search

RequestPolicyContinued / requestpolicy

a web browser extension that gives you control over cross-site requests. Available for XUL/XPCOM-based browsers.
https://github.com/RequestPolicyContinued/requestpolicy/wiki
Other
252 stars 35 forks source link

take a look at NoScript's ABE #534

Open myrdd opened 9 years ago

myrdd commented 9 years ago

NoScript's ABE (Application Boundaries Enforcer) looks very interesting and RequestPolicy could at least be inspired by its specification – maybe even some kind of integration is possible. If you have any ideas regarding ABE, post them here.

Thanks @ansell for mentioning ABE (https://github.com/RequestPolicyContinued/requestpolicy/issues/522#issuecomment-65001071)

Btw I've found an inofficial repository of NoScript's source code: https://github.com/avian2/noscript. There's no official public repository afaict.

ThrawnCA commented 9 years ago

Idea _#_1 from me is that if you're going to integrate, you can make extra ABE rulesets as 'noscript.ABE.rulesets.xxx' preferences, which allows you to make whatever rules you want without having to interact with the regular rulesets. And would make uninstallation much cleaner.

grumpygeek commented 9 years ago

NoScript's ABE rules are really awkward and difficult to set properly IMO. RP's rules OTOH seem straightforward when added through the RP UI. NoScript should copy RP, not the other way around.

ansell commented 9 years ago

RP is functionally a subset of ABE (not implemented that way though), so it wouldn't really be appropriate for NoScript to downgrade to the RP subset at this point given how long ABE has been around. What NoScript could definitely do is to offer an interface for setting up ABE that isn't just a text file editor.

The main differences for ABE compared to RP is that it supports anonymous queries (ie, stripping cookies/etags/etc. and/or query parameters) and rules based on object types. Anonymization isn't an issue that RP users have brought up yet from my recollection, but it should be fairly easy to tick a box to tell RP to anonymize particular rules if we want to go down that route. RP treats all object types the same way, and it isn't clear what value is attached to treating them differently in each rule given the extra complexity.

Interestingly, AdBlockPlus (ABP) supports rules based on object types, so you could use RP alongside ABP to customise that area for either whitelisting or blacklisting if you didn't want to use ABE.

ThrawnCA commented 9 years ago

ABE also supports URL matching with regex support, which allows it to define rules that RP can't, eg "allow all HTTPS subdomains of example.com to send requests to each other", or "allow any part of my bank's website to redirect to the login page (anonymous GET), but only allow the secure subdomain to send POST requests or cookies to itself."

myrdd commented 9 years ago

Thank you for your comments so far!