NoScript blocking CORS

yanosz
Posts: 3
Joined: Tue Jan 21, 2014 12:26 am

Post by yanosz »

Hello folks,

I noticed that NoScript is blocking CORS requests by default. Example: http://register.kbu.freifunk.net/app/map (Source is: https://github.com/ff-kbu/ff-serv/blob/ ... app.js#L46)
This should not happen - the CORS request is legit. Furthermore, there is no notice / warning regarding this incident allowing user interaction. :-(

How can I make this CORS request comply with NoScript without forcing the user to make his way through Tools -> Add-Ons -> etc.?

Thanks,
Jan
Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131030 Firefox/17.0 Iceweasel/17.0.10
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript blocking CORS

Post by Thrawn »

On that page, I'm getting a dialog:
Der Browser konnte die Node-Statistik nicht laden - Ggf. verhindert NoScript den CORS-Request
which Google translates to:
The browser was unable to load the node statistics - if necessary. NoScript prevents the CORS request
Nothing in Browser Console though.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript blocking CORS

Post by Thrawn »

It looks like that message is actually coming from a hosted copy of the JQuery library.

Despite what it says, it might not be NoScript-related.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
yanosz
Posts: 3
Joined: Tue Jan 21, 2014 12:26 am

Re: NoScript blocking CORS

Post by yanosz »

Hello,
Thrawn wrote:It looks like that message is actually coming from a hosted copy of the JQuery library.

Despite what it says, it might not be NoScript-related.
Well, the message is set by me - take a look at the source-code on github: https://github.com/ff-kbu/ff-serv/blob/ ... app.js#L61
IMHO it is NoScript related. If I disable NoScript, everything is fine here.

Greetz, Jan
Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131030 Firefox/17.0 Iceweasel/17.0.10
Giorgio Maone
Site Admin
Posts: 9557
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript blocking CORS

Post by Giorgio Maone »

Is stats.kbu.freifunk.net (or just freifunk.net) in your whitelist?
If not, that's expected, because cross-site XHR, by default, is allowed only towards whitelisted destinations:
NoScript 1.4.9.4 changelog wrote: v 1.4.9.4
==========================================================================
+ Added client-side policy control for new Firefox 3 cross-site XHR,
configurable via noscript.forbidXHR about:config preference:
0 - Allow any XHR
1 - Allow cross-site XHR across trusted sites only (default)
2 - Allow same-site XHR only (like Firefox 2)
3 - Forbid all XHR
Otherwise it might be a bug, but I cannot reproduce it, even if I explicitly run this contrived test case in a console:

Code:

    // Cross-site request from the map page to the statistics host
    $.getJSON('http://stat.kbu.freifunk.net/nodes.json', function(data) {
        // toSource() is Firefox-specific
        alert(data.toSource());
    }).error(function(xhr, error, errorThrown) {
        // Show the HTTP status and the thrown error text on failure
        alert("Error: " + xhr.status + errorThrown);
    });
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
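
The four noscript.forbidXHR levels quoted in the changelog above, as an added example that is not part of any post in this thread and is not NoScript's own code. It assumes that "same-site" means same origin and that a whitelist entry is a bare host name that also covers its subdomains; the function and constant names are hypothetical.

```javascript
// Added example: a model of the noscript.forbidXHR levels, not NoScript's code.
// Assumptions: "same-site" means same origin; a whitelist entry is a bare host
// name that also covers its subdomains.
const FORBID_XHR = { ALLOW_ANY: 0, TRUSTED_ONLY: 1, SAME_SITE_ONLY: 2, FORBID_ALL: 3 };

// Match on a label boundary so "notfreifunk.net" does not match "freifunk.net".
function isWhitelisted(host, whitelist) {
  return whitelist.some((entry) => host === entry || host.endsWith('.' + entry));
}

// Decide whether a script on pageUrl may send an XHR to targetUrl.
function xhrAllowed(level, pageUrl, targetUrl, whitelist) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const crossSite = page.origin !== target.origin;
  switch (level) {
    case FORBID_XHR.ALLOW_ANY:
      return true;
    case FORBID_XHR.TRUSTED_ONLY:
      // Default level: cross-site only towards whitelisted destinations.
      return !crossSite || isWhitelisted(target.hostname, whitelist);
    case FORBID_XHR.SAME_SITE_ONLY:
      return !crossSite;
    case FORBID_XHR.FORBID_ALL:
      return false;
    default:
      throw new RangeError('unknown forbidXHR level: ' + level);
  }
}

// URLs from the thread; the whitelists are constructed sample data.
const PAGE = 'http://register.kbu.freifunk.net/app/map';
const TARGET = 'http://stat.kbu.freifunk.net/nodes.json';
for (const wl of [[], ['register.kbu.freifunk.net'], ['freifunk.net']]) {
  console.log(JSON.stringify(wl), '->', xhrAllowed(FORBID_XHR.TRUSTED_ONLY, PAGE, TARGET, wl));
}
```

Under these assumptions, whitelisting only the page's own host is not enough at level 1; the destination host or a parent domain of it has to be listed.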
Giorgio Maone
Site Admin
Posts: 9557
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript blocking CORS

Post by Giorgio Maone »

OK, after a while that I've kept your page opened in a background tab, the alert popped out.
It turns out, though, that it was a "304 not modified" response, which by your logic ("if (status !== 0)") is treated as an error while it is not. It just means you should use your cached data, if any, or explicitly ask for a refresh.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
yanosz
Posts: 3
Joined: Tue Jan 21, 2014 12:26 am

Re: NoScript blocking CORS

Post by yanosz »

Hello,

thanks for your effort in debugging.
Giorgio Maone wrote:OK, after a while that I've kept your page opened in a background tab, the alert popped out.
It turns out, though, that it was a "304 not modified" response, which by your logic ("if (status !== 0)") is treated as an error while it is not. It just means you should use your cached data, if any, or explicitly ask for a refresh.
Hmm... that's strange. When I was debugging this issue it was like: NoScript enabled: doesn't work. Without NoScript: does work. Using Wireshark I noticed that there was no HTTP request traffic while using NoScript.

The status condition is not responsible for detecting errors. When we get there, jQuery has run into an exception (L 58). This usually does not / should not happen with 304 codes.
From my observation: status is 0 when no HTTP request has been made and thus no return code is available. This coincides with the fact that error and errorThrown are nil.

This imho leads to the conclusion:
a) Either JQuery is buggy and is unable to perform XHR-Requests correctly (nothing to see in wireshark, blank fields in the callback)
b) Or NoScript prevents JQuery from making its call, without notifying the user.

Personally I suspect b) (due to the "No NoScript => No Problem" observation) but I'm not sure about this. It might be a combination of NoScript and jQuery, too.

Thanks,
Jan
Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131030 Firefox/17.0 Iceweasel/17.0.10
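
The status values discussed in the last two posts (0 and 304), as an added example that is not part of the thread, ff-serv or jQuery: a helper that sorts the arguments of a jQuery error callback into cases a page can report separately. The function name, result fields and hint texts are hypothetical; the sample argument tuples are constructed.

```javascript
// Added example, not ff-serv or jQuery code. Names and messages are hypothetical.
// Inputs are what jQuery hands to an error callback: jqXHR.status, textStatus
// ("timeout" | "error" | "abort" | "parsererror") and errorThrown.
function classifyXhrFailure(status, textStatus, errorThrown) {
  if (textStatus === 'timeout' || textStatus === 'abort') {
    return { kind: textStatus, hint: 'Request did not finish.' };
  }
  if (textStatus === 'parsererror') {
    // A response did arrive, so nothing blocked the request itself.
    return { kind: 'parsererror', hint: 'HTTP ' + status + ' body was not valid JSON.' };
  }
  if (status === 0) {
    // No HTTP status was exposed to the script. From inside the page a
    // client-side block (policy or extension), a failed CORS check and a
    // network failure all look the same.
    return { kind: 'no-response', hint: 'No response reached the script.' };
  }
  if (status === 304) {
    return { kind: 'not-modified', hint: 'Reuse cached data or request a refresh.' };
  }
  if (status >= 400) {
    return { kind: 'http-error', hint: 'Server answered ' + status + ' ' + (errorThrown || '') };
  }
  return { kind: 'unexpected', hint: 'Status ' + status + ' in an error callback.' };
}

// Constructed sample callback arguments: [status, textStatus, errorThrown].
const SAMPLES = [
  [0, 'error', ''],
  [304, 'error', 'Not Modified'],
  [503, 'error', 'Service Unavailable'],
  [200, 'parsererror', 'SyntaxError'],
  [0, 'timeout', 'timeout'],
];

function classifyAll(samples) {
  return samples.map(([s, t, e]) => classifyXhrFailure(s, t, e).kind);
}

console.log(classifyAll(SAMPLES).join(', '));
```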