[RESOLVED] Newest NS versions break cross-hosted stylesheets

[CJax]

Q: problem?
A: Since Noscript 2.4.2 (newewst RC was tested, nothing changed) cross-hosted stylesheets (and probably some scripts to) are not loading at all anymore, breaking websites like AMO, Youtube, Wikipedia and others who use stylesheets hosted on other servers.

Q: Sure?
A: Absolutely, I singled out Noscript to be the cause by deactivating all Addons except Noscript and then allowing scripts globally... it wouldn't work. On the other hand only disabling Noscript while having every thing else enabled makes all these sites load their stylesheets correctly.

Q: Only Stylesheets?
A: Could be more, but not having stylesheets makes today's webpages unusable anyway.

Q: culprit?
A: XSS-filter:
a) It's been tweaked the most lately
b) It doesn't work with all scripts and objects allowed, so that can't be it.

Q: Versions?
A: You can see, but it also doesn't work with the Stable Friefox 12 release.

Thanks in advance

[Thrawn]

Hmm...I can't reproduce this, but:

• XSS filter couldn't really be it, since you're talking about stylesheets, which aren't active content. Even a sanitised request should still be able to retrieve them.
• Have you used any custom ABE rules? Options-Advanced-ABE to see them.
• Any messages in Tools-Error Console?
• Have you tried a new profile with nothing installed except NoScript?

[Tom T.]

I haven't had any trouble with any of those sites, either.

Q: Sure?
A: Absolutely, I singled out Noscript to be the cause by deactivating all Addons except Noscript and then allowing scripts globally... it wouldn't work. On the other hand only disabling Noscript while having every thing else enabled makes all these sites load their stylesheets correctly.

Doesn't eliminate the possibility of a corrupt profile, as Thrawn suggested.
Also, if "absolutely", why can't we reproduce it? Can you borrow another machine that has NS, and see if it's reproducible on that one?

Q: culprit?
A: XSS-filter:
a) It's been tweaked the most lately

Irrelevant and illogical.

b) It doesn't work with all scripts and objects allowed, so that can't be it.

If it were the XSS filter, you would receive various XSS notifications. Since you haven't reported any, that actually *eliminates* the XSS filter as a culprit.
See XSS FAQ

[hanfi]

Hi,

I got a similar problem today (well, maybe it was there before, but i did not hit it).
The page in question is a php script returning a xml-page which is then rendered using xslt-stylesheet (not css!)

Now i find these lines in the error console of firefox:

Code: Select all

[NoScript] Blocking cross-site CSS served from https://spahan.ch/mail.xsl with wrong type info application/xml and included by https://spahan.ch/aliasManager.php

Well, first, this is not actually cross-hosted and second, the xsl stylesheet IS xml.
So i think something is wrong here.

NS-Version in use is 2.4.3rc3

[dhouwn]

Well, first, this is not actually cross-hosted and second, the xsl stylesheet IS xml.

Maybe it expects the precise content type, see:

This appendix registers a new MIME media type, "application/xslt+xml".

Also XSLT is still blocked per default on untrusted pages (since it's pretty powerful, Turing-complete), which can be toggled in the "Untrusted" section of the "Advanced" options.

But indeed, it's not cross-site.

[hanfi]

Well, first, this is not actually cross-hosted and second, the xsl stylesheet IS xml.

Maybe it expects the precise content type, see:

This appendix registers a new MIME media type, "application/xslt+xml".

I added the xslt+xml type to my webserver, now i get a similar error....

Code: Select all

[NoScript] Blocking cross-site CSS served from https://spahan.ch/mail.xsl with wrong type info application/xslt+xml and included by https://spahan.ch/aliasManager.php

Also XSLT is still blocked per default on untrusted pages (since it's pretty powerful, Turing-complete), which can be toggled in the "Untrusted" section of the "Advanced" options.

Yes, i always have to allow the site, that is expected.

I too tried disable NoScript and then the page works without problems.
I created a test case (by simply using a static xml instead the php script) one can find here: https://spahan.ch/test.xml (please ignore ssl errors, i fix that when i get some spare time :-p)

[Giorgio Maone]

Looks like a regression from

v 2.4.3rc3
=========================================================================
[...]
x Fixed exception raised by inclusion type checks when parent document's
URI has no host

Investigating, thanks.

[Giorgio Maone]

Fixed in latest development build 2.4.4rc1, thank you.

[ATKoerner]

Fixed in latest development build 2.4.4rc1, thank you.

Thanks for fixing. I've had the same problems with local xslt style sheet transformations not working any longer with NoScript 2.4.3