whitelisted website still blocked :(

[J-Sauce]

I've been playing around with NS for two days now, trying to get

Code: Select all

http://www.findnewjams.com

to work.
The website only functions properly when I disable the extension all together.
I have the site whitelisted, and even with global permissions it still does not work.
I've tried resetting the extension and importing the settings back in but still no luck.

errors from the Error Console

Code: Select all

Error: uncaught exception: Error: Permission denied for <http://www.facebook.com> to get property Proxy.InstallTrigger

Error: Path is not defined
Source File: http://findnewjams.com/js/voting.js
Line: 451

Error: e is undefined
Source File: http://findnewjams.com/js/player.js
Line: 107

This is my homepage and would really appreciate some help! thanks!

[Tom T.]

I get the Line 451 error, plus this:

Code: Select all

Error: console is not defined
Source File: http://www.findnewjams.com/js/player.js
Line: 106

Also, in Page Info > Media,

Code: Select all

Media:
http://www.youtube.com/e/aW9MM0r-rlY?enablejsapi=1&playerapiid=ytplayer&hd=1&wmode=transparent 

0 x 0 pixels, 3.1k.

NoScript is often not fond of "transparent" things, though I did not get an actual ClearClick warning (of ClickJack attack).
However, protection against "web bugs" has been removed in latest builds, as Firefox no longer supports NoScript's ability to do so. Probably not the issue.

I'd check that "player" error, (for a coding error), because that seems to be what's missing from the site. The forward/back arrows, etc. are good.

Thanks for letting us know that it's your own site. Given that, I hope that you don't mind that the links were sanitized.

[Giorgio Maone]

[NoScript] Blocking nosniff Javascript served from https://raw.github.com/mtrpcic/pathjs/m ... ath.min.js with wrong type info text/plain, inline and included by http://www.findnewjams.com/

Don't try to use github.com as a CDN: it's a code repository, and as such anybody can drop whatever (possibly malicious) code he wants there.
As you can see, scripts (and any other file in the code repositories) are served with the "text/plain" content type (rather than "text/javascript"), which allows NoScript to discriminate them and preventing their execution.
Otherwise, allowing github.com wholesale would be very dangerous, because for obvious reasons Github's administrator have no control on the safety of the scripts hosted there.

Solution for the webmaster: copy the script in your own domain.

Work-around for the user: add https://raw.github.com/mtrpcic/pathjs/m ... ath.min.js to your noscript.inclusionTypeChecking.exceptions about:config preference.

[Tom T.]

[NoScript] Blocking nosniff Javascript served from https://raw.github.com/mtrpcic/pathjs/m ... ath.min.js with wrong type info text/plain, inline and included by http://www.findnewjams.com/

Don't try to use github.com as a CDN: it's a code repository, and as such anybody can drop whatever (possibly malicious) code he wants there.....

[facepalm] Dang. I saw that NS info message, but missed the significance: that he was in effect using github as a CDN.
Well, learn something new every day. Thanks.

[J-Sauce]

I think there's a misunderstanding here. I was saying it is my homepage, as in when I start my browser it is my favourite page to open up to.
Only recently in the last week or so has it stopped working with NS.

Sorry for the confusion, but is there anything I can do from my end. I do not own or run the site.

[Giorgio Maone]

is there anything I can do from my end. I do not own or run the site.

Work-around for the user: add https://raw.github.com/mtrpcic/pathjs/m ... ath.min.js to your noscript.inclusionTypeChecking.exceptions about:config preference.

[Tom T.]

I think there's a misunderstanding here. I was saying it is my homepage, as in when I start my browser it is my favourite page to open up to.
Only recently in the last week or so has it stopped working with NS.

Sorry for the confusion, but is there anything I can do from my end. I do not own or run the site.

I'm sorry, too, for the confusion.

But now even more it seems that Giorgio is warning that the site could easily be dangerous, because its actual webmaster (not you ) has coded carelessly, for the reasons Giorgio said. Perhaps point the webmaster to this thread, to alert of the dangers -- and until it's fixed, perhaps avoid the site, or at least not make it your home page?

@ Giorgio: Is this not true, or have I overstated from your warning?

[Giorgio Maone]

But now even more it seems that Giorgio is warning that the site could easily be dangerous, because its actual webmaster (not you ) has coded carelessly, for the reasons Giorgio said. Perhaps point the webmaster to this thread, to alert of the dangers -- and until it's fixed, perhaps avoid the site, or at least not make it your home page?

@ Giorgio: Is this not true, or have I overstated from your warning?

No, I'm not suggesting the site is dangerous.
I'm just pointing a bad coding practice (use public code repositories to offload the burden of hosting scripts) which, if generally permitted by NoScript, would lead to the dangerous situation of having any file uploaded to the repository by anyone to be preemptively allowed to run as a script.

A specific exception like the one I suggested as a work-around for users of the site in my previous posts is not more dangerous than just trusting the original site.

[Tom T.]

A specific exception like the one I suggested as a work-around for users of the site in my previous posts is not more dangerous than just trusting the original site.

Understood. And it may not be dangerous now. But with the sloppy coding, and the NS Exception, then *at any moment*, someone could drop something into Github, which might be picked up by the site in question, no?

Which is why, being a tinfoil-hatter myself , I would avoid the site until they correct the coding. In its current state, the site won't work for him without the exception. If he allows the exception, he's forfeiting NoScript's protection against any possible malicious code as above. The fact that the site is broken proves that NoScript is keeping him safe from "possible" dangers of what is definitely a poorly-coded site.

Sorry if I did not make this clear in my previous post. Please advise, once again? Thanks.

[Giorgio Maone]

A specific exception like the one I suggested as a work-around for users of the site in my previous posts is not more dangerous than just trusting the original site.

Understood. And it may not be dangerous now. But with the sloppy coding, and the NS Exception, then *at any moment*, someone could drop something into Github, which might be picked up by the site in question, no?

That exception is specific to that site, so (unless of course Github gets hacked, which would mean very high magnitude trouble) the only "someones" entitled to changing it are the commiters of the project (i.e. the persons in charge of providing the code for that JS library anyway).

[Tom T.]

Thanks for clarifying, Giorgio.