Scripts on two pages don't work when NoScript is active

[Enigma]

Hello,

I've been using NoScript on several computers for many years now. Yesterday for the first time I encountered problems with two demo pages for jQuery scripts:

a) http://jquery.malsup.com/corner/
b) http://digitalbush.com/projects/masked- ... ugin/#demo

On page a) the corners of the rectangles aren't modified, on page b) there should be an input mask displayed in the form field that has the focus (see http://www.ajaxblender.com/masked-input.html). I added all involved domains to the NoScript whitelist and even tried the NoScript setting "Scripts Globally Allowed", but without effect. After deactivating NoScript completely, both pages were displayed as expected. First I thought it might be an incompatibility with one of the many other Firefox extensions I'm using on my main computer (Windows XP SP3, 32-bit), but I experienced the same on a newly installed Windows 7 (Home Premium, 64-bit) system with NoScript as the only Firefox extension.

The NoScript version on both computers is 2.0.9.9. Could a modification in that version have lead to this problem or is it just bad luck that, after years of using NoScript without problems, I suddenly visited two pages (within a couple of minutes) that don't work when NoScript is activated?

Cheers,
Jan

[Giorgio Maone]

That's because both those sites do very stupid things with their 3rd party script inclusions.
From Tools|Error Console:

Code: Select all

[NoScript] Blocking nosniff Javascript served from https://github.com/malsup/corner/raw/master/jquery.corner.js?v2.11 with wrong type info text/plain, inline and included by http://jquery.malsup.com/corner/

Code: Select all

[NoScript] Blocking cross-site Javascript served from http://jquery-joshbush.googlecode.com/files/jquery.maskedinput-1.2.2.min.js with wrong type info text/x-c, attachment; filename="jquery.maskedinput-1.2.2.min.js" and included by http://digitalbush.com/projects/masked-input-plugin/#demo

In practice, maybe to spare some bandwith on their own server, they try to include library scripts (jquery.corner and jquery.maskedinput, respectively) directly from their public source repositories.
Now, as you probably know, both Github and Googlecode allow anybody to register an account and post whatever file he wants there.
That's why they both serve their user-controlled content with a bogus content-type header (and in Github's case even with the X-Content-Type-Options: nosniff header) or attachment info, in order to clearly state it's meant for download only and should never be executed as a script or parsed as a HTML or CSS document, because any attacker could put malicious files on that server.

If you really want to work-aorund, you can add

Code: Select all

http://jquery-joshbush.googlecode.com/files/jquery.maskedinput-1.2.2.min.js https://github.com/malsup/corner/raw/master/jquery.corner.js?

to your noscript.inclusionTypeChecking.exceptions [url=http://kb..org/About:config]about:config[/url] preference.

[Enigma]

Thank you very much for your quick reply! So it was indeed "bad luck"...

If you really want to work-aorund, you can add

Code: Select all

http://jquery-joshbush.googlecode.com/files/jquery.maskedinput-1.2.2.min.js https://github.com/malsup/corner/raw/master/jquery.corner.js?

to your noscript.inclusionTypeChecking.exceptions [url=http://kb..org/About:config]about:config[/url] preference.

Great, I didn't know about this setting before. I added the first URL to this setting; the jQuery Corner script isn't very interesting for me - I just mentioned it because of the coincidence of the two failing scripts within several minutes.

Thanks again!

Cheers,
Jan