Noscript Breaking a Website despite Everything 'Trusted'

Ask for help about NoScript, no registration needed to post
whiteletter
Posts: 3
Joined: Fri Jul 02, 2021 6:36 pm

Noscript Breaking a Website despite Everything 'Trusted'

Post by whiteletter »

Hi folks.

I'm having an issue on Firefox with noscript and the Musician's Friend website. Basically it breaks it for me, unless I set it, every time, to 'disable restrictions for this tab'. There's no way for me to set all the sites listed when I visit it to 'trusted' because even when they're all set to trusted, the page is still broken.

Why is this the case? What's being blocked that I can't set to 'trusted' because it's not listed? Is there a workaround beside either disabling noscript or clicking 'disable restrictions for this tab' every time I visit?

Is this a problem local to my particular setup or duplicatable for other folks here? Thanks.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
whiteletter
Posts: 3
Joined: Fri Jul 02, 2021 6:36 pm

Re: Noscript Breaking a Website despite Everything 'Trusted'

Post by whiteletter »

Following up I see there are other posts here with similar issues.

I checked 'unrestricted CSS' for trusted websites, and that fixes the breakage. Can anyone tell me more about what 'unrestricted CSS' is?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Noscript Breaking a Website despite Everything 'Trusted'

Post by Giorgio Maone »

whiteletter wrote: Fri Jul 02, 2021 6:52 pm I checked 'unrestricted CSS' for trusted websites, and that fixes the breakage. Can anyone tell me more about what 'unrestricted CSS' is?
"Unrestricted CSS" means that NoScript skips some additional checks on visual stylesheets which make sense where scripts are disabled and attackers may reach for additional means to work around the blocking.
Having it checked on TRUSTED sites is the recommended setting.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
whiteletter
Posts: 3
Joined: Fri Jul 02, 2021 6:36 pm

Re: Noscript Breaking a Website despite Everything 'Trusted'

Post by whiteletter »

Thanks, I got it.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
DougM

Re: Noscript Breaking a Website despite Everything 'Trusted'

Post by DougM »

FYI I had this issue as well. As of the 11.2.9 update, 'unrestricted CSS' was un-checked for trusted sites. Checking it resolved problems loading various sites.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
JaneGirl

Re: Noscript Breaking a Website despite Everything 'Trusted'

Post by JaneGirl »

There's a safer solution, as there's some security issue with unrestricted CSS (not sure about CSS standard, but at least some browser (IE comes to mind) allow some level of scripting with CSS - I remember I had to use this to ensure my site showed PNG's with transculent parts correctly with IE 5 & 5.5!

Anyway, while I wonder why nobody explained it better what issues it can have, I'm even more baffled that nobody suggested using "Custom" instead of "Allowed". When you choose "Custom" for a domain, it let's you pick specific permissions for that domain, and you can check all of them if you so want; including "unrestricted CSS"

Didn't check the posts date, so not sure if this is applicable to the version used when this was posted, but it-s not a new option.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Noscript Breaking a Website despite Everything 'Trusted'

Post by barbaz »

You can do that, however there is no security advantage to un-checking the "unrestricted CSS" option on script-allowed sites as discussed before in other threads. If a site wants to do that type of attack, and you allow its Javascript, it will just do it with Javascript since JS provides many easier and more accurate ways to perform the attack than trying to do it through CSS.
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply