Exception for Chrome URIs

[barisderin]

Hello,

One of my add-ons add a chrome:// URI based javascript inside web pages. Because if contentaccessible is set to yes the chrome URI works as expected without NoScript installed.

Code: Select all

content	readability 	chrome/content/ contentaccessible=yes

But if NoScript is installed the chrome URI is blocked. Because the origin of the javascript is the add-on and it is safe, I tried to add an exception to NoScript but could not succeed in. Is there any way to add exceptions for chrome:// URIs inside NoScript? If not why NoScript does not allow adding chrome:// exceptions?

Related add-on:
https://addons.mozilla.org/en-US/firefox/addon/46442

Thanks.

[Giorgio Maone]

The problem is not the one you think, and NoScript has nothing to do with that: by default, NoScript doesn't block chrome scripts, but no script can run on a page where JavaScript is disabled, by any mean (not just NoScript).
In fact, if you disable JavaScript from Firefox's Tools|Options|Content panel, you'll have the same effect.
NoScript makes big effort to make the Readability bookmarklet work, but in an extension you could make a better work by running your DOM-manipulating scripts in a chrome content (which can't be stopped), rather than (like it seems you do) injecting them in content (where they get blocked by JavaScript settings and/or by NoScript).

[barisderin]

Hello Giorgio,

Sorry for misunderstanding and thanks for the clarification.

The Readability add-on adds just 2 scripts inside the web pages. One of them is an embedded script and the other is chrome URI related script.

Code: Select all

<script type="text/javascript">
readStyle='style-newspaper';readSize='size-medium';readMargin='margin-wide';
</script>
<script type="text/javascript" src="chrome://readability/content/scripts/readability.js"></script>
<link rel="stylesheet" type="text/css" media="screen" href="chrome://readability/content/style/readability.css"></link>
<link rel="stylesheet" type="text/css" media="print" href="chrome://readability/content/style/readability-print.css">

I created a new Firefox Profile and installed both NoScript and Readability. With default settings Readability did not work with NoScript. High probably because the javascript is disabled by NoScript, right. When Temporarily allowed the Readability works with NoScript. But some of the NoScript users do not like to allow temporarily the web pages again and again for the add-on to work.

I know if the bookmarklet is ported to Chrome it will work without any problem. But the problem is because Readability script is frequently changed porting the bookmarklet is time consuming. So rather than that Readability add-on adds the same javascript file of Arc90 to the web page but as chrome:// URI for security reasons.

Non-working of secure chrome:// URI seems a bit strange while non-secure third party Arc90 URI is working. So could you make the chrome URIs work all the time or simply add an exception for sth like:

Code: Select all

chrome://readability/content/scripts/*

Also if you have any other suggestion I would be happy if you share it with me.

Thanks

[Giorgio Maone]

Non-working of secure chrome:// URI seems a bit strange while non-secure third party Arc90 URI is working.

Unfortunately that's how Firefox work: if the parent page has JavaScript disabled, <script> inclusions are not even processed, no matter if their origin is trusted or not.
One way to work around this is using Components.utils.evalInSandbox, which is guaranteed to run even on JavaScript-disabled pages but may need some little (and web-compatible) modification to work.

[barisderin]

Hello Giorgio,

Thanks for the suggestions. I tried the Components.utils.evalInSandbox but it did not help completely. The bookmarklet semi-partially works.

In the forum I come with a topic that says location bar scripts work even NoScripts blocks the web page code. An example is below which is typed and executed in location bar:

Code: Select all

javascript:alert("working");

But when I try the same code in the add-on as below it does not work.

Code: Select all

window.content.location.href='javascript:alert("working");'

Any idea about how can I create the same effect of working location bar javascript execution inside the extension while NoScrips disables the web page scripts?

[Giorgio Maone]

Any idea about how can I create the same effect of working location bar javascript execution inside the extension while NoScrips disables the web page scripts?

You can use the "backdoor" NoScript implements for bookmarklets:

Code: Select all

Components.classes["@maone.net/noscript-service;1"].getService().wrappedJSObject.executeJSURL("javascript:alert(1)");

Notice that this will run on the selected tab of the focused window.