noscript.mandatory value content can be bypassed

[NoThing]

Hello, maybe some compatibility issue between NoScript and Vertical_Tabs_Reloaded AddOns

Windows 8.1 64Bits, Firefox 52.7.4 ESR (64-bit)

userchrome.css and usercontent.css disabled for testing

when updating from noscript 5.1.2 to 5.1.3 (or the latest noscript...)
the Vertical_Tabs_Reloaded v0.8.2 stops working : the vertical tabs do not appear at all.

My Vertical_Tabs_Reloaded Options :
Display tabs on the right : UNchecked
Hide tabs in fullscreen : UNchecked
Compact Mode (hides text labels) : UNchecked
Theme : None (default)
Toolbar Position : Top
Hotkey for hiding/showing tabbar : [empty]

My extensions (I would be a pain to disable all of them except NoScript and Vertical_Tabs_Reloaded for further testing) :

Add to Search Bar 2.9 true add-to-searchbox@maltekraus.de
Addons Recent Updates 0.1.8 true addonsRecentUpdates@infocatcher
Application Update Service Helper 2.0 true aushelper@mozilla.org
Auto-Sort Bookmarks 3.2 true sortbookmarks@bouanto
Bookmark Current Tab Set 0.2.4.1-signed.1-signed true bookmarkcurrenttabset@jake.kasprzak.ca
Classic Theme Restorer 1.7.3.4 true ClassicThemeRestorer@ArisT2Noia4dev
Classic Toolbar Buttons 1.6.0 true CSTBB@NArisT2_Noia4dev
Context Search 0.6.4 true {902D2C4A-457A-4EF9-AD43-7014562929FF}
Controle de Scripts 1.0.3.1-signed.1-signed true {75e19832-90c0-4553-91a0-e5d0ac5d99fd}
Cookie Monster 1.3.0.5 true {45d8ff86-d909-11db-9705-005056c00008}
Customizable Shortcuts 0.9.8 true customizable-shortcuts@timtaubert.de
customize_titlebar_v2 0.8 true customize-titlebar-v2@solc.me
DOM Inspector 2.0.16.1-signed true inspector@mozilla.org
Download Auto-Resume 1.0.0 true @download-autoresume
Download Manager (S3) 4.13 true s3download@statusbar
Edit Bookmark Plus 2.3.2 true edit-bookmark-plus@kashiif-gmail.com
Extension Options Menu 2.18 true {1feca320-6b4d-11df-a08a-0800200c9a66}
FindBar Tweak 2.1.12 true fbt@quicksaver
IsAdmin 2.5.2 true isadmin@vdtsoftware.ffext
Link Alert 2.0.1 true linkalert.conlan@addons.mozilla.com
Menu Icons Plus 3.2.1-signed.1-signed true menuiconsplus@codedawn.com
Mozilla Archive Format 5.2.1 true {7f57cf46-4467-4c2d-adfa-0cba7c507e54}
Multi-process staged rollout 1.10 true e10srollout@mozilla.org
NewScrollbars (aka NoiaScrollbars) 1.2.8 true NoiaScrollbars@ArisT2_Noia4dev
NoScript 5.1.2 true {73a6fe31-595d-460b-a920-fcc0f8843232}
NoUn Buttons 1.1.4.1.1-signed.1-signed true {99f30549-35d4-11d9-8a2a-396c6e707e82}
Nuke Anything 2.4 true {1ced4832-f06e-413f-aa14-9eb63ad40ace}
Open in Browser 1.18 true openinbrowser@www.spasche.net
Paste and Search (Forms) reloaded 0.0.2.1-signed.1-signed true {c8c583c0-519c-11ab-b0da-08a0200c9a77}
Personal Titlebar 2.0.20160701 true personaltitlebar@moztw.org
Pocket 1.0.5 true firefox@getpocket.com
Preloader (for Firefox) 1.1.1-signed.1-signed true {8a8c1ada-2504-45c6-a2d2-265591abbd00}
Progre 1.0.2.1-signed.1-signed true progre@nuko.org
RefControl 0.8.17.1-signed.1-signed true {455D905A-D37C-4643-A9E2-F6FEFAA0424A}
Restart 3.0.2 true Restart@schuzak.jp
SQLite Manager 0.8.3.1-signed.1-signed true SQLiteManager@mrinalkant.blogspot.com
Tab Mix Plus 0.5.0.4 true {dc572301-7619-498c-a57d-39143191b318}
tabTooltip 1.2 true tabTooltip@onemen.com
Text Link 5.0.2016031501 true {54BB9F3F-07E5-486c-9B39-C7398B99391C}
Thin Tabs 1.6 true thintabs@bonsaimind.org
Toggle animated GIFs 1.3.1 true giftoggle@simonsoftware.se
Toolbar Buttons 1.1.1-signed.1-signed true {03B08592-E5B4-45ff-A0BE-C1D975458688}
Undo Bookmarks Menu 1.7.1-signed.1-signed true undoBookmarksMenu@alice
URL Tooltip 1.3 true url-tooltip@timothytate.net
Vertical Tabs Reloaded 0.8.2 true verticaltabsreloaded@go-dev.de
Vertical Toolbar 1.0.17 true verticaltoolbar@xuldev.org
Video DownloadHelper 6.3.3 true {b9db16a4-6edc-47ec-a1f4-b86292ed211d}
Web Compat 1.0 true webcompat@mozilla.org
Zoom Page 15.8 true zoompage@DW-dev

