JavaScript is not blocked on untrusted site

Ask for help about NoScript, no registration needed to post
Alice0775
Posts: 7
Joined: Sat Apr 17, 2010 1:31 am

JavaScript is not blocked on untrusted site

Post by Alice0775 »

In case of changing location from trusted site to untrusted site by bookmarklet, JavaScript is not blocked on the untrusted site.
This issue happens on NoScript 1.9.9.61 and later. The issue does not happen in version 1.9.9.57.

I checked Clean profile with NoScript 1.9.9.61 and 1.9.9.63 + Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 ID:20100401080539.

[STR]
1. Start Firefox with clean profile + NoScript 1.9.9.63
2. Open http://pc12.2ch.net/test/read.cgi/software/1269544389/
3. Confirm "Forbid bookmarklets" is unchecked in NoScript options.
4. Input the following JavaScript code to the Location Bar and ENTER
javascript:q=location.href;if(q)location.href='http://www.geocities.jp/mirrorhenkan/ur ... codeURI(q)
[Actual result]
JavaScript on untrusted site http://www.geocities.jp will be executed.
[IMG=http://img695.imageshack.us/img695/7262/99006018.th.jpg][/IMG]
[Expected]
JavaScript on untrusted site http://www.geocities.jp should not be executed.
[IMG=http://img406.imageshack.us/img406/3150/91945143.th.jpg][/IMG]
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.5pre) Gecko/20100415 Firefox/3.6.3
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: JavaScript is not blocked on untrusted site

Post by al_9x »

Confirming, in my test, going from about:blank to a non white listed localhost page with javascript:location='url', causes onload to execute, even in .57
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bookmarklets are not blocked on untrusted site

Post by Giorgio Maone »

Yes, this is by design, and NoScript actually put great efforts in ensuring that this works (otherwise lots of bookmarklets would simply fail).

If you don't like this, check "Forbid bookmarklets" (which means exactly that bookmarklets will run exclusively on trusted sites).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Alice0775
Posts: 7
Joined: Sat Apr 17, 2010 1:31 am

Re: Bookmarklets are not blocked on untrusted site

Post by Alice0775 »

Giorgio Maone wrote:Yes, this is by design, and NoScript actually put great efforts in ensuring that this works (otherwise lots of bookmarklets would simply fail).

If you don't like this, check "Forbid bookmarklets" (which means exactly that bookmarklets will run exclusively on trusted sites).
Sure?
The issue happens only when opening javascript:.... from the "Location Bar".
If I create a "bookmark item" which contains a javascript:... URL, and open it from the "bookmark item", the issue does not happen.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.5pre) Gecko/20100415 Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bookmarklets are not blocked on untrusted site

Post by Giorgio Maone »

Alice0775 wrote:
Giorgio Maone wrote:Yes, this is by design, and NoScript actually put great efforts in ensuring that this works (otherwise lots of bookmarklets would simply fail).

If you don't like this, check "Forbid bookmarklets" (which means exactly that bookmarklets will run exclusively on trusted sites).
Sure?
Yes, I'm sure. A bookmarklet whose content is

javascript:q=location.href;if(q)location.href='http://www.geocities.jp/mirrorhenkan/url.html?u='+encodeURI(q)
will let the inline (synchronous) JavaScript on the http://www.geocities.jp/mirrorhenkan/url.html page run.
Just tested with Fx 3.6.3. Please double check that your bookmarklet is correct. Also check whether you've got any extension hacking the Places system which may interfere with bookmarklet interception (i.e. test on a clean profile with NoScript only).

P.S.: the location bar parsing is hooked by NoScript with the same emulation framework used for bookmarklets, quite logically otherwise bookmarklet development/testing and other power user / JavaScript hacker activities would be very impractical.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Bookmarklets are not blocked on untrusted site

Post by al_9x »

Giorgio Maone wrote:Yes, this is by design, and NoScript actually put great efforts in ensuring that this works (otherwise lots of bookmarklets would simply fail).

If you don't like this, check "Forbid bookmarklets" (which means exactly that bookmarklets will run exclusively on trusted sites).
Please explain in more detail. Why does allowing a bookmarklet to run on an untrusted site have to imply that if this bookmarklet navigates to another untrusted site, its script should execute?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Alice0775
Posts: 7
Joined: Sat Apr 17, 2010 1:31 am

Re: Bookmarklets are not blocked on untrusted site

Post by Alice0775 »

@Giorgio Maone
>Just tested with Fx 3.6.3.
Yes
>Please double check that your bookmarklet is correct.
Yes
>Also check whether you've got any extension hacking the Places system which may interfere with bookmarklet interception (i.e. test on a clean profile with NoScript only).
Yes, as I mentioned in comment#0

The behavior of executing javascript:.... from the location bar and from a bookmarklet is the same.
Execute javascript: from Location bar : JavaScript is not blocked on newly loaded site.
Execute javascript: from bookmark : JavaScript is not blocked on newly loaded site.

However, as I mentioned in comment#0, version 1.9.9.57 blocks both.

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.5pre) Gecko/20100415 Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bookmarklets are not blocked on untrusted site

Post by Giorgio Maone »

al_9x wrote:Please explain in more detail. Why does allowing a bookmarklet to run on an untrusted site have to imply that if this bookmarklet navigates to another untrusted site, its script should execute?
First of all, a bit of wording. Scripts on untrusted (i.e. "marked as untrusted") sites never run, period.

Here's what happens exactly, provided that "Forbid bookmarklets" is not checked and the noscript.allowBookmarkletImports about:config preference is set to true (default), when either a bookmarklet or a location bar JS snippet is executed:
  1. Scripts are allowed globally (if allowBookmarkletImports is false, just the current site is allowed; if "Forbid bookmarklets" is checked, no permission is changed).
  2. window.setTimeout/setInterval calls get temporarily patched so that they're executed synchronously, even though in the correct order if possible
  3. Script file inclusions are temporarily patched so that they can happen synchronously (i.e. network I/O for them is forced to be synchronous)
  4. The JavaScript code of the bookmarklet/location bar runs in the context of the page
  5. The event loop gets spun until there are no pending events
  6. Permissions are restored to their previous values
The net effect of all the above is that scripts and pages which can be loaded synchronously or semi-synchronously (i.e. because of events posted in the event loop by the bookmarklet script itself) run unless they're explicitly marked as untrusted.

This usually means just script inclusions and iframes built by the bookmarklet through document.write() can run, but if a page is navigated by the bookmarklet and loads very fast (either because it is cached or because it is local) its synchronous (inline) scripts may run as well.

Such a machinery, over the years, has proven to be required for the correct operation of the most popular "complex" bookmarklets, and it's very unlikely to cause dangerous side effects unless the bookmarklet itself (or the JS code you typed in the location bar) is malicious.

@Alice0775:
As I explained above, it may or may not happen in both instances depending on your cache status (it's a borderline case).
If you're uncomfortable with that, you can either set noscript.allowBookmarkletImports to false or disable bookmarklet execution entirely on non-whitelisted sites.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
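
The permission window described in the post above, as a small model (an added example, not part of the original thread and not NoScript's code). Apart from the allowBookmarkletImports preference every name is hypothetical, and a page load is simply flagged cached or not to stand for whether it completes while the event loop is being spun.

```javascript
// Toy model of the permission window, NOT NoScript's code. Every name except
// the allowBookmarkletImports preference is hypothetical.
function makePolicy(whitelist, untrusted) {
  return {
    whitelist: new Set(whitelist),
    untrusted: new Set(untrusted),
    globalAllow: false,      // set in step 1 when allowBookmarkletImports=true
    tempAllow: new Set(),    // used in step 1 when allowBookmarkletImports=false
    canRun(site) {
      if (this.untrusted.has(site)) return false; // marked untrusted: never runs
      return this.globalAllow || this.tempAllow.has(site) || this.whitelist.has(site);
    },
  };
}

// navigations: [{ site, cached }] page loads started by the bookmarklet.
// cached=true models a load that completes while the event loop is spun.
function runBookmarklet(policy, prefs, currentSite, navigations) {
  const executed = [];
  const saved = { globalAllow: policy.globalAllow, tempAllow: new Set(policy.tempAllow) };
  if (!prefs.forbidBookmarklets) {                        // step 1
    if (prefs.allowBookmarkletImports) policy.globalAllow = true;
    else policy.tempAllow.add(currentSite);
  }
  const duringSpin = [], afterRestore = [];
  if (policy.canRun(currentSite)) {                       // steps 2-4
    executed.push("bookmarklet@" + currentSite);
    for (const nav of navigations) (nav.cached ? duringSpin : afterRestore).push(nav);
  }
  while (duringSpin.length) {                             // step 5
    const nav = duringSpin.shift();
    if (policy.canRun(nav.site)) executed.push("inline@" + nav.site);
  }
  policy.globalAllow = saved.globalAllow;                 // step 6
  policy.tempAllow = saved.tempAllow;
  for (const nav of afterRestore) {                       // slow loads land here
    if (policy.canRun(nav.site)) executed.push("inline@" + nav.site);
  }
  return executed;
}

// Constructed sample: one whitelisted, one marked-untrusted, one unlisted site.
const policy = makePolicy(["trusted.example"], ["blocked.example"]);
const defaults = { forbidBookmarklets: false, allowBookmarkletImports: true };
const hardened = { forbidBookmarklets: false, allowBookmarkletImports: false };
const goTo = (site, cached) => [{ site, cached }];
console.log(runBookmarklet(policy, defaults, "trusted.example", goTo("unlisted.example", true)));
console.log(runBookmarklet(policy, hardened, "trusted.example", goTo("unlisted.example", true)));
```

With the default preference only the cached load of the unlisted site gets its inline script run; with allowBookmarkletImports set to false, or with the site marked untrusted, it does not.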
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: JavaScript is not blocked on untrusted site

Post by al_9x »

  1. I use keyworded bookmarklets to issue various searches in multiple tabs. Some of the sites I have whitelisted others not, deliberately. To have scripts still run in non whitelisted sites is very unexpected and unwelcome, it's a violation of the core NS principle, nothing runs unless allowed.
  2. It looks like allowBookmarkletImports=false is what I want, would like to make sure I understand it.
  3. What is the meaning of the phrase Allow Bookmarklet Imports? i.e. What are Bookmarklet Imports?
  4. Why is allow globally (allowBookmarkletImports=true) a better default than allow only current? What does it make possible?
  5. With allowBookmarkletImports=false, bookmarklets don't run from about:blank (whether whitelisted or not) Is that expected? Can it be made to run from about:blank (both whitelisted and not)?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Alice0775
Posts: 7
Joined: Sat Apr 17, 2010 1:31 am

Re: Bookmarklets are not blocked on untrusted site

Post by Alice0775 »

@Giorgio Maone
I will set noscript.allowBookmarkletImports to false.
Thanks for your reply.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.5pre) Gecko/20100415 Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: JavaScript is not blocked on untrusted site

Post by Giorgio Maone »

al_9x wrote: I use keyworded bookmarklets to issue various searches in multiple tabs. Some of the sites I have whitelisted others not, deliberately. To have scripts still run in non whitelisted sites is very unexpected and unwelcome, it's a violation of the core NS principle, nothing runs unless allowed.
If you start a bookmarklet with "allowBookmarkletImports=true", you're allowing it and scripts loaded/initiated by it to run.
The rationale is that you've got much more chance to check what a bookmarklet (or the code you type) does in advance, than a random web page you land on.
al_9x wrote: It looks like allowBookmarkletImports=false is what I want, would like to make sure I understand it.
Yes it is.
al_9x wrote: What is the meaning of the phrase Allow Bookmarklet Imports? i.e. What are Bookmarklet Imports?
They are the scripts and the (sub)pages loaded by the bookmarklet during its execution. The (sub)pages do not always have a chance to run, since they usually can't be loaded synchronously (depending on cache).
al_9x wrote:Why is allow globally (allowBookmarkletImports=true) a better default than allow only current? What does it make possible?
It is because the most popular bookmarklets are just a loader for a main script(s) which is/are located on a 3rd party server, and may depend on libraries such as jquery from google servers.
Rather than forcing the user to figure out which imports are required and allowing them temporarily or permanently, this default grants them permissions as they're required and revokes them immediately after bookmarklet execution.
al_9x wrote:With allowBookmarkletImports=false, bookmarklets don't run from about:blank (whether whitelisted or not) Is that expected? Can it be made to run from non about:blank (both whitelisted and not?
Yes it is. It's a relatively recent Firefox bug, and it's very unlikely to be fixed any time soon since it is in a very risky area (XPCOM wrappers) and gives relatively sparse benefits (in a non-default setup of a few NoScript users only).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: JavaScript is not blocked on untrusted site

Post by al_9x »

So is it completely impossible to have a mode where simple bookmarklets work everywhere (including about:blank) without allowing navigated domains?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: JavaScript is not blocked on untrusted site

Post by Giorgio Maone »

al_9x wrote:So is it completely impossible to have a mode where simple bookmarklets work everywhere (including about:blank) without allowing navigated domains?
Unfortunately.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3