JAR/XUL page blocked on browser reload

[nicktook]

I have a set of intranet applications implemented as signed JAR files with XUL pages.

Recently NoScript is blocking these applications when I do a reload of the page:

[NoScript] Blocking cross site Javascript served from https://pg2.arcamax.com:2001/ec/jar/ec4.jar with wrong type info application/java-archive and included by chrome://browser/content/browser.xul

Note: If the user never does a 'reload' then the application works fine. When a reload does occur, the user must restart the browser to get the page working again. The site is listed both in the XSS 'Anit-XSS Protection Exceptions and the 'Jar document blocking exceptions'.

I am running FF 3.5.1 and NoScript 1.9.6.93.

[therube]

There was a change put in relating to JAR with 1.9.6.4 (JAR archive traversal vis SCRIPT src).

If you revert back to noscript-1.9.6.3.xpi, does the issue subside?

(Or does this have to do with inclusion protection, which landed with 1.9.6.5?)

[nicktook]

1.9.6.3 works.

[nicktook]

1.9.6.4 works.
1.9.6.5 fails.

[nicktook]

I reinstalled 1.9.6.9 created about:config setting noscript.checkInclusionType and tried it as true or false. After a browser restart, it failed in both cases.

[therube]

As I was about to post, I see you replied ...

OK, in 1.9.6.5 (or the most recent #dev build for that matter), if you disable inclusion, does it then work?

v 1.9.6.5
=====================================================================
+ New layer of inclusion protection, checks whether 3rd party scripts
and CSSs are served with proper content type (it can be disabled
via noscript.checkInclusionType preference; exception patterns can
be listed in the noscript.checkInclusionType.exceptions preference)

(After that we can see about an exception.)

So I guess that is kind of answered. Now we've got to wait for others to chime in.

[nicktook]

Is there anything happening to fix this problem?

I had been running the old NoScript (1.9.6.4) but this morning I accidentally update and I no longer seem to be able install the old version. The trick of going to the direct down load link and editing the URL to point to the old version no longer works. Is there another way to get the old version?

[Giorgio Maone]

I reinstalled 1.9.6.9 created about:config setting noscript.checkInclusionType and tried it as true or false. After a browser restart, it failed in both cases.

You just need to set the (existant) noscript.inclusionTypeChecking about:config preference to false.
Even better, set the noscript.inclusionTypeChecking about:config preference to https://pg2.arcamax.com:2001/

Older versions are always available at http://noscript.net/feed anyway.