NoScript interfering with Mozilla capabilities policies?

[aloishammer]

I'm having problems with a default-deny cookie policy at https://club.nintendo.com/ (see for yourself: https://club.nintendo.com/js/clubn-dialogs.do and other JS containing code like:

if (typeof navigator.cookieEnabled == "undefined" && !cookieEnabled)

...which is clearly going to fail with default-deny for cookies (I'm using Cookie Monster to allow per-site). Since I can't make out how to write script surrogates, and gave up on that route, I'm attempting to simply deny usage of the .cookieEnabled property.

This works:

user_pref("capability.policy.default.Navigator.cookieEnabled", "noAccess");

...but if I try to follow the template laid out at http://www.mozilla.org/projects/securit ... olicy.html and set something like this:

user_pref("capability.policy.policynames", "brokencookiedetect");
user_pref("capability.policy.brokencookiedetect.sites", "https://club.nintendo.com/");
user_pref("capability.policy.brokencookiedetect.Navigator.cookieEnabled", "noAccess");

...my prefs.js gains this setting:

user_pref("noscript.policynames", "brokencookiedetect");

...and the policy isn't enforced. Help, please?

(If the best and correct and best path is to set script surrogates, I could use one for https://club.nintendo.com/js/clubn-dialogs.do as well as something involving http://my.monster.com/Login.aspx , which is broken the same way, last I looked.) (I've just been using Chromium instead for Monster. This is my first attempt to outwit witless webdevs who use broken objects like navigator.* for important things, like deciding whether to allow me to log in.)

(By the way, my account, aloishammer, on this forum, ended up disabled while I was trying to change my email address.)

[Giorgio Maone]

1. NoScript is the main CAPS client around, and using another CAPS policy with NoScript installed is not recommended, since it may be very complicated if not impossible
2. A surrogate for your purpose would be:
   noscript.surrogate.cookie.sources=club.nintendo.com my.monster.com
   noscript.surrogate.cookie.replacement=navigator.__defineGetter__("cookieEnabled", function() { return true; })
3. I forced reactivation on your account

[aloishammer]

1. NoScript is the main CAPS client around, and using another CAPS policy with NoScript installed is not recommended, since it may be very complicated if not impossible
2. A surrogate for your purpose would be:
   noscript.surrogate.cookie.sources=club.nintendo.com my.monster.com
   noscript.surrogate.cookie.replacement=navigator.__defineGetter__("cookieEnabled", function() { return true; })
3. I forced reactivation on your account

I'm afraid that those surrogates don't have the same effect as denying access. Can you check out https://club.nintendo.com/ ? No account required-- if you have cookie policy set to default-deny, you should get an in-document "dialog box" pop pretty much immediately.

[Giorgio Maone]

1. NoScript is the main CAPS client around, and using another CAPS policy with NoScript installed is not recommended, since it may be very complicated if not impossible
2. A surrogate for your purpose would be:
   noscript.surrogate.cookie.sources=club.nintendo.com my.monster.com
   noscript.surrogate.cookie.replacement=navigator.__defineGetter__("cookieEnabled", function() { return true; })
3. I forced reactivation on your account

I'm afraid that those surrogates don't have the same effect as denying access. Can you check out https://club.nintendo.com/ ? No account required-- if you have cookie policy set to default-deny, you should get an in-document "dialog box" pop pretty much immediately.

In fact, that surrogate have the effect of always returning true for navigator.cookieEnabled.
Maybe you want deny access because the side effect is throwing an exception disrupting the current method.
If this is the case, just turn the replacement into:

Code: Select all

navigator.__defineGetter__("cookieEnabled", function() { throw "x" }

[aloishammer]

1. NoScript is the main CAPS client around, and using another CAPS policy with NoScript installed is not recommended, since it may be very complicated if not impossible
2. A surrogate for your purpose would be:
   noscript.surrogate.cookie.sources=club.nintendo.com my.monster.com
   noscript.surrogate.cookie.replacement=navigator.__defineGetter__("cookieEnabled", function() { return true; })
3. I forced reactivation on your account

I'm afraid that those surrogates don't have the same effect as denying access. Can you check out https://club.nintendo.com/ ? No account required-- if you have cookie policy set to default-deny, you should get an in-document "dialog box" pop pretty much immediately.

In fact, that surrogate have the effect of always returning true for navigator.cookieEnabled.
Maybe you want deny access because the side effect is throwing an exception disrupting the current method.
If this is the case, just turn the replacement into:

Code: Select all

navigator.__defineGetter__("cookieEnabled", function() { throw "x" }

That makes perfect sense-- but I'm afraid it's still not working for me. Probably a silly question, but are you sure about the syntax of user_pref("noscript.surrogate.cookie.sources", "club.nintendo.com my.monster.com"); ?

[Giorgio Maone]

That makes perfect sense-- but I'm afraid it's still not working for me. Probably a silly question, but are you sure about the syntax of user_pref("noscript.surrogate.cookie.sources", "club.nintendo.com my.monster.com"); ?

Yes. You can easily check using a simple alert("test") as the replacement.
However I think I know why it's not working yet, I omitted a closing bracket in the second replacement. Should be:

Code: Select all

navigator.__defineGetter__("cookieEnabled", function() { throw "x" })

[aloishammer]

That makes perfect sense-- but I'm afraid it's still not working for me. Probably a silly question, but are you sure about the syntax of user_pref("noscript.surrogate.cookie.sources", "club.nintendo.com my.monster.com"); ?

Yes. You can easily check using a simple alert("test") as the replacement.
However I think I know why it's not working yet, I omitted a closing bracket in the second replacement. Should be:

Code: Select all

navigator.__defineGetter__("cookieEnabled", function() { throw "x" })

...I'm afraid that doesn't work, either. For reference: I'm not seeing any JS exceptions in the console.