NoScript Detects Script Domain Incorrectly

[RichardGv]

Environment: Firefox 3.54 (latest when posting) with NoScript1.9.9.14 (latest when posting) on Ubuntu 9.10 Karmic Desktop
NoScript detects the domain of a site incorrectly when "document.domain" is set to wrong value with JavaScript. For example, if there's a page on "subdomain.example.com" with inline JavaScript setting " document.domain = "example.com"; ", and you have allowed "subdomain.example.com" but no "example.com" in NoScript whitelist, the inline JavaScript after the piece of Javascript setting "document.domain" will not function.
I've made a demo page: http://stc.hux.pp.ru/noscript-problem/
When I'm visiting http://zhidao.baidu.com/ (It's a Chinese site.), even if I allowed "http://zhidao.baidu.com" in my NoScript whitelist, the inline script in it does not function, because there's a piece of JavaScript in it:

Code: Select all

document.domain="baidu.com";

Are there any ways to let NoScript ignore document.domain?

[Giorgio Maone]

No, this is the expected behavior.
On pages like those (www.cnn.com is another example, "upgrading" domain to cnn.com) you need to allow the shortest domain, which in facts gets proposed as soon as you allow the subdomain and NoScript can "sense" the change.

[RichardGv]

That expected behavior created a lot of difficulty when I'm trying to visit "http://zhidao.baidu.com". It sets "document.domain" to "baidu.com", so in order to allow inline scripts on the page to execute correctly, I have to allow the whole base 2-nd level domain "baidu.com" to execute scripts. I don't want to do so, however. I don't trust a few subdomains of "baidu.com".
Would you mind adding an option in NoScript to let it ignores "document.domain" or apply rules about a subdomain to a page on this subdomain with JavaScript set its "document.domain" to the base domain? I indeed don't want to add a new GreaseMonkey script to revert "document.domain" back. Thanks a lot.
Update: Just noticed the policy caused problem in guide.opendns.com, too.

[Giorgio Maone]

I guess you can use a Surrogate Script to handle those cases:

noscript.surrogate.stickyDomain.sources

Code: Select all

@*.baidu.com *.opendns.com

noscript.surrogate.stickyDomain.replacement

Code: Select all

document.__defineSetter__("domain", function() {})

[Edited to remove an extra trailing "s" from preference names]

[RichardGv]

Thanks a lot for the fast response. The code you provided works well. (You added an extra "s" after "surrogate", though.)
Is it okay to let NoScript allow execution of inline scripts on a page on "sub.example.com" with JavaScript setting its "document.domain" to "example.com" when either "sub.example.com" or "example.com" is in NoScript whitelist? It would be great if NoScript can do that, if written that feature won't take too much time.
Anyway, thanks for the great product. I've been using NoScript since I started using Firefox 4 years ago, and this is the first time I found a problem in it.

[RichardGv]

It appears that the workaround works only on zhidao.baidu.com. Other sites still have the same problem. Including:

Code: Select all

http://guide.opendns.com/?url=www.myfirehost.com&servfail
http://web.qq.com (I've modified noscript.surrogate.stickyDomain.sources.)
(I will add more when I find more.)

Any other ways to solve the problem? Thanks in advance.

[RichardGv]

I've found out the problem. The workaround does not work if there's an <iframe> with JavaScript inside changing "document.domain". Are there any other ways?