NoScript ABE - allow a remote site to access local resources?

AlwaysLearning picture AlwaysLearning · Nov 21, 2013 · Viewed 8.9k times · Source

I'm having issues today in Firefox with NoScript's ABE (Application Boundaries Enforcer) versus FogBugz and our local source code control server. FogBugz case pages can contain links to checkins so that you can view source code changes via your local server's web service.

e.g.: https://SomeCompany.fogbugz.com/default.asp?1234 (the case page) might contain a link to http://SourceCodeControlServer/WebSVN/filedetails.php?...

Note that SourceCodeControlServer is not a fully-qualified domain name, just a local machine name.

Even after reading the ABE Rules Syntax and Capabilities PDF it doesn't seem to work as advertised, still displaying the "Filtered by ABE" advisories across the top of the page trying to be opened. Turning off ABE or, heavens forbid using MS-IE, isn't high enough on my priorities yet.

Can anyone provide some insight as to why the following rule is wrong?

# User-defined rules. Feel free to experiment here.
Site .SourceCodeControlServer
Accept from .SomeCompany.fogbugz.com
Deny

Answer

M.W. picture M.W. · Dec 17, 2013

NoScript logs the full details in the JavaScript console (Ctrl-Shift-J), but my best guess is that FogBugz links hit this higher priority default ABE SYSTEM rule.

# Prevent Internet sites from requesting LAN resources.
# This one guards the local network, like LocalRodeo
# LOCAL is a placeholder which matches all the LAN
# subnets (possibly configurable) and localhost
# Configure more in the about:config, noscript.abe.localExtras option.
Site LOCAL
Accept from LOCAL
Deny

Your WAN IP is also included in LOCAL by default to prevent a specific kind of DNS Rebinding attack. The ordering of the rules matters and the first match wins; thus, moving the Accept from action into the Site LOCAL SYSTEM rule might work:

# Allow links on https://SomeCompany.fogbugz.com/ to access internal services.
Site LOCAL
Accept from LOCAL
Accept from https://SomeCompany.fogbugz.com/
Deny

Caveat emptor; you're trusting web pages from an outside company (FogBugz) with access to your internal resources.