Conflict betwen Noscript and slovari.yandex.ru

[Renji]

I'm open slovari.yandex.ru, input any text into input field and press enter. If javascript disabled via Noscript, first press of "enter" don't have any effect. Second press work.
If I'm remove Noscript addon, go to about:config and disable script via javascript.enabled value, this bug don't appear. First press of "enter" have expected effect. Therefore this is bug in Noscript, non in site or Firefox themselves.
In other sites this bug don't appear.

[barbaz]

When this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

[Renji]

When this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

In moment when bug occurs I'm see nothing. Before this and some short time after second press "enter" I'm have some warnings. For more info, this bug appear in fresh installed Debian 8 Mate. After this I'm try use Debian Cinamon LiveCD, effect is same - bug appear, but only in one site.

Warnings right after browser load:

Code: Select all

While registering XPCOM module file:///usr/lib/iceweasel/components/libdbusservice.so, trying to re-register CID '{75a500a2-0030-40f7-86f8-63f225b940ae}' already registered by <static module>.
Failed to load native module at path '/usr/lib/iceweasel/components/libxpcomsample.so': (80004005) /usr/lib/iceweasel/components/libxpcomsample.so: cannot open shared object file: No such file or directory
Could not read chrome manifest 'file:///usr/lib/iceweasel/browser/extensions/%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D/chrome.manifest'.
"[CustomizableUI]" "Custom widget with id loop-button does not return a valid node" CustomizableUI.jsm:167
[ABE WAN] Detected WAN IP X.X.X.X
Key event not available on some keyboard layouts: key="r" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
A promise chain failed to handle a rejection. Did you forget to '.catch', or did you forget to 'return'?
See https://developer.mozilla.org/Mozilla/JavaScript_code_modules/Promise.jsm/Promise

Date: Mon Feb 22 2016 07:06:33 GMT+0300 (MSK)
Full Message: Error: loop is not enabled
Full Stack: this.MozLoopService.initialize<@resource:///modules/loop/MozLoopService.jsm:1110:29
TaskImpl_run@resource://gre/modules/Task.jsm:314:40
TaskImpl@resource://gre/modules/Task.jsm:275:3
createAsyncFunction/asyncFunction@resource://gre/modules/Task.jsm:249:14
LoopUI.init@chrome://browser/content/browser.js:4485:7
gBrowserInit._delayedStartup@chrome://browser/content/browser.js:11917:5
 MozLoopService.jsm:1110:0

Some time after second "Enter":

Code: Select all

HEAD 
XHR 
https://slovari.yandex.ru/%5C/%5C/suggest-slovari.yandex.ru%5C/ [HTTP/1.1 404 Not Found 18ms]
HEAD 
XHR 
https://slovari.yandex.ru/test/%D0%BF%D0%B5%D1%80%D0%B5%D0%B2%D0%BE%D0%B4/%5C/%5C/suggest-slovari.yandex.ru%5C/ [HTTP/1.1 404 Not Found 17ms]
no element found data::1:1
1456114053555	Toolkit.GMP	ERROR	GMPInstallManager.onLoadXML could not load xml: [Exception... "SSL is required and URI scheme is not https."  nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: checkCert :: line 142"  data: no] Log.jsm:749:0
1456114053556	Toolkit.GMP	ERROR	GMPInstallManager.simpleCheckAndInstall Could not check for addons: {"target":{},"status":200,"message":"[Exception... \"SSL is required and URI scheme is not https.\"  nsresult: \"0x8000ffff (NS_ERROR_UNEXPECTED)\"  location: \"JS frame :: resource://gre/modules/CertUtils.jsm :: checkCert :: line 142\"  data: no]"} Log.jsm:749:0

[barbaz]

Just to be clear, does disabling all extensions other than NoScript get it working? (Tools > Add-ons Manager)
None of those messages, aside the ABE WAN message, are directly NoScript-related, but some of those messages at the end seemingly indicate some other, "unofficial" add-on is present but unable to update due to misconfigured install.rdf.

[Renji]

Just to be clear, does disabling all extensions other than NoScript get it working? (Tools > Add-ons Manager)

For testing purpose, other extensions don't even installed. But sorry, I'm forgot open Browser Console "Net" menu and select XHR/log options. Now, in moment of bug, I'm see "HEAD XHR https://slovari.yandex.ru/test/%D0%BF%D ... orm-button [HTTP/1.1 200 OK 126ms]" line. If I'm click to this, I'm see this "DENY" in server reply. Sorry for the link to pastebin.com, but for some reason spam filter don't allow me post this text direct.

