NoScript prevents allowed site from making API calls

Bug reports and enhancement requests

NoScript prevents allowed site from making API calls

Postby Hyena » Wed Sep 20, 2017 7:40 am

I have a real example here: http://cryptograffiti.info/

When I go to that page with NoScript enabled, the NoScript bar appears as expected. When I choose to allow all on that site then the bar disappears but the site remains broken. Turns out that API requests to 3rd party services get blocked by NoScript. I would say that this is a bug in NoScript, but perhaps there is a good reasoning behind it? In that case I would like to know what to do.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Hyena
 
Posts: 5
Joined: Wed Sep 20, 2017 7:34 am

Re: NoScript prevents allowed site from making API calls

Postby barbaz » Wed Sep 20, 2017 4:24 pm

Works for me with -
Code: Select all
+blockexplorer.com
+blockchain.info
+btc.blockr.io
+cryptograffiti.info
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript prevents allowed site from making API calls

Postby Hyena » Thu Sep 21, 2017 7:44 am

barbaz wrote:Works for me with -
Code: Select all
+blockexplorer.com
+blockchain.info
+btc.blockr.io
+cryptograffiti.info


I just tested this on another computer. I installed the NoScript 5.0.10 on Firefox 55.0.2 (64-bit) and the issue is still there. When I first go to the named page it asks me whether I want to allow scripts. When I choose to allow scripts on all of the page then the page refreshes and starts making API calls to those 3rd party sites. However, all those calls fail. NoScript does not ask me again whether I want to allow access to the named 3rd party sites. And this does not make any sense to ask it because I already allowed NoScript to run scripts on all of the page. API calls are not scripts, they are just API calls to 3rd party services. NoScript should not block these. And to make matters worse, NoScript does not give me a warning that some resources are blocked by it, it does not ask me to allow access to those services. Only when I switched tabs and returned to the cryptograffiti tab then NoScript asked me to enable access to those 3rd party services. I think this is a bug.

Image
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Hyena
 
Posts: 5
Joined: Wed Sep 20, 2017 7:34 am

Re: NoScript prevents allowed site from making API calls

Postby barbaz » Thu Sep 21, 2017 4:06 pm

Blocking of "API calls" (normally called XMLHttpRequest) is a security feature, not a bug. If you don't want that security, go to about:config and set noscript.forbidXHR to 0.

Hyena wrote:NoScript does not ask me again whether I want to allow access to the named 3rd party sites. [...] And to make matters worse, NoScript does not give me a warning that some resources are blocked by it, it does not ask me to allow access to those services. Only when I switched tabs and returned to the cryptograffiti tab then NoScript asked me to enable access to those 3rd party services. I think this is a bug.

I'm not so sure. I didn't have this trouble.

Please create a clean profile from scratch. Install only NoScript latest development build, leaving all the defaults.
Does the problem still exist?
If not, what if you then import your NS settings into the clean profile using the Import and Export buttons *on the very bottom* of NS Options?
If that still doesn't reproduce the problem, it's not a NoScript issue... try Standard Diagnostic (leaving NS enabled) to isolate and correct the real cause.

Let us know, thanks.
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript prevents allowed site from making API calls

Postby Hyena » Fri Sep 22, 2017 7:00 am

Being the dev of the named site, I think it's just easier for me to include some small resource from all of these APIs statically to the cryptograffiti's index.html, which would (hopefully) force NS to spawn the dialogue for allowing the named services immediately after the user has allowed scripts for the main site itself.

I have reproduced the issue on two separate and independent Linux machines already. If you're not willing to fix this then developers need to build a workaround, obviously. This is pretty bad bug because it leaves the user with absolutely no information whether it is caused by NS or if the site itself is broken.

I also made a screen recording of the bug.
You can see that first when you go to the site there is absolutely no NS dialogue and the site is not working. Only when I temporarily switch to some other random tab and then back then NS dialogue appears.
Expected behavior: the dialogue should start immediately

By the way, this forum has an intolerable "spam filter". It does not allow me to post anything and it says:
Ooops, something in your posting triggered my antispam filter...
Please use the "Back" button to modify your content and retry.


