Archive for February 17th, 2022

ABE Quantum is the combination of Contextual Policies, one of the most requested features in NoScript's history, and LAN protection, an important "Classic" defense lost in the 2017 Quantum migration.

After years of waiting and months of hard work, this good stuff (which I personally missed a lot, too) is finally in the hands of all NoScript 11.3 users*, thanks to the precious support by the NLNet Foundation and the Next Generation Internet programme (more specifically the NGI0 PET fund).

The "ABE Quantum" nickname comes, of course, from the Application Boundary Enforcer module of NoScript Classic, which both Contextual Policies and LAN protection are in a sense a "modernized" descendant of, sacrificing some of the extreme flexibility of the original's firewall-inspired policy definition language in order to provide a simpler, more accessible and more intuitive user experience directly integrated in NoScript's main CUSTOM UI.

ABE Quantum Screenshot

Contextual Policies

Contextual policies let you assign different permissions (or "enable different capabilities", in NoScript's parlance) to a certain site depending on its context, i.e. which is the top level site (the address currently shown in the navigation bar).

For instance, you might want to enable scripts from twitter.com only if you're visiting maone.net - intrigued by Maone's awesome embedded tweet feed ;) - but not elsewhere, because you don't like Twitter to track you everywhere you go:

  1. While on maone.net, open NoScript's popup and select CUSTOM as the policy for twitter.com. You'll see a new drop down box, initially set to ANY SITE.
  2. Remove all the capabilities (e.g. script) you don't want Twitter to use on ANY SITE (notice that when CUSTOM is selected first time, the capabilities from the previously selected preset get copied, so if it was DEFAULT you can probably leave them that way).
  3. Then select ...maone.net from the drop down, and switch script, fetch and frame (the capabilities outlined in red, meaning they're are needed by twitter.com) on.

You're done: scripts from twitter.com are allowed to run only when the main site displayed is maone.net.
You can repeat this on any website (including twitter.com itself) where you want Twitter scripts and subdocuments to work normally.
If you change your mind, you can reset some or all the contextual policies you previously set in the CUSTOM permissions deck, either on from the popup (only for the current context) or from the Options>Per-site permissions panel, where all the context sites you had configured plus the ANY SITE default are listed in the Enable these capabilities when top page matches... dropdown.

LAN Protection

Simply put, the LAN capability lets documents coming from the public Internet (AKA World Area Network / WAN) to link / send requests to hosts inside your Local Area Network (LAN), which is pretty what they can do now, allowing so called cross-zone CSRF/XSS attacks.
By keeping it disabled (the factory setting in the DEFAULT and UNTRUSTED presets), you're replicating this feature from "Classic" NoScript, without the hassle of going through ABE's firewall-like rules when you need to set an exception, which now is just a matter of checking the LAN capability box.

The Contextual Policies & LAN Protection (ABE Quantum) project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.

* already available in auto-update from AMO, still waiting for review at the Chrome Store while writing this post.

Bad Behavior has blocked 576 access attempts in the last 7 days.