NoScript does not apply permissions correctly the first time an allowed page is visited in a tab when using the new contextual policies feature.
Steps to reproduce on Firefox 97.0.1 with NoScript 11.3.2
Starting from a fresh profile go to example.com (any page that uses scripts and is not already included in NoScript's default per-site permissions list)
Click the NoScript icon then click the custom icon for example.com
Change the "Enable these capabilities when the top page matches" drop down menu from "ANY SITE" to "...example.com"
Click the script check box to allow scripts
Click somewhere outside NoScript's menu and the page should reload
Note that the scripts on example.com will work as expected
Open a new tab
Go to example.com in the new tab
Despite having been set to allow scripts on example.com NoScript will incorrectly block scripts as well as any other capabilities that were enabled for example.com
Reloading the page will cause permissions to be applied correctly, but this needs to be repeated every time a new tab is opened or an allowed page is visited.
Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
Thank you for your report.
I cannot reproduce on latest development build 11.3.3rc2, which might contain an accidental fix for this issue.
Could you confirm, and if that's not the case provide an actual URL where the issue is still reproducible?
Thanks!
I have done some more testing and can confirm that the bug is still present in NoScript 11.3.3rc3.
The behavior has been consistent for every URL I have tried, https://www.whatismybrowser.com/detect/is-javascript-enabled is one example.
I forgot to mention that Firefox 97.0.1 was installed via snap on Ubuntu 21.10.
It seems like the first time a page is loaded in a new tab NoScript does not accurately recognize the top site.
Since it does not know the top site it falls back to the permissions assigned to the "ANY SITE" context.
If the page is reloaded NoScript is then able to recognize the top site correctly and the permissions work as they should.
Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
Not a snap related issue. I can confirm this bug in a normal tarball-based install of Firefox 97.0, with NoScript 11.3.3rc3 and that whatismybrowser link. Also, the NoScript icon shows despite that NoScript is actually blocking the page scripts.
*Always* check the changelogs BEFORE updating that important software!
v 11.3.3rc4
============================================================
x Fixed wrong label for http: sites in contextual policy UI
(thanks barbaz for reporting)
x Fix for first party context policy ignored on first load
in new tabs (thanks ayi for reporting)