Page 1 of 1

10.1.7.5: data:text/html url's scriptable by default

Posted: Sat Apr 14, 2018 7:26 am
by juozas
Entering an arbitrary

Code: Select all

data:text/html
url in url bar, e.g.

Code: Select all

data:text/html, <html><head><title>Hello, World!</title><script>alert("This is scriptable by default");</script></html>
does not disable scripting in it by default. It appears to be like a privilleged page to noscript as shown in it's pop up, as there should be an option to toggle such scripting in settings or temporary in the page or something similar.

Firefox: 59.0.2
NoScript: 10.1.7.5

Re: 10.1.7.5: data:text/html url's scriptable by default

Posted: Sat Apr 14, 2018 3:34 pm
by barbaz
Not sure it's technically possible for a WebExtension to block scripts on data: URLs manually entered in address bar.

(NoScript Classic didn't disable scripts on such URLs either, it just blocked them loading and included a about:config pref to allow them.)

Re: 10.1.7.5: data:text/html url's scriptable by default

Posted: Sun Apr 15, 2018 1:32 pm
by therube
(NoScript Classic didn't disable scripts on such URLs either, it just blocked them loading and included a about:config pref to allow them.)
That (javascript: & data: URI blocking) does not look to be working in NoScript 5.x. (in SeaMonkey) ?
It does work with NoScript 2.9.x.