howto: noScript block inline JS but not external scripts

Post by gafir »

Hello,

I'm trying to understand how NoScript blocks inline JavaScript within a page. Am I right to say that it uses configurable security policies (CAPS) to turn off JavaScript globally, and then enables JavaScript on a per page/domain basis?
It then uses content policies (with nsIContentPolicy) to prevent external scripts from being loaded. So when clicking on "Allow all this page" it turns on JavaScript using a configurable security policy for this page only, and then allows for the loading of external scripts with nsIContentPolicy as well?

However, I'm trying to understand how you allow or disallow the loading of inline JavaScript (on page). Is this only an on/off option based on the page URL, such as using CAPS to enable the page only?
Is there a way to disallow the execution of inline JavaScript (such as: <script>alert('hello');</script>) while still allowing the loading/execution of external scripts (as <script src="myscript.js"></script>) on a page? If so, how does it do it? :shock:


Many thanks!
Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

Post by gafir »

Answer to my own question: I guess there's no way currently to allow for some inline JavaScript while preventing the execution of external scripts from the same domain. It's either allow all this page or not. In order to do so you'd need to turn on JavaScript globally for this page, catch the HTTP response and rewrite it to remove some of the inline JS, catch external scripts with nsIContentPolicy.shouldLoad, and then render the page. This is what I'm working on for another extension (with a different purpose than NoScript).
Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

Post by Giorgio Maone »

gafir wrote:
Answer to my own question: I guess there's no way currently to allow for some inline JavaScript while preventing the execution of external scripts from the same domain.

You can use ABE for that:

Code:

Site http://some.trusted.domain.com/untrustedsubdir/*.js
Deny
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
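
The response-rewriting approach gafir describes earlier in the thread (drop inline script elements, then decide on each external script separately), sketched as an added example that is not part of the original posts and is not NoScript or ABE code. The function names, the same-origin policy standing in for nsIContentPolicy.shouldLoad, and the sample page are assumptions; the filter covers `<script>` elements only, not event-handler attributes or `javascript:` URLs.

```javascript
'use strict';
// Added example (not NoScript or ABE code). All names here are hypothetical.

// Stand-in for the nsIContentPolicy.shouldLoad decision: same-origin scripts only.
function sameOrigin(src, pageUrl) {
  try {
    return new URL(src, pageUrl).origin === new URL(pageUrl).origin;
  } catch (e) {
    return false; // unparsable URL: fail closed
  }
}

// Rewrite a response body: drop <script> elements with no src (inline code),
// keep external ones only if allow() accepts their resolved URL.
function filterScripts(html, pageUrl, allow = sameOrigin) {
  const open = /<script(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const close = /<\/script(?=[\s\/>])[^>]*>/gi;
  const srcAttr = /(?:^|[\s\/])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  const stats = { inlineRemoved: 0, externalBlocked: 0, externalKept: 0 };
  let out = '';
  let pos = 0;
  let m;
  while ((m = open.exec(html)) !== null) {
    out += html.slice(pos, m.index);
    close.lastIndex = open.lastIndex;
    // No closing tag: the parser treats the rest of the page as script, so drop it.
    pos = close.exec(html) ? close.lastIndex : html.length;
    open.lastIndex = pos;
    const s = srcAttr.exec(m[1]);
    const src = s ? (s[1] ?? s[2] ?? s[3]) : null;
    if (src === null) {
      stats.inlineRemoved++;
    } else if (!allow(src, pageUrl)) {
      stats.externalBlocked++;
    } else {
      stats.externalKept++;
      out += m[0] + '</script>'; // re-emit the tag with an empty body
    }
  }
  return { html: out + html.slice(pos), stats };
}

// Constructed sample page, reusing the snippets from the first post.
const PAGE_URL = 'http://some.trusted.domain.com/page.html';
const SAMPLE = ['<p>hi</p>', "<script>alert('hello');</script>",
  '<script src="myscript.js"></script>',
  '<script src="http://other.example/x.js"></script>',
  '<b>end</b><script>unterminated'].join('\n');
console.log(filterScripts(SAMPLE, PAGE_URL).stats);
```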