possible bug?

gazzawazza
Posts: 7
Joined: Thu Apr 28, 2016 7:25 pm

Post by gazzawazza »

hi all

I have searched for how to report possible NoScript conflicts with websites but couldn't find anything in FAQ, etc, so sorry if I've gone about this the wrong way.

NoScript 29.0.11 appears to affect the functionality of this webpage:

http://www.omiod.com/games/fastkat.php

I'm using Firefox 46.0 (public release) on Win 7 64-bit Home Premium.

What's interesting is that "allow scripts globally (dangerous)" option doesn't fix problem but disabling NoScript entirely does. I've tested this by disabling all add-ons except NoScript, then disabling it (as well as just disabling NoScript while leaving all add-ons active).

I've tested with dev build 2.9.0.11rc1 as well (although I'd have thought this version precedes the current public release of 29.0.11).

I did try to do some further troubleshooting and explored elsewhere on the domain. I tested the rest of the dev's browser games (http://www.omiod.com/games/) and may have found a common denominator. The only two which don't work both require something called "canvas". One also requires something called "leapmotion". I allowed "leapmotion" to run via NoScript but this still didn't help getting the non-functioning games to work.

EDIT: I've checked and found that leapmotion is hardware dependent, so please ignore that. I've checked and the original http://www.omiod.com/games/fastkat.php works 100% when I disable NoScript.

Finally, I must stress I'm not fussed about getting the games working for their own sake. I'm reporting the problem in case it affects other sites.


Thanks,

Gary
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: possible bug?

Post by therube »

[NoScript] Blocking cross-site Javascript served from http://uvl.googlecode.com/files/Three.js with wrong type info text/plain, attachment; filename="Three.js" and included by http://www.omiod.com/games/fastkat.php
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 SeaMonkey/2.40
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: possible bug?

Post by barbaz »

For starters, they're including script from googlecode, which has been shut down. Contact the webmaster(s), point them to this thread, and ask them to self-host the script(s) they're currently attempting to include from googlecode. For more information on the subject, see e.g. viewtopic.php?f=7&t=21586

Let us know if that doesn't fix it.

EDIT oops, posting at the same time as therube.
Including script directly from googlecode *is* the problem, and the fix would need to happen on the site's end.
*Always* check the changelogs BEFORE updating that important software!
-
gazzawazza
Posts: 7
Joined: Thu Apr 28, 2016 7:25 pm

Re: possible bug?

Post by gazzawazza »

thank you @barbaz and @therube for the quick reply and explanation.

I might drop the omiod dev a line. Not convinced I'll get a response but it's useful to know that it's intended behaviour of NoScript.

Just something I'm not clear about (so please excuse me for asking and thanks for humouring my ignorance):

The game code in question appears to be looking for "three.js" located on googlecode.com. The author then presumably calls functions from this library. NS is blocking the retrieval of this library or the reading/running of code from this library because it's bad practice. I've gone through the game code and found other remote .js modules (not hosted at googlecode though), which are referenced before the "three.js" line but NS didn't presumably have a problem with them. Is it basically that certain domains are permanently blacklisted?

What's different about googlecode, as compared to say github or jquery? I've done some digging and according to the NS changelog it looks like googlecode is specifically targeted.



Thanks,

Gary
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: possible bug?

Post by barbaz »

Script included directly from Github repos should be blocked same as from googlecode, for the same reasoning. Do you have an example where this isn't the case?

jquery is different because that's a proper CDN, the files there are intended to be directly included as scripts.
-
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: possible bug?

Post by barbaz »

To put it more generically, NoScript's inclusion type checking feature enforces the intentions of the hosting website so that files aren't misused/abused. It doesn't care about the site.
-
gazzawazza
Posts: 7
Joined: Thu Apr 28, 2016 7:25 pm

Re: possible bug?

Post by gazzawazza »

Thanks again for the reply.
barbaz wrote: Script included directly from Github repos should be blocked same as from googlecode, for the same reasoning. Do you have an example where this isn't the case?
No mate. Was just wondering.
barbaz wrote: jquery is different because that's a proper CDN, the files there are intended to be directly included as scripts.
Ah OK. Is the end-problem that anyone can deposit code in places like github, which makes them unsafe and therefore blocked by NS (even though the code is open-source)? Or is it literally to do with the way files are stored/managed? I've done some quick research and some sites claim to 'serve' material from github but through a CDN mechanism with proper content headers.

In all honesty, although I've got an IT background (desktop support), I might as well know nothing about webcode, which is why I'm asking these questions. I'm always trying to learn ;)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: possible bug?

Post by barbaz »

gazzawazza wrote: Is the end-problem that anyone can deposit code in places like github, which makes them unsafe and therefore blocked by NS (even though the code is open-source)? Or is it literally to do with the way files are stored/managed?
Sort of both actually. You could say Github has good safe practice storing/managing the files on their end in sending code files with MIME type text/plain, since theoretically anyone can deposit pretty much any code to a repository (and most likely unstable code at that).
-
gazzawazza
Posts: 7
Joined: Thu Apr 28, 2016 7:25 pm

Re: possible bug?

Post by gazzawazza »

barbaz wrote:
gazzawazza wrote: Is the end-problem that anyone can deposit code in places like github, which makes them unsafe and therefore blocked by NS (even though the code is open-source)? Or is it literally to do with the way files are stored/managed?
Sort of both actually. You could say Github has good safe practice storing/managing the files on their end in sending code files with MIME type text/plain, since theoretically anyone can deposit pretty much any code to a repository (and most likely unstable code at that).
thanks @barbaz

I had written lots more questions but some research has I think cleared things up.

Basically, github (and others like them) are simply repositories for code. They exist to facilitate the development of code. Content headers are set to plain, which will potentially cause problems when browsers read the header. This is done deliberately because they exist to store code, not to distribute and cache for webpage loading/bandwidth efficiencies. Also, since repository code is potentially alpha, preventing its use potentially stops sites breaking from calling that code.

So NS is enforcing best practice and appropriate use of repositories. A side benefit is blocking code which may not be stable.

So, any script with content header set to plain/text will be blocked by NS?

Are CDNs (e.g. rawgit) treated in the same way as any other domain by NS?


Cheers,

Gary
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: possible bug?

Post by barbaz »

@gazzawazza Remember to log in before posting so that you don't have to repeatedly solve the CAPTCHA. (I've fixed it for you this time)
gazzawazza wrote: So, any script with content header set to plain/text will be blocked by NS?
Yes. More generally, any script included as Javascript that doesn't have a MIME type of Javascript (for example, application/javascript or text/javascript or text/javascript;version=1.8) will be blocked.
gazzawazza wrote: Are CDNs (e.g. rawgit) treated in the same way as any other domain by NS?
Inclusion type checking doesn't care about the site, it only checks the content type header.
-
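The rule described in the reply above, as an added JavaScript sketch that is not NoScript's own code and not part of any post. It assumes, following the "cross-site" wording of the log line earlier in the thread, that the check applies to includes from another host; the function names, the host comparison and every sample entry except the googlecode one are constructed for illustration.

```javascript
// Added illustration of the rule discussed in this thread; not NoScript's code.
// MIME essences accepted as JavaScript. The first two are the ones named in
// the thread; the others are further script types assumed for this sketch.
const JS_TYPES = new Set([
  "application/javascript", "text/javascript",
  "application/x-javascript", "application/ecmascript", "text/ecmascript",
]);

// Lowercase MIME essence of a Content-Type value, without parameters such as
// ";version=1.8" or ";charset=utf-8". A missing header yields "".
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Assumption: "cross-site" is approximated by comparing hosts.
function isCrossSite(pageUrl, scriptUrl) {
  return new URL(scriptUrl, pageUrl).host !== new URL(pageUrl).host;
}

// Decide whether one <script src> include would be refused.
function checkScriptInclusion(pageUrl, scriptUrl, contentType) {
  const essence = mimeEssence(contentType);
  const crossSite = isCrossSite(pageUrl, scriptUrl);
  return {
    script: new URL(scriptUrl, pageUrl).href,
    essence,
    blocked: crossSite && !JS_TYPES.has(essence),
  };
}

// Return the URLs of all includes on a page that would be refused.
function auditPage(pageUrl, includes) {
  return includes
    .map(([src, type]) => checkScriptInclusion(pageUrl, src, type))
    .filter((r) => r.blocked)
    .map((r) => r.script);
}

// Constructed sample: only the first entry (URL and text/plain type) is taken
// from the log line in the thread; the others are made up for contrast.
const PAGE = "http://www.omiod.com/games/fastkat.php";
const SAMPLE_INCLUDES = [
  ["http://uvl.googlecode.com/files/Three.js", "text/plain"],
  ["https://cdn.example/lib.min.js", "application/javascript; charset=utf-8"],
  ["https://cdn.example/old.js", "text/javascript;version=1.8"],
  ["js/game.js", "text/plain"],                 // same host: not cross-site
  ["https://repo.example/raw/x.js", undefined], // no Content-Type header
];
console.log(auditPage(PAGE, SAMPLE_INCLUDES));
```

A site owner can use the same logic to list which third-party includes need to be self-hosted or moved to a host that serves them with a JavaScript content type.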
gazzawazza
Posts: 7
Joined: Thu Apr 28, 2016 7:25 pm

Re: possible bug?

Post by gazzawazza »

barbaz wrote: @gazzawazza Remember to log in before posting so that you don't have to repeatedly solve the CAPTCHA. (I've fixed it for you this time)
gazzawazza wrote: So, any script with content header set to plain/text will be blocked by NS?
Yes. More generally, any script included as Javascript that doesn't have a MIME type of Javascript (for example, application/javascript or text/javascript or text/javascript;version=1.8) will be blocked.
gazzawazza wrote: Are CDNs (e.g. rawgit) treated in the same way as any other domain by NS?
Inclusion type checking doesn't care about the site, it only checks the content type header.
Thanks very much for all of this.

Sorry about not logging in - I was actually trying to preview and hadn't seen that I needed to do the CAPTCHA. I did wonder why the CAPTCHA was appearing!


Cheers,

Gaz
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: possible bug?

Post by barbaz »

You're welcome
-
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: possible bug?

Post by Thrawn »

By the way, it's possible to tell NoScript to ignore this misbehavior, but since it's Google Code, that might not help much...
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
gazzawazza
Posts: 7
Joined: Thu Apr 28, 2016 7:25 pm

Re: possible bug?

Post by gazzawazza »

Thrawn wrote: By the way, it's possible to tell NoScript to ignore this misbehavior, but since it's Google Code, that might not help much...
Hi @thrawn

could you explain your post?

How do you get NS to ignore this misbehaviour?

Also, why does it not help much, since it's Google code?



Thanks,

Gary
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: possible bug?

Post by Thrawn »

Google Code is going away, there's still an archive but that's all.

In other cases, if you're really sure that a code repository isn't going to be misused, then there's a setting in about:config that can specify websites to ignore.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0