(S) v10: needs to be reloaded to operate on website w/ PDF.


Re: (S) v10: needs to be reloaded to operate on website w/ P

by Giorgio Maone » Fri Jul 20, 2018 10:09 pm

Please check latest development build, thanks.
v 10.1.8.9rc2
=============================================================
x Fixed externally handled resources opened in popups broken
by dynamic script injection (thanks rpr and paulmcg for
reporting)

x [Tor Browser, Linux] Replaced unicode glyphs not being
rendered on some browsers / platforms
x Prevent multiple canScript content messages during the same
page load

Re: (S) v10: needs to be reloaded to operate on website w/ P

by Giorgio Maone » Fri Jul 20, 2018 8:06 pm

paulmcg wrote:
Giorgio Maone wrote:Could you also check with Firefox's developer console
I had to upload the Firefox console log, since this site's spam filter wouldn't let me upload here.
https://drive.google.com/open?id=1QiTKY ... ectNupKlkD

The problem doesn't happen if I disable NoScript. The pages that cause the problem are not publicly accessible on one of our servers (myife.panasonic.aero).
Let me guess: when you click on the PDF, a new tab is opened for a microsecond, then you get the error message, correct?
If so, it's a Firefox bug and I'm already working on a work-around, thanks.

Re: (S) v10: needs to be reloaded to operate on website w/ P

by paulmcg » Fri Jul 20, 2018 3:49 pm

Giorgio Maone wrote:Could you also check with Firefox's developer console
I had to upload the Firefox console log, since this site's spam filter wouldn't let me upload here.
https://drive.google.com/open?id=1QiTKY ... ectNupKlkD

The problem doesn't happen if I disable NoScript. The pages that cause the problem are not publicly accessible on one of our servers (myife.panasonic.aero).

Re: (S) v10: needs to be reloaded to operate on website w/ P

by Giorgio Maone » Thu Jul 19, 2018 5:52 pm

paulmcg wrote:I am having problems downloading .pdf and .tgz archives on some of our company Web sites, even though I whitelisted our sites.
Could you also check with Firefox's developer console (ctrl+K), Network tab, which HTTP headers the server is sending exactly (or give me a public server where this problem can be reproduced)?
Might Firefox's popup blocker be interfering (i.e., does the link work if you disable NoScript)?

Re: (S) v10: needs to be reloaded to operate on website w/ P

by paulmcg » Thu Jul 19, 2018 5:14 pm

I am having problems downloading .pdf and .tgz archives on some of our company Web sites, even though I whitelisted our sites.

The PDF download problem occurs in NoScript 10.1.8.9rc1 with Firefox 61.0.1. It seems to occur when a Web page opens a window with JavaScript for the PDF URL instead of just giving you the URL.

I uploaded a .zip file with the HTML, JavaScript and CSS files from when the problem occurs plus a screenshot of the Firefox error.
https://drive.google.com/file/d/1cUv_PC ... sp=sharing

Re: (S) v10: needs to be reloaded to operate on website w/ P

by fenix » Wed Jul 18, 2018 4:13 pm

Hello.

It seems that version v10.1.8.8 fixed the issue with reloading NoScript on websites with .PDF files etc. I've checked one site and after clicking on the main icon, there was not the information mentioned in my first post, but all presets available in NoScript. The mentioned site has been set with a "DEFAULT" preset (domain was: …semanticscholar.org) etc. So, it seems everything is okay. However, I didn't do any tests like, for example, changing presets, adding some options ('script', 'frame' and so on).

One more thing to note. When I moved the mouse cursor over the NoScript icon, but without clicking, a small window appeared with the following information (the same thing happened in my first post):

NoScript 10.1.8.8
Blocked 0 of 0 items

Here is a tested website: https://pdfs.semanticscholar.org/5d9b/6 ... 305fc5.pdf If someone has some free time, please run more tests.

Thanks.

Re: (S) v10: needs to be reloaded to operate on website w/ P

by fenix » Thu May 24, 2018 10:57 am

Hello.

