This topic has as far as I know already been raised by the Clipperz developers, but I would like some public feedback/explanation.
Clipperz, a free and anonymous online password manager, has a nice feature called "Direct login". This means that you can just click a link (in your password database) and Clipperz will log you in - quite obvious I guess. This plays very well with NoScript, but now Clipperz is working on a new version which uses a different implementation of the direct logins. Basically a new window is opened and the address bar filled with the HTML source for the login form encoded - "data:text/html;charset=utf-8;base64 ...". This is blocked by NoScript with a warning in the console:
I'm sorry it's in Norwegian, but I guess the message is quite clear: The upload/submit was cleaned and turned into a GET request, because it came from moz-nullprincipal.

[NoScript XSS] Rengjorde en mistenkelig opplasting til [http://forum.pivotx.net/ucp.php?mode=login] fra [moz-nullprincipal:{189449de-a084-426a-bb38-ed1ca9624d9f}]: omgjort til en kun-nedlasting GET forespørsel.
Why can't I white-list moz-nullprincipal? What are the security issues that I don't see? (I must admit that I don't really know what moz-nullprincipal is, but I guess it's something local.) Any feedback would be appreciated. Either how Clipperz could avoid this problem or how NoScript could be changed/configured to work. I'm not prepared to drop any of these applications ...
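An added example, not part of the original post and not Clipperz or NoScript code: it builds the kind of `data:text/html;charset=utf-8;base64,...` URL described above and reports what a request filter can learn about a form submitted from it. The form, its field values and the `example.test` target are constructed for illustration; the point it shows is that a `data:` document has an opaque origin (serialised as `null`, which Firefox displays as `moz-nullprincipal:{...}`), so there is no host name for a per-site whitelist to match.

```javascript
// Constructed sample: a login form like the one a "direct login" link would carry.
// The target URL and field values are made up for this example.
const FORM_HTML =
  '<form method="post" action="https://example.test/ucp.php?mode=login">' +
  '<input name="username" value="alice"><input name="password" value="s3cret">' +
  '</form>';

// Wrap HTML in the URL shape quoted in the post.
function toDataUrl(html) {
  const b64 = Buffer.from(html, 'utf8').toString('base64');
  return 'data:text/html;charset=utf-8;base64,' + b64;
}

// Split a data: URL into its media type and decoded body.
function decodeDataUrl(url) {
  const m = /^data:([^,]*),(.*)$/s.exec(url);
  if (!m) throw new Error('not a data: URL');
  const params = m[1].split(';');
  const isBase64 = params[params.length - 1].toLowerCase() === 'base64';
  if (isBase64) params.pop();
  const body = isBase64
    ? Buffer.from(m[2], 'base64').toString('utf8')
    : decodeURIComponent(m[2]);
  return { mediaType: params[0] || 'text/plain', body };
}

// Read one quoted attribute from the first <form> tag (enough for this sample,
// not a general HTML parser).
function formAttr(html, name) {
  const tag = /<form\b[^>]*>/i.exec(html);
  const hit = tag && new RegExp('\\b' + name + '\\s*=\\s*"([^"]*)"', 'i').exec(tag[0]);
  return hit ? hit[1] : null;
}

// Summarise the submission as a request filter would see it.
function describeSubmission(dataUrl) {
  const { mediaType, body } = decodeDataUrl(dataUrl);
  const action = formAttr(body, 'action');
  return {
    mediaType,
    sourceOrigin: new URL(dataUrl).origin, // opaque origin, serialised as "null"
    method: (formAttr(body, 'method') || 'get').toUpperCase(),
    targetOrigin: action ? new URL(action).origin : null,
  };
}
```

Run under Node.js; `describeSubmission(toDataUrl(FORM_HTML))` returns the source origin, method and target origin for the constructed form.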