SVG and Noscript

GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: SVG and Noscript

Post by GµårÐïåñ »

Tom T. wrote:The confusion is that blocking the JS defeats the demo. ... SMIL or no SMIL. :?
Yes, because the demo is JS based. If it was using SMIL it would not be affected.
I was trying to do what Alan suggested -- put that page on a site without that JS, namely, my own little page @ my ISP, but I haven't updated it in ages, and I can't even type or paste in the "edit" block. Their tech support is not open at this hour, so if I can get it working another time, I will indeed try hosting that exact page.
Send me what you want done, through here or PM or email and I will be happy to put it on my site and give you the link to post and play with. But I am pretty sure that while JS code is blocked by NS, not SMIL, I have seen it in action with NS and no issue.

I'd be happy to do the code writing and hosting for you, just say the word brother. You know that, you wouldn't even need to edit anything.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11 Comodo_Dragon/17.5.2.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

GµårÐïåñ wrote:
Tom T. wrote:The confusion is that blocking the JS defeats the demo. ... SMIL or no SMIL. :?
Yes, because the demo is JS based. If it was using SMIL it would not be affected.
Exactly what I was trying to convince certain others in this thread: the demo uses JS. *I'm* not confused, but there is confusion in the thread, among some.
GµårÐïåñ wrote:
Tom T. wrote:I was trying to do what Alan suggested -- put that page on a site without that JS, namely, my own little page @ my ISP, but I haven't updated it in ages, and I can't even type or paste in the "edit" block. Their tech support is not open at this hour, so if I can get it working another time, I will indeed try hosting that exact page.
Send me what you want done, through here or PM or email and I will be happy to put it on my site and give you the link to post and play with. But I am pretty sure that while JS code is blocked by NS, not SMIL, I have seen it in action with NS and no issue.

I'd be happy to do the code writing and hosting for you, just say the word brother. You know that, you wouldn't even need to edit anything.
I didn't mean that I had to edit or write any code. I was just going to copy/paste the source code of the demo page into a page on my own ISP-hosted site.
But their "site-builder" tool was malfunctioning: I couldn't paste. Period. Or type, into the field where one enters one's new material. It's a glitch in their system, that's all.

If you want to copy/paste that demo source code and host it, fine. Twenty seconds, if my blinking ISP's site editor was working properly.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: SVG and Noscript

Post by GµårÐïåñ »

Tom T. wrote:Exactly what I was trying to convince certain others in this thread: the demo uses JS. *I'm* not confused, but there is confusion in the thread, among some.
FWIW, you are right, so I am not sure why others would be confused.
Tom T. wrote:I didn't mean that I had to edit or write any code. I was just going to copy/paste the source code of the demo page into a page on my own ISP-hosted site.

But their "site-builder" tool was malfunctioning: I couldn't paste. Period. Or type, into the field where one enters one's new material. It's a glitch in their system, that's all.

If you want to copy/paste that demo source code and host it, fine. Twenty seconds, if my blinking ISP's site editor was working properly.
Ok, so I am going to assume, you mean this link: http://www.petercollingridge.co.uk/site ... seover.svg
and this source:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" height="80">

  <text x="10" y="35">Only the blue square</text>
  <text x="10" y="50">has a mouseover effect</text>

  <rect id="rect1" x="160" y="10" width="60" height="60" fill="blue"
    onmouseover="evt.target.setAttribute('opacity', '0.5');"
    onmouseout="evt.target.setAttribute('opacity', '1');"/>

  <rect id="rect2" x="230" y="10" width="60" height="60" fill="green"/>

</svg>
Right? Confirm and it shall be done in seconds.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11 Comodo_Dragon/17.5.2.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

Exactly.

(the source code of the demo page.)
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: SVG and Noscript

Post by GµårÐïåñ »

Tom T. wrote:Exactly.

(the source code of the demo page.)
Just for the record, you don't need to put this anywhere else, as the item with the source is SVG code already, so it doesn't depend on the site it's hosted on and scripting for that site. The scripting portion being blocked by NS which results in the demo "breaking" is the following segment:

   onmouseover="evt.target.setAttribute('opacity', '0.5');"
   onmouseout="evt.target.setAttribute('opacity', '1');"/>
So as long as NS is blocking JS, that event hook fails (evt.target.setAttribute()), rightfully so, and if allowed it runs, again rightfully so. So it's all there in the source of the demo, no need to put it on another server to show anything.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11 Comodo_Dragon/17.5.2.0
rees65
Posts: 2
Joined: Sun Mar 18, 2012 2:15 pm

Re: SVG and Noscript

Post by rees65 »

As the OP, thank you all for the replies, esp Alan Baxter - I'll remember to enclose URLs in future.

What I'm understanding so far, setting SVG aside momentarily, is that a site's use of JavaScript affects non-JavaScript pages.
That accounts for the example URL being blocked.

To confirm: on a non-NS-blocked site that SVG works. On an NS-blocked site it fails.
True for local and remote.
This is on my testing site, it does not use JavaScript.
http://www.functional-design.co.uk/imag ... seover.svg

Alan understood my concern that there wasn't a NS warning - I think I understand the reasons now.
But I'm still wrestling with why using NS to disable JavaScript breaks that demo, it doesn't explicitly call JavaScript.

SVG supports <script> tags and I would expect that to be blocked - being a significant potential security threat.
But its native methods, eg onmouseover, I imagined would be fine, in as much as I wouldn't expect NS to block CSS.

I'm approaching this as a developer wishing to add user interactivity without dropping into scripting.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: SVG and Noscript

Post by GµårÐïåñ »

If the domain is allowed to accept scripting, this demo would work fine (as it relies on scripting), if not then it won't. Like for example, going to the link you provided on your site, not having your site on my whitelist, it didn't work, but when I temp allowed it, it worked just fine. As I said earlier, it's the event hook code that you are using that is scripting and being blocked accordingly. Although you don't consider that an explicit call to JS, it is indeed a JS framework hook and calling on that engine to give you that functionality, hence, JS (scripting) and NS is intelligent enough to know it when it sees it, regardless of how it's written or obscured. It checks the handler, not how it's written or what it's called.

Hope that helps clear it up from a programmer's perspective, like my own, as both a software and web developer. Unfortunately until we live in a world where scripting is used for function and not malice, you're gonna have to make some compromises. That will always favor security over blind faith, trust and functionality. So you can provide the functionality and let the users choose to allow it or not. Ideally, you would choose a method that doesn't force the user to make a choice between function or trust. Good luck.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
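Two points in the thread lend themselves to a worked example: GµårÐïåñ's explanation above that NoScript keys on the handler itself (the onmouseover/onmouseout attributes are script, however they are written), and rees65's wish to add interactivity without dropping into scripting. The block below is an added example, not code from the thread and not NoScript's own detection logic. It scans an SVG document for the three places script can execute (inline on* event-handler attributes, <script> elements, and javascript: URLs in href/xlink:href), runs that over the demo source quoted in the thread, and then over a constructed rewrite of the same hover effect using a SMIL <set> element, which the thread says is not affected by script blocking. The regex-based scanning and the function names (findScriptInSvg, needsScriptPermission) are assumptions made for a self-contained demo; a real checker would walk the parsed DOM rather than the text.

```javascript
// Added example (not from the thread, not NoScript's code): flag every place
// in an SVG document where script can run. Regular expressions over the
// markup are an assumption for a self-contained demo, not a full XML parser.
const EVENT_HANDLER_ATTR = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const SCRIPT_ELEMENT = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
const SCRIPT_URL = /\s((?:xlink:)?href)\s*=\s*["']\s*javascript:([^"']*)["']/gi;

// Returns one finding per script-bearing construct, in document order within
// each category: event handlers first, then <script> elements, then URLs.
function findScriptInSvg(svgText) {
  const findings = [];
  for (const m of svgText.matchAll(EVENT_HANDLER_ATTR)) {
    findings.push({ kind: 'event-handler', name: m[1].toLowerCase(), code: (m[2] ?? m[3]).trim() });
  }
  for (const m of svgText.matchAll(SCRIPT_ELEMENT)) {
    findings.push({ kind: 'script-element', name: 'script', code: m[1].trim() });
  }
  for (const m of svgText.matchAll(SCRIPT_URL)) {
    findings.push({ kind: 'javascript-url', name: m[1].toLowerCase(), code: m[2].trim() });
  }
  return findings;
}

// True when the document needs script permission to behave as written.
function needsScriptPermission(svgText) {
  return findScriptInSvg(svgText).length > 0;
}

// The demo source quoted in the thread (stray ')' in the mouseout value removed).
const DEMO_WITH_HANDLERS = `<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" height="80">
  <text x="10" y="35">Only the blue square</text>
  <text x="10" y="50">has a mouseover effect</text>
  <rect id="rect1" x="160" y="10" width="60" height="60" fill="blue"
    onmouseover="evt.target.setAttribute('opacity', '0.5');"
    onmouseout="evt.target.setAttribute('opacity', '1');"/>
  <rect id="rect2" x="230" y="10" width="60" height="60" fill="green"/>
</svg>`;

// Constructed rewrite: the same hover effect done declaratively with a SMIL
// <set> element. Opacity drops to 0.5 on mouseover and is restored on
// mouseout, with no JavaScript anywhere in the document.
const DEMO_WITH_SMIL = `<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" width="300" height="80">
  <text x="10" y="35">Only the blue square</text>
  <text x="10" y="50">has a mouseover effect</text>
  <rect id="rect1" x="160" y="10" width="60" height="60" fill="blue">
    <set attributeName="opacity" to="0.5" begin="mouseover" end="mouseout"/>
  </rect>
  <rect id="rect2" x="230" y="10" width="60" height="60" fill="green"/>
</svg>`;

// Constructed document exercising the other two ways script gets into SVG.
const CONSTRUCTED_SCRIPT_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>function init() { /* constructed */ }</script>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
</svg>`;

for (const [label, doc] of [['demo', DEMO_WITH_HANDLERS], ['smil', DEMO_WITH_SMIL], ['constructed', CONSTRUCTED_SCRIPT_SVG]]) {
  console.log(label, needsScriptPermission(doc) ? 'needs script permission' : 'no script', findScriptInSvg(doc));
}
```

Run under Node, the demo reports exactly the two handler attributes the thread singles out, the SMIL rewrite reports nothing, and the constructed file shows an onload handler, a <script> body and a javascript: link being caught by the same scan. The SMIL version is the shape of answer to rees65's question: the hover effect survives with scripting blocked because there is no handler for a script blocker to refuse.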
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: SVG and Noscript

Post by GµårÐïåñ »

Forgot to add on a separate note, that although Giorgio can arbitrarily and by choice whitelist certain functions deemed benign (open to perspective and interpretation) within his script checking engine, so that such simple SVG code doesn't fail even with the scripting on the site blocked, it would be a workaround hack, inelegant and ultimately pokes holes in the absolute security provided. But in theory it can be done.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

GµårÐïåñ wrote:Forgot to add on a separate note, that although Giorgio can arbitrarily and by choice whitelist certain functions deemed benign (open to perspective and interpretation) within his script checking engine, so that such simple SVG code doesn't fail even with the scripting on the site blocked, it would be a workaround hack, inelegant and ultimately pokes holes in the absolute security provided. But in theory it can be done.
Thanks for your explanation of particular event hooks being identified and treated as JS (maybe FAQ should reference that?)

What was causing difficulty, I think, at the UK site was that the root's script had to be allowed. Once that is allowed, then all subfolders are allowed to run script, *including internal hook calls that qualify as script*, even though *that page* shows no JS of its own. Correct? (If so, "yes" will suffice. :D )

The second demo page added confirmation, although even at the root of the site, there is a JS notification from NS, and two script sources:
the site itself, and googleapis.

IMHO, Giorgio is absolutely right to poke no holes in this. Imagine how easily this same mouseover effect could be used maliciously. Possibly some might trip ClearClick, but as you said, the SMIL and other various components could be attack vectors. If we don't trust the site, we shouldn't trust *any* executable, or user-action-driven, code. Agree? (1=Yes; 0=No :mrgreen: )
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: SVG and Noscript

Post by therube »

this demo ... relies on scripting ... the event hook code that you are using, that is scripting, and being blocked accordingly

Although you don't consider that explicit call to JS, it is indeed a JS framework hook and calling on that engine to give you that functionality, hence, JS (scripting)
Could you explain that part further.
Is that then like "inline script"?
I think I now have an inkling of understanding, but without something in my face saying, here it is, I'm still a bit confused.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120318 Firefox/13.0a2 SeaMonkey/2.10a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

therube wrote:
this demo ... relies on scripting ... the event hook code that you are using, that is scripting, and being blocked accordingly

Although you don't consider that explicit call to JS, it is indeed a JS framework hook and calling on that engine to give you that functionality, hence, JS (scripting)
Could you explain that part further.
Is that then like "inline script"?
I think I now have an inkling of understanding, but without something in my face saying, here it is, I'm still a bit confused.
GµårÐïåñ wrote:
So as long as NS is blocking JS, that event hook fails (evt.target.setAttribute()), rightfully so, and if allowed it runs, again rightfully so. So it's all there in the source of the demo, no need to put it on another server to show anything.
So: NS treats the JS function evt.target.setAttribute() as it would a complete script: blocks it if scripting is blocked; allows it if script is allowed.

Since this function alone apparently could be used for malice, NS is correct to regard it as script and block it.

Anyway, that's what I got from it. Reread (or read) GµårÐïåñ's linked post, and see what you think.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: SVG and Noscript

Post by Alan Baxter »

Alan Baxter wrote:
dhouwn wrote:JS is JS, I don't get how this behavior would be unexpected.
It's unexpected because that page doesn't use JavaScript. The NoScript icon and my viewing of the source for that page seem to agree that no JavaScript is being used. Could you be more specific about where you see JavaScript?
GµårÐïåñ wrote: Just for the record, you don't need to put this anywhere else, as the item with the source is SVG code already, so it doesn't depend on the site it's hosted on and scripting for that site. The scripting portion being blocked by NS which results in the demo "breaking" is the following segment:

   onmouseover="evt.target.setAttribute('opacity', '0.5');"
   onmouseout="evt.target.setAttribute('opacity', '1');"/>
So as long as NS is blocking JS, that event hook fails (evt.target.setAttribute()), rightfully so, and if allowed it runs, again rightfully so. So it's all there in the source of the demo, no need to put it on another server to show anything.
Thank you for the explanation, GµårÐïåñ. Apparently those two lines are what dhouwn meant by "JS is JS", although he never provided the requested explanation like you did.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

What Alan Baxter said.
Thanks to GµårÐïåñ for providing explicit identification of what looks like a duck, walks like a duck...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
SmilerCurious

Re: SVG and Noscript

Post by SmilerCurious »

So you've identified JS that could be maliciously used in the demo source. Good.
But Alan Baxter's implied question hasn't been answered:
http://forums.informaction.com/viewtopi ... 357#p36626
"The NoScript icon indicates with its white S that scripting isn't used on that page,"
Inquiring minds want to know why no coloured indicator.

Mind you, svg is clearly going to be used mainly for tarting up, not for your actual useful stuff, so a user won't really need to dig into source to find out if that static coin image wants to be flipped.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

SmilerCurious wrote:So you've identified JS that could be maliciously used in the demo source. Good.
But Alan Baxter's implied question hasn't been answered:
http://forums.informaction.com/viewtopi ... 357#p36626
"The NoScript icon indicates with its white S that scripting isn't used on that page,"
Inquiring minds want to know why no coloured indicator.
Good question.

I surmised very early in this thread:
Tom T. wrote:I think the icon is white, vs. blue/white, because *that document* does not load script. But it's part of a URL for which all scripts apply, which is why I could toggle the demo by toggling script permission of the main site.
Now we know, courtesy of Guardian, that it was a specific JS function call that (properly) triggers NoScript's protections, or requires permission to run, if you want it to. But agree with the point: If NS treats that one hook as a script, then the icon should be blue and white, not plain white, when scripting is allowed and that particular hook (or any other with JS-type function) is allowed.

I too found it strange to see the solid-white icon, but script from petercollingridge showing in the Allowed or TA menu.

Giorgio?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28