It is possible for privileged pages to load unprivileged content. Most obvious example that comes to mind is a web page served over file protocol. It can contain anything so it can load unprivileged content. Noscript should be able to act on unprivileged content and notify the user that there is privileged content that is always enabled. As of v10.1.8.16 there is no way to enable unprivileged content on privileged pages via popup.
Sample testcase
Code: Select all
<html>
<head>
<title>JW Embedder</title>
<meta charset="UTF-8">
</head>
<body>
<script type='text/javascript' src='https://content.jwplatform.com/libraries/jEKBHz28.js'></script>
<div id="container"></div>
<script type='text/javascript'>
var jwparams={};
jwparams["file"]='https://pal1000.github.io/shared/tutorials/legacy-igpu-ogl-fix-win10.mov';
jwparams['width']='75%';
jwparams['height']='75%';
jwparams['ratio']='16:9';
jwparams['autostart']='false';
jwparams['mute']='false';
jwparams['volume']='100';
jwplayer("container").setup(jwparams);
</script>
</body>
</html>
If you save this in a html document and open it with Firefox, if
https://content.jwplatform.com and
https://ssl.p.jwpcdn.com are not trusted, the embedded player won't load and there is no easy way to unblock it because the popup doesn't offer a way to unblock unprivileged content. Interestingly enough for this testcase
https://pal1000.github.io can be unblocked via NoScript blocked object dialog so it looks this is fixable and it's not a Firefox webextension API hard limitation.