Why I Love ABE

19 Sep 2010

ABE, the Application Boundaries Enforcer included in NoScript, is something I take advantage of. It lets you define rules that prevent clickjacking/UI redressing and CSRF: you can restrict which sites may direct your browser (by form, link or redirect) to another site, and you can prohibit certain sites from being embedded at all (think clickjacking/UI redressing attacks).

So how can one take advantage of this? I offer a snippet of my ABE "USER" policy.

Protection for my internet banking. This still allows a JavaScript redirect from http://www.nab.com.au, and then I check the EV cert to make sure it wasn't tampered with.

Site ib.nab.com.au
Accept ALL from SELF

Protection for Google Apps. This allows me to load a bookmark to https://mail.google.com/a/stevenroddis.com, which redirects to a login page on https://www.google.com. I have not included Google Sites, because I don't use it and I'm not sure whether it can contain arbitrary JavaScript.

Site mail.google.com docs.google.com spreadsheets.google.com panel.dreamhost.com
Accept ALL from mail.google.com https://www.google.com docs.google.com spreadsheets.google.com panel.dreamhost.com

The next two rules allow me to click on links outside my site that bring me to my site, but they won't authenticate me for that request, so such links can't do damage.

Site http://stevenroddis.com http://www.stevenroddis.com
Accept ALL from stevenroddis.com www.stevenroddis.com
Site https://www.stevenroddis.com
Accept ALL from SELF
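
To see which of the rules above a given request actually hits, here is a small added checker in Python (my own illustration, not NoScript's code): it parses ABE-style Site/Accept/Deny lines with first-match semantics and reports the matching rule's action, None when the target's Site block has no matching rule (there ABE's own fall-through decides, which this example does not reproduce), or "unregulated" when no block covers the target. The attacker.example origin and the URL paths are constructed; SELF is modelled as the block's own Site patterns, and ABE's subdomain and wildcard patterns are not handled.

```python
from urllib.parse import urlsplit
POLICY = """
Site ib.nab.com.au
Accept ALL from SELF
Site http://stevenroddis.com http://www.stevenroddis.com
Accept ALL from stevenroddis.com www.stevenroddis.com
Site https://www.stevenroddis.com
Accept ALL from SELF
"""  # sample input: the post's own rules

def parse(text):
    """Return [(site_patterns, [(action, origin_patterns)]), ...] in file order."""
    blocks = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "Site":
            blocks.append((parts[1:], []))
        else:  # ACTION [METHODS] [from ORIGIN ...]; no "from" clause means any origin
            origins = parts[parts.index("from") + 1:] if "from" in parts else ["ANY"]
            blocks[-1][1].append((parts[0], origins))
    return blocks

def matches(pattern, url):
    """Bare host patterns match either scheme; scheme-qualified ones must match the scheme too.
    Assumption: exact host only (ABE's subdomain and wildcard patterns are not modelled)."""
    u = urlsplit(url)
    if "://" in pattern:
        p = urlsplit(pattern)
        return (p.scheme, p.hostname) == (u.scheme, u.hostname)
    return pattern == u.hostname

def decide(policy, origin, target):
    """First matching rule in the first Site block covering the target wins. Returns that
    rule's action; None when the block has no matching rule (ABE's own fall-through
    decides there and is not reproduced); "unregulated" when no block covers the target."""
    for site_patterns, rules in policy:
        if not any(matches(p, target) for p in site_patterns):
            continue
        for action, origins in rules:
            for o in origins:
                if o == "SELF":  # assumption: SELF = any of this block's own Site patterns
                    hit = any(matches(p, origin) for p in site_patterns)
                else:
                    hit = o == "ANY" or matches(o, origin)
                if hit:
                    return action
        return None
    return "unregulated"
```

Running decide(parse(POLICY), "http://stevenroddis.com/", "https://www.stevenroddis.com/admin") gives None, which shows why the scheme-qualified https rule does not treat the plain-http site as SELF.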

After some tweaking of the Google Apps rule, I haven't had any false positives, so I'm continuing to enjoy enhanced proactive protection.