NoScript brings up XSS and ABE bugs; blocking U1 'Confirm Device Access'---document workaround rule

Bug #405581 reported by Stephen
This bug affects 19 people
Affects                    Status      Importance  Assigned to  Milestone
Ubuntu One Servers         Won't Fix   Medium      Unassigned
mozilla-noscript (Ubuntu)  Confirmed   Undecided   Unassigned

Bug Description

A workaround is documented at: https://answers.launchpad.net/ubuntuone-client/+faq/957

When setting up Ubuntu One, if you have the No-Script Firefox extension, No-Script will prevent execution of the page that allows you to 'Confirm Device Access'. As a workaround, go into the NoScript options and temporarily disable the SYSTEM ruleset in the Advanced > ABE tab.

Tags: desktop+
Paul Sladen (sladen)
affects: ubuntuone-client → ubunet
summary: - No-Script prevents Ubuntu One setup
+ No-Script prevents Ubuntu One blocks 'Confirm Device Access' setup page
summary: - No-Script prevents Ubuntu One blocks 'Confirm Device Access' setup page
+ No-Script prevents Ubuntu One 'Confirm Device Access' page
summary: - No-Script prevents Ubuntu One 'Confirm Device Access' page
+ No-Script prevents Ubuntu One 'Confirm Device Access' page blocked by
+ No-Script
Paul Sladen (sladen)
summary: - No-Script prevents Ubuntu One 'Confirm Device Access' page blocked by
- No-Script
+ Ubuntu One 'Confirm Device Access' page blocked by No-Script
Rick McBride (rmcbride) wrote : Re: Ubuntu One 'Confirm Device Access' page blocked by No-Script

The specific reason this is happening is that the page retrieves the local hostname in order to present a human-readable default name for the machine that is being added. Previously we used non-intuitive GUID strings, which were not terribly easy to tell apart.

Stephen (sjspams) wrote :

I'm not quite sure how either piece of software works (Ubunet or NoScript), but it seems logical enough that if the hostname-fetching script fails, or is blocked, the Confirm Device Access page should gracefully recognize what is happening and at least attempt to inform the user of the situation. Creating an exception in NoScript would be illogical because blocking this kind of thing is its entire purpose.

Also, I just checked my account information, and the computer on my account that is listed (the one used in discovering this problem) was listed as what appeared to be a UUID-type string.

Elliot Murphy (statik) wrote : Re: [Bug 405581] Re: Ubuntu One 'Confirm Device Access' page blocked by No-Script

We definitely need to investigate whether we can show a more useful
error, and show a friendlier name for the computer.

The best I can tell, NoScript is breaking correctly functioning OAuth
token exchange, and I consider NoScript to be a suspicious piece of
software. However, we should do our best to give the user enough
information to figure out that they need to remove or temporarily
disable NoScript, because hitting this bug will be very frustrating for
users.

--
Elliot Murphy | https://launchpad.net/~statik/

Rick McBride (rmcbride) wrote :

Elliot Murphy wrote:
> We definitely need to investigate whether we can show a more useful
> error, and show a friendlier name for the computer.
>
> The best I can tell, NoScript is breaking correctly functioning OAuth
> token exchange, and I consider NoScript to be a suspicious piece of
> software. However, we should do our best to give the user enough
> information to figure out that they need to remove or temporarily
> disable NoScript, because hitting this bug will be very frustrating for
> users.
>

I've encountered this and mentioned it in a previous bug report.

A new NoScript feature, Application Boundary Enforcer (ABE), takes issue
with our collection of the local host name for the Confirm Device Access
page. Turning that feature off solves the issue. No other aspect of
NoScript needs to be removed or turned off to make it work.

Paul Sladen (sladen) wrote : Re: Ubuntu One 'Confirm Device Access' page blocked by No-Script

So the solutions are:

  (a) Get a hardcoded exception in NoScript;
  (b) Cope with failing to get a pretty hostname and just fall back to the long hashes used before (or ask for a nickname)

tags: added: desktop+
Changed in ubunet:
assignee: nobody → Joshua Blount (jblount)
status: New → Triaged
Paul Sladen (sladen)
summary: - Ubuntu One 'Confirm Device Access' page blocked by No-Script
+ Noscript brings up XSS and ABE bugs; blocking U1 'Confirm Device Access'
Noel J. Bergman (noeljb) wrote : Re: Noscript brings up XSS and ABE bugs; blocking U1 'Confirm Device Access'

From Bug 411477:

Host: Ubuntu 9.04

NoScript 1.9.7.9

When installing Ubuntu One, if people have the NoScript extension installed (and everyone should), there are some issues.

One is an XSS notice between UbuntuOne and LaunchPad. That is easy to get around.

Another happens when trying to Add Computer. To get around that, you need to temporarily disable the Application Boundaries Enforcer (NoScript->Options->Advanced->ABE, clear the Enable ABE checkbox).

Joshua Blount (jblount)
Changed in ubunet:
assignee: Joshua Blount (jblount) → nobody
Changed in ubunet:
importance: Undecided → Medium
Paul Sladen (sladen)
summary: Noscript brings up XSS and ABE bugs; blocking U1 'Confirm Device Access'
+ ---document workaround rule
mike (ubuntu-holmesfamily) wrote :

This might be too simple, but I would rather you just ask me what I want to call the computer, then take that name and display it to me, and use the GUID internally if you need to.

I think you could just use the name I give you and check it's unique within my account. By all means, if there is no error, suggest the machine name to me in the dialog box; however, warn me before you potentially set off the SW I rely on to catch bad sites I stumble on. I immediately don't trust Ubuntu One once NoScript flags it.

Personally I would much rather have NoScript than Ubuntu One if I have to choose.

MG (mg-viic) wrote :

Change your SYSTEM ABE rules to this:

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Site one.ubuntu.com
Accept
Deny

It'll fix your problem.

Abel Cheung (abelcheung) wrote :

Instead of throwing out the baby with the bathwater, the following SYSTEM ABE rule can be a bit more fine-grained:

Site LOCAL
Accept from LOCAL
Accept GET from one.ubuntu.com
Deny

nomnex (nomnex) wrote :

Abel, what is the difference between the 2 rule syntaxes? Maone gives the former on his forum, see [1].

[1] http://forums.informaction.com/viewtopic.php?f=7&t=3156

Abel Cheung (abelcheung) wrote :

@nomnex
Mine only allows GET requests from one.ubuntu.com to local private IP, instead of allowing all kinds of requests.
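
To make the difference between the two rules concrete, here is an added toy evaluator for ABE-style rules. It is not NoScript's code and is a deliberate simplification of ABE (only Accept/Deny actions, only Site, method and "from" matching, and a request no rule covers is allowed); LOCAL is approximated as loopback, private and link-local addresses with no DNS resolution. Abel's rule is taken from the thread; the broader "any method" variant, and the origins evil.example and 192.168.1.20, are constructed for comparison.

```python
"""Toy evaluator for NoScript ABE-style rules (added example, not NoScript's code).

Simplifications vs. real ABE: only Accept/Deny, no DNS resolution for LOCAL,
first matching Site block wins, first matching predicate inside it wins,
and a request that no Site block covers is allowed.
"""
import ipaddress
from dataclasses import dataclass, field

# Abel Cheung's SYSTEM rule from the bug thread: LAN may talk to LAN,
# one.ubuntu.com may only GET from LAN, everything else to LAN is denied.
ABEL_RULE = """\
Site LOCAL
Accept from LOCAL
Accept GET from one.ubuntu.com
Deny
"""

# Constructed comparison rule: one.ubuntu.com may use *any* method on LAN.
PERMISSIVE_RULE = """\
Site LOCAL
Accept from LOCAL one.ubuntu.com
Deny
"""


def is_local(host: str) -> bool:
    """ABE's LOCAL keyword, approximated: localhost, loopback, RFC 1918/4193, link-local."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; real ABE resolves it, this toy does not
    return ip.is_loopback or ip.is_private or ip.is_link_local


@dataclass
class Predicate:
    action: str           # "Accept" or "Deny"
    methods: set          # empty set means any HTTP method
    origins: list         # empty list means any origin


@dataclass
class Rule:
    sites: list                                  # destination patterns after "Site"
    predicates: list = field(default_factory=list)


def parse_ruleset(text: str) -> list:
    """Parse 'Site ...' blocks followed by 'Accept|Deny [METHODS] [from ORIGINS]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        tokens = line.split()
        keyword = tokens[0].lower()
        if keyword == "site":
            rules.append(Rule(sites=tokens[1:]))
        elif keyword in ("accept", "deny"):
            if not rules:
                raise ValueError("predicate before any Site line")
            rest = tokens[1:]
            lowered = [t.lower() for t in rest]
            origins = []
            if "from" in lowered:
                idx = lowered.index("from")
                origins, rest = rest[idx + 1:], rest[:idx]
            methods = {m.upper() for m in rest}
            rules[-1].predicates.append(Predicate(keyword.capitalize(), methods, origins))
        else:
            raise ValueError(f"unknown keyword {tokens[0]!r}")
    return rules


def _matches_site(pattern: str, host: str) -> bool:
    """LOCAL matches private hosts; a name matches itself or any subdomain."""
    if pattern.upper() == "LOCAL":
        return is_local(host)
    pattern, host = pattern.lower(), host.lower()
    return host == pattern or host.endswith("." + pattern)


def evaluate(rules: list, origin: str, method: str, dest: str) -> str:
    """Decide 'Accept' or 'Deny' for a request from `origin` to `dest` using `method`."""
    for rule in rules:
        if not any(_matches_site(p, dest) for p in rule.sites):
            continue
        for pred in rule.predicates:
            if pred.methods and method.upper() not in pred.methods:
                continue
            if pred.origins and not any(_matches_site(o, origin) for o in pred.origins):
                continue
            return pred.action
        return "Accept"            # block matched but no predicate did
    return "Accept"                # destination not regulated by any block


def decisions(ruleset_text: str) -> dict:
    """Run a fixed set of constructed requests against a ruleset."""
    rules = parse_ruleset(ruleset_text)
    cases = [
        ("one.ubuntu.com", "GET", "127.0.0.1"),      # the hostname lookup U1 needs
        ("one.ubuntu.com", "POST", "127.0.0.1"),     # what Abel's rule still denies
        ("evil.example", "GET", "192.168.1.1"),      # arbitrary site probing the LAN
        ("192.168.1.20", "POST", "192.168.1.1"),     # LAN to LAN stays allowed
    ]
    return {case: evaluate(rules, *case) for case in cases}


if __name__ == "__main__":
    for name, text in (("Abel", ABEL_RULE), ("permissive", PERMISSIVE_RULE)):
        print(name)
        for case, verdict in decisions(text).items():
            print("  %-16s %-5s -> %-14s %s" % (*case, verdict))
```

Under Abel's rule the GET from one.ubuntu.com to 127.0.0.1 is accepted while a POST from the same origin, or any request from another site, is denied; the constructed "any method" variant accepts the POST as well, which is the extra exposure nomnex was asking about.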

nomnex (nomnex) wrote : Re: [Bug 405581] Re: Noscript brings up XSS and ABE bugs; blocking U1 'Confirm Device Access'---document workaround rule

On Thu, 2010-02-04 at 20:58 +0000, Abel Cheung wrote:
> Mine only allows GET requests from one.ubuntu.com to local private IP

Wise, thanks Abel.

Joshua Hoover (joshuahoover) wrote :

Thank you Abel for the ABE rule! I created a new FAQ for this: https://answers.edge.launchpad.net/ubuntuone-client/+faq/957 As a result, I'm marking this bug as Won't Fix, as this bug is specific to NoScript users and there is a good workaround.

Changed in ubuntuone-servers:
status: Triaged → Won't Fix
description: updated
Cullen Newsom (cullennewsom) wrote :

Thanks MG, nomnex, and Abel Cheung. That did the trick.

summary: - Noscript brings up XSS and ABE bugs; blocking U1 'Confirm Device Access'
+ NoScript brings up XSS and ABE bugs; blocking U1 'Confirm Device Access'
---document workaround rule
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mozilla-noscript (Ubuntu):
status: New → Confirmed