giorgio Maone
Please update to latest development build 2.6.6rc2 and change the rule to
Site .google.com .google.com.au
Accept from .google.com .google.com.au
Anon GET
Deny
(the repetition instead of SELF++ handles mixed redirections .com -> .com.au, which wouldn't match SELF++)
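To make the CSRF concern from the earlier post and the effect of this fix concrete, here is an added example (not NoScript's own code, and a deliberately simplified model of ABE evaluation: first matching action wins, ".host" covers the host and its subdomains, "^" patterns are regexes, anything else is a glob over the URL). It evaluates the rule that whitelists moz-nullprincipal origins beside the recommended rule; the GUID and request URLs are constructed samples.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Simplified model of ABE rule evaluation (an assumption for illustration, not
# NoScript's code): the first action whose method and origin constraints match
# decides the request; a destination outside the Site list means "no opinion".
def match_pattern(pattern, url):
    """'.host' matches host and subdomains, '^...' is a regex, else a URL glob."""
    if pattern.startswith("^"):
        return re.search(pattern, url) is not None
    if pattern.startswith("."):
        host = urlsplit(url).hostname or ""   # null-principal origins have no host
        return host == pattern[1:] or host.endswith(pattern)
    return fnmatchcase(url, pattern)

def evaluate(rule, method, dest, origin):
    """Return 'ACCEPT', 'ANON' or 'DENY', or None when the rule does not cover dest."""
    if not any(match_pattern(p, dest) for p in rule["site"]):
        return None
    for action, methods, origins in rule["actions"]:
        if methods is not None and method not in methods:
            continue
        if origins is not None and not any(match_pattern(p, origin) for p in origins):
            continue
        return action
    return None

GOOGLE = ["https://*.google.com/*", "https://*.google.com.au/*"]
# The earlier rule from the thread: it also accepts any null-principal origin.
RULE_NULLPRINCIPAL = {
    "site": GOOGLE,
    "actions": [("ACCEPT", None, GOOGLE + [r"^moz-nullprincipal:\{.*\}"]),
                ("ANON", {"GET"}, None),
                ("DENY", None, None)],
}
# The recommended rule: Google origins only, repeated for .com and .com.au.
RULE_FIXED = {
    "site": [".google.com", ".google.com.au"],
    "actions": [("ACCEPT", None, [".google.com", ".google.com.au"]),
                ("ANON", {"GET"}, None),
                ("DENY", None, None)],
}
# Constructed sample origin; the GUID is a placeholder, not one from the thread.
NULL_ORIGIN = "moz-nullprincipal:{00000000-0000-4000-8000-000000000000}"

def compare(method, dest, origin):
    """Decision under (null-principal rule, recommended rule) for one request."""
    return (evaluate(RULE_NULLPRINCIPAL, method, dest, origin),
            evaluate(RULE_FIXED, method, dest, origin))
```

A POST to the login endpoint from a null-principal origin is accepted outright by the first rule but denied by the second, while a GET from the same origin is accepted versus anonymized, which is what the later "Anonymize on {GET ...}" log line in this thread shows.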
Re: moz-nullprincipal origin for google domains
Posted: Wed Mar 20, 2013 10:37 am
by Thrawn
That fixed the issue with delegated Gmail access, thanks. Google Drive still has trouble.
Giorgio Maone wrote:
Please update to latest development build 2.6.6rc2 and change the rule to
Site .google.com .google.com.au
Accept from .google.com .google.com.au
Anon GET
Deny
(the repetition instead of SELF++ handles mixed redirections .com -> .com.au, which wouldn't match SELF++)
Hmm...my latest rule (in my previous post) actually does use repetition instead of SELF++, but it's still getting the same error from Google Drive. I'd rather keep it as https-only, instead of the leading dot wildcard; is that possible?
Re: moz-nullprincipal origin for google domains
Posted: Wed Mar 20, 2013 11:01 am
by Giorgio Maone
Thrawn wrote:
That fixed the issue with delegated Gmail access, thanks. Google Drive still has trouble.
I just installed Google Drive and tried to fiddle a bit with it, but I couldn't reproduce.
Could you give me step-by-step instructions?
Thrawn wrote:
Hmm...my latest rule (in my previous post) actually does use repetition instead of SELF++, but it's still getting the same error from Google Drive. I'd rather keep it as https-only, instead of the leading dot wildcard; is that possible?
Yes, the last rule (https://*.google.com) is OK, but you should remove moz-nullprincipal.
Re: moz-nullprincipal origin for google domains
Posted: Mon Apr 01, 2013 12:22 pm
by Thrawn
Giorgio Maone wrote:
I just installed Google Drive and tried to fiddle a bit with it, but I couldn't reproduce.
I'm not sure what you mean by 'installed' Google Drive; I'm using the web interface, there's no installation involved. I know that there is a desktop application, but not for Linux.
Giorgio Maone wrote:
Could you give me step-by-step instructions?
- Set up an ABE rule like the one in the error message below.
- Log in to Google Drive, https://drive.google.com
- Click on the Create button, and choose any option except Folder; OR
- Click on an existing document, spreadsheet, etc, to open it in Google Drive.
Error message:
[ABE] <https://*.google.com/* https://*.google.com.au/* https://*.gstatic.com/* https://*.googleusercontent.com/* https://*.youtube.com/*> Anonymize on {GET https://docs.google.com/document/create?usp=drive_web&folder=xxxxx <<< moz-nullprincipal:{5d8d44d5-9f24-41c0-a9bb-7a1e8be32821} - 6}
USER rule:
Site https://*.google.com/* https://*.google.com.au/* https://*.gstatic.com/* https://*.googleusercontent.com/* https://*.youtube.com/*
Accept from https://*.google.com/* https://*.google.com.au/* https://*.gstatic.com/* https://*.googleusercontent.com/* https://*.youtube.com/*
Anonymize
Giorgio Maone wrote:
Yes, the last rule (https://*.google.com) is OK, but you should remove moz-nullprincipal.
Thanks; yes, I removed moz-nullprincipal once you posted the development build that fixed the Gmail issue.