Turns out the spam filter does not like it if I quote other users. Better fix this, because it's not obvious at all. I thought it was my IP and it was not.
Last edited by Hyena on Mon Sep 25, 2017 8:31 am, edited 1 time in total.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Hyena
 
Posts: 5
Joined: Wed Sep 20, 2017 7:34 am

Re: NoScript prevents allowed site from making API calls

Postby barbaz » Fri Sep 22, 2017 5:43 pm

Sorry, I misunderstood what you were describing. The NoScript menu does update in real time for me. But the icon does not change state, nor is the notification bar shown again, until:
1) Switching tabs,
2) Waiting for the icon & notification bar to update to reflect the new tab,
3) Switching back.

This happens in Firefox 55.0.3. I do not see the bug in SeaMonkey '2.49.1pre' (based on Firefox 52.3.0).

Moving to NoScript Development. Thanks for the bug report.

Hyena wrote:If you're not willing to fix this th

This will be fixed. It may take a while, as Giorgio is the only NoScript developer, and he is currently very busy porting NoScript to WebExtensions.

Hyena wrote:I also made a screen recording of the bug. You can download it here: https://filetea.me/n3wbY4Td8DISkqJjoe8SXFoVQ

That link gives me a blank plain-text document.
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript prevents allowed site from making API calls

Postby Hyena » Mon Sep 25, 2017 8:32 am

barbaz wrote:That link gives me a blank plain-text document.


Thanks for the reply, the video is now here: http://www.dailymotion.com/video/x61wdpb
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Hyena
 
Posts: 5
Joined: Wed Sep 20, 2017 7:34 am

Re: NoScript prevents allowed site from making API calls

Postby therube » Mon Sep 25, 2017 11:50 am

Firefox 55.0.2

Why not 55.0.3?

Seems to be working for me, 55.0.3 x64, Windows.

Load the site, notification bar shows up.
Allow cryptograffiti.info.
(A slight delay...)
Notification bar shows up again, this time showing 1/4 & once you Allow those, the site works.
(A slight delay...)
Notification bar shows up again, this time showing 4/5 (with coinbase.com being newly added).


(And SeaMonkey 2.49.1 reacts the same way.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.1 Lightning/5.4
User avatar
therube
Ambassador
 
Posts: 6703
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript prevents allowed site from making API calls

Postby Hyena » Mon Sep 25, 2017 12:23 pm

therube wrote:
Firefox 55.0.2

Why not 55.0.3?

Seems to be working for me, 55.0.3 x64, Windows.

Load the site, notification bar shows up.
Allow cryptograffiti.info.
(A slight delay...)
Notification bar shows up again, this time showing 1/4 & once you Allow those, the site works.
(A slight delay...)
Notification bar shows up again, this time showing 4/5 (with coinbase.com being newly added).


(And SeaMonkey 2.49.1 reacts the same way.)


Package manager has not yet provided me 55.0.3. good to know it's working on the latest though
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Hyena
 
Posts: 5
Joined: Wed Sep 20, 2017 7:34 am

Re: NoScript prevents allowed site from making API calls

Postby therube » Mon Sep 25, 2017 2:43 pm

I'm on Windows.
barbaz was able to duplicate your issue on a Mac (I guess it was).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.1
User avatar
therube
Ambassador
 
Posts: 6703
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript prevents allowed site from making API calls

Postby barbaz » Mon Sep 25, 2017 4:23 pm

therube wrote:barbaz was able to duplicate your issue on

... the unbranded build of Firefox 55.0.3, on Ubuntu Linux 64-bit.

I haven't used Mac OS in years and have zero interest in switching back.
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm


Return to NoScript Development

Who is online

Users browsing this forum: Majestic-12 [Bot] and 1 guest