data:-URLs cannot be whitelisted

Rob Wu
Posts: 1
Joined: Thu Oct 23, 2014 4:15 pm

Post by Rob Wu » Thu Oct 23, 2014 4:35 pm

I'd like to whitelist data-URIs that I type in the address bar. Unfortunately, NoScript blocks data:-URLs, without any exception. Contrary to my expectations, the NoScript button does not have any "Temporarily allow data:text/html,..." option.

"noscript.allowURLBarJS" is set to true in about:config (as suggested here), but that did not give me the ability to whitelist data:-URLs. To make sure that it is not caused by a conflicting add-on, I've created a new Firefox profile and installed NoScript from the website (stable and dev versions).

Steps to reproduce:

1. Open a new tab
2. Type "data:text/html,<script>alert(0)</script>" and press Enter
3. Expected result: Dialog with "0" being displayed. Actual result: No dialog at all.

- Firefox 33.0 (Linux)
- NoScript 2.6.9.2 and 2.6.9.3rc2

How can I get NoScript to whitelist data:-URLs?
Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0

barbaz
Senior Member
Posts: 9029
Joined: Sat Aug 03, 2013 5:45 pm

Re: data:-URLs cannot be whitelisted

Post by barbaz » Thu Oct 23, 2014 4:40 pm

I thought it was supposed to allow scripts on URL-bar-typed data: URIs automatically?
EDIT Scratch what was here before. Decided to try this myself, on SeaMonkey - and it works as you say is expected.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 Gecko/20100101

Post by barbaz » Thu Oct 23, 2014 10:58 pm

However, confirmed broken in latest development build in Firefox 31 ESR (also on Linux), clean profile.
Allow Scripts Globally does get it working, but that's the only thing that gets it working...

Seems this is a Firefox-specific bug.
Mozilla/5.0 Gecko/20100101

therube
Ambassador
Posts: 7362
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Post by therube » Fri Oct 24, 2014 11:20 pm

FF 32.0.3

Code:

The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol. script>



And yes, SeaMonkey works as expected (mostly).

(Mostly. Still the issue with being too quick & also about:config enabling URL entry without ... something, perhaps enabling the actual Pref - but I'm not complaining about either.)

(frickin FF, Help | About & it automatically starts to download the update. Suppose I hadn't specifically turned off Updating.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 SeaMonkey/2.30

baptx
Posts: 12
Joined: Tue Apr 28, 2015 7:09 pm

Post by baptx » Tue Apr 28, 2015 7:42 pm

This bug is still present with NoScript in Firefox 37. I remember at the beginning of October 2014, the bug was not present.
We can't use Firefox data: with NoScript until we "allow scripts globally", like barbaz said and we can't add data: in whitelist, why?
I don't know if it's a Firefox specific bug, here is the error on Firefox console (Ctrl + Shift + J): Component returned failure code: 0x805e0007 [nsIWebNavigation.loadURI]

This is a serious problem that has to be fixed. Now people using NoScript are losing Firefox functions, for example the right click -> View Image on an HTML5 canvas will fail.
You can try it yourself, I have a canvas example here: http://drawcode.eu/projects/connect-points/
Before the bug, Firefox would open the data URL in the browser (data:image/png;base64,xxxxx).

I also used it a lot for hacks:
data:text/html,<iframe src="http://www.youtube.com/embed/video_ID">
or
document.location = "data:text/html;charset=utf-8," + encodeURIComponent(document.body.innerHTML).
(Edit: the second example still works)

The canvas view image broken function is a problem that a lot of NoScript users will have. Have you any news on this bug?
Last edited by baptx on Tue Apr 28, 2015 8:35 pm, edited 2 times in total.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0

Post by barbaz » Tue Apr 28, 2015 7:58 pm

baptx wrote: This bug is still present with NoScript in Firefox 37. I remember at the beginning of October 2014, the bug was not present.
We can't use Firefox data: with NoScript until we "allow scripts globally", like barbaz said and we can't add data: in whitelist, why?
I don't know if it's a Firefox specific bug, here is the error on Firefox console (Ctrl + Shift + J): Component returned failure code: 0x805e0007 [nsIWebNavigation.loadURI]

I think that is a different story... please try to go to about:config > set noscript.allowURLBarJS to true and then copy+paste the data URI

Post by baptx » Tue Apr 28, 2015 8:34 pm

I already have set noscript.allowURLBarJS to true. The problem is that we cannot directly open a data URL in Firefox when using NoScript. I have found that if we use JavaScript to open the data URL, it works. For example in URL bar javascript:document.location = "data:text/html,<iframe src=\"http://www.youtube.com/embed/video_ID\">". But using just data:text/html,<iframe src="http://www.youtube.com/embed/video_ID"> in URL bar does not work.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0

Post by barbaz » Tue Apr 28, 2015 9:34 pm

Huh. So they don't.
Firefox 37.0.2, NoScript latest development build


(Thanks for the report, this feels like a very recent regression, give me a moment...)

Post by barbaz » Tue Apr 28, 2015 9:41 pm

I'm really confused.
I could have sworn I discussed the subject of data: URIs with Giorgio in PM and it was working.
But even with the exact Firefox & NoScript versions where it worked for me before, it's not working now?

(I tested a clean profile then and now too, this is weird...)



(To note, SeaMonkey is not affected, you can type data: URIs in SeaMonkey and they will load.)

Post by baptx » Mon May 18, 2015 9:41 pm

I see we still cannot open data: URIs with NoScript enabled.
So I tried older versions of the addon and found that the problem appeared in version 2.6.9.20rc1 (March 28, 2015): https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/?page=1#version-2.6.9.20rc1
I checked the source code, you can easily see the diff with previous version on this GitHub mirror: https://github.com/avian2/noscript/commit/18ec90050f36a6afea492c3b4de01beef317a0ba

The problem comes from the code in xpi/chrome/content/noscript/Policy.js at line 560:

Code:

else if (!this.isJSEnabled(originSite = this.getSite(originURL))) {
  return this.reject("top level data: URI from forbidden origin", arguments);
}

I don't know what it is for but it breaks data: URIs. If I remove the "else if" block from the latest version of NoScript, the problem is fixed.
For information, the code is not the same in latest version and looks like this:

Code:

else if (
  !(aContext.ownerDocument.URL === originURL // Addon-SDK panels
    || this.isJSEnabled(originSite = this.getSite(originURL)))
) {
  return this.reject("top level data: URI from forbidden origin", arguments);
}

I hope you will fix it, thanks.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
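
The check quoted in the post above, modeled as an added example (not NoScript's code and not part of the original post). It covers only the quoted `else if` branch; the whitelist contents, `getSite()` reducing a URL to its origin, and the request object are assumptions, and `keepCheck=false` models the variant with the block removed.

```javascript
// Added model of the quoted check; not NoScript's code.
// Hypothetical: the whitelist, getSite() as "URL origin", the request shape.
const WHITELIST = new Set(["https://trusted.example"]); // constructed sample

// Stand-in for getSite(): reduce a URL to its origin, "" if it has none.
function getSite(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? "" : origin;
  } catch (e) {
    return "";
  }
}

// Stand-in for isJSEnabled(): is the site on the script whitelist?
function isJSEnabled(site) {
  return WHITELIST.has(site);
}

// Models only the quoted "else if" branch for a top-level data: load.
// keepCheck=false models the variant with the block removed.
function checkTopLevelData(req, keepCheck = true) {
  if (!/^data:/i.test(req.targetURL)) return "not a data: URI";
  if (!keepCheck) return "accept";
  const samePanelDoc = req.contextDocURL === req.originURL; // Addon-SDK panels
  if (!(samePanelDoc || isJSEnabled(getSite(req.originURL)))) {
    return "reject: top level data: URI from forbidden origin";
  }
  return "accept";
}

// Constructed requests: the data: URI is the one from the first post.
const target = "data:text/html,<script>alert(0)</script>";
const fromTrusted = { targetURL: target, originURL: "https://trusted.example/a",
                      contextDocURL: "https://trusted.example/b" };
const fromUntrusted = { targetURL: target, originURL: "http://untrusted.example/a",
                        contextDocURL: "http://untrusted.example/b" };

function runDemo() {
  return {
    trusted: checkTopLevelData(fromTrusted),
    untrusted: checkTopLevelData(fromUntrusted),
    untrustedCheckRemoved: checkTopLevelData(fromUntrusted, false),
  };
}

console.log(runDemo());
```

In this model, removing the block changes only one outcome: the script-carrying data: document requested from the non-whitelisted origin is accepted instead of rejected.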

Post by barbaz » Mon May 18, 2015 9:50 pm

It's to do with viewtopic.php?f=7&t=20657 - I noticed inconsistencies in data: URI handling, and that's how Giorgio fixed it...

Post by baptx » Tue Jun 09, 2015 5:53 pm

If someone wants a fix while the bug is still present in the official NoScript release, I created a fork with the patch: https://github.com/avian2/noscript/pull/4

Edit: A workaround to view the data: URI of an HTML5 canvas is to right click on it and select "View Image" while pressing the "Ctrl" key, so it opens data: URI in a new tab without being blocked by NoScript bug.
It is also possible to open "data:text/html,<iframe src="http://www.youtube.com/embed/video_ID">" in a new about:blank tab but not an existing website tab.
I hope you will fix this problem, it looks like my patch was ignored.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0

Post by barbaz » Tue Dec 15, 2015 5:07 pm

Your patch outright removes an important security measure as well as workaround code needed for certain Addon-SDK panels, it's no surprise it was ignored by Giorgio.