NoScript doesn't block FRAME even if Forbid FRAME is enabled

Ask for help about NoScript, no registration needed to post
Paranoid User

NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Paranoid User »

Can NoScript block any website from silently adding unnecessary frames/iframes (even more evil, invisible frames/iframes) when I leave the website?

A famous example would be to browse about.com. For example: http://pcworld.about.com/od/softwareser ... e-Tool.htm
Click on any external link of this page. A big top frame will be added even if you are browsing other websites.
It doesn't help at all even if you enabled Forbid FRAME.

I realize it offers an option to remove the frame, but a bad guy who want to spy you can use the same trick to add an invisible frame with no option of removal.
Is there anything NoScript can do to block a website from adding FRAME or IFRAME when I'm leaving its website?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Grumpy Old Lady »

Confirmed FRAMES not blocked in 3.0.12 as well as 3.5.1
Perhaps Giorgio recognises this form of complicated "keep the customer in the shop as long as you can" scripting as benign?
The about.com people don't want you to go if FRAMES are forbidden:

Code: Select all

<noframes><body bgcolor="#cccc99" text="#000000" link="#000066" vlink="#000066" topmargin="5" bottomMargin="0" leftMargin="0"><table border="0" cellspacing="0" cellpadding="0" width="500"><tr><td align="center"><img src="/zimages70z/error/title.gif" height="54" width="284"><p>This feature of About.com requires frames.</p><p>click on the link below to proceed to <br /> <a href="http://www.pcworld.com/businesscenter/index/software_services.html" target="_top">http://www.pcworld.com/businesscenter/index/software_services.html</a>.</p></td></tr><tr><td align="center"><p>&nbsp<br><img src="/zimages70z/error/people1.gif" height="47" width="129"></td></tr></table></body></noframes>
pfft. I just noticed it's a NYTimes site. I'm not a fan of their use of active content.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Giorgio Maone »

It's been fixed yesterday in latest development build 1.9.7.3
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Grumpy Old Lady »

Testing with 1.9.7.3 and the frames are still happening - reset to all defaults, then forbid <FRAMES> :?:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Giorgio Maone »

What do you mean by "happening"? Aren't they blocked with placeholder?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Grumpy Old Lady »

Sorry, poor choice of word.
The frames are not being blocked. No placeholder shows, and the content is getting fully displayed - that is both the about.com top frame, including the "turn off this frame" notice, as well as the third party page.

Going to check with 3.5.1. again in XP
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.12) Gecko/2009070811 Ubuntu/9.04 (jaunty) Firefox/3.0.12
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Grumpy Old Lady »

Same bug in XP. 1.9.7.3
FRAMES still not blocked.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Giorgio Maone »

Really weird. It's working fine for me. Does it happen on a clean profile?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Grumpy Old Lady »

Doing all this support thread with a clean profile. Easier :-)

Forbidding both <IFRAME> and <FRAME> - all other default settings - gives the desired blocking of the third party page.
Placeholder has <IFRAME> label.

EDIT: But I'll go now and create a new profile, just to be sure.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Giorgio Maone »

Before going on, have you got both forbid IFrames and forbid Frames checked?
I know it's an implementation detail which would need to be better documented or directly fixed, but for legacy Frame blocking to be effective, you need to block IFrames as well.
Checking if I can remove this caveat in 1.9.7.4...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Grumpy Old Lady »

Giorgio Maone wrote:Before going on, have you got both forbid IFrames and forbid Frames checked?
Yes boss :-)
That's the problem. I was being very literal and only checking <FRAMES> (as I guess is the OP)
My daily profile has both checked all the time, so I've never seen this apparent anomaly.

This new profile confirms that blocking works when both FRAMES and IFRAMES are checked.

I still don't like NYT sites though ;-)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Paranoid User

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Paranoid User »

Giorgio Maone wrote:It's been fixed yesterday in latest development build 1.9.7.3
Installed it in a new profile. I have both forbid IFRAME and FRAME checked.
It works but with some problems. The big top frame is blank but still occupies large space.
No way you can delete the frame and reclaim the space.

I once visited a site which is so aggressive that it adds the top frame and encoded all external links.
It won't go away even if you middle click to open a new page.
The link on the URLbar is also encoded and has something like %3A%3F. :(

Would you add a feature that can remove the frame completely and reclaim the space?
I think it should be pretty easy by simply calling a function to remove/hide anything within <noframe> ... </noframe>.
Tell me if I'm wrong. Thanks. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Giorgio Maone »

Paranoid User wrote: Would you add a feature that can remove the frame completely and reclaim the space?
I think it should be pretty easy by simply calling a function to remove/hide anything within <noframe> ... </noframe>.
Tell me if I'm wrong. Thanks. :)
Sorry, you're wrong (the content of <noframe>...</noframe> is irrelevant here, since it would be evaluated only if your browser did not support frames, which is not the case).
And such a feature is out of NoScript's scope: blocking frames (i.e. preventing them from loading, like NoScript does) is very different than taking the content of one of the frames currently displayed (the bottom one, in your case, but how to tell which generally?) and placing it on the top level.
The best approach to something like that is using a GreaseMonkey script ad-hoc for the site you want to "deframeize".
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by therube »

While we're here, & as kind of pointed out already, if you were to open the (lower) IFRAME into a new tab (whilst blocked, placeholder still visible), the location bar shows something like this:

Code: Select all

data:text/html;charset=utf-8,%3Chtml%3E%3Chead%3E%3C%2Fhead%3E%3Cbody%20style%3D%22padding%3A%200px%3B%20margin%3A%200px%22%3E%3Ciframe%20src%3D%22http%3A%2F%2Fwww.quickbooks.intuit.com%2F%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C%2Fiframe%3E%3C%2Fbody%3E%3C%2Fhtml%3E
I suppose that is to be expected because it is actually the IFRAME that you are opening rather then the (expected) web page itself - as the web page has yet to load.

Also, if you were to center-click the IFRAME (prior to clicking the placeholder), it would open in a new tab - void of the About.com (header) FRAME. If you had already clicked the placeholder, then you can Open Frame in New Tab - again void of the About.com (header) FRAME.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
Paranoid User

Re: NoScript doesn't block FRAME even if Forbid FRAME is enabled

Post by Paranoid User »

therube wrote:

Code: Select all

data:text/html;charset=utf-8,%3Chtml%3E%3Chead%3E%3C%2Fhead%3E%3Cbody%20style%3D%22padding%3A%200px%3B%20margin%3A%200px%22%3E%3Ciframe%20src%3D%22http%3A%2F%2Fwww.quickbooks.intuit.com%2F%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C%2Fiframe%3E%3C%2Fbody%3E%3C%2Fhtml%3E
Yes I sometimes see URL like this. Actually what are all those %3A%2F, %2F%22%20?
Do they have a name?
How can I turn the gibberish URL back into normal readable URL?
Is there any tool on the web which can do this?
Also, if you were to center-click the IFRAME (prior to clicking the placeholder), it would open in a new tab - void of the About.com (header) FRAME. If you had already clicked the placeholder, then you can Open Frame in New Tab - again void of the About.com (header) FRAME.
Links is usually re-coded (like in about.com). Middle click on the link doesn't remove the frame.
But once you are in the page with frame right click the content frame | this frame | show only this frame. It's the easiest way to bypass all restrictions added by the offending website.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Post Reply