Search found 931 matches

by al_9x
Wed Oct 21, 2015 4:44 am
Forum: NoScript Development
Topic: top level built-in pdf.js viewer isn't blocked
Replies: 18
Views: 2352

Re: top level built-in pdf.js viewer isn't blocked

Evidently I am still not making myself clear. You've made yourself crystal clear, let's see if I can summarize. The latest pdf.js vulnerability, https://www.mozilla.org/en-US/security/ ... sa2015-78/ http://www.welivesecurity.com/2015/08/1 ... ay-attack/ is only tangentially and superficially rela...
by al_9x
Tue Oct 20, 2015 5:14 am
Forum: NoScript Development
Topic: top level built-in pdf.js viewer isn't blocked
Replies: 18
Views: 2352

Re: top level built-in pdf.js viewer isn't blocked

pdf.js is not an extension, it is built in. However since plugins are on their way out, it would be reasonable for mozilla to enable a class of plugin-like extensions for rendering arbitrary mime types. Maybe this already exists, don't know. If/when it does, then noscript's embedding blocking functi...
by al_9x
Mon Oct 19, 2015 11:31 pm
Forum: NoScript Development
Topic: top level built-in pdf.js viewer isn't blocked
Replies: 18
Views: 2352

Re: top level built-in pdf.js viewer isn't blocked

Calling it a vector does not change the fact that simply loading a pdf compromised firefox in a way that a scriptless html page could not. That is proof enough that pdf.js should still be treated more like a plugin rather than just web content, and therefore be blockable.
by al_9x
Mon Oct 19, 2015 4:57 am
Forum: NoScript Development
Topic: top level built-in pdf.js viewer isn't blocked
Replies: 18
Views: 2352

top level built-in pdf.js viewer isn't blocked

pdf.js has been exploited, so should be blockable
by al_9x
Sun Sep 06, 2015 9:38 pm
Forum: NoScript Development
Topic: youtube embed double activation (iframe, flash) problem
Replies: 11
Views: 3053

Re: youtube embed double activation (iframe, flash) problem

Investigating, thank you. are you able to repro? I did manage to reproduce, but its causes are very difficult to isolate. Are you going to stay with 31.x for long? This problem is present in fx 38.2.1esr and 40.0.3 with NS 2.6.9.37rc1 directions here In 38.2.1 the player is flash and it never loads...
by al_9x
Thu Aug 27, 2015 12:16 am
Forum: Web Tech
Topic: The Future of Developing Firefox Add-ons
Replies: 32
Views: 11124

Re: The Future of Developing Firefox Add-ons

Giorgio Maone wrote:Where is this discussion happening? Could you please post some links for me to participate?


http://forums.mozillazine.org/viewtopic ... #p14302067
by al_9x
Wed Aug 26, 2015 4:49 pm
Forum: Web Tech
Topic: The Future of Developing Firefox Add-ons
Replies: 32
Views: 11124

Re: The Future of Developing Firefox Add-ons

Classic Theme Restorer is probably the best canary in the coal mine for these changes, because it radically unfucks tweaks post australis ui, through xul, css and javascript hacks that mozilla is not likely to acknowledge as needed (that would mean admitting they've been making things worse for year...
by al_9x
Sun Feb 22, 2015 4:34 am
Forum: NoScript Development
Topic: youtube embed double activation (iframe, flash) problem
Replies: 11
Views: 3053

Re: youtube embed double activation (iframe, flash) problem

Giorgio Maone wrote:Investigating, thank you.


are you able to repro?
by al_9x
Sat Feb 07, 2015 2:54 pm
Forum: NoScript Development
Topic: youtube embed double activation (iframe, flash) problem
Replies: 11
Views: 3053

Re: youtube embed double activation (iframe, flash) problem

Please check latest development build 2.6.9.6rc3, thanks. This has regressed for the 31 ESR. Fx 31.4.0 ESR, NS 2.6.9.12, Flash 16.0.0.305, new profile ⋅  forbid iframe, apply to trusted ⋅  open ⋅  allow samsung.com ⋅  activate one of the videos (first the ifr...
by al_9x
Sat Nov 29, 2014 10:01 pm
Forum: NoScript Development
Topic: youtube embed double activation (iframe, flash) problem
Replies: 11
Views: 3053

Re: youtube embed double activation (iframe, flash) problem

I'm getting a "double" frame (placeholder). First click gets you youtube.com, then a second click gets you ytimg.com, after which the clip loads & plays. (I'm running from a less than clean Profile, but I'm not seeing anything odd.) > 3. allow samsung.com Not necessarily needed (for t...
by al_9x
Sat Nov 29, 2014 7:10 pm
Forum: FlashGot Development
Topic: downloaded dash streams should not be given m4a extensions
Replies: 5
Views: 2526

Re: downloaded dash streams should not be given mp4 extensio

it turns out it's a little more complicated, mp4 has many subtypes (ftyp)

the expected ftyp of an m4a file is M4A$20, but dash audio streams are ftyp dash, so at least the m4a extension is wrong.
by al_9x
Sat Nov 29, 2014 6:13 pm
Forum: NoScript Development
Topic: youtube embed double activation (iframe, flash) problem
Replies: 11
Views: 3053

youtube embed double activation (iframe, flash) problem

Fx 33.1.1, NS 2.6.9.6rc1, new profile

  1. forbid iframe, apply to trusted
  2. open
  3. allow samsung.com
  4. activate one of the videos (first the iframe, then the flash embed), it won't play
by al_9x
Fri Nov 28, 2014 4:20 pm
Forum: FlashGot Development
Topic: downloaded dash streams should not be given m4a extensions
Replies: 5
Views: 2526

downloaded dash streams should not be given m4a extensions

it's not an mp4 container, it does not have the m4a ftyp, and without m4a remuxing won't play in ios
by al_9x
Mon Jun 30, 2014 1:37 pm
Forum: NoScript Development
Topic: 2.6.8.29 tab opening bookmarklet regression
Replies: 9
Views: 1367

Re: 2.6.8.29 tab opening bookmarklet regression

Giorgio Maone wrote:Fixed in latest development build 2.6.8.30rc5, thank you.


Do you know why the window methods are no longer on the prototype?

        if (!w || w.open && w.open._bypass)
          return null;


Shouldn't this return w?
by al_9x
Sat Jun 28, 2014 6:51 pm
Forum: NoScript Development
Topic: 2.6.8.29 tab opening bookmarklet regression
Replies: 9
Views: 1367

Re: 2.6.8.29 tab opening bookmarklet regression

so window methods are no longer in the prototype but in the instance, why did they do that?

fix

      (function patchAll(w) {
        if (!w || w.open._bypass) return w;