Comments on: Introducing ABE

By: Seth Wisely

Seth Wisely — Wed, 07 Oct 2009 23:13:02 +0000

Was there a bit of federalism on your mind when you coined the name?

Have you considered creating a fox 3.5+ GUI manager for Security Policies?

Though as number of security extensions in a profile increases so does the load. I sometimes pine for proxomitron.

By: hackademix.net » Meet ABE

hackademix.net » Meet ABE — Mon, 29 Jun 2009 23:49:57 +0000

[…] been quite a long development journey since my first announcement, made possible by NLNet’s foresight, and it required more than one month of beta testing: […]

By: Tom T.

Tom T. — Thu, 28 May 2009 08:25:46 +0000

@Giorgio: When do you hope to have a dummy-friendly addition to the NoScript FAQ? That would also be good to link to in the support forum — perhaps in GµårÐïåñ’s proposed sticky?

Minor feat req: Is there any possibility to allow "preview comment" here for the benefit of poor typist like myself? :)

@GµårÐïåñ: If you are going to do a forum sticky, perhaps you could also draft the FAQ addition in plain language accessible to novice-to-average users, and help take that load off Giorgio? This would reduce the need for individual forum questions even more. Thanks.

By: GµårÐïåñ

GµårÐïåñ — Tue, 14 Apr 2009 02:57:43 +0000

Giorgio, can I make this post a sticky on the forum for NoScript. I believe it will reduce the repeated requests for having true-site-specific blocking/allowing feature requests. This tells them its in the works and should reduce the forum load. Let me know and I will prepare and post a summary and link to this.

By: owaspscrubbr - Search your databases for stored cross-site scripting (XSS) attacks. | PenTestIT

Sat, 14 Mar 2009 08:40:35 +0000

[…] Introducing ABE […]

By: hackademix.net » IE8's "Clickjacking Protection" Exposed

hackademix.net » IE8's "Clickjacking Protection" Exposed — Wed, 28 Jan 2009 15:18:40 +0000

[…] support: that’s relatively easy, since I can hook in the work I’m already doing for the ABE module. It’s worth noticing, though, that this is just a cross-browser compatibility effort: neither […]

By: hackademix.net » Ehy IE8, I Can Has Some Clickjacking Protection?

hackademix.net » Ehy IE8, I Can Has Some Clickjacking Protection? — Tue, 27 Jan 2009 14:46:05 +0000

[…] suggested as fix #1 in Michal Zalewski historical “UI Redressing” post and to ABE’s SUBdocument rules) offers an alternate options which, currently, works only in IE8 RC1. Funny how Microsoft can turn […]

By: Giorgio

Giorgio — Thu, 15 Jan 2009 17:44:55 +0000

@tlu:
dom.disable_cookie_* is not a CSRF countermeasure at all.
It might mitigate some XSS attacks (those which specifically try to log session cookie on a remote server by reading document.cookie), but would break lots of web sites and would not prevent session-riding attacks, which just need you to be logged in: this means a good part of XSS attacks and the totality of the CSRF ones.

By: tlu

tlu — Thu, 15 Jan 2009 16:18:51 +0000

Very good work, Giorgio, as usual.

What do you think about adding

user_pref("dom.disable_cookie_get",true);
user_pref("dom.disable_cookie_set",true);

to user.js as a CSRF countermeasure?

By: Giorgio

Giorgio — Sat, 10 Jan 2009 17:06:05 +0000

@botted:
Current NoScript in its default configuration (without ABE) is enough to easily defeat JavaScript-based malware.
Notice that script files aren’t even requested by Firefox if blocked by NoScript, therefore an external firewall shouldn’t complain (opposite to what suggested by one poster on that thread) unless the detected sample is inlined in an HTML file.