(S) v10: needs to be reloaded to operate on website w/ PDF.


Postby fenix » Sun May 13, 2018 4:46 pm

Hello.

Firefox includes a built-in PDF viewer to display PDF files inside the browser window, and it is enabled by default. However, it seems that there is a problem with NoScript v10 operating properly on such websites. I've tried about 3 or 4 websites with PDF files, and when clicking on the NoScript icon to make some changes in permissions etc., there is this message:

In order to operate on this tab, NoScript needs to reload it. Proceed?

          [               OK              ]           [              Cancel              ]

Clicking on the [OK] button reloads the web page, but nothing changes as far as NoScript's normal functionality is concerned (the possibility to change permissions etc.). After clicking on the NoScript icon again, the same message mentioned above appears. After clicking on the [Cancel] button, nothing happens. After hovering the mouse cursor over the NoScript icon, but without clicking, there is this information:

Blocked 0 of 0 items

Here are some example links to reproduce this issue (the "needs to reload" problem appears on each of these websites):

https://spectreattack.com/spectre.pdf
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-sanchez-rola.pdf
https://pdfs.semanticscholar.org/5d9b/6da578552b50b572d365cd2a837cc1305fc5.pdf

Is this a bug? Anyway, here is some technical information:

✓ NoScript: v10.1.8.1
✓ Firefox: v60.0 (32-bit)
✓ Platform: Linux

Thanks, best regards.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
fenix
 

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby therube » Sun May 13, 2018 5:00 pm

Not seeing any issue here.
Click the links & each pdf opens in a new tab - with no other interaction needed.

FF 60 x64
NoScript 10.1.8.2rc2

Oh, nevermind.

The pertinent part:
clicking on a NoScript icon

Confirmed.
Though I have no idea what is expected in that situation?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 Lightning/5.4
therube
Ambassador
 
Posts: 6913
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby fenix » Sun May 13, 2018 7:12 pm

Hello therube.

You asked "what is expected in that situation?" Hmm, I think that there should be a possibility to change the trust levels etc. (By default, each domain is under the Default, right?) So, I think that on websites which display PDF files inside the browser window, there should be a possibility, for example, to explicitly set Trusted, Temp-Trusted or Untrusted and so on. Just like with other websites such as youtube.com, where the user can allow only three domains to work properly and display videos etc. (the rest of the domains can be set as Untrusted).

Thanks, best regards.

fenix aka ragner
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
fenix
 

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby barbaz » Sun May 13, 2018 10:11 pm

Confirmed in Firefox 60, NoScript 10.1.8.2rc2, new profile.
https://noscript.net/abe/abe_rules.pdf is also affected.

With Firefox 59 I get the expected behavior.
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 8393
Joined: Sat Aug 03, 2013 5:45 pm

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby fenix » Mon May 14, 2018 8:48 am

Hello barbaz.

Thanks for checking this issue. Anyway, .PDF is a common target for malware attacks, right? So I think there should be a possibility to set/change NoScript's presets on such websites etc. We already saw a few CVEs that allow remote attackers to cause a DoS or possibly have other malicious impact via a crafted .PDF document (an attacker could plant a malicious .PDF on a website). I think NoScript should allow users to make some changes on such websites: e.g. change the preset from Default to Custom etc.

Thanks.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
fenix
 

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby skriptimaahinen » Wed May 16, 2018 11:36 pm

Well, looks like FF 60 blocks content scripts from running in the PDF viewer. This is what breaks NS. Not sure if intended, but it might be due to a fix for a security vulnerability that allowed PDF files to run scripts in the viewer's context. (The very unhelpful and wrong popup message is an NS bug, though.)

@fenix: Unfortunately none of the NS settings really affect PDF security. That's purely the PDF viewer's responsibility.

@Giorgio: Does showing the resource URIs (e.g. resource://pdf.js) benefit the user in any way?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
skriptimaahinen
Junior Member
 
Posts: 41
Joined: Wed Jan 10, 2018 7:37 am

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby Giorgio Maone » Thu May 17, 2018 5:45 am

skriptimaahinen wrote: @Giorgio: Does showing the resource URIs (e.g. resource://pdf.js) benefit the user in any way?

I do not think so, but maybe I could instead try to intercept the PDF load attempt before it gets to the viewer and block it outright, tying this behavior to a special "PDF" permission...
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Giorgio Maone
Site Admin
 
Posts: 8417
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby skriptimaahinen » Thu May 17, 2018 5:17 pm

In that case I think it might be best to allow resource (and chrome|moz-extension|about) URIs regardless of the policy, maybe, or am I missing some important case?

Not sure if NS should interfere with PDF handling, as FF itself offers a plethora of user-configurable ways to do it (pdf.js, external viewer, download).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
skriptimaahinen
Junior Member
 
Posts: 41
Joined: Wed Jan 10, 2018 7:37 am
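
The two ideas in the posts above (intercepting a PDF response before the built-in viewer gets it, and always letting resource/chrome/moz-extension/about URIs through) can be sketched with the WebExtension `webRequest.onHeadersReceived` API. This is an added example, not NoScript's code or anything posted in this thread; the per-site "PDF" permission store `pdfAllowed` and the function names are hypothetical, and the sample origin in it is constructed.

```javascript
// Added illustration; not NoScript source code.
// Hypothetical per-site store: origins that were granted a "PDF" permission.
const pdfAllowed = new Set(["https://noscript.net"]); // constructed sample entry

// Browser-internal schemes that are let through regardless of policy.
const INTERNAL = /^(resource|chrome|moz-extension|about):/i;

// Media type from a webRequest responseHeaders array, lower-cased and
// stripped of parameters such as "; charset=...". Empty string if absent.
function contentType(headers) {
  const h = (headers || []).find(x => x.name.toLowerCase() === "content-type");
  return h && h.value ? h.value.split(";")[0].trim().toLowerCase() : "";
}

// Decide what happens to a response before the PDF viewer is handed the data.
// Returns a BlockingResponse: {} lets it through, { cancel: true } blocks it.
function decide(details, allowed = pdfAllowed) {
  if (INTERNAL.test(details.url)) return {};
  if (!["main_frame", "sub_frame", "object"].includes(details.type)) return {};
  if (contentType(details.responseHeaders) !== "application/pdf") return {};
  let origin;
  try {
    origin = new URL(details.url).origin;
  } catch (e) {
    return { cancel: true }; // unparsable URL: fail closed
  }
  return allowed.has(origin) ? {} : { cancel: true };
}

// Register only when running inside an extension. Requires the "webRequest"
// and "webRequestBlocking" permissions plus host permissions in manifest.json.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    decide,
    { urls: ["<all_urls>"], types: ["main_frame", "sub_frame", "object"] },
    ["blocking", "responseHeaders"]
  );
}
```

Because the decision is made from the network response, it does not rely on a content script running inside the viewer page.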

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby therube » Thu May 17, 2018 6:20 pm

Can you still do 'external viewer', as in like via a Plugin in FF (Quantum)?
I thought all that was allowed was Flash.
(FF 52 should be able to do external viewer, via Plugin.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.3
therube
Ambassador
 
Posts: 6913
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby skriptimaahinen » Thu May 17, 2018 9:01 pm

I doubt the plugins work anymore except in 52, though the last time I used the Adobe plugin was something like 15 years ago. :) And even if the plugins did work, NS could block them with the "object" option.

However, FF does offer an option to open the PDF in an external program.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
skriptimaahinen
Junior Member
 
Posts: 41
Joined: Wed Jan 10, 2018 7:37 am

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby fenix » Thu May 24, 2018 10:57 am

Hello.

So, as skriptimaahinen has just written in his comment: "Not sure if NS should interfere with PDF handling (...)", maybe there should be different information instead of "In order to operate on this tab, NoScript needs to reload it. Proceed?" Something like:

1/ Permissions for websites with .PDF files cannot be changed, because of...
2/ Permissions for websites with .PDF files cannot be changed due to...

And then name the reason for such a decision at the end (after "because of/due to")? There can be an [OK] button only. But that's just a naive and stupid idea... Sorry.

Thanks.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
fenix
 

