EDIT: this problem can be reproduced only if you block @font-faces also for whitelisted sites. Added text is bold, removed text is struck out.
Steps to reproduce and current results:
In your NoScript Option -> Embeddings, select "Forbid @font-face" and "Apply these restrictions to whitelisted sites too"
Open this pdf file. Notice that the document font is messed up.
Go to the Noscript menu. Notice that there's an entry named "Allow pdf.js", and there's a greyed out entry, "Forbid resource:", with no subentries.
Click on "Temporarily allow all this page". Notice that the document is still messed up.
Go to "Blocked objects", select one subentry and give "ok" to the eventual popup. Now the document is displayed with the correct font. Notice that "Forbid resource" entry is not changed.
Click on "Revoke temporary permissions".
Select one of "Blocked objects" subentried. Notice that document is displayed correctly again.
Manually reload the page. The font now is messed up again
Expected results:
3. "Forbid resource" should be displayed only when a resource is allowed. Furthermore I suspect that pdf.js is not a site but a script embedded inside the pdf, and this is not clear what NoScript will allow there.
3. Resource should be allowed if pdf.js is allowed.
5. "Blocked objects" should be renamed to "Allow resources" for consistency. Furthermore is not clear what is the difference between subentries, and why the confirmation popup is displayed only for the first subentry.
8. Document should refresh if a resource changes is allowed status (and if you have the setting).
I tested it on Firefox 21.0 on Linux 32 bit, with NoScript 2.6.6.2
Last edited by Lucas Malor on Thu Jun 13, 2013 7:29 am, edited 3 times in total.
Lucas Malor wrote:Steps to reproduce and current results:
Open this pdf file. Notice that the document font is messed up.
Nope. Looks fine to me.
Expected results:
2. "Forbid resource" should be displayed only when a resource is allowed. Furthermore I suspect that pdf.js is not a site but a script embedded inside the pdf, and this is not clear what NoScript will allow there.
I suspect that 'resource' is in fact allowed, and that the greyed-out entry is to show that something unblockable (ie part of the browser itself) is present.
4. "Blocked objects" should be renamed to "Allow resources" for consistency. Furthermore is not clear what is the difference between subentries, and why the confirmation popup is displayed only for the first subentry.
I think that the naming of the Blocked Objects submenu is consistent with the naming of the other submenus (Untrusted and Recently Blocked Sites).
I tested it on Firefox 21.0 on Linux 32 bit, with NoScript 2.6.6.2
Ditto, but the font looked fine to me even with the whole site blocked.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:21.0) Gecko/20100101 Firefox/21.0
Thrawn wrote:I think that the naming of the Blocked Objects submenu is consistent with the naming of the other submenus (Untrusted and Recently Blocked Sites).
Good observation. I think anyway it is not, since "Untrusted" entry groups together subentries that let you to both trust and untrust a site, and furthermore they let you make the permission permanent.
I would add that apparently there's no way to permanently allow objects from "Blocked Objects" menu. I have to allow the hosting site from "Recently Blocked Sites", and furthermore the affected web pages are not reloaded automatically.
Is it not much simpler to add these entries to the main list as well?
that said, +1 to a GUI for that pref in Blocked Objects submenu (as in, when forbidden Flash from https://somesi.te is present add entry like "Allow shockwave-flash@https://somesi.te" that would append something like
Well, it would be great, but I think the current behavior (add them to capability.policy.maonoscript.sites) is enough.
The main problem is that if a site includes some object (font, iframe etc) but no javascript, it will be not listed in the normal menu list.
See for example an item in ebay.it. If you're signed in, item descriptions are embedded in a iframe, and the iframe source domain, vi.vipr.ebaydesc.com, is not listed in the main list, but only in the Blocked objects submenu. To add a permanent exception the easiest way is to click the noscript placeholder, select the domain and add it manually to the whitelist.
PS: thank you for the noscript.allowedMimeRegExp tip.
