Bug involving XHTML, CSP, and Firefox ESR

Ask for help about NoScript, no registration needed to post
phyzome
Posts: 7
Joined: Wed Aug 12, 2009 6:52 pm

Bug involving XHTML, CSP, and Firefox ESR

Post by phyzome » Sun Apr 25, 2021 10:46 pm

Viewing this page https://www.alm.website/blog/2021/04/25/v3.1-xsite (default untrusted) with Firefox 78.9.0esr I get a blank page. (The site's author, on Firefox 84 and with the site not trusted, does not see this problem.) Disabling NoScript or allowing scripts results in the page showing; disabling NoScript *and* disabling all Javascript also results in the page showing.

It seems to have something to do with CSP processing and XHTML. I get several repetitions of the following:

Code: Select all

Content Security Policy: Couldn’t process unknown directive ‘noscript-marker’
Content Security Policy: Couldn’t process unknown directive ‘script-src-elem’
Content Security Policy: Couldn’t process unknown directive ‘script-src-attr’
with one of these mixed in:

Code: Select all

XML Document: temporary replacing <html xmlns="http://www.w3.org/1999/xhtml">  with <HTML>
DocumentCSP.js:42:17
The page currently ships with the following CSP, if this is relevant:

Code: Select all

Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

barbaz
Senior Member
Posts: 9903
Joined: Sat Aug 03, 2013 5:45 pm

Re: Bug involving XHTML, CSP, and Firefox ESR

Post by barbaz » Sun Apr 25, 2021 11:22 pm

I can confirm the bug in Firefox 88.0, NoScript 11.2.5rc1. Workaround is to enable the "object" capability for the site.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Giorgio Maone
Site Admin
Posts: 9089
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Bug involving XHTML, CSP, and Firefox ESR

Post by Giorgio Maone » Mon Apr 26, 2021 10:38 am

barbaz wrote:
Sun Apr 25, 2021 11:22 pm
I can confirm the bug in Firefox 88.0, NoScript 11.2.5rc1. Workaround is to enable the "object" capability for the site.
Actually I canNOT reproduce it in Firefox >= 88, but I can see it in 78.10.0esr and can confirm the work-around.
Still trying to pinpoint the real culprit, though, since the temporary XHTML<->HTML node swap happens no matter what, so it doesn't seem to be it.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0

User avatar
Giorgio Maone
Site Admin
Posts: 9089
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Bug involving XHTML, CSP, and Firefox ESR

Post by Giorgio Maone » Mon Apr 26, 2021 12:42 pm

OK, I've found it: the application/xml content type triggered the code path to handle full page embeddings, and on ESR that cascaded to a window.stop() in order to prevent streaming media from starting (this doesn't happen for me on 88 and above, but it's time sensitive so it might depend on barbaz having a slower connection than mine).
I'm gonna fix it in 11.2.5rc2, thanks.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0

skriptimaahinen
Senior Member
Posts: 231
Joined: Wed Jan 10, 2018 7:37 am

Re: Bug involving XHTML, CSP, and Firefox ESR

Post by skriptimaahinen » Mon Apr 26, 2021 12:55 pm

You might be able to trigger it by navigating (site -> about:newtab -> site). Can reproduce that way on 87.
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

User avatar
Giorgio Maone
Site Admin
Posts: 9089
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Bug involving XHTML, CSP, and Firefox ESR

Post by Giorgio Maone » Mon Apr 26, 2021 9:41 pm

Fixed in latest development build, thanks:
v 11.2.5rc2
============================================================
x [nscl] Minor fixes from the library
x [nscl] Fixed XHTML pages broken when served with
application/xml MIME type and no "object" capability

x [nscl] Switch early content script configuration to use
/nscl/service/DocStartInjection.js
x [nscl] Refactored ContentScriptOnce.js to the library
x Rename the "csspp0" capability to "unchecked_css"
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0

Post Reply