Cross-Domain XHR now totally blocked?

Bug reports and enhancement requests
WhyDoIHaveToRegister
Posts: 4
Joined: Fri Aug 13, 2010 12:09 am

Cross-Domain XHR now totally blocked?

Post by WhyDoIHaveToRegister »

On my blog I have a widget which uses XMLHTTPRequest to retrieve a status page from my server on another domain. To work with the security policy I added the Access-Control-Allow-Origin header to the response as the documentation specifies and it worked fine.

Today I've restarted Firefox for the first time in about a week and it seems at some point during that time, NoScript was updated. The new policy is now blocking my widget's requests even though they were allowed before, no settings have been changed, and all scripts on the page are whitelisted.

Specifically the onreadystatechange event fires as normal, but the status code is zero and the response is blank. A message appears in the error console:
[ABE] <LOCAL> Deny on {GET http://hyperhacker.no-ip.org:55555/ <<< http://segment6.blogspot.com/, http://segment6.blogspot.com/ - 11}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
I haven't modified this rule myself so it seems some recent update changed it, causing it to now block all cross-domain requests even if the server allows them. This breaks useful functionality of the browser and most users will not know how or care to fix it, so to them it will look like my script (and any others using this method) is simply broken.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Cross-Domain XHR now totally blocked?

Post by therube »

What version of NoScript are you running?

If you revert to an earlier version, http://noscript.net/feed, does it work?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; rv:2.0b4pre) Gecko/20100811 SeaMonkey/2.1a3pre
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross-Domain XHR now totally blocked?

Post by Giorgio Maone »

If hyperhacker.no-ip.org resolves to a private IP, or to your WAN IP (i.e. the same IP you offer to web sites when you browse) that's normal.
In the latter case, you just need to uncheck NoScript Options|Advanced|WAN IP belongs to LOCAL.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Cross-Domain XHR now totally blocked?

Post by GµårÐïåñ »

So if I understand you correctly Giorgio, you are saying that if the machine he is accessing it from is also the machine hosting the website, then it will see it as a local resolution and the rule will attach? Now in the past when I did testing, I would use the actual server name (since it was NOT on my machine) to do the testing of code, because if I used the localhost or 127.0.0.1 address to test the local code, it would be blocked. This meant I never encountered this issue but since he is having it, does it mean that he is also hosting it and since the address resolves to the same location it sees it as local? Just wondering for better understanding.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/Gecko/Firefox
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross-Domain XHR now totally blocked?

Post by Giorgio Maone »

GµårÐïåñ wrote:So if I understand you correctly Giorgio, you are saying that if the machine he is accessing it from is also the machine hosting the website, then it will see it as a local resolution and the rule will attach?
Yes, provided that the origin is not in the LAN as well.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
WhyDoIHaveToRegister
Posts: 4
Joined: Fri Aug 13, 2010 12:09 am

Re: Cross-Domain XHR now totally blocked?

Post by WhyDoIHaveToRegister »

I see, so other viewers wouldn't have this problem? Good to know, thanks. Is there a way to disable the "WAN IP belongs to local" rule for certain sites only, so I don't have to disable that protection entirely to test my widget?
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross-Domain XHR now totally blocked?

Post by Giorgio Maone »

Insert the following rule at the beginning of your NoScript Options|Advanced|ABE SYSTEM rule:


Site http://hyperhacker.no-ip.org:55555/*
Accept
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
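Why the exception has to go at the beginning of the SYSTEM ruleset, as an added toy evaluator written for this page; it is not NoScript's ABE code and models only the two rule shapes that appear in this thread. Assumptions: rules are scanned top-down and the first rule whose Site matches the destination decides the request (a rule that matches but has no applicable action, or no matching rule at all, yields Accept); LOCAL means a private address or the browser's own WAN IP; the resolver table and the WAN IP 203.0.113.7 are constructed, the host, port and blog origin are the ones from the thread.

```javascript
// Added example, not NoScript's own code: a simplified evaluator for the ABE
// rules discussed in this thread. Real ABE also handles methods, regexes,
// INCLUSION/SUB rules and more; none of that is modelled here.

const PRIVATE_RANGES = [
  /^10\./, /^127\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./,
];
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// Parse an ABE ruleset into [{ site, actions: [{ verb, from }] }].
function parseAbe(text) {
  const rules = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [verb, ...rest] = line.split(/\s+/);
    if (verb === 'Site') {
      current = { site: rest.join(' '), actions: [] };
      rules.push(current);
    } else if ((verb === 'Accept' || verb === 'Deny') && current) {
      // "Accept from LOCAL" -> from = ['LOCAL']; bare "Deny" -> from = null (any origin)
      const from = rest[0] === 'from' ? rest.slice(1) : null;
      current.actions.push({ verb, from });
    } else {
      throw new Error(`unsupported ABE line: ${line}`);
    }
  }
  return rules;
}

// LOCAL in ABE's sense (simplified): the host resolves to a private address,
// or to the browser's own WAN IP when "WAN IP belongs to LOCAL" is on.
function isLocal(url, env) {
  const host = new URL(url).hostname;
  const ip = env.resolve[host] ?? (IPV4_LITERAL.test(host) ? host : null);
  if (!ip) return false; // unresolved public name: not local
  return ip === env.wanIp || PRIVATE_RANGES.some((re) => re.test(ip));
}

// Site patterns: the LOCAL placeholder, a trailing-* prefix glob, or an exact URL.
function siteMatches(pattern, url, env) {
  if (pattern === 'LOCAL') return isLocal(url, env);
  if (pattern.endsWith('*')) return url.startsWith(pattern.slice(0, -1));
  return url === pattern;
}

function originMatches(from, origin, env) {
  if (from === null) return true; // action without "from" applies to every origin
  return from.some((p) => siteMatches(p, origin, env));
}

// First rule whose Site matches the destination decides; within it, the first
// action whose "from" matches the origin is the verdict.
function evaluate(rules, request, env) {
  for (const rule of rules) {
    if (!siteMatches(rule.site, request.dest, env)) continue;
    for (const action of rule.actions) {
      if (originMatches(action.from, request.origin, env)) return action.verb;
    }
    return 'Accept';
  }
  return 'Accept';
}

// The stock SYSTEM rule quoted in the first post, and the exception from this answer.
const STOCK_RULES = 'Site LOCAL\nAccept from LOCAL\nDeny\n';
const EXCEPTION_RULE = 'Site http://hyperhacker.no-ip.org:55555/*\nAccept\n';

// Constructed environment: the widget host resolves to the browser's WAN IP,
// which is exactly the situation Giorgio describes.
const EXAMPLE_ENV = {
  resolve: { 'hyperhacker.no-ip.org': '203.0.113.7' },
  wanIp: '203.0.113.7',
};
const WIDGET_REQUEST = {
  dest: 'http://hyperhacker.no-ip.org:55555/',
  origin: 'http://segment6.blogspot.com/',
};

function verdict(rulesText, request = WIDGET_REQUEST, env = EXAMPLE_ENV) {
  return evaluate(parseAbe(rulesText), request, env);
}

console.log('stock ruleset       :', verdict(STOCK_RULES));                   // Deny
console.log('exception first     :', verdict(EXCEPTION_RULE + STOCK_RULES));  // Accept
console.log('exception after     :', verdict(STOCK_RULES + EXCEPTION_RULE));  // Deny
```

The third call is the point of the answer: appended after the LOCAL rule, the exception is never reached because the LOCAL rule already matched and denied the request.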
WhyDoIHaveToRegister
Posts: 4
Joined: Fri Aug 13, 2010 12:09 am

Re: Cross-Domain XHR now totally blocked?

Post by WhyDoIHaveToRegister »

Thanks, that got it.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Cross-Domain XHR now totally blocked?

Post by GµårÐïåñ »

WhyDoIHaveToRegister wrote:I see, so other viewers wouldn't have this problem? Good to know, thanks. Is there a way to disable the "WAN IP belongs to local" rule for certain sites only, so I don't have to disable that protection entirely to test my widget?
WhyDoIHaveToRegister wrote:Thanks, that got it.
BTW, if your username is intentional and indicative, then you should know that this forum allows anonymous posting and registration is not required. So we are glad you have an account and you can have tracking, archiving and reminders for the added benefit but if you had chosen not to get it, you could have still posted just fine.
Mozilla/Gecko/Firefox
WhyDoIHaveToRegister
Posts: 4
Joined: Fri Aug 13, 2010 12:09 am

Re: Cross-Domain XHR now totally blocked?

Post by WhyDoIHaveToRegister »

Mostly yes, but not in this particular forum.
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
I use this name as a sort of "mini-protest" against sites that require registration when they really don't need to. I guess in this case it's just a configuration glitch?
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Cross-Domain XHR now totally blocked?

Post by Alan Baxter »

WhyDoIHaveToRegister wrote:I guess in this case it's just a configuration glitch?
Nah, not a glitch. Only the Support forums allow guest posting. Sometimes I forget that too.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Cross-Domain XHR now totally blocked?

Post by GµårÐïåñ »

I was under the impression, per Giorgio, that you can post in the NoScript and FlashGot forums without registering and anonymously. I guess there are restrictions in place now that we didn't have or notice before. I will verify.

EDIT: Confirmed that you can post anonymously in the NoScript Support, ABE and FlashGot Support forums of this site. So that is more than sufficient anonymous access for anyone to post their issues without registering, so the protest is fairly unfounded and unnecessary - especially since your issue could have been just as validly (and more properly) placed in the NoScript Support forum anonymously, and didn't _HAVE_ to be in the Development forum if you didn't want to register. Hope that clears it up now.

Sample Anonymous Posts:
NoScript Support (http://forums.informaction.com/viewtopic.php?f=7&t=4876)
NoScript/ABE (http://forums.informaction.com/viewtopi ... =23&t=4877)
FlashGot Support (http://forums.informaction.com/viewtopic.php?f=6&t=4878)
Mozilla/Gecko/Firefox