So, as skriptimaahinen has just written in his comment: "Not sure if NS should interfere with PDF handling (...)", maybe there should be different information instead of "In order to operate on this tab, NoScript needs to reload it. Proceed?" Something like:

1/ Permissions for websites with .PDF files cannot be changed, because of...
2/ Permissions for websites with .PDF files cannot be changed due to...

And then name the reason for such a decision at the end (after "because of/due to")? There can be an [OK] button only. But that's just a naive and stupid idea... Sorry.

Thanks.

Re: (S) v10: needs to be reloaded to operate on website w/ P

by skriptimaahinen » Thu May 17, 2018 9:01 pm

I doubt the plugins work anymore except in 52, though the last time I used the Adobe plugin was something like 15 years ago. :) And even if the plugins did work, NS could block them with the "object" option.

However, FF does offer the option to open the PDF in an external program.

Re: (S) v10: needs to be reloaded to operate on website w/ P

by therube » Thu May 17, 2018 6:20 pm

Can you still do 'external viewer', as in like via a Plugin in FF (Quantum)?
I thought all that was allowed was Flash.
(FF 52 should be able to do external viewer, via Plugin.)

Re: (S) v10: needs to be reloaded to operate on website w/ P

by skriptimaahinen » Thu May 17, 2018 5:17 pm

In that case I think it might be best to allow resource (and chrome|moz-extension|about) URIs regardless of the policy, maybe, or am I missing some important case?

Not sure if NS should interfere with PDF handling as FF itself offers a plethora of user-configurable ways to do it (pdf.js, external viewer, download).

Re: (S) v10: needs to be reloaded to operate on website w/ P

by Giorgio Maone » Thu May 17, 2018 5:45 am

skriptimaahinen wrote: @Giorgio: Does showing the resource URIs (e.g. resource://pdf.js) benefit the user in any way?
I do not think so, but maybe I could instead try to intercept the PDF load attempt before it gets to the viewer and block it outright, tying this behavior to a special "PDF" permission...

Re: (S) v10: needs to be reloaded to operate on website w/ P

by skriptimaahinen » Wed May 16, 2018 11:36 pm

Well, looks like FF 60 blocks content scripts from running in the PDF viewer. This is what breaks NS. Not sure if intended, but it might be due to a fix for a security vulnerability that allowed PDF files to run scripts in the viewer's context. (The very unhelpful and wrong popup message is an NS bug though.)

@fenix: Unfortunately none of the NS settings really affect PDF security. That's purely the PDF viewer's responsibility.

@Giorgio: Does showing the resource URIs (e.g. resource://pdf.js) benefit the user in any way?

Re: (S) v10: needs to be reloaded to operate on website w/ P

by fenix » Mon May 14, 2018 8:48 am

Hello barbaz.

Thanks for checking this issue. Anyway, .PDF is a common target for malware attacks, right? So I think there should be a possibility to set/change NoScript's presets on such web sites etc. We already saw a few CVEs that allow remote attackers to cause a DoS or possibly have other malicious impact via a crafted .PDF document (an attacker could plant a malicious .PDF on a website). I think NoScript should allow Users to make some changes on such websites: e.g. change preset from Default to Custom etc.

Thanks.

Re: (S) v10: needs to be reloaded to operate on website w/ P

by barbaz » Sun May 13, 2018 10:11 pm

Confirmed in Firefox 60, NoScript 10.1.8.2rc2, new profile.
https://noscript.net/abe/abe_rules.pdf is also affected.

With Firefox 59 I get the expected behavior.

Re: (S) v10: needs to be reloaded to operate on website w/ P

by fenix » Sun May 13, 2018 7:12 pm

Hello therube.

You asked "what is expected in that situation?" Hmm, I think that there should be a possibility to change the trust levels etc. (By default, each domain is under the Default, right?) So, I think that on web sites which display PDF files inside the browser window, there should be a possibility, for example, to explicitly set Trusted, Temp-Trusted or Untrusted and so on. Just like with other web sites such as youtube.com where the User can allow only three domains to work properly and display videos etc. (the rest of the domains can be set as Untrusted).

Thanks, best regards.

fenix aka ragner
