Whitelist Entry with Protocol while forcing HTTPS

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Post by dhouwn »

I stumbled upon an interesting issue with the following configuration:
I allowed scripts only on https://www.example.com and at the same time I force www.example.com to use HTTPS (I know that this configuration doesn't make much sense in most cases).
Now I am on a page on example.com with the following source:

Code:

<head>
<base href="http://www.example.com/"></base>
<script type="text/javascript" src="a.js"></script>
<script type="text/javascript" src="http://www.example.com/b.js"></script>
</head>

Now I haven't had the time to look further into this, but at least one of those scripts seems to get executed. Either both of them get loaded and the NoScript icon is incorrectly displaying to me that some scripts are blocked (and offering me to allow http://www.example.com), or only one gets loaded, which I as a user wouldn't expect when enforcement of HTTPS happens before everything.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Whitelist Entry with Protocol while forcing HTTPS

Post by Giorgio Maone »

This is kinda expected, since the HTTP->HTTPS redirect happens after content blocking checks (which are remade anyway after the redirect).
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Re: Whitelist Entry with Protocol while forcing HTTPS

Post by dhouwn »

Will this change with NoScript 3?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Re: Whitelist Entry with Protocol while forcing HTTPS

Post by Giorgio Maone »

Most likely not.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Re: Whitelist Entry with Protocol while forcing HTTPS

Post by dhouwn »

That the content checks are done twice in those cases does not matter that much, but nevertheless it seems unnecessary.

Does it make a difference whether Firefox itself (because of HSTS) or NoScript does the redirection?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Re: Whitelist Entry with Protocol while forcing HTTPS

Post by Giorgio Maone »

dhouwn wrote: Does it make a difference whether Firefox itself (because of HSTS) or NoScript does the redirection?
Unfortunately, both HSTS and NoScript perform the redirection after content policies have been checked.
This is because content policies are called before the protocol of the request has been evaluated by the browser and the correct channel type created, while HSTS "lives" inside the nsIHTTPChannel implementation (and NoScript hooks it).
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
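
A simplified model of the two orderings discussed in this thread, added here as an illustration; it is not part of any post and is not NoScript or Firefox code. The function names, and the assumption that a request denied by the first policy check is never redirected, are hypothetical.

```javascript
// Simplified model of the request pipeline discussed above; not NoScript or Firefox code.
const WHITELIST = new Set(["https://www.example.com"]); // scheme-specific entry from the first post
const FORCE_HTTPS = new Set(["www.example.com"]);       // host forced to HTTPS
const BASE_HREF = "http://www.example.com/";            // <base href> of the test page
const SCRIPT_SRCS = ["a.js", "http://www.example.com/b.js"];

// Content-policy decision: is the URL's origin (scheme + host + port) whitelisted?
function isAllowed(url) {
  return WHITELIST.has(new URL(url).origin);
}

// HTTPS enforcement: rewrite http:// to https:// for forced hosts.
function upgrade(url) {
  const u = new URL(url);
  if (u.protocol === "http:" && FORCE_HTTPS.has(u.hostname)) u.protocol = "https:";
  return u.href;
}

// Order described in the thread: the policy sees the original URL first,
// the redirect happens afterwards, and the policy is checked again on the target.
// Assumption (hypothetical): a request denied by the first check is never redirected.
function policyThenUpgrade(src) {
  const requested = new URL(src, BASE_HREF).href;
  if (!isAllowed(requested)) {
    return { requested, final: null, loaded: false, reportedOrigin: new URL(requested).origin };
  }
  const final = upgrade(requested);
  return { requested, final, loaded: isAllowed(final), reportedOrigin: new URL(final).origin };
}

// Order the first poster expected: HTTPS enforcement before anything else.
function upgradeThenPolicy(src) {
  const requested = new URL(src, BASE_HREF).href;
  const final = upgrade(requested);
  return { requested, final, loaded: isAllowed(final), reportedOrigin: new URL(final).origin };
}

for (const src of SCRIPT_SRCS) {
  console.log(src, policyThenUpgrade(src), upgradeThenPolicy(src));
}
```

In this model both script URLs resolve to http://www.example.com/..., so under the first ordering the policy evaluates an origin that the https-only whitelist entry does not match, and the origin it reports is http://www.example.com.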

Re: Whitelist Entry with Protocol while forcing HTTPS

Post by dhouwn »

Giorgio Maone wrote: Unfortunately, both HSTS and NoScript perform the redirection after content policies have been checked.
OK, thanks for the explanation.

Just wondering while going overly off-topic here and into realms I don't have much of an understanding of (Mozilla Internals), but would this be an issue now that HTTP Upgrade is possible (which from what I understand makes it possible to change from http to another protocol type on-the-fly and might play a role for blockable page content if RFC 2817 gets implemented)?
(very theoretical, I know :oops:)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Re: Whitelist Entry with Protocol while forcing HTTPS

Post by Giorgio Maone »

dhouwn wrote: would this be an issue now that HTTP Upgrade is possible (which from what I understand makes it possible to change from http to another protocol type on-the-fly and might play a role for blockable page content if RFC 2817 gets implemented)?
I don't believe it would. This HTTP upgrade mechanism is mainly meant to make web sockets work, and the latter would be an issue only if you want to allow HTTP content and forbid HTTPS content on the same domain, something which frankly looks very unlikely. And anyway, if it ends up being an issue, we can ask to have a content policy hook on protocol change (even though I believe this will be implemented with redirection semantics, and therefore will be intercepted by NoScript anyway).
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1