[RESOLVED] Newest NS versions break cross-hosted stylesheets


Re: Newest Noscript versions break all cross-hosted styleshe

Post by ATKoerner » Thu May 31, 2012 7:40 am

Giorgio Maone wrote: Fixed in latest development build 2.4.4rc1, thank you.

Thanks for fixing. I've had the same problems with local XSLT style sheet transformations not working any longer with NoScript 2.4.3.

Re: Newest Noscript versions break all cross-hosted styleshe

Post by Giorgio Maone » Tue May 29, 2012 12:04 pm

Fixed in latest development build 2.4.4rc1, thank you.

Re: Newest Noscript versions break all cross-hosted styleshe

Post by Giorgio Maone » Tue May 29, 2012 10:32 am

Looks like a regression from
http://noscript.net/changelog wrote:v 2.4.3rc3
=========================================================================
[...]
x Fixed exception raised by inclusion type checks when parent document's
URI has no host

Investigating, thanks.

Re: Newest Noscript versions break all cross-hosted styleshe

Post by hanfi » Tue May 29, 2012 9:58 am

dhouwn wrote:
hanfi wrote:Well, first, this is not actually cross-hosted and second, the xsl stylesheet IS xml.
Maybe it expects the precise content type, see:
http://www.w3.org/TR/xslt20/#xslt-mime-definition wrote:This appendix registers a new MIME media type, "application/xslt+xml".

I added the xslt+xml type to my webserver, now I get a similar error....
[NoScript] Blocking cross-site CSS served from https://spahan.ch/mail.xsl with wrong type info application/xslt+xml and included by https://spahan.ch/aliasManager.php


dhouwn wrote:Also XSLT is still blocked per default on untrusted pages (since it's pretty powerful, Turing-complete), which can be toggled in the "Untrusted" section of the "Advanced" options.

Yes, I always have to allow the site, that is expected.

I too tried disabling NoScript and then the page works without problems.
I created a test case (by simply using a static XML instead of the PHP script) one can find here: https://spahan.ch/test.xml (please ignore SSL errors, I fix that when I get some spare time :-p)

Re: Newest Noscript versions break all cross-hosted styleshe

Post by dhouwn » Tue May 29, 2012 9:29 am

hanfi wrote:Well, first, this is not actually cross-hosted and second, the xsl stylesheet IS xml.
Maybe it expects the precise content type, see:
http://www.w3.org/TR/xslt20/#xslt-mime-definition wrote:This appendix registers a new MIME media type, "application/xslt+xml".
Also XSLT is still blocked per default on untrusted pages (since it's pretty powerful, Turing-complete), which can be toggled in the "Untrusted" section of the "Advanced" options.

But indeed, it's not cross-site.

Re: Newest Noscript versions break all cross-hosted styleshe

Post by hanfi » Tue May 29, 2012 9:11 am

Hi,

I got a similar problem today (well, maybe it was there before, but I did not hit it).
The page in question is a PHP script returning an XML page which is then rendered using an XSLT stylesheet (not CSS!)

Now I find these lines in the error console of Firefox:
[NoScript] Blocking cross-site CSS served from https://spahan.ch/mail.xsl with wrong type info application/xml and included by https://spahan.ch/aliasManager.php


Well, first, this is not actually cross-hosted and second, the xsl stylesheet IS xml.
So I think something is wrong here.

NS-Version in use is 2.4.3rc3
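
Added example (not part of the thread and not NoScript's code): a small Node.js triage script for console lines in the format quoted above. It re-derives the origin of both URLs and flags entries where the "cross-site" label does not hold, as in hanfi's report; the function names, the verdict labels, the list of XML MIME types and the sample lines marked as constructed are assumptions.

```javascript
// Format taken from the two NoScript console lines quoted in this thread.
const LINE_RE = /^\[NoScript\] Blocking cross-site CSS served from (\S+) with wrong type info (\S+) and included by (\S+)$/;

// Assumed list of MIME types commonly served for XSLT stylesheets.
const XSLT_TYPES = new Set(['application/xslt+xml', 'application/xml', 'text/xml', 'text/xsl']);

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  return m ? { served: m[1], type: m[2].toLowerCase(), includer: m[3] } : null;
}

// Classify one console line by re-checking what the message claims.
function classify(line) {
  const rec = parseLine(line);
  if (!rec) return 'unparsed';
  let served, includer;
  try {
    served = new URL(rec.served);
    includer = new URL(rec.includer);
  } catch (e) {
    return 'bad-uri';
  }
  // Host-less URIs (file:, data:) have an opaque origin; report them
  // separately instead of comparing origins that are both "null".
  if (!served.host || !includer.host) return 'no-host';
  // Same origin = same scheme, host and port.
  if (served.origin === includer.origin) return 'same-origin-false-positive';
  return XSLT_TYPES.has(rec.type) ? 'cross-site-xslt' : 'cross-site-wrong-type';
}

function triage(lines) {
  const counts = {};
  for (const line of lines) {
    const verdict = classify(line);
    counts[verdict] = (counts[verdict] || 0) + 1;
  }
  return counts;
}

const SAMPLE = [
  // From the thread:
  '[NoScript] Blocking cross-site CSS served from https://spahan.ch/mail.xsl with wrong type info application/xml and included by https://spahan.ch/aliasManager.php',
  '[NoScript] Blocking cross-site CSS served from https://spahan.ch/mail.xsl with wrong type info application/xslt+xml and included by https://spahan.ch/aliasManager.php',
  // Constructed for this example:
  '[NoScript] Blocking cross-site CSS served from https://cdn.example.net/site.css with wrong type info text/html and included by https://www.example.com/index.html',
  '[NoScript] Blocking cross-site CSS served from file:///home/user/report.xsl with wrong type info application/xml and included by file:///home/user/report.xml',
];

console.log(triage(SAMPLE));
```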

Re: Newest Noscript versions break all cross-hosted styleshe

Post by Tom T. » Sat May 26, 2012 2:06 am

I haven't had any trouble with any of those sites, either.
CJax wrote:Q: Sure?
A: Absolutely, I singled out Noscript to be the cause by deactivating all Addons except Noscript and then allowing scripts globally... it wouldn't work. On the other hand only disabling Noscript while having everything else enabled makes all these sites load their stylesheets correctly.

Doesn't eliminate the possibility of a corrupt profile, as Thrawn suggested.
Also, if "absolutely", why can't we reproduce it? Can you borrow another machine that has NS, and see if it's reproducible on that one?

Q: culprit?
A: XSS-filter:
a) It's been tweaked the most lately

Irrelevant and illogical.
b) It doesn't work with all scripts and objects allowed, so that can't be it.

If it were the XSS filter, you would receive various XSS notifications. Since you haven't reported any, that actually *eliminates* the XSS filter as a culprit.
See XSS FAQ

Re: Newest Noscript versions break all cross-hosted styleshe

Post by Thrawn » Wed May 23, 2012 11:22 pm

Hmm...I can't reproduce this, but:
  • XSS filter couldn't really be it, since you're talking about stylesheets, which aren't active content. Even a sanitised request should still be able to retrieve them.
  • Have you used any custom ABE rules? Options-Advanced-ABE to see them.
  • Any messages in Tools-Error Console?
  • Have you tried a new profile with nothing installed except NoScript?

[RESOLVED] Newest NS versions break cross-hosted stylesheets

Post by CJax » Wed May 23, 2012 10:57 pm

Q: problem?
A: Since Noscript 2.4.2 (newest RC was tested, nothing changed) cross-hosted stylesheets (and probably some scripts too) are not loading at all anymore, breaking websites like AMO, Youtube, Wikipedia and others who use stylesheets hosted on other servers.

Q: Sure?
A: Absolutely, I singled out Noscript to be the cause by deactivating all Addons except Noscript and then allowing scripts globally... it wouldn't work. On the other hand only disabling Noscript while having everything else enabled makes all these sites load their stylesheets correctly.

Q: Only Stylesheets?
A: Could be more, but not having stylesheets makes today's webpages unusable anyway.

Q: culprit?
A: XSS-filter:
a) It's been tweaked the most lately
b) It doesn't work with all scripts and objects allowed, so that can't be it.

Q: Versions?
A: You can see, but it also doesn't work with the Stable Firefox 12 release.

Thanks in advance
