SVG and Noscript

Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: SVG and Noscript

Post by Giorgio Maone »

Tom T. wrote: But agree with the point: If NS treats that one hook as a script, then the icon should be blue and white, not plain white, when scripting is allowed and that particular hook (or any other with JS-type function) is allowed.

I too found it strange to see the solid-white icon, but script from petercollingridge showing in the Allowed or TA menu.

Giorgio?
The icon is white if no <script> HTML element has been found on the page, and it's always been this way: in other words, it should be taken just as a loose indication of the dependency of the page on scripting, but it's not meant to be accurate, especially with regard to scriptlets embedded inside HTML attributes (e.g. event handlers or javascript: URLs), whose detection at load time would be excessively performance-heavy and error-prone.

BTW, this is stated quite clearly on http://noscript.net/features :
noscript.net wrote: The number of detected <script> tags for current page is shown in a tooltip when you fly over the icon with your mouse. If the "S" inside the icon is white rather than blue, 0 script tags have been detected: this likely means you don't need to enable JavaScript in that page at all.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: SVG and Noscript

Post by Alan Baxter »

Thank you for the detailed clarification, Giorgio. Now I understand why the icon didn't indicate that NoScript was blocking any JavaScript even though it was.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
therube
Ambassador
Posts: 7930
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: SVG and Noscript

Post by therube »

the JS function evt.target.setAttribute()
Which I guess is the part I don't understand.
How do you know, or what makes it a "JS function"?
e.g. event handlers or javascript: URLs
Just what are "event handlers" or "javascript: URLs"?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20120321 Firefox/13.0a2 SeaMonkey/2.10a2
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: SVG and Noscript

Post by Giorgio Maone »

therube wrote:
e.g. event handlers or javascript: URLs
Just what are "event handlers" or "javascript: URLs"?
This is a script element (which is counted by NoScript and concurs in coloring its icon):

Code:

<script>doSomething()</script>
This is JavaScript invoked as soon as the page loads, put in the body element as an inline event handler ("onload" attribute):

Code:

<body onload="doSomething()"></body>
This is a javascript URL in the "href" attribute of an anchor element:

Code:

<a href="javascript:doSomething()">Click me to do something</a>
The onmouseover and onmouseout attributes in the SVG example are inline event handlers, executed when the mouse pointer enters or exits the element they refer to.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
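Giorgio's two explanations above (the icon colour only reflects a count of <script> elements, and scriptlets living in attributes are not picked up at load time) can be made concrete with a small scanner. This is an added example, not NoScript's own code: it counts <script> start tags the way the icon heuristic does, then separately looks for inline event-handler attributes and javascript: URLs in HTML or SVG markup. The sample markup, the regular expressions, the list of event names and the function name scanMarkup are all constructed for this example.

```javascript
// Added example, not NoScript's own code: contrast the "<script> count" that
// drives the icon colour with a search for scriptlets (inline event handlers
// and javascript: URLs) that the count never sees. The regexes are a toy
// approximation of what a real parser does; their simplicity also shows why
// such detection is error-prone (comments, CDATA, entity-encoded attribute
// values and tags split by whitespace all fool them).

// Start tags of <script> elements; this is what the icon heuristic counts.
const SCRIPT_TAG_RE = /<script\b[^>]*>/gi;
// Attributes named on<event>="..." (HTML and SVG share this syntax).
const EVENT_HANDLER_RE = /\s(on[a-z]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
// Any attribute whose value starts with javascript: (after an optional quote
// and leading whitespace, which browsers strip when parsing a URL).
const JS_URL_RE = /\s([a-z:]+)\s*=\s*["']?\s*javascript:/gi;

// Event names accepted as handlers, so an unrelated attribute that merely
// begins with "on" is not reported. (Constructed, not an exhaustive list.)
const KNOWN_EVENTS = new Set([
  'load', 'unload', 'error', 'click', 'dblclick', 'mouseover', 'mouseout',
  'mousemove', 'mousedown', 'mouseup', 'keydown', 'keyup', 'keypress',
  'focus', 'blur', 'change', 'submit',
  'begin', 'end', 'repeat', // SVG/SMIL animation events
]);

function scanMarkup(markup) {
  const scriptTags = (markup.match(SCRIPT_TAG_RE) || []).length;

  const eventHandlers = [];
  for (const m of markup.matchAll(EVENT_HANDLER_RE)) {
    const attr = m[1].toLowerCase();
    if (KNOWN_EVENTS.has(attr.slice(2))) eventHandlers.push(attr);
  }

  const jsUrls = [];
  for (const m of markup.matchAll(JS_URL_RE)) jsUrls.push(m[1].toLowerCase());

  return {
    scriptTags,
    eventHandlers,
    jsUrls,
    // The icon heuristic: blue when at least one <script> element exists.
    iconColor: scriptTags > 0 ? 'blue' : 'white',
    // What actually needs scripting permission before the page behaves.
    needsScripting: scriptTags > 0 || eventHandlers.length > 0 || jsUrls.length > 0,
  };
}

// Constructed sample: an SVG like the one discussed in this thread, with no
// <script> element but two inline handlers calling evt.target.setAttribute().
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="steelblue"
          onmouseover="evt.target.setAttribute('fill', 'tomato')"
          onmouseout="evt.target.setAttribute('fill', 'steelblue')" />
</svg>`;

// Constructed sample: the onload and javascript: URL cases from the post above,
// plus a mixed-case, space-padded variant that browsers still run as script.
const SAMPLE_HTML = `<html><body onload="doSomething()">
<a href="javascript:doSomething()">Click me to do something</a>
<a href=" JavaScript:doSomething()">Also a script URL</a>
<p>No script element on this page.</p>
</body></html>`;

// Constructed sample: a page with a real <script> element.
const SAMPLE_WITH_SCRIPT = '<p>hi</p><script>doSomething()</script>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, markup] of Object.entries({ SAMPLE_SVG, SAMPLE_HTML, SAMPLE_WITH_SCRIPT })) {
    console.log(name, JSON.stringify(scanMarkup(markup)));
  }
}
```

Run with node: the SVG and the HTML sample both come back with iconColor "white" yet needsScripting true, which is exactly the mismatch discussed in this thread, while only the third sample turns the icon "blue". Note that NoScript counts DOM script elements, not text matches; these regexes will also count a <script> inside an HTML comment and will miss an attribute whose value is entity-encoded, which is the "error-prone" part of doing this at load time.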
SmilerCurious

Re: SVG and Noscript

Post by SmilerCurious »

Giorgio Maone wrote: This is a javascript URL in the "href" attribute of an anchor element:

Code:

<a href="javascript:doSomething()">Click me to do something</a>
and what saves me having to leave an untrusted site 9 times out of 10 is Giorgio's "attempt to fix JavaScript links" option for untrusteds.
The tenth time I usually back out of the site.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

@ Giorgio:

What Alan Baxter said, and thanks for emphasizing "likely" in the Features page. I must have missed that however long ago I read it. :oops:
I think most of us just weren't aware of many instances where these script functions are invoked on pages where there is no <script> element.

@ SmilerCurious:

A tip I copied from someone, somewhere (if I had noted it, or could remember, I'd gladly give credit), on how he worked around JS links:
Was at http://cleanslate.stanford.edu/index.php. Tried to click on "about". Nothing happens. NoScript reports Stanford script being blocked.

From the above home page, http://cleanslate.stanford.edu/index.php, View > Page Source > Find "about clean slate". Found "<LI><A class=menuSubItem href="about_cleanslate.php">About Clean Slate</A>". "href" is a referral to another site, i.e. a link. So I copied "about_cleanslate.php" (the HTML parameter) to the clipboard, went back to the home page, http://cleanslate.stanford.edu/index.php, pasted "about_cleanslate.php" over "index.php", hit "enter", and I'm there!
I just retested it. The site is still there; the links still break with scripting disallowed, and his workaround-slant-hack still works. :D
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
SmilerCurious

Re: SVG and Noscript

Post by SmilerCurious »

Digging into source will find URLs certainly, Tom T, and that I will do if it's really important, but my point is that I *usually* back out of sites with un-fixed JS links because the info isn't worth either my time or trust.
With svg js stuff, as I said, with a site untrusted I'm not even going to be aware the author has animated anything, so Giorgio keeps web use streamlined and distraction-free, as well as safer. The OP may like to take that on board if they want to reach NS users.
Which is sort of why I posted here in the first place. :-)
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
SmilerCurious

Re: SVG and Noscript

Post by SmilerCurious »

SmilerCurious wrote: The OP may like to take that on board if they want to reach NS users.
Which is sort of why I posted here in the first place. :-)
Sorry rees65, how naff does that sound. :-) I mean that the OP is clearly trying to avoid blockable scripting in their design and three cheers to them for that!
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

SmilerCurious wrote: Digging into source will find URLs certainly, Tom T, and that I will do if it's really important, but my point is that I *usually* back out of sites with un-fixed JS links because the info isn't worth either my time or trust.
Agree. :)
SmilerCurious wrote: With svg js stuff, as I said, with a site untrusted I'm not even going to be aware the author has animated anything, so Giorgio keeps web use streamlined and distraction-free, as well as safer.
Agree^2. :D
... the OP is clearly trying to avoid blockable scripting in their design and three cheers to them for that!
IMHO, you were right the first time -- OP was surprised that SVG onmouseover was blocked on untrusted sites, and wondered if that was "overkill". Wanted to use onmouseover and other things, and this thread brought out that in fact, JS functions are involved in such, and can be misused.
rees65 wrote: I've been looking at SVGs, specifically for non-JavaScript interactivity.
I was surprised to see a native mouseover event blocked.
It works fine if permission is granted to the parent site.

I'm hoping someone can tell more about this, feeling that it's security overkill - is mouseover really dangerous?
I generally despise pop-out menus and other onmouseover junk, with limited exceptions: Browser menus, NS menu, etc., because I use them every day, and so expect them and know where they are.
But at a strange or infrequent site, it's distracting to have stuff jump out at you while innocently moving the mouse pointer. Any possible misuse is even more reason to avoid.

What the heck is wrong with HTML links, anyway? (for site navigation) -- perhaps with "show/hide" to save the space that mouseover menus also save.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
SmilerCurious

Re: SVG and Noscript

Post by SmilerCurious »

Tom T. wrote: IMHO, you were right the first time
No I was wrong. You may have missed this post http://forums.informaction.com/viewtopi ... =15#p36695 from rees65, who did declare:
I'm approaching this as a developer wishing to add user interactivity without dropping into scripting.
And now that this thread has dissected source to show where scripting runs without declared <script> HTML, I bet rees65 understands that the mouseover scriptlet isn't as benign as it seemed initially, because Giorgio has explained that scriptlets aren't always picked up.
So that "you may want to" from me does look naff in this context and I most certainly don't want to upset a developer with their heart clearly already in the NS camp :-)

Re animated menus, there can be a place for them when a site has many functions - for example banking and government agencies - so that the home page isn't disgustingly cluttered with text. But many developers just grab template designs for cluttered menus and use them for as little as a single link and not for complex site mapping. Which is indeed annoying. The basics of menu animation were grasped very early on by eager web designers and there are some great examples of really annoying Mystery Meat Navigation on the webpagesthatsuckdotcom site.
Web design has its share of bad exponents. Which is why we need Giorgio.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: SVG and Noscript

Post by GµårÐïåñ »

Tom T. wrote: Thanks for your explanation of particular event hooks being identified and treated as JS (maybe FAQ should reference that?)
Although such events are also available inside HTML, which leads to ambiguity and confusion, since people assume they are the same. Things such as onLoad, onMouseover, etc., although initially released as part of an enhanced DHTML protocol (basically adding minor scripting), have now been pretty much swallowed, for lack of a better term, inside the JS engine. Therefore, despite some fringe objections, it is most appropriate to consider them as scripting methods, since they control events.
What was causing difficulty, I think, at the UK site was that the root's script had to be allowed. Once that is allowed, then all subfolders are allowed to run script, *including internal hook calls that qualify as script*, even though *that page* shows no JS of its own. Correct? (If so, "yes" will suffice. :D )
Yes
IMHO, Giorgio is absolutely right to poke no holes in this. Imagine how easily this same mouseover effect could be used maliciously. Possibly some might trip ClearClick, but as you said, the SMIL and other various components could be attack vectors. If we don't trust the site, we shouldn't trust *any* executable, or user-action-driven, code. Agree? (1=Yes; 0=No :mrgreen: )
Yes

EDIT: Ah hell. I saw this quoted post from Tom and I went to reply and then it posted and I was like, what the hell, this looks different and then noticed there has been a whole page of discussion since I started to reply to that message. SHEESH :shock:
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: SVG and Noscript

Post by Tom T. »

SmilerCurious wrote:
Tom T. wrote: IMHO, you were right the first time
No I was wrong. You may have missed this post http://forums.informaction.com/viewtopi ... =15#p36695 from rees65, who did declare:
I'm approaching this as a developer wishing to add user interactivity without dropping into scripting.
And now that this thread has dissected source to show where scripting runs without declared <script> HTML, I bet rees65 understands that the mouseover scriptlet isn't as benign as it seemed initially, because Giorgio has explained that scriptlets aren't always picked up.
So that "you may want to" from me does look naff in this context and I most certainly don't want to upset a developer with their heart clearly already in the NS camp :-)
In the last post, at first I started to agree on the "three cheers", then something alarmed in the noggin, so I re-read OP's OP -- but *not* the later quote; you're correct about that.

So just re-read it, and still a bit ambiguous:
SVG supports <script> tags and I would expect that to be blocked - being a significant potential security threat.
But its native methods, eg onmouseover, I imagined would be fine, in as much as I wouldn't expect NS to block CSS.

I'm approaching this as a developer wishing to add user interactivity without dropping into scripting.
... which may mean that rees65 still wants to use mouseover and other event hooks, albeit without explicit <script> tags or things like SVG that support executables. Maybe OP will come back and tell us?

IF in fact rees65 does code the pages without these event-driven things -- I loved Giorgio's term, "scriptlets", as it's a perfect analogy to Java's "applets" --
then indeed.

ELSEIF -- :(
Re animated menus,.... really annoying Mystery Meat Navigation on the webpagesthatsuckdotcom site.
Great minds think alike. I came sooo close to citing that site to you and OP. :ugeek: :ugeek:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
SmilerCurious

Re: SVG and Noscript

Post by SmilerCurious »

Tom T. wrote: still a bit ambiguous
To you maybe, not to me. The OP possibly thought script tags were the only js svg used. The thread shows scriptlets are also involved; js is pluripotent all over web stuff and html5 is getting presented in some places without the js distinction being made clearly enough. svg/js isn't as benign as CSS and the OP will have taken this on board in their stated desire to avoid scripting in interaction.

Hi rees65!
Ain't it grand when people talk *about* you ;-)
My opinion is that you will avoid dangerous scripting, however it's implemented.
Otherwise, why come to the NS forum to firm up your knowledge of it?

all the best to you :-)
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0