NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 3:28 am
by Paranoid User
Can NoScript block any website from silently adding unnecessary frames/iframes (even more evil, invisible frames/iframes) when I leave the website?

A famous example would be to browse about.com. For example: http://pcworld.about.com/od/softwareser ... e-Tool.htm
Click on any external link of this page. A big top frame will be added even if you are browsing other websites.
It doesn't help at all even if you enabled Forbid FRAME.

I realize it offers an option to remove the frame, but a bad guy who wants to spy on you can use the same trick to add an invisible frame with no option of removal.
Is there anything NoScript can do to block a website from adding FRAME or IFRAME when I'm leaving its website?

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 8:22 am
by Grumpy Old Lady
Confirmed FRAMES not blocked in 3.0.12 as well as 3.5.1
Perhaps Giorgio recognises this form of complicated "keep the customer in the shop as long as you can" scripting as benign?
The about.com people don't want you to go if FRAMES are forbidden:

Code:

<noframes><body bgcolor="#cccc99" text="#000000" link="#000066" vlink="#000066" topmargin="5" bottomMargin="0" leftMargin="0"><table border="0" cellspacing="0" cellpadding="0" width="500"><tr><td align="center"><img src="/zimages70z/error/title.gif" height="54" width="284"><p>This feature of About.com requires frames.</p><p>click on the link below to proceed to <br /> <a href="http://www.pcworld.com/businesscenter/index/software_services.html" target="_top">http://www.pcworld.com/businesscenter/index/software_services.html</a>.</p></td></tr><tr><td align="center"><p>&nbsp<br><img src="/zimages70z/error/people1.gif" height="47" width="129"></td></tr></table></body></noframes>

pfft. I just noticed it's a NYTimes site. I'm not a fan of their use of active content.

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 8:34 am
by Giorgio Maone
It was fixed yesterday in the latest development build 1.9.7.3

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 9:08 am
by Grumpy Old Lady
Testing with 1.9.7.3 and the frames are still happening - reset to all defaults, then forbid <FRAMES> :?:

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 9:18 am
by Giorgio Maone
What do you mean by "happening"? Aren't they blocked with a placeholder?

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 9:23 am
by Grumpy Old Lady
Sorry, poor choice of word.
The frames are not being blocked. No placeholder shows, and the content is getting fully displayed - that is both the about.com top frame, including the "turn off this frame" notice, as well as the third party page.

Going to check with 3.5.1. again in XP

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 9:28 am
by Grumpy Old Lady
Same bug in XP. 1.9.7.3
FRAMES still not blocked.

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 9:48 am
by Giorgio Maone
Really weird. It's working fine for me. Does it happen on a clean profile?

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 9:54 am
by Grumpy Old Lady
Doing all this support thread with a clean profile. Easier :-)

Forbidding both <IFRAME> and <FRAME> - all other default settings - gives the desired blocking of the third party page.
Placeholder has <IFRAME> label.

EDIT: But I'll go now and create a new profile, just to be sure.

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 10:00 am
by Giorgio Maone
Before going on, have you got both forbid IFrames and forbid Frames checked?
I know it's an implementation detail which would need to be better documented or directly fixed, but for legacy Frame blocking to be effective, you need to block IFrames as well.
Checking if I can remove this caveat in 1.9.7.4...

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 10:07 am
by Grumpy Old Lady
Giorgio Maone wrote: Before going on, have you got both forbid IFrames and forbid Frames checked?

Yes boss :-)
That's the problem. I was being very literal and only checking <FRAMES> (as I guess is the OP)
My daily profile has both checked all the time, so I've never seen this apparent anomaly.

This new profile confirms that blocking works when both FRAMES and IFRAMES are checked.

I still don't like NYT sites though ;-)

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 11:31 am
by Paranoid User
Giorgio Maone wrote: It was fixed yesterday in the latest development build 1.9.7.3

Installed it in a new profile. I have both forbid IFRAME and FRAME checked.
It works but with some problems. The big top frame is blank but still occupies large space.
No way you can delete the frame and reclaim the space.

I once visited a site which is so aggressive that it adds the top frame and encodes all external links.
It won't go away even if you middle click to open a new page.
The link on the URLbar is also encoded and has something like %3A%3F. :(

Would you add a feature that can remove the frame completely and reclaim the space?
I think it should be pretty easy by simply calling a function to remove/hide anything within <noframe> ... </noframe>.
Tell me if I'm wrong. Thanks. :)

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 12:19 pm
by Giorgio Maone
Paranoid User wrote: Would you add a feature that can remove the frame completely and reclaim the space?
I think it should be pretty easy by simply calling a function to remove/hide anything within <noframe> ... </noframe>.
Tell me if I'm wrong. Thanks. :)

Sorry, you're wrong (the content of <noframe>...</noframe> is irrelevant here, since it would be evaluated only if your browser did not support frames, which is not the case).
And such a feature is out of NoScript's scope: blocking frames (i.e. preventing them from loading, like NoScript does) is very different than taking the content of one of the frames currently displayed (the bottom one, in your case, but how to tell which generally?) and placing it on the top level.
The best approach to something like that is using a GreaseMonkey script ad-hoc for the site you want to "deframeize".
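
A site-specific userscript of the kind suggested above, as an added example that is not part of the original post or of NoScript. It assumes the framing page is a classic <frameset>; the script name, the @include pattern and the pickContentFrame helper are hypothetical.

```javascript
// ==UserScript==
// @name     Deframe example (added illustration)
// @include  http://*.about.com/*
// ==/UserScript==
// The @include pattern above is an assumption; set it to the framing page you see.

// Pick the frame that holds the third-party page: the first http(s) frame whose
// host is neither the framing site's domain nor one of its subdomains.
function pickContentFrame(topUrl, frameSrcs) {
  const topHost = new URL(topUrl).hostname;
  // Naive "site" = last two labels of the host (wrong for domains like co.uk).
  const site = topHost.split(".").slice(-2).join(".");
  for (const src of frameSrcs) {
    let u;
    try {
      u = new URL(src, topUrl); // resolves relative frame URLs
    } catch (e) {
      continue; // unparsable src: ignore it
    }
    if (!/^https?:$/.test(u.protocol)) continue; // skip data:, javascript:, about:
    const h = u.hostname;
    if (h !== site && !h.endsWith("." + site)) return u.href;
  }
  return null; // only same-site frames found: leave the page alone
}

// Browser glue: runs only in a top-level document, never inside a frame.
if (typeof document !== "undefined" && typeof window !== "undefined" &&
    window.top === window.self) {
  const srcs = Array.from(document.querySelectorAll("frameset frame"),
                          (f) => f.getAttribute("src") || "");
  const target = pickContentFrame(location.href, srcs);
  if (target) location.replace(target); // load the content page at top level
}
```

The "which frame is the content?" question is answered here with a per-site heuristic, which is why this belongs in a script tuned to one site rather than in a general blocker.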

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 1:42 pm
by therube
While we're here, & as kind of pointed out already, if you were to open the (lower) IFRAME into a new tab (whilst blocked, placeholder still visible), the location bar shows something like this:

Code:

data:text/html;charset=utf-8,%3Chtml%3E%3Chead%3E%3C%2Fhead%3E%3Cbody%20style%3D%22padding%3A%200px%3B%20margin%3A%200px%22%3E%3Ciframe%20src%3D%22http%3A%2F%2Fwww.quickbooks.intuit.com%2F%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C%2Fiframe%3E%3C%2Fbody%3E%3C%2Fhtml%3E

I suppose that is to be expected because it is actually the IFRAME that you are opening rather than the (expected) web page itself - as the web page has yet to load.

Also, if you were to center-click the IFRAME (prior to clicking the placeholder), it would open in a new tab - void of the About.com (header) FRAME. If you had already clicked the placeholder, then you can Open Frame in New Tab - again void of the About.com (header) FRAME.

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Posted: Thu Jul 30, 2009 3:11 pm
by Paranoid User
therube wrote:

Code:

data:text/html;charset=utf-8,%3Chtml%3E%3Chead%3E%3C%2Fhead%3E%3Cbody%20style%3D%22padding%3A%200px%3B%20margin%3A%200px%22%3E%3Ciframe%20src%3D%22http%3A%2F%2Fwww.quickbooks.intuit.com%2F%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C%2Fiframe%3E%3C%2Fbody%3E%3C%2Fhtml%3E

Yes I sometimes see URLs like this. Actually what are all those %3A%2F, %2F%22%20?
Do they have a name?
How can I turn the gibberish URL back into a normal readable URL?
Is there any tool on the web which can do this?

therube wrote: Also, if you were to center-click the IFRAME (prior to clicking the placeholder), it would open in a new tab - void of the About.com (header) FRAME. If you had already clicked the placeholder, then you can Open Frame in New Tab - again void of the About.com (header) FRAME.

Links are usually re-coded (like in about.com). Middle click on the link doesn't remove the frame.
But once you are in the page with the frame, right click the content frame | this frame | show only this frame. It's the easiest way to bypass all restrictions added by the offending website.
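
The %XX sequences asked about above are percent-encoding (URL encoding): each one is a byte written as two hex digits, so %3A is ":" and %2F is "/". As an added example that is not part of the original thread, the code below decodes the data: URI quoted in the post and lists the frame targets inside it; the function names are hypothetical.

```javascript
// Sample input: the data: URI quoted in the post above.
const SAMPLE = "data:text/html;charset=utf-8,%3Chtml%3E%3Chead%3E%3C%2Fhead%3E%3Cbody%20style%3D%22padding%3A%200px%3B%20margin%3A%200px%22%3E%3Ciframe%20src%3D%22http%3A%2F%2Fwww.quickbooks.intuit.com%2F%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C%2Fiframe%3E%3C%2Fbody%3E%3C%2Fhtml%3E";

// Split a data: URI into its media type and decoded text body.
// Throws on a non-data URI; decodeURIComponent throws URIError on a malformed %XX.
function decodeDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri);
  if (!m) throw new Error("not a data: URI");
  const params = m[1].split(";");
  const isBase64 = params.length > 1 &&
    params[params.length - 1].trim().toLowerCase() === "base64";
  let body = decodeURIComponent(m[2]); // %3C -> "<", %22 -> '"', %20 -> " "
  if (isBase64) {
    // Payload is base64 rather than plain text: decode bytes, then UTF-8.
    const bytes = Uint8Array.from(atob(body), (c) => c.charCodeAt(0));
    body = new TextDecoder("utf-8").decode(bytes);
  }
  return { mediaType: params[0] || "text/plain", body };
}

// List the src of every <frame>/<iframe> tag in the decoded markup.
// This is a regex scan for quick inspection, not a full HTML parser.
function framedUrls(html) {
  const re = /<i?frame\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  for (const m of html.matchAll(re)) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

const decoded = decodeDataUri(SAMPLE);
console.log(decoded.mediaType);        // media type declared by the URI
console.log(decoded.body);             // readable HTML
console.log(framedUrls(decoded.body)); // pages the wrapper would load in a frame
```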