noscript xss issues with bookmarklets


Post by pinboarder »

Hello,

I have 2 bookmarklets from pinboard (here - popup and popup with tags) that I am having problems using with noscript.

If I use noscript with script blocking enabled the bookmarklets work.

If I disable noscript script blocking but keep other protections the bookmarklets do not work until I either disable XSS protections or reset noscript to defaults.

Is there a way to work around this so I can use the bookmarklets and noscript with script blocking disabled?
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: noscript xss issues with bookmarklets

Post by Thrawn »

pinboarder wrote: If I disable noscript script blocking
What do you mean by this? "Scripts Globally Allowed"? There isn't a checkbox to switch off script-blocking.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
therube
Ambassador
Posts: 7979
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: noscript xss issues with bookmarklets

Post by therube »

What happens if you only Allow pinboard.in ?
Or both pinboard.in & the domain you run the bookmarklet from?
Guessing that is what is needed?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 SeaMonkey/2.39
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: noscript xss issues with bookmarklets

Post by barbaz »

Thrawn wrote:
pinboarder wrote: If I disable noscript script blocking
What do you mean by this? "Scripts Globally Allowed"? There isn't a checkbox to switch off script-blocking.
I'm guessing yes, that they disabled NoScript from the Add-ons Manager and instead of confirming at NoScript's warning, selected the "No, just stop blocking scripts" option.
*Always* check the changelogs BEFORE updating that important software!
-
pinboarder

Re: noscript xss issues with bookmarklets

Post by pinboarder »

barbaz wrote:
Thrawn wrote:
pinboarder wrote: If I disable noscript script blocking
What do you mean by this? "Scripts Globally Allowed"? There isn't a checkbox to switch off script-blocking.
I'm guessing yes, that they disabled NoScript from the Add-ons Manager and instead of confirming at NoScript's warning, selected the "No, just stop blocking scripts" option.
therube wrote:What happens if you only Allow pinboard.in ?
Or both pinboard.in & the domain you run the bookmarklet from?
Guessing that is what is needed?
Barbaz: yes, this is what I meant, sorry if not clear.
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
pinboarder

Re: noscript xss issues with bookmarklets

Post by pinboarder »

therube wrote:What happens if you only Allow pinboard.in ?
Or both pinboard.in & the domain you run the bookmarklet from?
Guessing that is what is needed?
Pinboard.in is whitelisted already. I have tried whitelisting a page and testing a bookmarklet but it still does not work. It would not be a great solution though if it did, as the idea of pinboard is that it is an online bookmark service, so I could be bookmarking for any site on the internet.
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
therube
Ambassador
Posts: 7979
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: noscript xss issues with bookmarklets

Post by therube »

"No, just stop blocking scripts"
Is that the same as 'Allow Script Globally'?

What is "popup" supposed to do?
With scripts Allow Globally, popup bookmarklet pops up a window asking me to login.


(It may have been that after first "No, just stop blocking scripts", that at that point, the popup did not work ? not sure, but there was one point in time when it did not. Possible that either a new window or browser restart was required?)

until I either disable XSS protections or reset noscript to defaults.
If you Reset NoScript, then XSS is enabled, so I'm not quite following?


You've tested with a new, clean Profile?
Only change is to install NoScript, then set "No, just stop blocking scripts".
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 SeaMonkey/2.39
pinboarder

Re: noscript xss issues with bookmarklets

Post by pinboarder »

therube wrote:
"No, just stop blocking scripts"
Is that the same as 'Allow Script Globally'?
Yes as far as I can tell
therube wrote: What is "popup" supposed to do?
popup = opens a window, adds a bookmark of the current page to my pinboard.in account, closes window. No user action needed for this
popup with tags = opens a window as above but stays open until you add tags for the bookmark and save


With scripts Allow Globally, popup bookmarklet pops up a window asking me to login.
therube wrote: (It may have been that after first "No, just stop blocking scripts", that at that point, the popup did not work ? not sure, but there was one point in time when it did not. Possible that either a new window or browser restart was required?)
Yes, this does seem to be the case; sometimes it will even work a few times before breaking again.
therube wrote:
until I either disable XSS protections or reset noscript to defaults.
If you Reset NoScript, then XSS is enabled, so I'm not quite following?
The problem with the bookmarklet can be resolved by either

1. disabling XSS protection when "Allow Scripts Globally" is set
2. resetting noscript to defaults; which enables XSS protection and Blocks Scripts (I need to whitelist pinboard.in after reset)
therube wrote: You've tested with a new, clean Profile?
Only change is to install NoScript, then set "No, just stop blocking scripts".
Yes, I've tried this; always, once I allow scripts globally, it will shortly fail and stay broken until either XSS protection is turned off or script blocking is turned back on (with
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: noscript xss issues with bookmarklets

Post by barbaz »

XSS protection should log InjectionChecker and/or XSS messages.
Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
-
pinboarder

Re: noscript xss issues with bookmarklets

Post by pinboarder »

Error I get in console CSS

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'unsafe-eval' *").
Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
pinboarder

Re: noscript xss issues with bookmarklets

Post by pinboarder »

I should say that there are no other errors in the console. Just that.
Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
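
Added example (not part of the original thread, and not NoScript or Firefox code): a simplified model of CSP source-list matching, applied to the policy string quoted in the console message above. It shows that "script-src 'unsafe-eval' *" permits eval and scripts loaded from network URLs but, having no 'unsafe-inline', does not permit inline script; the sample requests and the example.com URL are constructed.

```javascript
// Added example: simplified model of CSP script matching; not NoScript or Firefox code.
// Models keywords, '*', scheme-sources and default-src fallback; no hosts, nonces or hashes.
const NETWORK_SCHEMES = new Set(["http:", "https:", "ftp:"]);

function scriptSources(policy) {
  const directives = new Map();
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources); // first one wins
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

function allowsScript(policy, request) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // nothing in the policy governs script
  switch (request.kind) {
    case "inline": // <script> blocks, event handlers, javascript: URLs
      return sources.includes("'unsafe-inline'");
    case "eval": // eval(), new Function(), string arguments to setTimeout
      return sources.includes("'unsafe-eval'");
    case "url": {
      const scheme = new URL(request.url).protocol;
      if (sources.includes(scheme)) return true; // explicit scheme-source, e.g. data:
      return sources.includes("*") && NETWORK_SCHEMES.has(scheme); // '*' excludes data:, blob:
    }
    default:
      throw new Error(`unknown request kind: ${request.kind}`);
  }
}

// Policy string exactly as quoted in the console message above.
const LOGGED_POLICY = "script-src 'unsafe-eval' *";

// Constructed sample requests (the URLs are placeholders, not taken from the thread).
const SAMPLES = [
  { kind: "inline" },
  { kind: "eval" },
  { kind: "url", url: "https://example.com/app.js" },
  { kind: "url", url: "data:text/javascript,void 0" },
];

function report(policy, samples) {
  return samples.map((r) =>
    `${r.kind}${r.url ? " " + r.url : ""}: ${allowsScript(policy, r) ? "allowed" : "blocked"}`);
}

console.log(report(LOGGED_POLICY, SAMPLES).join("\n"));
```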