(S) v10: needs to be reloaded to operate on website w/ PDF.

Postby fenix » Sun May 13, 2018 4:46 pm

Hello.

Firefox includes a built-in PDF viewer to display PDF files inside the browser window, and it is enabled by default. However, it seems that there is a problem with NoScript v10 operating properly on such websites. I've tried about 3 or 4 websites with PDF files, and when clicking on the NoScript icon to make some changes in permissions etc., this message appears:

In order to operate on this tab, NoScript needs to reload it. Proceed?

          [               OK              ]           [              Cancel              ]

Clicking on the [OK] button reloads the web page, but nothing changes as far as NoScript's normal functionality is concerned - the possibility to change permissions etc. After clicking on the NoScript icon again, the same message mentioned above appears. After clicking on the [Cancel] button, nothing happens. After hovering the mouse cursor over the NoScript icon, without clicking, this information is shown:

Blocked 0 of 0 items

Here are some example links to reproduce this issue (the "needs to reload" problem appears on each of these web sites):

https://spectreattack.com/spectre.pdf
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-sanchez-rola.pdf
https://pdfs.semanticscholar.org/5d9b/6da578552b50b572d365cd2a837cc1305fc5.pdf

Is this a bug? Anyway, here is some technical information:

✓ NoScript: v10.1.8.1
✓ Firefox: v60.0 (32-bit)
✓ Platform: Linux

Thanks, best regards.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
fenix
 

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby therube » Sun May 13, 2018 5:00 pm

Not seeing any issue here.
Click the links & each pdf opens in a new tab - with no other interaction needed.

FF 60 x64
NoScript 10.1.8.2rc2

Oh, never mind.

The pertinent part:
clicking on a NoScript icon

Confirmed.
Though I have no idea what is expected in that situation?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 Lightning/5.4
therube
Ambassador
 
Posts: 7039
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby fenix » Sun May 13, 2018 7:12 pm

Hello therube.

You asked "what is expected in that situation?" Hmm, I think that there should be a possibility to change the trust levels etc. (By default, each domain is under the Default, right?) So, I think that on web sites which display PDF files inside the browser window, there should be a possibility, for example, to explicitly set Trusted, Temp-Trusted or Untrusted and so on. Just like with other web sites such as youtube.com, where the User can allow only three domains to work properly and display videos etc. (the rest of the domains can be set as Untrusted).

Thanks, best regards.

fenix aka ragner
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
fenix
 

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby barbaz » Sun May 13, 2018 10:11 pm

Confirmed in Firefox 60, NoScript 10.1.8.2rc2, new profile.
https://noscript.net/abe/abe_rules.pdf is also affected.

With Firefox 59 I get the expected behavior.
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 8524
Joined: Sat Aug 03, 2013 5:45 pm

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby fenix » Mon May 14, 2018 8:48 am

Hello barbaz.

Thanks for checking this issue. Anyway, .PDF is a common target for malware attacks, right? So I think there should be a possibility to set/change NoScript's presets on such web sites etc. We already saw a few CVEs that allow remote attackers to cause a DoS or possibly have other malicious impact via a crafted .PDF document (an attacker could plant a malicious .PDF on a website). I think NoScript should allow Users to make some changes on such websites: e.g. change the preset from Default to Custom etc.

Thanks.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
fenix
 

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby skriptimaahinen » Wed May 16, 2018 11:36 pm

Well, looks like FF 60 blocks content scripts from running in the PDF viewer. This is what breaks NS. Not sure if intended, but it might be due to a fix for a security vulnerability that allowed PDF files to run scripts in the viewer's context. (The very unhelpful and wrong popup message is an NS bug though.)

@fenix: Unfortunately none of the NS settings really affect PDF security. That's purely the PDF viewer's responsibility.

@Giorgio: Does showing the resource-URIs (e.g. resource://pdf.js) benefit the user in any way?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
skriptimaahinen
Senior Member
 
Posts: 89
Joined: Wed Jan 10, 2018 7:37 am

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby Giorgio Maone » Thu May 17, 2018 5:45 am

skriptimaahinen wrote: @Giorgio: Does showing the resource-URIs (e.g. resource://pdf.js) benefit the user in any way?

