NoScript prevents allowed site from making API calls

Hyena
Posts: 5
Joined: Wed Sep 20, 2017 7:34 am

NoScript prevents allowed site from making API calls

Post by Hyena »

I have a real example here: http://cryptograffiti.info/

When I go to that page with NoScript enabled, the NoScript bar appears as expected. When I choose to allow all on that site then the bar disappears but the site remains broken. Turns out that API requests to 3rd party services get blocked by NoScript. I would say that this is a bug in NoScript, but perhaps there is a good reasoning behind it? In that case I would like to know what to do.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript prevents allowed site from making API calls

Post by barbaz »

Works for me with -

+blockexplorer.com
+blockchain.info
+btc.blockr.io
+cryptograffiti.info
*Always* check the changelogs BEFORE updating that important software!
Hyena
Posts: 5
Joined: Wed Sep 20, 2017 7:34 am

Re: NoScript prevents allowed site from making API calls

Post by Hyena »

barbaz wrote:Works for me with -

+blockexplorer.com
+blockchain.info
+btc.blockr.io
+cryptograffiti.info
I just tested this on another computer. I installed NoScript 5.0.10 on Firefox 55.0.2 (64-bit) and the issue is still there. When I first go to the named page it asks me whether I want to allow scripts. When I choose to allow scripts on all of the page then the page refreshes and starts making API calls to those 3rd party sites. However, all those calls fail. NoScript does not ask me again whether I want to allow access to the named 3rd party sites. And this does not make any sense to ask it because I already allowed NoScript to run scripts on all of the page. API calls are not scripts, they are just API calls to 3rd party services. NoScript should not block these. And to make matters worse, NoScript does not give me a warning that some resources are blocked by it, it does not ask me to allow access to those services. Only when I switched tabs and returned to the cryptograffiti tab then NoScript asked me to enable access to those 3rd party services. I think this is a bug.

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript prevents allowed site from making API calls

Post by barbaz »

Blocking of "API calls" (normally called XMLHttpRequest) is a security feature, not a bug. If you don't want that security, go to about:config and set noscript.forbidXHR to 0.
Hyena wrote:NoScript does not ask me again whether I want to allow access to the named 3rd party sites. [...] And to make matters worse, NoScript does not give me a warning that some resources are blocked by it, it does not ask me to allow access to those services. Only when I switched tabs and returned to the cryptograffiti tab then NoScript asked me to enable access to those 3rd party services. I think this is a bug.
I'm not so sure. I didn't have this trouble.

Please create a clean profile from scratch. Install only NoScript latest development build, leaving all the defaults.
Does the problem still exist?
If not, what if you then import your NS settings into the clean profile using the Import and Export buttons *on the very bottom* of NS Options?
If that still doesn't reproduce the problem, it's not a NoScript issue... try Standard Diagnostic (leaving NS enabled) to isolate and correct the real cause.

Let us know, thanks.
Hyena
Posts: 5
Joined: Wed Sep 20, 2017 7:34 am

Re: NoScript prevents allowed site from making API calls

Post by Hyena »

Being the dev of the named site, I think it's just easier for me to include some small resource from all of these APIs statically to the cryptograffiti's index.html, which would (hopefully) force NS to spawn the dialogue for allowing the named services immediately after the user has allowed scripts for the main site itself.

I have reproduced the issue on two separate and independent Linux machines already. If you're not willing to fix this then developers need to build a workaround, obviously. This is a pretty bad bug because it leaves the user with absolutely no information whether it is caused by NS or if the site itself is broken.

I also made a screen recording of the bug.
You can see that first when you go to the site there is absolutely no NS dialogue and the site is not working. Only when I temporarily switch to some other random tab and then back then NS dialogue appears.
Expected behavior: the dialogue should start immediately.

By the way, this forum has an intolerable "spam filter". It does not allow me to post anything and it says:
Ooops, something in your posting triggered my antispam filter...
Please use the "Back" button to modify your content and retry.
Turns out the spam filter does not like it if I quote other users. Better fix this, because it's not obvious at all. I thought it was my IP and it was not.
Last edited by Hyena on Mon Sep 25, 2017 8:31 am, edited 1 time in total.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
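
The failure mode described in the post above (third-party API calls fail and the user gets no hint why) can also be handled on the site's side. The following is an added example, not part of the original post and not cryptograffiti's code: it probes each API host and builds a notice naming the ones that gave no response. The function names, the notice text, the https:// scheme and the stub transport are assumptions, as is the premise that a blocked request surfaces as a rejected fetch(); the page cannot tell a content blocker from a CORS or connectivity failure.

```javascript
// Added example. Hosts come from the allow-list quoted in this thread;
// the https:// scheme and all names below are assumptions.
const API_URLS = [
  "https://blockexplorer.com/",
  "https://blockchain.info/",
  "https://btc.blockr.io/",
];

// Probe one endpoint. fetch() rejects when a request never gets a response
// (content blocker, CORS failure, offline); an HTTP error still resolves
// with a status, so the two cases can be told apart.
async function probe(url, transport) {
  const host = new URL(url).hostname;
  try {
    const res = await transport(url);
    return { host, state: res.ok ? "ok" : "http-error", status: res.status };
  } catch (err) {
    return { host, state: "no-response", status: 0 };
  }
}

// Turn the list of silent hosts into a user-facing notice, or null.
function buildNotice(hosts) {
  if (hosts.length === 0) return null;
  return "No response from: " + hosts.join(", ") +
    ". If a script blocker such as NoScript is active, allow these sites and reload.";
}

// Probe every endpoint in parallel and summarize. The transport is
// injectable so the logic can be exercised without network access.
async function checkApis(urls, transport = (u) => fetch(u)) {
  const results = await Promise.all(urls.map((u) => probe(u, transport)));
  const silent = results.filter((r) => r.state === "no-response").map((r) => r.host);
  return { results, silent, notice: buildNotice(silent) };
}

// Constructed stand-in for the browser: blockchain.info is "blocked",
// btc.blockr.io answers 503, everything else answers 200.
async function fakeTransport(url) {
  const host = new URL(url).hostname;
  if (host === "blockchain.info") throw new TypeError("NetworkError");
  return host === "btc.blockr.io" ? { ok: false, status: 503 } : { ok: true, status: 200 };
}

checkApis(API_URLS, fakeTransport).then((r) => console.log(r.notice));
```
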
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript prevents allowed site from making API calls

Post by barbaz »

Sorry, I misunderstood what you were describing. The NoScript menu does update in real time for me. But the icon does not change state, nor is the notification bar shown again, until:
1) Switching tabs,
2) Waiting for the icon & notification bar to update to reflect the new tab,
3) Switching back.

This happens in Firefox 55.0.3. I do not see the bug in SeaMonkey '2.49.1pre' (based on Firefox 52.3.0).

Moving to NoScript Development. Thanks for the bug report.
Hyena wrote:If you're not willing to fix this th
This will be fixed. It may take a while, as Giorgio is the only NoScript developer, and he is currently very busy porting NoScript to WebExtensions.
Hyena wrote:I also made a screen recording of the bug. You can download it here: https://filetea.me/n3wbY4Td8DISkqJjoe8SXFoVQ
That link gives me a blank plain-text document.
Hyena
Posts: 5
Joined: Wed Sep 20, 2017 7:34 am

Re: NoScript prevents allowed site from making API calls

Post by Hyena »

barbaz wrote:That link gives me a blank plain-text document.
Thanks for the reply, the video is now here: http://www.dailymotion.com/video/x61wdpb
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript prevents allowed site from making API calls

Post by therube »

Firefox 55.0.2
Why not 55.0.3?

Seems to be working for me, 55.0.3 x64, Windows.

Load the site, notification bar shows up.
Allow cryptograffiti.info.
(A slight delay...)
Notification bar shows up again, this time showing 1/4 & once you Allow those, the site works.
(A slight delay...)
Notification bar shows up again, this time showing 4/5 (with coinbase.com being newly added).


(And SeaMonkey 2.49.1 reacts the same way.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.1 Lightning/5.4
Hyena
Posts: 5
Joined: Wed Sep 20, 2017 7:34 am

Re: NoScript prevents allowed site from making API calls

Post by Hyena »

therube wrote:
Firefox 55.0.2
Why not 55.0.3?

Seems to be working for me, 55.0.3 x64, Windows.

Load the site, notification bar shows up.
Allow cryptograffiti.info.
(A slight delay...)
Notification bar shows up again, this time showing 1/4 & once you Allow those, the site works.
(A slight delay...)
Notification bar shows up again, this time showing 4/5 (with coinbase.com being newly added).


(And SeaMonkey 2.49.1 reacts the same way.)
Package manager has not yet provided me 55.0.3. Good to know it's working on the latest though.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript prevents allowed site from making API calls

Post by therube »

I'm on Windows.
barbaz was able to duplicate your issue on a Mac (I guess it was).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript prevents allowed site from making API calls

Post by barbaz »

therube wrote:barbaz was able to duplicate your issue on
... the unbranded build of Firefox 55.0.3, on Ubuntu Linux 64-bit.

I haven't used Mac OS in years and have zero interest in switching back.