(Invalid) Scripts Not Blocked On data: URIs!

[barbaz]

NS 2.6.8.26rc1, SeaMonkey 2.26 (and Palemoon 24.5)
noscript.allowURLBarJS -> true

STR:
enter in address bar

Code: Select all

data:text/html,<div id=%221%22>...</div><script>document.getElementById(%221%22).innerHTML=%22Scripts ARE ENABLED HERE%22</script>

Expected results: shows "..."
Actual results: shows "Scripts ARE ENABLED HERE", but the icon indicates that scripts are forbidden!

[therube]

> noscript.allowURLBarJS -> true

In SeaMonkey, you don't even need to do that.
All you need to do is to open about:config. That is sufficient.
Then just type your data: URI (or javascript: code).

[therube]

Hmm.
And FF works differently...

[Giorgio Maone]

This is by design.
Actually NoScript goes great length to ensure this works.
Of course, if a non-whitelisted page tries to load a data: URI, scripts will be blocked there.

[therube]

But FF & SeaMonkey give different results.

FF returns: "..."
SeaMonkey: "Scripts ARE ENABLED HERE"

Both browsers indicates that scripts are forbidden!

[Giorgio Maone]

Both browsers indicates that scripts are forbidden!

And scripts ARE forbidden indeed. NoScript enables them "on the fly" if the URL is entered in the URL bar, just like it does with bookmarklets, then disable them back as soon as the "bookmarklet" execution is done.

[therube]

NoScript enables them "on the fly" if the URL is entered in the URL bar, just like it does with bookmarklets, then disable them back as soon as the "bookmarklet" execution is done

Right, & I expect that.

But, SeaMonkey (& seemingly Palemoon) return different results from FF ?

[therube]

Arbitrarily picked some old NoScript, noscript-2.6.8.10rc1.xpi, & that returns the same results in both browsers, "Scripts ARE ENABLED HERE".

So is the actual situation that, Scripts Are Blocked On data: URIs in FF 29 ?

[therube]

Arbitrarily picked some old NoScript

No, that does not matter, is not the issue. Current NoScript is fine to test with.


Ah, maybe it's "about:blank" (about:newtab) ?

about:newtab

[therube]

http://forums.informaction.com/viewtopic.php?f=8&t=9204

it looks like JavaScript does not work within the context of about:newtab at all - regardless of extensions

So, if that is correct, expected, then there appears to be no issue at all.

[barbaz]

This is by design.
Actually NoScript goes great length to ensure this works.
Of course, if a non-whitelisted page tries to load a data: URI, scripts will be blocked there.

Ah OK then. Didn't realize NS differentiated between URL bar data: URI loads and content-originated data: URI loads.
Tried the obvious exploit scenario - meta refresh to a data URI from a script-blocked server - and indeed, the script did not run.
Also tried allowing the server - and the script ran if I clicked a link (inserted by NoRedirect) to the data URI, but it was blocked if I simply allowed the meta refresh the normal way.

Sorry about the misunderstanding.