I do not think so, but maybe I could instead try to intercept the PDF load attempt before it gets to the viewer and block it outright, tying this behavior to a special "PDF" permission...
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Giorgio Maone
Site Admin
 
Posts: 8528
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby skriptimaahinen » Thu May 17, 2018 5:17 pm

In that case I think it might be best to allow resource (and chrome|moz-extension|about) URIs regardless of the policy, maybe, or am I missing some important case?

Not sure if NS should interfere with PDF handling, as FF itself offers a plethora of user-configurable ways to do it (pdf.js, external viewer, download).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
skriptimaahinen

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby therube » Thu May 17, 2018 6:20 pm

Can you still do 'external viewer', as in like via a Plugin in FF (Quantum)?
I thought all that was allowed was Flash.
(FF 52 should be able to do external viewer, via Plugin.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.3
therube

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby skriptimaahinen » Thu May 17, 2018 9:01 pm

I doubt the plugins work anymore except in 52, though the last time I used the Adobe plugin was something like 15 years ago. :) And even if the plugins did work, NS could block them with the "object" option.

However, FF does offer an option to open the PDF in an external program.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
skriptimaahinen

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby fenix » Thu May 24, 2018 10:57 am

Hello.

So, as skriptimaahinen has just written in his comment: "Not sure if NS should interfere with PDF handling (...)", maybe there should be different information instead of "In order to operate on this tab, NoScript needs to reload it. Proceed?" Something like:

1/ Permissions for websites with .PDF files cannot be changed, because of...
2/ Permissions for websites with .PDF files cannot be changed due to...

And then name the reason for such a decision at the end (after "because of/due to")? There can be an [OK] button only. But that's just a naive and stupid idea... Sorry.

Thanks.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
fenix
 

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby fenix » Wed Jul 18, 2018 4:13 pm

Hello.

It seems that version v10.1.8.8 fixed the issue with reloading NoScript on websites with .PDF files etc. I've checked one site, and after clicking on the main icon, the message mentioned in my first post did not appear; instead, all presets available in NoScript were shown. The mentioned site has been set with the "DEFAULT" preset (domain was: …semanticscholar.org) etc. So, it seems everything is okay. However, I didn't do any tests like, for example, changing presets or adding some options ('script', 'frame' and so on).

One more thing to note. When I moved the mouse cursor over the NoScript icon, without clicking, a small window appeared with the following information (the same thing happened in my first post):

NoScript 10.1.8.8
Blocked 0 of 0 items

Here is the tested website: https://pdfs.semanticscholar.org/5d9b/6da578552b50b572d365cd2a837cc1305fc5.pdf If someone has some free time, please run more tests.

Thanks.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
fenix
 

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby paulmcg » Thu Jul 19, 2018 5:14 pm

I am having problems downloading .pdf and .tgz archives on some of our company Web sites, even though I whitelisted our sites.

The PDF download problem occurs in NoScript 10.1.8.9rc1 with Firefox 61.0.1. It seems to occur when a Web page opens a window with JavaScript for the PDF URL instead of just giving you the URL.

I uploaded a .zip file with the HTML, JavaScript and CSS files from when the problem occurs plus a screen shot of the Firefox error.
https://drive.google.com/file/d/1cUv_PCBh2DcoshwxiRYqHGrYzlSjkcVZ/view?usp=sharing
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
paulmcg
 
Posts: 2
Joined: Thu Jul 19, 2018 4:43 pm

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby Giorgio Maone » Thu Jul 19, 2018 5:52 pm

paulmcg wrote: I am having problems downloading .pdf and .tgz archives on some of our company Web sites, even though I whitelisted our sites.

Could you also check with Firefox's developer console (ctrl+K), Network tab, which HTTP headers the server is sending exactly (or give me a public server where this problem can be reproduced)?
Might Firefox's popup blocker be interfering (i.e., does the link work if you disable NoScript)?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Giorgio Maone

Re: (S) v10: needs to be reloaded to operate on website w/ P

Postby paulmcg » Fri Jul 20, 2018 3:49 pm

Giorgio Maone wrote: Could you also check with Firefox's developer console

I had to upload the Firefox console log, since this site's spam filter wouldn't let me upload here.
https://drive.google.com/open?id=1QiTKYZUW4QNPCceaIXq8D7ectNupKlkD

The problem doesn't happen if I disable NoScript. The pages that cause the problem are not publicly accessible on one of our servers (myife.panasonic.aero).
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
paulmcg
 
