data: URI & NoScript Icon Indicator

[therube]

data: URI & NoScript Icon Indicator

"URL:" http://pastebin.com/pdkzuPjJ

NoScript shows the top level domain to be wikimedia.com
Allow wikimedia.com

NoScript icon unchanged, still shows all to be blocked

Allow http://http

NoScript icon now shows nothing blocked

[Thrawn]

Yeah, I can confirm the behaviour (after overriding the warning), but I'd say it's probably not worth fixing. Data uris aren't normal...

[therube]

Data uris aren't normal

Precisely the reason why it is even more important.
Plus, not normal for who, you or I perhaps, but for a browser it is as normal as html.

[Thrawn]

It's just cosmetic, though, isn't it? NoScript being a bit confused about what constitutes the top-level document? And NoScript blocks you from entering a data URI unless you edit about:config.

Is there an actual security hole here? If so, please elaborate.

[therube]

> It's just cosmetic

Not at all.

> NoScript blocks you from entering a data URI

True (with exceptions).
But the data: URI need not be necessarily be "added" by you, it could be in a link you clicked.

And just what site are we looking at here?
Take a look. It is not wikipedia.

[Thrawn]

And just what site are we looking at here?
Take a look. It is not wikipedia.

No, but it tries to import a script from bits.wikimedia.org, which is why NoScript blocks & reports that. The inline scripts (of which there are several) are presumably represented by the

Code: Select all

http://http

entry. So, that looks a bit funky, and even when you allow one or the other of the two script sources, the icon still reports that the top-level document is blocked, but NoScript is still apparently detecting and blocking everything.

Btw, I had spam filter trouble when posting this, even when I disabled automatic URL parsing and wrapped URLs in code tags, so I removed most of them. Not sure whether the angle brackets also contributed?