Posting long text to JS based Bins lead to messed up Noscript

security-alert
Posts: 8
Joined: Sun May 22, 2022 2:20 pm

Post by security-alert »

Hi There,

I discovered a bug in NS when using it with online bins like anonbin or private bin, etc., when I try to post very big text (software or system logs).

To Reproduce:

- Make NoScript visible in browser toolbar
- Go to https://notes.anonpaste.org/ (allow the needed script/s to make the service work)
- Add very long text to the editor (empty space). You can copy mine (uploaded as a file), which I faced the problem with:

https://notes.anonpaste.org/?b855400314 ... Lbhhr1YsBy

or from here

https://gofile.io/d/cCN2aE


- Untick "Burn after reading" and make "Expires: Never", then press on "Send"
- 2 behaviors you can notice:
  1. The browser is going to tell you that NoScript is slowing down the browser, would you like to stop it?
  2. While the page is loading after pressing "Send" (as mentioned above), press on the NoScript icon in the browser toolbar and go to settings = a non-closable page is going to keep popping up

The important bug that needs to be fixed is not so much point 1, because maybe that's expected. The annoying part is point 2.

Tested on: (You can reproduce it with Firefox-esr if you don't want or have TB)

TorBrowser 11.0.13 (based on Mozilla Firefox 91.9.0esr) (64-bit), Security Level: Safer

NoScript version: 11.4.6

If you find it hard to reproduce I can upload a video about it.

ThX!
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA


Post by therube »

Unable to confirm.

FF 91.9.0esr, new Profile, visit site, upload file (or paste data in), (2.5 MB).
No issues.

FF 100 beta1, existing Profile, visit site, upload file (or paste data in).
No issues.


(I don't have Tor on hand to test.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 SeaMonkey/2.53.13

Post by security-alert »

After some time of playing with FF/NS I think I figured out the cause of it. The issue is not about long text, but actually it's about how many scripts are going to be generated and blocked after Temp.Allow one when visiting the website, then double click on NoScript (which allows the list of scripts table to pop up outside in a new window) <- This list will keep popping out and thus hanging/crashing the browser.

To understand what I mean more, check the uploaded video: (The website I browsed is just an example)

https://gofile.io/d/fkTuO2

Note: Not all my virtual machines produced the same effect, but on some of them I can reproduce the same effect every time.

Host: Debian 11
FF version: 91.10.0esr (64-bit)
NS version: 11.4.6

If you need further debugging, just tell me.

ThX!

Post by therube »

Not sure how you're getting that modal-like dialog box?

There have been odd times where I've gotten something like that (can't recall if NoScript related or not ?), but stuff like that does happen in FF (Quantum or whatever they call it).


Are you using any other extensions that may be affecting things?
If you disable all other extensions except for NoScript...
And/or test in a new, clean Profile with only NoScript installed...

And is this both with Tor & outside of Tor?

Oddly, in your video, the alqabas page never did load at all?

Post by security-alert »

> Not sure how you're getting that modal-like dialog box?

You mean this one on the right side: (This is a different FF, which I can load the website with)

https://gofile.io/d/dzbiOO

This can be produced if you:

Temp.Trust the first alqabas script, then keep double clicking on NS (similar to the video I have uploaded), then it will show up.

> Are you using any other extensions that may be affecting things?

No, totally fresh install of FF-ESR with only NS (as shown in the video).

> And is this both with Tor & outside of Tor?

Yes. Actually Tor Browser is based on FF-ESR, so whatever happens there happens here (with very few exceptions), but as I have shown I can produce it with FF, not just with TB.

> Oddly, in your video, the alqabas page never did load at all?

Yeah, crazy. That's why I thought it's better to report it here and investigate what's causing that.

Post by therube »

> Temp.Trust alqabas first script then keep double clicking on NS (similar to the video i have uploaded) then it will show up.

Yes, that is what I tried, but I'm unable to get it to "break free" on my end (Windows).

Post by security-alert »

So is there a debug mechanism for NoScript, which either can be looked at in a local file, or a special version of NS which has a URL that sends live reports, etc.?

Because if I have this issue and you can't produce it because of different environments, then we need a detailed debug way just for NS readings. If there is one, please tell me how to do it.