NoScript ABE - 允许远程站点访问本地资源？ [英] NoScript ABE - allow a remote site to access local resources?

问题描述

我今天在使用NoScript的ABE（应用程序边界实施器）与FogBugz以及我们的本地源代码控制服务器的Firefox中遇到问题。 FogBugz案例页面可以包含到checkins的链接，以便您可以通过本地服务器的web服务查看源代码更改。
$ b 例如： https：// SomeCompany.fogbugz.com/default.asp?1234 （案例页面）可能包含指向 http：//SourceCodeControlServer/WebSVN/filedetails.php？...的链接

请注意，SourceCodeControlServer不是完全限定域名，只是本地机器名称。

即使阅读了 ABE规则语法和功能PDF 它似乎没有像广告一样工作，仍然在试图打开的页面顶部显示通过ABE筛选建议。关闭ABE或者天使禁止使用MS-IE，对于我的优先级来说还不够高。

任何人都可以提供一些见解，为什么下面的规则是错误的？

 ＃用户定义的规则。随意在这里试验。 
 Site .SourceCodeControlServer 
从.SomeCompany.fogbugz.com接受
拒绝
  

默认ABE系统规则。

 ＃防止Internet站点请求LAN资源。 
＃这个守护本地网络，就像LocalRodeo 
＃LOCAL是一个占位符，它可以匹配所有的LAN 
＃子网（可能是可配置的）和本地主机
＃配置更多：config，noscript.abe.localExtras选项。 
网站本地
接受本地
拒绝
  

您的WAN IP也默认包含在本地防止特定种类的DNS Rebinding 攻击。规则的排序很重要，第一场比赛胜出。因此，将 Accept从动作移动到 Site LOCAL SYSTEM规则中可能会起作用：

 ＃允许https://SomeCompany.fogbugz.com/上的链接访问内部服务。 
网站本地
接受本地
接受https://SomeCompany.fogbugz.com/ 
拒绝
  

警告emptor;您可以信任外部公司（FogBugz）的网页，并可以访问您的内部资源。

I'm having issues today in Firefox with NoScript's ABE (Application Boundaries Enforcer) versus FogBugz and our local source code control server. FogBugz case pages can contain links to checkins so that you can view source code changes via your local server's web service.

e.g.: https://SomeCompany.fogbugz.com/default.asp?1234 (the case page) might contain a link to http://SourceCodeControlServer/WebSVN/filedetails.php?...

Note that SourceCodeControlServer is not a fully-qualified domain name, just a local machine name.

Even after reading the ABE Rules Syntax and Capabilities PDF it doesn't seem to work as advertised, still displaying the "Filtered by ABE" advisories across the top of the page trying to be opened. Turning off ABE or, heavens forbid using MS-IE, isn't high enough on my priorities yet.

Can anyone provide some insight as to why the following rule is wrong?

# User-defined rules. Feel free to experiment here.
Site .SourceCodeControlServer
Accept from .SomeCompany.fogbugz.com
Deny

解决方案

NoScript logs the full details in the JavaScript console (Ctrl-Shift-J), but my best guess is that FogBugz links hit this higher priority default ABE SYSTEM rule.

# Prevent Internet sites from requesting LAN resources.
# This one guards the local network, like LocalRodeo
# LOCAL is a placeholder which matches all the LAN
# subnets (possibly configurable) and localhost
# Configure more in the about:config, noscript.abe.localExtras option.
Site LOCAL
Accept from LOCAL
Deny

Your WAN IP is also included in LOCAL by default to prevent a specific kind of DNS Rebinding attack. The ordering of the rules matters and the first match wins; thus, moving the Accept from action into the Site LOCAL SYSTEM rule might work:

# Allow links on https://SomeCompany.fogbugz.com/ to access internal services.
Site LOCAL
Accept from LOCAL
Accept from https://SomeCompany.fogbugz.com/
Deny

Caveat emptor; you're trusting web pages from an outside company (FogBugz) with access to your internal resources.

这篇关于NoScript ABE - 允许远程站点访问本地资源？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！