Firefox update 11.2.13 issue

[ttb]

Even if site.com in whitelist www.site.com still in blacklist. 11.12.1 works fine.

UPD. There is issue with one site in different tabs. One in whitelist other in blacklist.

[barbaz]

The terms "whitelist" and "blacklist" are ambiguous in NoScript Webext. By "whitelist" do you mean Trusted? By "blacklist" do you mean Untrusted, or do you mean Default? Or something else?

Is the "site.com" tab https while the "www,site.com" tab plain http?

There is no NoScript version 11.12.1 (yet?), what version did you mean?

[ttb]

I mean trusted and untrusted. In two tabs same SSL-only site loads like executable trusted (it is) and untrusted at the same time.

>There is no NoScript version 11.12.1
Sorry my bad. 11.12.11.

[Giorgio Maone]

I'm still not sure I understand this correctly.
Assuming that you're either using the NoScript Options>Per-site Permissions UI or you've checked the NoScript Options>List full addresses in the permissions popup option, otherwise you wouldn't be able to configure www.site.com individually:

1. You set www.site.com to UNTRUSTED
2. Then you set site.com to TRUSTED
3. https://www.site.com remains UNTRUSTED, while https://site.com is TRUSTED.

That's expected, as it allows you to single out subdomains (e.g. analytics.site.com) to block while keeping the others and the top domain allowed.
And as far as I can see, 11.2.11 works exactly the same (not surprisingly, since there's been no changes in the permissions system since that version).

[Baraoic]

Not sure what ttb is trying to say, but I'm having issues with the 11.2.13 update as well. I've tried uninstalling and reinstalling, that didn't help.

The issue is noscript currently is blocking ALL scripts on ALL sites, no matter if I have them trusted/allowed or not. I've had to disable the addon to sign up for this forum to post this.

[ttb]

The issue is noscript currently is blocking ALL scripts on ALL sites, no matter if I have them trusted/allowed or not

For me some sites in trusted list works fine and some are not. Same site from trusted list in two tabs trusted and untrusted at the same time.

[Skeezix]

1. You set www.site.com to UNTRUSTED
2. Then you set site.com to TRUSTED
3. https://www.site.com remains UNTRUSTED, while https://site.com is TRUSTED.

That's expected...

I don't understand. How can one site be both trusted and untrusted?

[sensagrae]

Hi NoScript Support Team, I appreciate your addon and registered on your forum to search and post similar findings that the other users said in this specific thread title. I am experiencing this same issue on 2 separate Windows PC's since the last v11.2.13 NoScript automatic update from December 28, 2021 on Firefox (details below).

2 Separate Windows PC's: (did not do any personal settings changes for a long time, updates are applied automatically, previous NoScript versions have been working well and have not changed NoScript settings in a long time, did not make any new settings changes in Firefox and did not add/remove any new extensions in the past month to emphasize no personal changes made).

Browser: Firefox 95.0.2 64-bit [up to date]
OS: Windows 10 Pro-64bit [latest updates installed]
NoScript version: 11.2.13 [Auto-updated via Firefox on December 28, 2021, this is the version shown inside Firefox extension settings]
Related ad-blocking Firefox Extension used with NoScript for many years: uBlock Origin 1.40.2
Issue noted: began with this last automatic update of NoScript v11.2.13 from the past 1 day. Both in standard (non-incognito) and private-incognito firefox, previously stored per-site permission urls that I manually set to TRUSTED, are not applied upon visiting the respective web address (including any other addresses that needed to be whitelisted manually for its functionality).

Important to note: The NoScript Icon GUI shown on the Firefox browser and NoScript Settings (Firefox settings > extensions > NoScript) per-site permissions SHOW them as TRUSTED.

I have 2 different windows pc's with the same windows OS, Firefox and NoScript versions and similar manually saved per-site permissions on both and the issue is the same.

General examples websites include: reddit dot com (including related reddit domains needed for its functionality), captcha sites like hcaptcha dot com and many more personal url websites saved as TRUSTED from over the years.

To post here on the forum: I temporarily gave permission to the website address but then those settings will not apply when I refreshed/previewed my post even though it shows the website in the temporarily trusted section of the NoScript Icon-GUI on Firefox.

Sometimes with v11.2.13 NoScript, a reload of the website page, applies the previously stored trusted permission but then refreshing the page or navigating to another link within that same website, removes the main domain and anything else we may have manually set to TRUSTED in the past.

Disabling NoScript 11.2.13 extension on Firefox allowed site functionality to resume - undesirable but wanted to see. Also visited same websites on Google Chrome Browser that does not have NoScript just to make sure there were no other issues.

I hope some others with better understanding and knowledge on the topic could look into this further. Thank you very much for developing such a powerful utility for us to use!

[barbaz]

The issue is noscript currently is blocking ALL scripts on ALL sites, no matter if I have them trusted/allowed or not. I've had to disable the addon to sign up for this forum to post this.

@Baraoic & @sensagrae: 11.2.11 sent (& blocked) requests to 255.255.255.255 to polyfill synchronous messaging, whereas 11.2.13 uses IPv6 :: for that purpose, could that make the difference in your issue?