[barbaz]

(posting pastebinned content here)

Code: Select all

Request URL: 	https://slovari.yandex.ru/test/%D0%BF%D0%B5%D1%80%D0%B5%D0%B2%D0%BE%D0%B4/b-form-button
Request Method: 	HEAD
Status Code: 	HTTP/1.1 200 OK
Request Headers 07:56:01.000
User-Agent:	Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.6.1
Host:	slovari.yandex.ru
Connection:	keep-alive
Accept-Language:	en-US,en;q=0.5
Accept-Encoding:	gzip, deflate
Accept:	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Sent Cookie
yandexuid:	7840956161456112415
uid:	1bTMKVbKiWxzhiuGBNHuAg==
slovari-state:	translation,
Response Headers Δ126ms
X-Frame-Options:	DENY
Strict-Transport-Security:	max-age=31536000
Server:	nginx
Expires:	Mon, 22 Feb 2016 04:56:00 GMT
Date:	Mon, 22 Feb 2016 04:56:00 GMT
Content-Type:	text/html; charset=UTF-8
Content-Encoding:	gzip
Connection:	keep-alive
Cache-Control:	max-age=0, proxy-revalidate
Received Cookie
slovari-state:	translation,
No Response Body Δ0ms

[barbaz]

That DENY just means that it's not want to be loaded in a frame. The request succeeds, as indicated by "200 OK"

[barbaz]

Hang on, I've just noticed that request is XHR... Are you Allowing some scripts in NoScript (temporarily or otherwise) on that site?

Would like some more clarification:
So if you block all scripts on that site in NoScript the bug still occurs? And if you Allow all scripts on that site (nothing in Untrusted) in NoScript, what happens?

[Guest]

Hang on, I've just noticed that request is XHR... Are you Allowing some scripts in NoScript (temporarily or otherwise) on that site?

NoScript say "Scripts currently forbidden. |<SCRIPT> 5| <OBJECT> 0". I'm trying remove all sites from white list, but nothing changed.

So if you block all scripts on that site in NoScript the bug still occurs? And if you Allow all scripts on that site (nothing in Untrusted) in NoScript, what happens?

If I'm allow all scripts, bug don't appear.

[barbaz]

Thanks. That behavior is what it would look like if there's a problem with one or more of our surrogates.
Can you please find the minimal set of scripts needed to be Allowed for the bug to not appear, then right-click the NoScript menu (*not* one of the sites menu entries, but e.g. the "About NoScript" entry - this copies the state of the entire NS menu to clipboard) and paste here?

[Renji]

Can you please find the minimal set of scripts needed to be Allowed for the bug to not appear, then right-click the NoScript menu (*not* one of the sites menu entries, but e.g. the "About NoScript" entry - this copies the state of the entire NS menu to clipboard) and paste here?

Allow yandex.ru is enough. Screenshot with NoScript menu:

[barbaz]

"yastatic.net" looks like their CDN to me. It's probably required that if you Allow scripts, that you Allow that too for the site to work. So if you Allow yastatic that it breaks instead of helping?? If that's correct, if you Allow yastatic do you get any other sites in the NS menu?

[Renji]

"yastatic.net" looks like their CDN to me. It's probably required that if you Allow scripts, that you Allow that too for the site to work. So if you Allow yastatic that it breaks instead of helping?? If that's correct, if you Allow yastatic do you get any other sites in the NS menu?

Allow or disallow yastatic change nothing. But don't worry about this, I'm already find reason of bug - onClick event. Minimal HTML code:

Code: Select all

<!DOCTYPE html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head>
<body><form class="b-search" action="/search.xml"><table class="b-search__table">
<tbody>
  <tr>
    <td class="b-search__input"><input name="text" value="test" tabindex="1"></td>
    <td><span onclick="return {'b-form-button':{name:'b-form-button'}}"><input type="submit"></span></td>
  </tr>
</tbody></table></form></body></html>

If I'm remove NoScript, disable scripts via about:config, put "test" into input field and press enter, I'm go to file:///search.xml?text=test page. If I'm disable all scripts via NoScript, put "test" into input field, and press enter, this press have no effect. If I'm remove onclick from HTML source, this bug disappear.

[therube]

Confirmed behavior.
And I suspect you're correct about the onclick too.

(That's the first thing I noticed.
And the button itself says:

Code: Select all

return {'b-form-button':{name:'b-form-button'}} null

)

[barbaz]

Confirmed behavior.

Not here.. I cannot reproduce the problem (nor what therube sees) from that test case.
What am I missing?