(S) v10: needs to be reloaded to operate on website w/ PDF.

fenix

Post by fenix » Sun May 13, 2018 4:46 pm

Hello.

Firefox includes a built-in PDF viewer to display PDF files inside the browser window, and it is enabled by default. However, it seems that there is a problem with NoScript v10 operating properly on such websites. I've tried about 3 or 4 websites with PDF files, and when clicking on the NoScript icon to make some changes in permissions etc., this message appears:

In order to operate on this tab, NoScript needs to reload it. Proceed?

          [               OK              ]           [              Cancel              ]

Clicking on the [OK] button reloads the web page, but nothing changes as far as NoScript's normal functionality is concerned (the possibility to change permissions etc.). After clicking on the NoScript icon again, the same message mentioned above appears. After clicking on the [Cancel] button, nothing happens. When hovering the mouse cursor over the NoScript icon, but without clicking, this information is shown:

Blocked 0 of 0 items

Here are some example links to reproduce this issue (the "needs to reload" problem appears on each of these web sites):

https://spectreattack.com/spectre.pdf
https://www.usenix.org/system/files/con ... z-rola.pdf
https://pdfs.semanticscholar.org/5d9b/6 ... 305fc5.pdf

Is this a bug? Anyway, here is some technical information:

✓ NoScript: v10.1.8.1
✓ Firefox: v60.0 (32-bit)
✓ Platform: Linux

Thanks, best regards.

therube
Ambassador
Posts: 7234
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by therube » Sun May 13, 2018 5:00 pm

Not seeing any issue here.
Click the links & each pdf opens in a new tab - with no other interaction needed.

FF 60 x64
NoScript 10.1.8.2rc2
Oh, nevermind.

The pertinent part:
"clicking on a NoScript icon"
Confirmed.
Though I have no idea what is expected in that situation?

fenix

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by fenix » Sun May 13, 2018 7:12 pm

Hello therube.

You asked "what is expected in that situation?" Hmm, I think that there should be a possibility to change the trust levels etc. (By default, each domain is under the Default, right?) So, I think that on web sites which display PDF files inside the browser window, there should be a possibility, for example, to explicitly set Trusted, Temp-Trusted or Untrusted and so on. Just like with other web sites such as youtube.com, where the User can allow only three domains to work properly and display videos etc. (the rest of the domains can be set as Untrusted).

Thanks, best regards.

fenix aka ragner

barbaz
Senior Member
Posts: 8788
Joined: Sat Aug 03, 2013 5:45 pm

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by barbaz » Sun May 13, 2018 10:11 pm

Confirmed in Firefox 60, NoScript 10.1.8.2rc2, new profile.
https://noscript.net/abe/abe_rules.pdf is also affected.

With Firefox 59 I get the expected behavior.
*Always* check the changelogs BEFORE updating that important software!

fenix

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by fenix » Mon May 14, 2018 8:48 am

Hello barbaz.

Thanks for checking this issue. Anyway, .PDF is a common target for malware attacks, right? So I think there should be a possibility to set/change NoScript's presets on such web sites etc. We already saw a few CVEs that allow remote attackers to cause a DoS or possibly have other malicious impact via a crafted .PDF document (an attacker could plant a malicious .PDF on a website). I think NoScript should allow Users to make some changes on such websites: e.g. change the preset from Default to Custom etc.

Thanks.

skriptimaahinen
Senior Member
Posts: 127
Joined: Wed Jan 10, 2018 7:37 am

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by skriptimaahinen » Wed May 16, 2018 11:36 pm

Well, looks like FF 60 blocks content scripts from running in the PDF viewer. This is what breaks NS. Not sure if intended, but it might be due to a fix for a security vulnerability that allowed PDF files to run scripts in the viewer's context. (The very unhelpful and wrong popup message is an NS bug though.)

@fenix: Unfortunately none of the NS settings really affect PDF security. That's purely the PDF viewer's responsibility.

@Giorgio: Does showing the resource-URIs (e.g. resource://pdf.js) benefit the user in any way?

Giorgio Maone
Site Admin
Posts: 8650
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by Giorgio Maone » Thu May 17, 2018 5:45 am

skriptimaahinen wrote: @Giorgio: Does showing the resource-URIs (e.g. resource://pdf.js) benefit the user in any way?
I do not think so, but maybe I could instead try to intercept the PDF load attempt before it gets to the viewer and block it outright, tying this behavior to a special "PDF" permission...

skriptimaahinen
Senior Member
Posts: 127
Joined: Wed Jan 10, 2018 7:37 am

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by skriptimaahinen » Thu May 17, 2018 5:17 pm

In that case I think it might be best to allow resource (and chrome|moz-extension|about) URIs regardless of the policy, maybe, or am I missing some important case?

Not sure if NS should interfere with PDF handling, as FF itself offers a plethora of user-configurable ways to do it (pdf.js, external viewer, download).
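
The two ideas discussed in the posts above (a "PDF" permission enforced before the load reaches the viewer, and exempting resource/chrome/moz-extension/about URIs from policy) can be sketched with the WebExtensions `webRequest` API. This is an added example, not NoScript's code and not written by any poster; the policy map, the `"pdf"` capability name and the function names are assumptions.

```javascript
// Added illustration only; not NoScript source code.
// Schemes named in the thread that would be exempt from per-site policy.
const INTERNAL_SCHEMES = new Set(["resource:", "chrome:", "moz-extension:", "about:"]);

function isInternalUrl(url) {
  try {
    return INTERNAL_SCHEMES.has(new URL(url).protocol);
  } catch (e) {
    return false; // unparsable URL: treat it as ordinary web content
  }
}

// True when the response headers declare a PDF document.
// Only the declared Content-Type is checked; content sniffing is out of scope.
function isPdfResponse(responseHeaders = []) {
  const ct = responseHeaders.find(h => h.name.toLowerCase() === "content-type");
  if (!ct || !ct.value) return false;
  return ct.value.split(";")[0].trim().toLowerCase() === "application/pdf";
}

// policy: Map of origin -> Set of granted capabilities (hypothetical shape).
// Returns a webRequest BlockingResponse: {} lets the load continue.
function decide(details, policy) {
  if (isInternalUrl(details.url)) return {}; // never touch browser-internal URIs
  if (details.type !== "main_frame" && details.type !== "sub_frame") return {};
  if (!isPdfResponse(details.responseHeaders)) return {};
  const granted = policy.get(new URL(details.url).origin) || new Set();
  return granted.has("pdf") ? {} : { cancel: true }; // stop it before the viewer
}

// Constructed sample policy: one origin that has been granted "pdf".
const samplePolicy = new Map([
  ["https://trusted.example", new Set(["script", "pdf"])],
]);

// Registration only happens inside an extension that holds the
// "webRequest" and "webRequestBlocking" permissions.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    details => decide(details, samplePolicy),
    { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"]
  );
}
```
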

therube
Ambassador
Posts: 7234
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by therube » Thu May 17, 2018 6:20 pm

Can you still do 'external viewer', as in like via a Plugin in FF (Quantum)?
I thought all that was allowed was Flash.
(FF 52 should be able to do external viewer, via Plugin.)

skriptimaahinen
Senior Member
Posts: 127
Joined: Wed Jan 10, 2018 7:37 am

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by skriptimaahinen » Thu May 17, 2018 9:01 pm

I doubt the plugins work anymore except in 52, though the last time I used the Adobe plugin was something like 15 years ago. :) And even if the plugins did work, NS could block them with the "object" option.

However, FF does offer the option to open the PDF in an external program.

fenix

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by fenix » Thu May 24, 2018 10:57 am

Hello.

So, as skriptimaahinen has just written in his comment, "Not sure if NS should interfere with PDF handling (...)", maybe there should be different information instead of "In order to operate on this tab, NoScript needs to reload it. Proceed?" Something like:

1/ Permissions for websites with .PDF files cannot be changed, because of...
2/ Permissions for websites with .PDF files cannot be changed due to...

And then name the reason for such a decision at the end (after "because of/due to")? There can be an [OK] button only. But that's just a naive and stupid idea... Sorry.

Thanks.

fenix

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by fenix » Wed Jul 18, 2018 4:13 pm

Hello.

It seems that version v10.1.8.8 fixed the issue with reloading NoScript on websites with .PDF files etc. I've checked one site, and after clicking on the main icon, the message mentioned in my first post did not appear; instead, all the presets available in NoScript were shown. The mentioned site was set to the "DEFAULT" preset (the domain was: …semanticscholar.org) etc. So, it seems everything is okay. However, I didn't do any tests like, for example, changing presets or adding some options ('script', 'frame' and so on).

One more thing to note. When I moved the mouse cursor over the NoScript icon, but without clicking, a small window appeared with the following information (the same thing happened in my first post):

NoScript 10.1.8.8
Blocked 0 of 0 items

Here is the tested website: https://pdfs.semanticscholar.org/5d9b/6 ... 305fc5.pdf If someone has some free time, please do more tests.

Thanks.

paulmcg
Posts: 2
Joined: Thu Jul 19, 2018 4:43 pm

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by paulmcg » Thu Jul 19, 2018 5:14 pm

I am having problems downloading .pdf and .tgz archives on some of our company Web sites, even though I whitelisted our sites.

The PDF download problem occurs in NoScript 10.1.8.9rc1 with Firefox 61.0.1. It seems to occur when a Web page opens a window with JavaScript for the PDF URL instead of just giving you the URL.

I uploaded a .zip file with the HTML, JavaScript and CSS files from when the problem occurs plus a screen shot of the Firefox error.
https://drive.google.com/file/d/1cUv_PC ... sp=sharing

Giorgio Maone
Site Admin
Posts: 8650
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by Giorgio Maone » Thu Jul 19, 2018 5:52 pm

paulmcg wrote: I am having problems downloading .pdf and .tgz archives on some of our company Web sites, even though I whitelisted our sites.
Could you also check with Firefox's developer console (ctrl+K), Network tab, exactly which HTTP headers the server is sending (or give me a public server where this problem can be reproduced)?
Might Firefox's popup blocker be interfering (i.e., does the link work if you disable NoScript)?

paulmcg
Posts: 2
Joined: Thu Jul 19, 2018 4:43 pm

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by paulmcg » Fri Jul 20, 2018 3:49 pm

Giorgio Maone wrote: Could you also check with Firefox's developer console
I had to upload the Firefox console log, since this site's spam filter wouldn't let me upload here.
https://drive.google.com/open?id=1QiTKY ... ectNupKlkD

The problem doesn't happen if I disable NoScript. The pages that cause the problem are not publicly accessible on one of our servers (myife.panasonic.aero).
