[ext] NoScript 1.9 - Your Friendly Web Cop

[al_9x]

Giorgio,

1) Quicktime activation in FF3 requires two clicks on the placeholder. FF2 is ok.

2) The following is not a proper bug report, unfortunately, but you should know. Occasionally, when I open the NoScript menu in FF3, a random domain in the list is somehow automatically allowed. When it happens, the only pattern I seem to detect is that the list is large and perhaps the page has not finished loading. I am not able to reproduce it even on the same page after it happens, so it's timing related or maybe some unusual mouse twitch or jerk during the click causes it. This never happens with native menu rendering in ff2. There should be a configurable native menu mode in ff3 where you can count on this never happening.

[fswl1234]

i'm seeing *red diamond* with 1.9.0.4 but normal before the update (1.9)
test link --> https://bug272534.bugzilla.mozilla.org/ ... ?id=167513

it seems every now and then an update (of noscript) causes this problem with image placeholder, and then likely with the next one it goes away
but it's always been on and off, anyone else can confirm?

[mzfuser]

When I go to about:config, some of the NoScript preferences are in bold (user set) but they are already at the default value. Why is this?

[Alan Baxter]

When I go to about:config, some of the NoScript preferences are in bold (user set) but they are already at the default value. Why is this?

Which prefs? I have four that are like that, but they are all null string prefs which have been modified by me or NoScript to something else and then programatically set back to the null string, which coincidentally happens to be the default. Curious, but not too surprising if you think about it, eh?

[nagan]

An inconsequential bug "Click jack " I suppose. http://search.utorrent.com/search.php?q ... 3fq%3d&u=1





Just roll the cursor on the right so that some menu elements are partially hidden.Then press pirate search.

[gOdisOnyOuRsIDe]

http://home.att.net/~v_spec/Zalman.JPG

I am receiving a ClickJacking notification whenever I visit zalmanusa.com. Zalman is on my whitelist but this started to occur after the recent updates. I've been receiving this warning. Can someone verfiy this?

[zalewr]

Hi!

I have a problem with NoScript where the primary site I am visiting is always forbidden [e.g. Allow TV.com is bold and grayed out at the bottom of the options rollup menu even if added to the whitelist].

FYI : Did a reset of options w/i NoScript and the restriction seems to have gone away.

Thanks
Z

[Talion]

The following issue appears on a clean firefox install (Ubuntu 8.10 as well as Windows XP) with Noscript beeing the only addon.

This html page tries to open a popup window, which is blocked by Firefox. (Noscript must be configured to allow javascript for this page of course.) Firefox notifies the user that it has been blocked and gives the user an option to open it anyway ("Show test.htm", see screenshot). This is the expected behaviour.

Code: Select all

<html><head><title>PopupTest1</title></head><body>
<script type="text/javascript">
window.open("test.htm");
</script></body></html>

Same situation as above, but an additional source is loaded by an iframe. Firefox blocks the popup, but doesn't give an option to open the popup ("Show test.htm" is missing, see screenshot). Without Noscript, Firefox behaves as expected, ie. "show test.htm" is available as in the first example.

Code: Select all

<html><head><title>PopupTest2</title></head><body>
<script type="text/javascript">
window.open("test.htm");
</script>
<iframe src="test.htm">
</body></html>

[esquifit]

:
Regarding the thing you're trying to do with CAPS, NoScript provides abetter method, called Script Surrogates, which is less likely to break things and is obviously compatible.

Code: Select all

user_pref("noscript.surrogate.noframebreak.sources", "@*.example.org http://another.site.org");
user_pref("noscript.surrogate.noframebreak.replacement", "window.top = {};");

Notice that the "@" before URL patterns is important to tell the Surrogate engine that replacements are page-level, rather than for 3rd party scripts.

Unfortunately this doesn't seem to work. You can try it yourself at "http://esquifit.googlepages.com/Frame.html" which includes "http://www.wiadomosci24.pl/" as a subframe. The subframe contains a framekiller line

Code: Select all

if (self != top) { top.location = self.document.location; }

I've also tried to override the location object by setting "noscript.surrogate.noframebreak.replacement" to "window.location = {}"
or "location = {}" and some other variations. In all cases this causes an endless loop, which makes sense, since what NS is doing here is effectively executing a redirection to "{}".

Anyway, "preventing access" to the Location object and "setting" the Location object to anything are two completely different things. What we need here is a way to 'prevent access' to the location object, and this is just what CAPS does.

I think that avoiding conflicts due to a domain being included in two policies could be solved in this way:
At browser start-up and each time the user changes (either permanent or temporarily)something in the white list:
IF
a domain is listed in a capability.policy.<user_policy>.sites in user.js AND in "capability.policy.maonpscript.sites"
THEN
1) temporarily remove the domain from "capability.policy.maonpscript.sites", AND
2) add a preference "capability.policy.<user_policy>.javascript.enabled" with value "allAccess"

The effect would be that javascript is still enabled for the domain in question AND the user defined policies would be honoured.

Would this be an option?

[mzfuser]

When I go to about:config, some of the NoScript preferences are in bold (user set) but they are already at the default value. Why is this?

Which prefs?

noscript.badInstall
noscript.filterXExceptions
noscript.forbidJarDocumentsExceptions
noscript.notify.hideDelay
noscript.opacizeObject
noscript.sound.block

[Alan Baxter]

@mzfuser:
That is surprising, especially for the non-string prefs.
1) You're saying that noscript.badInstall has a Value of false but a Status of user set, for example. Right?
2) Does the user set indication in about:config persist across Firefox restarts?
3) Are the noscript prefs the only ones that ever have this issue, i.e. are any of your other user set prefs actually at their default value?
4) Has anyone reported this issue in bugzilla yet?

[mzfuser]

1. Correct.

2. only the noscript.badInstall pref seems to persist. For the rest I discovered that opening the NoScript options will change those preferences to User Set, even if I dont modify anything.

3. AFAIK, yes.

[Alan Baxter]

3) AFAIK too. I wasn't about to carefully examine the value of every user set pref in about:config to verify its value wasn't the default. Too tedious!

4) I couldn't find any corresponding bugzilla report.

[Giorgio Maone]

@al_9x:
Looks like something specific to that page. Can you reproduce it on other sites?

@redhat71:
Thanks for reporting, but I cannot reproduce it.

@nagan:
are you sure you can reproduce on 1.9.0.4? I can't

@gOdisOnyOuRsIDe:
it's quite a tricky situation, with Flash movies overriding each other.
I'm checking it, in the meanwhile you can add zalman.co.kr to the noscript.clearClick.exceptions about:config preference.

@Talion:
Investigating, thanks.

@esquifit:
it's surely desirable, but low priority since almost nobody uses CAPS these days (NoScript aside) and there's lot of stuff to do yet.
Thanks for the neat idea, anyway.

[zlee1]

I found a new problem with Noscript. When going to abc.com, to watch a "free episode", the new window opens, but even with temporary permission granted, the episode does not load. It just seems to be downloading indefinitely. When I disable Noscript, the episode loads right away. The site worked fine with Noscript about 3 weeks ago. It would be great if support would look into it.