possible bug?
-
- Posts: 7
- Joined: Thu Apr 28, 2016 7:25 pm
possible bug?
hi all
I have searched for how to report possible NoScript conflicts with websites but couldn't find anything in FAQ, etc, so sorry if I've gone about this the wrong way.
NoScript 29.0.11 appears to affect the functionality of this webpage:
http://www.omiod.com/games/fastkat.php
I'm using firefox 46.0 (public release) on win 7 64bit home premium.
What's interesting is that "allow scripts globally (dangerous)" option doesn't fix problem but disabling NoScript entirely does. I've tested this by disabling all add-ons except NoScript, then disabling it (as well as just disabling NoScript while leaving all add-ons active).
I've tested with dev build 2.9.0.11rc1 as well (although I'd have thought this version proceeds the current public release of 29.0.11).
I did try to do some further troubleshooting and explored elsewhere on the domain. I tested the rest of the dev's browser games (http://www.omiod.com/games/) and may have found a common denominator. The only two which don't work both require something called "canvas". One also requires something called "leapmotion". I allowed "leapmotion" to run via NoScript but this still didn't help getting the non-functioning games to work.
EDIT: I've checked and found that leapmotion is hardware dependent, so please ignore that. I've checked and the original http://www.omiod.com/games/fastkat.php works 100% when I disable NoScript.
Finally, I must stress I'm not fussed about getting the games working for their own sake. I'm reporting the problem in case it affects other sites.
Thanks,
Gary
I have searched for how to report possible NoScript conflicts with websites but couldn't find anything in FAQ, etc, so sorry if I've gone about this the wrong way.
NoScript 29.0.11 appears to affect the functionality of this webpage:
http://www.omiod.com/games/fastkat.php
I'm using firefox 46.0 (public release) on win 7 64bit home premium.
What's interesting is that "allow scripts globally (dangerous)" option doesn't fix problem but disabling NoScript entirely does. I've tested this by disabling all add-ons except NoScript, then disabling it (as well as just disabling NoScript while leaving all add-ons active).
I've tested with dev build 2.9.0.11rc1 as well (although I'd have thought this version proceeds the current public release of 29.0.11).
I did try to do some further troubleshooting and explored elsewhere on the domain. I tested the rest of the dev's browser games (http://www.omiod.com/games/) and may have found a common denominator. The only two which don't work both require something called "canvas". One also requires something called "leapmotion". I allowed "leapmotion" to run via NoScript but this still didn't help getting the non-functioning games to work.
EDIT: I've checked and found that leapmotion is hardware dependent, so please ignore that. I've checked and the original http://www.omiod.com/games/fastkat.php works 100% when I disable NoScript.
Finally, I must stress I'm not fussed about getting the games working for their own sake. I'm reporting the problem in case it affects other sites.
Thanks,
Gary
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Re: possible bug?
Code: Select all
[NoScript] Blocking cross-site Javascript served from http://uvl.googlecode.com/files/Three.js with wrong type info text/plain, attachment; filename="Three.js" and included by http://www.omiod.com/games/fastkat.php
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 SeaMonkey/2.40
Re: possible bug?
For starters, they're including script from googlecode, which has been shut down. Contact the webmaster(s), point them to this thread, and ask them to self-host the script(s) they're currently attempting to including from googlecode. For more information on the subject, see e.g. viewtopic.php?f=7&t=21586
Let us know if that doesn't fix it.
EDIT oops, posting at the same time as therube.
The including script directly from googlecode *is* the problem, and the fix would need to happen on the site's end.
Let us know if that doesn't fix it.
EDIT oops, posting at the same time as therube.
The including script directly from googlecode *is* the problem, and the fix would need to happen on the site's end.
*Always* check the changelogs BEFORE updating that important software!
-
-
- Posts: 7
- Joined: Thu Apr 28, 2016 7:25 pm
Re: possible bug?
thank you @barbaz and @therube for the quick reply and explanation.
I might drop the omiod dev a line. Not convinced I'll get a response but it's useful to know that it's intended behaviour of NoScript.
Just something I'm not clear about (so please excuse me for asking and thanks for humouring my ignorance):
The game code in question appears to be be looking for "three.js" located on googlecode.com. The author then presumably calls functions from this library. NS is blocking the retrieval of this library or the reading/running of code from this library because it's bad practice. I've gone through the game code and found other remote .js modules (not hosted at googlecode though), which are referenced before the "three.js" line but NS didn't presumably have a problem with them. Is it basically that certain domains are permanently blacklisted?
What's different about googlecode, as compared to say github or jquery? I've done some digging and according to the NS changelog it looks like googlecode is specifically targeted.
Thanks,
Gary
I might drop the omiod dev a line. Not convinced I'll get a response but it's useful to know that it's intended behaviour of NoScript.
Just something I'm not clear about (so please excuse me for asking and thanks for humouring my ignorance):
The game code in question appears to be be looking for "three.js" located on googlecode.com. The author then presumably calls functions from this library. NS is blocking the retrieval of this library or the reading/running of code from this library because it's bad practice. I've gone through the game code and found other remote .js modules (not hosted at googlecode though), which are referenced before the "three.js" line but NS didn't presumably have a problem with them. Is it basically that certain domains are permanently blacklisted?
What's different about googlecode, as compared to say github or jquery? I've done some digging and according to the NS changelog it looks like googlecode is specifically targeted.
Thanks,
Gary
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Re: possible bug?