[barbaz]

Please create a clean profile from scratch. Install only NoScript latest development build and Vertical_Tabs_Reloaded, leaving all the defaults.
Does the problem still exist?
If not, what if you then import your NS settings into the clean profile using the Import and Export buttons *on the very bottom* of NS Options?
If that still doesn't reproduce the problem, NoScript is not the culprit... try Standard Diagnostic (leaving NS enabled) to isolate and correct the real cause.

Let us know, thanks.

[NoThing]

OK I found the problem :

In my profile I have a user.js config file, inside which I reset NoScript white list on each Firefox start with :
user_pref("capability.policy.maonoscript.sites", "[my allowed sites list]");

[my allowed sites list] did NOT include the followings 24 special items :
about: about:addons about:blocked about:certerror about:config about:crashes about:feeds about:home
about:memory about:neterror about:plugins about:preferences about:privatebrowsing about:reader
about:sessionrestore about:srcdoc about:support about:tabcrashed blob: chrome:
mediasource: moz-extension: moz-safe-about: resource:

Until NoScript 5.1.2 this was apparently not a problem, starting with NoScript 5.1.3 that killed VerticalTabsReloaded AddOn
(and possibly some other features that I did not notice)

So I have added the 24 special items to [my allowed sites list]
> VerticalTabsReloaded is OK,
> the 24 items are back (and grayed, except about:reader) in NoScript UI white list.
My issue is seemingly solved (I'm now using NoScript 5.1.8.4, the last available for my Firefox 52.7.4 ESR)

Suggestion : NoScript may enforce the 24 items as allowed, even if absent from the 'capability.policy.maonoscript.sites' string.
(unless you still want to allow the power user to disable them, at their own risk, via the user.js...)

Note : the title of this thread should now be something like :
"capability.policy.maonoscript.sites must include system items"

[barbaz]

Thanks for reporting back.

Did these entries stay listed in about:config > noscript.mandatory the whole time? If so, I would suggest this is a bug and the thread should be titled "noscript.mandatory can be bypassed".

[NoThing]

When I remove the 23 special items from my user.js>'capability.policy.maonoscript.sites' :

>in about:config 'noscript.mandatory' value is STILL at its DEFAULT value and has the 23 special items,
the full 'noscript.mandatory' value is :
[System+Principal] about: about:addons about:blocked about:certerror about:config about:crashes about:feeds about:home about:memory about:neterror about:plugins about:preferences about:privatebrowsing about:sessionrestore about:srcdoc about:support about:tabcrashed blob: chrome: mediasource: moz-extension: moz-safe-about: resource:

>in NoScript UI white list the 23 special items do NOT appear

>if I open a tab to about:addons or about:privatebrowsing, for example,
the NoScript toolbar button says that about:addons or about:privatebrowsing URL are NOT allowed for script
(despite about:addons and about:privatebrowsing being in the mandatory list)
I can still add them manually in the white list.

(about:reader is not in the mandatory list, so only 23 items are mandatory)
about:reader seems to be needed to display the reader mode : should it be made mandatory ?