ABE for Web Authors

One of the most interesting features of ABE is the possibility for web authors to specify site-specific rules, meant to protect a certain web application.

To do so, the needed rules must be listed in a file called rules.abe and placed at the root of the domain, which must be accessible through HTTPS for security reasons..

Therefore, if you want to specify rules protecting your site acme.com for all the NoScript/ABE users*, the ruleset file containing them must be accessible as https://acme.com/rules.abe.

The rules are written according to the specification, with one caveat: only rules whose Site element matches the domain where the rules.abe was downloaded for will be considered valid and checked by the ABE engine.

As an example, the following ruleset protects acme.com from any POST request coming from a different site, except if it is a callback from Paypal:

Site acme.com
Accept from SELF paypal.com

* For this feature to work, the NoScript Options|Advanced|ABE|Allow sites to push their own rulesets must be enabled. Current builds have it disabled by default, but it will be turned on as soon as this feature gets tested enough.

© Copyright 2009 Giorgio Maone - some rights reserved.