Search found 244 matches

by skriptimaahinen
Tue Sep 01, 2020 12:49 pm
Forum: NoScript Development
Topic: 11.0.41
Replies: 26
Views: 10462

Re: 11.0.41

Looks like special handling of onload in body needs to be done a bit later, so that it's certain the body has been parsed. DOMContentLoaded seems a good candidate. Doing it in a mutationobserver is also a possibility. But it's not just onload. Also onunload and onpagehide share the same problem. The...
by skriptimaahinen
Sun Aug 30, 2020 7:52 am
Forum: NoScript Development
Topic: 11.0.41
Replies: 26
Views: 10462

Re: 11.0.41

Noticed that onload event attribute on body was not getting caught by the eventSuppressor. document.addEventListener() didn't even catch the event. Using plain addEventListener() did, but turns out load is non-cancelable. (https://developer.mozilla.org/en-US/docs/Web/API/Window/load_event) That's no...
by skriptimaahinen
Sun Aug 30, 2020 6:10 am
Forum: NoScript Development
Topic: 11.0.41
Replies: 26
Views: 10462

Re: 11.0.41

This approach (document.write) does not work with XHTML or XML(SVG) files.
by skriptimaahinen
Sat Aug 29, 2020 9:23 pm
Forum: NoScript Development
Topic: 11.0.41
Replies: 26
Views: 10462

Re: 11.0.41

I suspect that's because you forgot to change to document also the removeEventListener() call in finalize(), therefore bodySuspender gets called after finalization. :oops: Interestingly, if I use the original plain addEventListener() and remove the removeEventListener() from finalize(), I get prett...
by skriptimaahinen
Sat Aug 29, 2020 11:11 am
Forum: NoScript Development
Topic: 11.0.41
Replies: 26
Views: 10462

Re: 11.0.41

Event attribute suppression looking good. And to test the suspending on DOMContentLoaded:

Document used for testing:

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset='UTF-8'>
    </head>
    <body>
    <script src="script.js"></script>
    </body>
    </html>

script.js:

    console.log("External script hello!"...
by skriptimaahinen
Fri Aug 28, 2020 4:17 am
Forum: NoScript Development
Topic: 11.0.41
Replies: 26
Views: 10462

Re: (11.0.40rc2 and up) Local files external JS files sometimes cannot listen on DOMContentLoaded

Pointed this problem out in my 11.0.41 thread already.

Giorgio is working on it, but I'm afraid it's not an easy one.
by skriptimaahinen
Wed Aug 26, 2020 1:34 pm
Forum: NoScript Development
Topic: 11.0.41
Replies: 26
Views: 10462

Re: 11.0.41

It's not, actually. We remove the event suppression as soon as we install the CSP (in order to avoid unexpected side effects in the "normal" user interaction with a scriptless page), and this could be abused by including a very slow loading script / stylesheet / whatever in the head causi...
by skriptimaahinen
Wed Aug 26, 2020 10:14 am
Forum: NoScript Development
Topic: 11.0.41
Replies: 26
Views: 10462

11.0.41

Interesting update again. Some remarks. The event attribute removal would appear to be redundant now that there is a method to "suppress" them. However, the list of the eventTypes is not complete. For example beforescriptexecute is a valid event, that could be put e.g. in head and would cu...
by skriptimaahinen
Fri Aug 21, 2020 6:25 am
Forum: NoScript Support
Topic: Noscript puts FF in a reload loop
Replies: 37
Views: 13423

Re: Noscript puts FF in a reload loop

staticNS.js:104

    documentCSP.apply(new Set()); // block everything to prevent leaks from page's event handlers

Is the above actually necessary? The root attributes are already removed in the beginning of this file. Sure, they are put back in the setup(), but they should be subject for the CSP now. .3...
by skriptimaahinen
Thu Aug 20, 2020 10:45 am
Forum: NoScript Support
Topic: Noscript puts FF in a reload loop
Replies: 37
Views: 13423

Re: Noscript puts FF in a reload loop

11.0.39rc6 on linux. Can't reproduce the original bug with any config, so not able to say anything about how the fix handles that, BUT... While changing permissions on any file, the permissions are not always actually changed after the reload. This would appear to be caused by the onBeforeUnload not...
by skriptimaahinen
Sat Aug 15, 2020 1:38 pm
Forum: NoScript Development
Topic: [Fixed] Ability to refresh page file:///tmp/page#13 with scripts enabled
Replies: 3
Views: 3950

Re: Ability to refresh page file:///tmp/page#13 with scripts enabled

Can confirm. Problem is in Policy.js: Sites.parse()

    let path = url.pathname;
    siteKey = url.origin;
    if (siteKey === "null") {
      siteKey = site;
    } else if (path !== '/') {
      siteKey += path;
    }

Since origin is null for file:, the fragment (hash) ends up in the siteKey and the url is not matched. ...
by skriptimaahinen
Thu Aug 13, 2020 9:15 am
Forum: NoScript Development
Topic: 11.0.37 src script
Replies: 7
Views: 4182

Re: 11.0.37 src script

Looks good now. Thanks!
by skriptimaahinen
Thu Aug 13, 2020 6:40 am
Forum: NoScript Development
Topic: 11.0.37 src script
Replies: 7
Views: 4182

Re: 11.0.37 src script

Synchronous XHR suspends the current JS execution flow by pushing the current state into a kind of stack. Oh, I knew about that. Should have realized it would be a problem. :oops: Why does NoScript need to do any suspending at all in Firefox? Also "Disable restrictions for this tab" relie...
by skriptimaahinen
Wed Aug 12, 2020 11:23 am
Forum: NoScript Development
Topic: 11.0.37 src script
Replies: 7
Views: 4182

Re: 11.0.37 src script

Of course there is another problem with the above.

    <html onclick="console.log('CLICK')"></html>

Any event attribute in element that gets parsed before the CSP is inserted, is not blocked. For documentElement (<html>) this happens by default as it exists already when contentscripts run. How...
by skriptimaahinen
Wed Aug 12, 2020 7:06 am
Forum: NoScript Development
Topic: 11.0.37 src script
Replies: 7
Views: 4182

11.0.37 src script

Problem with 11.0.37

Since no more beforescriptexecute safety net, the script in the next sample will not be blocked on file: protocol. Does not appear to cause problems on http:.

    <html>
    <head>
    <script src="notblocked.js"></script>
    </head>
    <body></body>
    </html>

After doing some testing, it...