InformAction Forums

Do not allow scripts globally on rc4. There is a bug that hopefully gets fixed soon.

Trying to submit PM message will error out with "You must specify a subject when composing a new message.".

Can confirm. Need to have pdf content type action set to "ask" and scripts allowed for anpost.ie to reproduce. Definitely something in the RequestUtil. Again...

What exactly are you doing when the error happens and what does not work afterwards?

You can add ip-address manually in the NoScript-Options -> Per-Site Permissions -> Search or add a web site

Adding media permission to the TRUSTED is quite fine. It should be there by default in any case. But using CUSTOM is fine too.

When doing testing, always install the latest version, no matter if it's RC or stable.

If I allow only lenta.ru script eagleplatform.com script fetch I do see the player, but get an error and no video. Just what is Fetch? Fetch is for XHR requests. Used to "fetch" content (any data: text, html, scripts, media, streams, etc.) from a server. When you allow "fetch" fo...

Do not allow "media" on eaglecdn.com (or just remove all rights from any domain starting with "eagle"). Does that work for you?

If XSS was that serious and common, surely there would be more browser addons or built-in browser options to deal with it. The current chosen approach by most browsers is CSP (Content Security Policy), which lets web pages to define a set of rules for scripts and content that is supposed to be on t...

Can confirm. Needs sanitation of single quotes out of the url if present.

Thanks for clarification. The current design clearly expects that the XSS warnings are few and far between. I assume you encounter them slightly more often? The visual popup does have the advantage that, since false positives are likely going to break something, you will at least instantly know what...

If you mean you do not wan't XSS protection anymore, there is a option to disable it in the NS-Settings/Advanced. If you wan't the XSS protection to work but wish you didn't need to allow/block the same popup every time, there is the "Always allow/Always block" option in the popup, which w...

How about adding class="noscript" (or something like that), so everyone can style them as they see fit?

It would NOT be good idea to disable CSP as that is what NoScript uses to block inline javascript. For anything fetched with network request, NoScript is able to block in webRequest event, but scripts that come embedded in the main document need to be blocked with CSP as that is the only way availab...