If so, 11.2.12rc3 would work correctly but 11.2.12rc4 would be broken. Old NoScript @ https://noscript.net/feed?quantum&c=150&t=a

You might check that no other addon is blocking requests to IPv6 ::

[Baraoic]

The issue is noscript currently is blocking ALL scripts on ALL sites, no matter if I have them trusted/allowed or not. I've had to disable the addon to sign up for this forum to post this.

@Baraoic & @sensagrae: 11.2.11 sent (& blocked) requests to 255.255.255.255 to polyfill synchronous messaging, whereas 11.2.13 uses IPv6 :: for that purpose, could that make the difference in your issue?

If so, 11.2.12rc3 would work correctly but 11.2.12rc4 would be broken. Old NoScript @ https://noscript.net/feed?quantum&c=150&t=a

You might check that no other addon is blocking requests to IPv6 ::

Thank you, that's the issue. uBlock Origin has a Privacy list called "Block Outsider Intrusion into LAN" that has a couple rules related to :: and ::1 addresses. Disabling that list does fix the issue. Here is a link to the list https://github.com/uBlockOrigin/uAssets ... -block.txt

This is probably going to cause issues for a bunch of people. Is there a reason this was changed to ipv6 loopback? Can you not use the fe80:: link-local address instead?

[Giorgio Maone]

This is probably going to cause issues for a bunch of people. Is there a reason this was changed to ipv6 loopback? Can you not use the fe80:: link-local address instead?

That's not he loopback address ([::1]), but the unspecified address, and it was chosen exactly to avoid these kind of conflicts with other blocking extensions.
This seems a bug in the list you're mentioning, as this address is reserved not to be used by any node, and therefore blocking requests to it is moot.

[sensagrae]

The issue is noscript currently is blocking ALL scripts on ALL sites, no matter if I have them trusted/allowed or not. I've had to disable the addon to sign up for this forum to post this.

@Baraoic & @sensagrae: 11.2.11 sent (& blocked) requests to 255.255.255.255 to polyfill synchronous messaging, whereas 11.2.13 uses IPv6 :: for that purpose, could that make the difference in your issue?

If so, 11.2.12rc3 would work correctly but 11.2.12rc4 would be broken. Old NoScript @ https://noscript.net/feed?quantum&c=150&t=a

You might check that no other addon is blocking requests to IPv6 ::

Thank you, that's the issue. uBlock Origin has a Privacy list called "Block Outsider Intrusion into LAN" that has a couple rules related to :: and ::1 addresses. Disabling that list does fix the issue. Here is a link to the list https://github.com/uBlockOrigin/uAssets ... -block.txt

This is probably going to cause issues for a bunch of people. Is there a reason this was changed to ipv6 loopback? Can you not use the fe80:: link-local address instead?

Thank you very much @barbaz + @Baroic (also on the Block Intrusion-Ublock point) for replying with these additional findings and potential (hopefully temporary remedies)!

@barbaz - much of what you mentioned is technically complex for me to properly understand, did not attempt to go back yet to the previous version just in case I did something wrong and created issues with my current profile on firefox...

However, it was interesting what @Baroic had mentioned with ublock Origin Privacy list - Block Outsider Intrusion into LAN". I actually have that option ENABLED on ublock origin for however long it was available to select as an option (many months ago maybe?) and upon unchecking/disabling that option, the issue that was presented in the topic, appears to have resolved (meaning, NoScript was functioning normally as before).

@barbaz - I'm not sure on whether the novice end-user like myself needs to do any specific changes on Windows networking setting with IPv6 in those regards like you were mentioning about pollyfill on 11.2.11 and 11.2.13 using IPv6?

If it helps, I wanted to add a set of screenshot point to my original post I made this thread after visiting the Firefox addons webpage to see if others were noting similar issues with the latest NoScript update and when describing NoScript icon-GUI elements. The most recent comment did mention issues on youtube dot com. So I visited youtube to see as many websites from youtube have been manually set to TRUSTED in my per-site permission list many years ago.

The 3x screenshots below were my current screenshots with Firefox v95.0.2, NoScript v11.2.13 + "Block Outsider Intrusion into LAN" enabled on uBlock Origin 1.40.2.The screenshots provided were done on non-incognito Firefox (same results in incognito as I briefly did allow some changes a long time ago to manually whitelist some websites). Youtube dot com was a manual set to TRUSTED permission I did a very long time ago.

Image #1. I cannot recall if NoScript icon appears like this or as trusted when opening a new default non-incognito firefox window?


Image #2. Visiting youtube dot com (see block GUI icon + previously TRUSTED youtube url)


Image #3. Reloading/refreshing the page a few times, reverts to previously saved settings, reloading the page will sometimes go back to image #2. Reloading again goes back to image #3.

[barbaz]

For everyone who has this problem caused by any uBlock Origin list, the fix is to add this line to uBlock Origin dashboard > My rules -

Code: Select all

behind-the-scene https://[::]/nscl/moz-extension:// xmlhttprequest allow

(I had to do this in my own setup too.)

[Giorgio Maone]

Thanks to everyone who helped to identify/work-around this problem.
I've filed a bug report on uAssets, in the meanwhile.

[Giorgio Maone]

... and should be fixed in latest development build:
v 11.2.14rc1
============================================================
x [nscl] Updated SyncMessage fixes conflict with other
content blockers (thanks gwarser, barbaz and Baraoic)