Script included directly from Github repos should be blocked same as from googlecode, for the same reasoning. Do you have an example where this isn't the case?
jquery is different because that's a proper CDN, the files there are intended to be directly included as scripts.
jquery is different because that's a proper CDN, the files there are intended to be directly included as scripts.
*Always* check the changelogs BEFORE updating that important software!
-
Re: possible bug?
To put it more generically, NoScript's inclusion type checking feature enforces the intentions of the hosting website so that files don't be misused/abused. It doesn't care the site.
*Always* check the changelogs BEFORE updating that important software!
-
-
- Posts: 7
- Joined: Thu Apr 28, 2016 7:25 pm
Re: possible bug?
Thanks again for the reply.
In all honestly, although I've got an IT background (desktop support), I might as well know nothing about webcode, which is why I'm asking these questions. I'm always trying to learn
No mate. Was just wondering.barbaz wrote:Script included directly from Github repos should be blocked same as from googlecode, for the same reasoning. Do you have an example where this isn't the case?
Ah OK. Is the end-problem that anyone can deposit code in places like github, which makes them unsafe and therefore blocked by NS (even though the code is open-source)? Or is it literally to do with the way files are stored/managed? I've done some quick research and some sites claim to 'serve' material from github but through a CDN mechanism with proper content headers.barbaz wrote:jquery is different because that's a proper CDN, the files there are intended to be directly included as scripts.
In all honestly, although I've got an IT background (desktop support), I might as well know nothing about webcode, which is why I'm asking these questions. I'm always trying to learn
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Re: possible bug?
Sort of both actually. You could say Github has good safe practice storing/managing the files on their end in sending code files with MIME type text/plain, since theoretically anyone can deposit pretty much any code to repository (and most likely unstable code at that).gazzawazza wrote:Is the end-problem that anyone can deposit code in places like github, which makes them unsafe and therefore blocked by NS (even though the code is open-source)? Or is it literally to do with the way files are stored/managed?
*Always* check the changelogs BEFORE updating that important software!
-
-
- Posts: 7
- Joined: Thu Apr 28, 2016 7:25 pm
Re: possible bug?
thanks @barbazbarbaz wrote:Sort of both actually. You could say Github has good safe practice storing/managing the files on their end in sending code files with MIME type text/plain, since theoretically anyone can deposit pretty much any code to repository (and most likely unstable code at that).gazzawazza wrote:Is the end-problem that anyone can deposit code in places like github, which makes them unsafe and therefore blocked by NS (even though the code is open-source)? Or is it literally to do with the way files are stored/managed?
I had written lots more questions but some research has I think cleared things up.
Basically, github (and others like them) are simply repositories for code. They exist to facilitate the development of code. Content headers are set to plain, which will potentially cause problems when browsers read the header. This is done so deliberately because they exist to store code, not to distribute and cache for webpage loading/bandwidth efficiencies. Also, since repository code is potentially alpha, preventing its use potentially stops sites breaking from calling that code.
So NS is enforcing best practice and appropriate use of repositories. A side benefit is blocking code which may not be stable.
So, any script with content header set to plain/text will be blocked by NS?
Are CDNs (e.g. rawgit) treated in the same way as any other domain by NS?
Cheers,
Gary
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Re: possible bug?
@gazzawazza Remember to log in before posting so that you don't have to repeatedly solve the CAPTCHA. (I've fixed it for you this time)
Yes. More generally, any script included as Javascript that doesn't have a MIME type of Javascript (for example, application/javascript or text/javascript or text/javascript;version=1.8) will be blocked.gazzawazza wrote:So, any script with content header set to plain/text will be blocked by NS?
Inclusion type checking doesn't care the site, it only checks the content type header.gazzawazza wrote:Are CDNs (e.g. rawgit) treated in the same way as any other domain by NS?
*Always* check the changelogs BEFORE updating that important software!
-
-
- Posts: 7
- Joined: Thu Apr 28, 2016 7:25 pm
Re: possible bug?
Thanks very much for all of this.barbaz wrote:@gazzawazza Remember to log in before posting so that you don't have to repeatedly solve the CAPTCHA. (I've fixed it for you this time)
Yes. More generally, any script included as Javascript that doesn't have a MIME type of Javascript (for example, application/javascript or text/javascript or text/javascript;version=1.8) will be blocked.gazzawazza wrote:So, any script with content header set to plain/text will be blocked by NS?
Inclusion type checking doesn't care the site, it only checks the content type header.gazzawazza wrote:Are CDNs (e.g. rawgit) treated in the same way as any other domain by NS?
Sorry about not logging in - I was actually trying to preview and hadn't seen that I needed to do the CAPTCHA. I did wonder why the CAPTCHA was appearing!
Cheers,
Gaz
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Re: possible bug?
You're welcome
*Always* check the changelogs BEFORE updating that important software!
-
Re: possible bug?
By the way, it's possible to tell NoScript to ignore this misbehavior, but since it's Google Code, that might not help much...
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
-
- Posts: 7
- Joined: Thu Apr 28, 2016 7:25 pm
Re: possible bug?
Hi @thrawnThrawn wrote:By the way, it's possible to tell NoScript to ignore this misbehavior, but since it's Google Code, that might not help much...
could you explain your post?
How do you get NS to ignore this misbehaviour?
Also, why does it not help much, since it's Google code?
Thanks,
Gary
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Re: possible bug?
Google Code is going away, there's still an archive but that's all.
In other cases, if you're really sure that a code repository isn't going to be misused, then there's a setting in about:config that can specifies websites to ignore.
In other cases, if you're really sure that a code repository isn't going to be misused, then there's a setting in about:config that can specifies websites to ignore.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0