ABE doesn't work on first page load

Alqualos
Posts: 5
Joined: Thu Jul 12, 2012 4:33 pm

ABE doesn't work on first page load

Post by Alqualos »

Hi,

I'm trying to selectively disable scripts on some URLs of a web site. My ABE config is very simple:

Code:

Site www.zr.ru/forum/
Accept

Site www.zr.ru
Sandbox

This is supposed to block scripts everywhere on ZR.RU except the forum. Of course, scripts on ZR.RU are allowed in the NoScript settings. This approach works most of the time, but when I open ZR.RU for the first time when Firefox starts, it always opens with scripts enabled. If I reload the page or close it and open again, it works fine. It is especially annoying since some scripts on the main page make Firefox lose focus, so I can't just reload the page by hitting F5.

I'm using Firefox 14.0.1 32-bit on Windows 7 64-bit. The version of NoScript is the latest development build (2.4.9rc1), which I installed after encountering this problem on the latest stable build.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: ABE doesn't work on first page load

Post by Thrawn »

Maybe the scripts are on a different subdomain? Try changing the rule to use .zr.ru (ie all subdomains).
You could also try

Code:

Site ALL
Accept from www.zr.ru/forum/
Sandbox from .zr.ru
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Linux; U; Android 2.2.1; en-gb; GT-S5570 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

Post by Alqualos »

Thrawn wrote: Maybe the scripts are on a different subdomain? Try changing the rule to use .zr.ru (ie all subdomains).

That doesn't work the first time either. Besides, I don't see why the scripts' domain should matter. I want to block everything on a specific page, so when I type "www.zr.ru" in a new blank tab, the page loads with scripts completely disabled (just like when it's not whitelisted in NoScript). And it is exactly what happens when I do it again and again, except for the very first time after I start the browser.

I've just tested it with a freshly created Firefox profile, only with NoScript installed. The same thing. Unless there's a specific difference when opening a page for the first time, this definitely looks like a bug.

Thrawn wrote: You could also try

Code:

Site ALL
Accept from www.zr.ru/forum/
Sandbox from .zr.ru

This doesn't work either. In fact, it doesn't work at all. As I understand, it sandboxes attempts to load external scripts from .zr.ru, but I need to block everything on the www.zr.ru site instead, including inline scripts. And I don't need to accept scripts from www.zr.ru/forum/ on any other sites either. I'm just trying to simulate the ability to whitelist only some pages on the site (that is, allow scripts on www.zr.ru/forum/, disable everywhere else).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1

Post by Thrawn »

I think that you misunderstand ABE syntax (as many people do).

ABE is about controlling requests. 'Site' means the destination of a request, and 'from' refers to the origin of a request (usually the site that you're visiting, ie the one in the address bar). So,

Code:

Site ALL
Accept from www.zr.ru/forum/
Sandbox from .zr.ru

actually means "Allow www.zr.ru/forum to request whatever it wants, but prevent any other part of zr.ru and its subdomains from requesting active content".

Whereas

Code:

Site www.zr.ru
Sandbox

actually means "Prevent any site from loading active content hosted on www.zr.ru" (and it doesn't affect any other subdomains of zr.ru).

Your suggested rules tell ABE to sandbox requests aimed at www.zr.ru, but I think that what you really want is to sandbox requests coming from zr.ru. I'm not sure whether that affects inline scripts...Giorgio would know best.

Not entirely sure about the 'not working on first load' thing, but let's first try the right rule(s). If it really is a bug, Giorgio would be the one who could identify and fix it.

ETA: If the syntax that I've described looks backwards, that's because ABE was designed primarily to protect specific sites against CSRF etc, not as a content-blocker. So, the intended pattern is similar to:

Code:

Site valuable-site.com
Accept from SELF++ trusted-site.net
Deny
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
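Added example (not part of the thread and not NoScript's code): a simplified Python model of the Site/from reading described in the post above, applied to the two rulesets from this thread. The pattern matching, the treatment of a typed address as a request with no origin, and the default of Accept for unmatched requests are assumptions of this model, not ABE's actual implementation.

```python
from urllib.parse import urlsplit

# The two rulesets discussed in this thread.
OP_RULES = """
Site www.zr.ru/forum/
Accept

Site www.zr.ru
Sandbox
"""
THRAWN_RULES = """
Site ALL
Accept from www.zr.ru/forum/
Sandbox from .zr.ru
"""

def matches(pattern, url):
    """Model assumption: ALL, .domain (incl. subdomains), or host[/path-prefix]."""
    if pattern == "ALL":
        return True
    if url is None:                       # no origin, e.g. typed in the address bar
        return False
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    phost, _, ppath = pattern.partition("/")
    return host == phost and path.startswith("/" + ppath)

def parse(text):
    """Turn rule text into [(site_patterns, [(action, origin_patterns), ...]), ...]."""
    rules = []
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "Site":
            rules.append((words[1:], []))
        else:
            origins = words[words.index("from") + 1:] if "from" in words else []
            rules[-1][1].append((words[0], origins))
    return rules

def decide(rules, origin, destination):
    """Site is matched against the destination, 'from' against the origin."""
    for sites, predicates in rules:
        if any(matches(p, destination) for p in sites):
            for action, origins in predicates:
                if not origins or any(matches(o, origin) for o in origins):
                    return action
    return "Accept"                       # model assumption: unmatched requests pass

def compare(origin, destination):
    """(action under the original poster's rules, action under Thrawn's rules)."""
    return tuple(decide(parse(r), origin, destination) for r in (OP_RULES, THRAWN_RULES))
```

In this model, `compare(None, "http://www.zr.ru/")` gives `("Sandbox", "Accept")`: only the destination-keyed ruleset touches a page opened from the address bar, while the origin-keyed one acts on what pages under zr.ru request.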

Post by Alqualos »

Thrawn wrote: I think that you misunderstand ABE syntax (as many people do).

ABE is about controlling requests. 'Site' means the destination of a request, and 'from' refers to the origin of a request (usually the site that you're visiting, ie the one in the address bar).

Yes, I realize that. It was the first thing I figured out from the docs. So the rule "Site X Do Y" means that if something (be it some site or the user typing in the address bar directly) requests something from site X, the browser should do Y. I have tested it with "Site www.zr.ru Deny" - if I type "www.zr.ru" in the address bar, a message pops up saying "Request GET filtered by ABE", and the browser refuses to open the page at all. That's exactly because I block the request for www.zr.ru with "Site www.zr.ru", and I don't specify "from" so it gets blocked from everywhere, including the address bar.

Now, if I say "Sandbox" instead of "Deny", it is supposed to mean "allow request itself, but block active content in the received data". And that's exactly how it works except for the first time load. To quote the rules spec,

Sandbox – sends the requests as it is, but disables JavaScript and other active content (e.g. plugin embeddings) in the landing page

That sounds like exactly what I want. And I don't care where the request is coming from. If the user types "www.zr.ru", it should load the page, but block scripts and other active stuff. If some other site is stupid enough to request something from www.zr.ru for whatever reason, the request should come through, but the received data should be completely static.

Thrawn wrote:

Code:

Site ALL
Accept from www.zr.ru/forum/
Sandbox from .zr.ru

actually means "Allow www.zr.ru/forum to request whatever it wants, but prevent any other part of zr.ru and its subdomains from requesting active content".

I don't want to prevent zr.ru from requesting active content. I want to block all active content for it, just like NoScript blocks it on all sites that aren't whitelisted. If I do it, it doesn't make any sense to prevent it from requesting anything, since it wouldn't be able to do it anyway.

Besides, I thought that it's Deny INCLUSION that prevents a site from loading active content, not Sandbox.

Thrawn wrote: Whereas

Code:

Site www.zr.ru
Sandbox

actually means "Prevent any site from loading active content hosted on www.zr.ru" (and it doesn't affect any other subdomains of zr.ru).

Not exactly "any site", but "anything", even the user, right? At least it works with "Deny", so I don't see why it shouldn't work with "Sandbox". Especially since it works, just not on the first time.

Thrawn wrote: Your suggested rules tell ABE to sandbox requests aimed at www.zr.ru, but I think that what you really want is to sandbox requests coming from zr.ru. I'm not sure whether that affects inline scripts...Giorgio would know best.

No, I want to make sure that the entire page is sandboxed. I don't mind the page requesting anything since it would be only inactive content like images.

Thrawn wrote: Not entirely sure about the 'not working on first load' thing, but let's first try the right rule(s). If it really is a bug, Giorgio would be the one who could identify and fix it.

As I've already said, those "right" rules don't seem to work at all, whether on first time load or on subsequent ones. Well, maybe they prevent www.zr.ru from loading external resources (not checked that), but since most evil things are done by inline scripts, that doesn't help much.

I have replaced www.zr.ru with .zr.ru in my config because I want to sandbox requests for other subdomains too (not sure if there are any, though), but that didn't change anything. It still blocks scripts on the second and subsequent loads, but fails to do so for the first request.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1

Post by Thrawn »

Alqualos wrote: Now, if I say "Sandbox" instead of "Deny", it is supposed to mean "allow request itself, but block active content in the received data". And that's exactly how it works except for the first time load.
<snip>
And I don't care where the request is coming from. If the user types "www.zr.ru", it should load the page, but block scripts and other active stuff. If some other site is stupid enough to request something from www.zr.ru for whatever reason, the request should come through, but the received data should be completely static.

OK, then. Sounds like this one's for Giorgio to investigate.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ABE doesn't work on first page load

Post by GµårÐïåñ »

Another thing people don't understand about ABE is that it's not designed to disable scripts. Just access/requests aka boundaries. So if you want the ABE rule to control something, anything on xyz.com you need to permanently allow xyz.com in NoScript and then configure ABE to handle the boundaries. So you can't use ABE to disable scripting per se while you can control access/requests to those resources. Understand?

So on certain sites for example, I allow the parent, some other things, block the rest and then I go and write up my ABE rule to make sure that what I allowed is only accessible by the right sites only. Make sense? Your scripting fine tune is STILL in NoScript, your boundaries are in ABE.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1

Post by Alqualos »

GµårÐïåñ wrote: Another thing people don't understand about ABE is that it's not designed to disable scripts. Just access/requests aka boundaries. So if you want the ABE rule to control something, anything on xyz.com you need to permanently allow xyz.com in NoScript and then configure ABE to handle the boundaries. So you can't use ABE to disable scripting per se while you can control access/requests to those resources. Understand?

I understand that it's the main usage, but then what's the Sandbox action for? It seems to be designed just for that - sandboxing only some requests, not "everything on xyz.com" like NoScript does (if site X requests page Y, allow it along with its scripts, otherwise allow request, but disable active content on the landing page, right?). And it works (except for the first load), so what's wrong with using it? If Sandbox is not supposed to work correctly at all, then why on Earth is it there in the first place?

GµårÐïåñ wrote: So on certain sites for example, I allow the parent, some other things, block the rest and then I go and write up my ABE rule to make sure that what I allowed is only accessible by the right sites only. Make sense? Your scripting fine tune is STILL in NoScript, your boundaries are in ABE.

That's just what I did. I allowed zr.ru in NoScript, but then made ABE sandbox all requests for it, except requests for the forum resources.

The root of the problem is that NoScript doesn't allow whitelisting URL patterns. In my case, I want NoScript to look at the address bar, and if there's something starting with www.zr.ru/forum/, then allow scripts from the zr.ru domain, otherwise block everything (default behavior). So instead of "allow zr.ru" I would like to see "allow zr.ru for URLs starting with www.zr.ru/forum/ only". There is no such feature, so I'm trying to emulate it with the ABE. Maybe it's not intended, but since the right tools are there, I see no reason why I shouldn't use them.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Giorgio Maone
Site Admin
Posts: 9527
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: ABE doesn't work on first page load

Post by Giorgio Maone »

Unfortunately Sandbox didn't get much testing on edge cases like yours, because it was more meant for sites to safely embed subcontent than a user-facing top level protection.
I'm investigating, thanks.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1

Post by GµårÐïåñ »

I refer you to Giorgio's post that puts in perspective what I was trying to explain.
Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1