Noscript puts FF in a reload loop

Re: Noscript puts FF in a reload loop

by Giorgio Maone » Sat Aug 22, 2020 11:20 pm

It's a very different issue in Tor Browser, unfortunately, even though the effect is the same.
The Tor Browser erases window.name on each load, therefore completely screwing up the current persistence hack.
It got very complicated at this point and I've been working for several hours on a further work-around, but I hope to have something by Monday.

Re: Noscript puts FF in a reload loop

by musonius » Sat Aug 22, 2020 9:10 pm

FranL wrote:
Sat Aug 22, 2020 6:49 pm
with NoScript 11.0.39 in Tor Browser 9.5.3 (64-bit)
Yes indeed. I have the issue as well (Tor Browser: Safer Security Level).

Firefox 79 (fresh profile + NoScript 11.0.39 + everything default): no issue.

Firefox 79 (fresh profile + NoScript 11.0.39 + NoScript configuration like Tor Browser with Safer Security Level): no issue.

I am running Windows 10 2004 and I use the test file with Windows line endings like before.

Re: Noscript puts FF in a reload loop

by Guest » Sat Aug 22, 2020 8:55 pm

Giorgio Maone wrote:
Fri Aug 21, 2020 7:50 pm
This seems to be fixed to me now (tested on 39rc8 and 40rc1). Please confirm, thanks.
Issue still persists on both 39rc8 and 40rc1 for me.

Re: Noscript puts FF in a reload loop

by FranL » Sat Aug 22, 2020 6:49 pm

v 11.0.39rc6
============================================================
x Fix reload loops on broken file: HTML documents (thanks
bernie for report)
Is 11.0.39rc6 earlier or later than 11.0.39? I ask, because with NoScript 11.0.39 in Tor Browser 9.5.3 (64-bit) on Windows 10 1909, I see the rapid page re-load issue when opening local TXT and HTML files. It goes away if I disable NoScript.

Re: Noscript puts FF in a reload loop

by Giorgio Maone » Fri Aug 21, 2020 7:50 pm

TiddlywikiUser wrote:
Thu Aug 20, 2020 2:34 pm
This issue seems related to one I've been having with local files.

Downloading an empty copy of Tiddlywiki (blue "Download Empty" button at https://tiddlywiki.com/static/GettingStarted.html) and running it locally (with javascript enabled) in Firefox 79, then editing the GettingStarted entry by clicking the pencil icon causes the entire page to be reloaded within the editing frame. Clicking any editing/pencil icon on the Tiddlywiki main site with Javascript enabled displays expected behaviour. It only occurs when 11.0.38 and 11.0.39rc6 are running, all prior versions seem to behave normally.
This seems to be fixed to me now (tested on 39rc8 and 40rc1). Please confirm, thanks.

Re: Noscript puts FF in a reload loop

by Giorgio Maone » Fri Aug 21, 2020 7:48 pm

skriptimaahinen wrote:
Fri Aug 21, 2020 6:25 am
.39rc8 does fix the beforeunload problem, but the problem with alert (blocked DOM) still persists.
Please check latest development build:
v 11.0.40rc1
============================================================
x Handle edge case in file:// pages: policy change and
reload before DOMContentLoaded

Re: Noscript puts FF in a reload loop

by skriptimaahinen » Fri Aug 21, 2020 6:25 am

staticNS.js:104

documentCSP.apply(new Set()); // block everything to prevent leaks from page's event handlers
Is the above actually necessary? The root attributes are already removed in the beginning of this file. Sure, they are put back in the setup(), but they should be subject to the CSP now.

.39rc8 does fix the beforeunload problem, but the problem with alert (blocked DOM) still persists.

Re: Noscript puts FF in a reload loop

by TiddlywikiUser » Thu Aug 20, 2020 2:34 pm

This issue seems related to one I've been having with local files.

Downloading an empty copy of Tiddlywiki (blue "Download Empty" button at https://tiddlywiki.com/static/GettingStarted.html) and running it locally (with javascript enabled) in Firefox 79, then editing the GettingStarted entry by clicking the pencil icon causes the entire page to be reloaded within the editing frame. Clicking any editing/pencil icon on the Tiddlywiki main site with Javascript enabled displays expected behaviour. It only occurs when 11.0.38 and 11.0.39rc6 are running, all prior versions seem to behave normally.

Re: Noscript puts FF in a reload loop

by skriptimaahinen » Thu Aug 20, 2020 10:45 am

11.0.39rc6 on Linux. Can't reproduce the original bug with any config, so not able to say anything about how the fix handles that, BUT...

While changing permissions on any file, the permissions are not always actually changed after the reload.

This would appear to be caused by the onBeforeUnload not being removed correctly on DOMContentLoaded, which will cause the old permissions to be set after reloading.

But before you rush to fix it, consider also this example:

<!doctype html>
<html>
  <head>
    <script>
      alert("Blocking DOM so that DOMContentLoaded will not happen unless the alert is dismissed!");
    </script>
  </head>
</html>
User could allow scripts, get the popup and immediately decide to disallow them again, which would result in a reload happening before DOMContentLoaded, onBeforeUnload running, the old permissions being set again and another popup, even if the removing of onBeforeUnload is fixed in DOMContentLoaded.

Also the timestamp in the key will eventually (with some bad luck or persistence) cause the policy to be left in the window.name. Is the timestamp necessary?
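
A toy model of the sequence described in the post above, added here as an example; it is not NoScript's code. `Tab`, `stash` (standing in for window.name) and the `dropHandlerOnChange` mitigation are assumptions made for illustration.

```javascript
// Toy model of the reload race; NOT NoScript's code. All names are hypothetical.
class Tab {
  constructor(policy, { dropHandlerOnChange = false } = {}) {
    this.stash = "";          // stands in for window.name: survives reloads
    this.settings = policy;   // what the user has currently chosen
    this.dropHandlerOnChange = dropHandlerOnChange; // assumed mitigation
    this.onBeforeUnload = null;
    this.history = [];        // policy each loaded document actually ran under
  }

  // Load a document. blocksDom=true models the alert() test page: when scripts
  // run, DOMContentLoaded never fires, so the unload handler is never removed.
  load(blocksDom) {
    const applied = this.stash || this.settings;
    this.stash = "";
    this.history.push(applied);
    // Handler re-saves the policy this document started with.
    this.onBeforeUnload = () => { this.stash = applied; };
    const reachedDCL = !(blocksDom && applied === "allow");
    if (reachedDCL) this.onBeforeUnload = null;
  }

  // The user changes the permission in the UI, which triggers a reload.
  setPolicy(policy, blocksDom) {
    this.settings = policy;
    if (this.dropHandlerOnChange) this.onBeforeUnload = null;
    if (this.onBeforeUnload) this.onBeforeUnload(); // stale policy written back
    this.load(blocksDom);
  }
}

// Allow scripts, then revoke; returns the policy of every document loaded.
function allowThenRevoke(blocksDom, opts) {
  const tab = new Tab("block", opts);
  tab.load(blocksDom);
  tab.setPolicy("allow", blocksDom);
  tab.setPolicy("block", blocksDom);
  return tab.history;
}

console.log(allowThenRevoke(false));  // ordinary page: the revocation sticks
console.log(allowThenRevoke(true));   // alert() page: last load still "allow"
console.log(allowThenRevoke(true, { dropHandlerOnChange: true }));
```

The invariant worth checking in any such design is that the document loaded after a revocation runs under the revoked policy; the second call shows it failing when the reload precedes DOMContentLoaded.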

Re: Noscript puts FF in a reload loop

by musonius » Thu Aug 20, 2020 5:36 am

No reload loop anymore!

Re: Noscript puts FF in a reload loop

by Giorgio Maone » Thu Aug 20, 2020 5:28 am

barbaz wrote:
Thu Aug 20, 2020 2:16 am
Giorgio Maone wrote:
Wed Aug 19, 2020 10:28 pm
Please check latest development build:

v 11.0.39rc6
============================================================
x Fix reload loops on broken file: HTML documents (thanks
bernie for report)

x [XSS] Updated HTML event attributes
(These changes and the 11.0.39rc6 tag are missing from Github, and the master branch is outdated.)
Fixed, thanks.

Re: Noscript puts FF in a reload loop

by barbaz » Thu Aug 20, 2020 2:16 am

Giorgio Maone wrote:
Wed Aug 19, 2020 10:28 pm
Please check latest development build:

v 11.0.39rc6
============================================================
x Fix reload loops on broken file: HTML documents (thanks
bernie for report)

x [XSS] Updated HTML event attributes
(These changes and the 11.0.39rc6 tag are missing from Github, and the master branch is outdated.)

Re: Noscript puts FF in a reload loop

by bernie » Wed Aug 19, 2020 11:14 pm

Works like a charm. Thanks!!

Re: Noscript puts FF in a reload loop

by Giorgio Maone » Wed Aug 19, 2020 10:28 pm

Please check latest development build:

v 11.0.39rc6
============================================================
x Fix reload loops on broken file: HTML documents (thanks
bernie for report)

x [XSS] Updated HTML event attributes

Re: Noscript puts FF in a reload loop

by barbaz » Wed Aug 19, 2020 8:37 pm

I can reproduce this with NoScript 11.0.39rc5 + Firefox 79.0 on Windows 10, with that exact sample file. Completely default settings for both Firefox & NoScript here.

Not reproducible on Linux.

EDIT Oops, collided posting with Giorgio. Yes when pasting in Windows it used CRLF for line endings.
