I seem to recall that NoScript, prior to WebExtensions, would present file:// URLs for blocking/unblocking. With the current version on FF59, it seems to allow scripts in file URLs to run with no option to block them.
My particular use case is in conjunction with Zotero. When I save a web page with Zotero, the snapshot function copies the page and all directly referenced resources to the filesystem. When I access the page later from the snapshot, I note that the inline js executes and there do not appear to be any options to block it. Note: this is on Linux Mint and I'm also using uBlock Origin.
BTW - I love the new NoScript. I was frustrated at first because FF updated unexpectedly and left me sans no-script. When I updated that, the interface was unfamiliar and I had no time to learn it. I finally took 15 minutes to read up and learn how the new one works and now I feel right at home! I can't thank you all enough!
Scripts in file URIs (file://)
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Re: Scripts in file URIs (file://)
What you describe is a limitation of WebExtensions. What's your question?
*Always* check the changelogs BEFORE updating that important software!
Re: Scripts in file URIs (file://)
barbaz wrote: What you describe is a limitation of WebExtensions. What's your question?
Thank you barbaz - That explains it.
I guess that creates some risk for Zotero users, or anything else that takes a local snapshot of a page. If I snapshot a page with malicious javascript, then later open the snapshot, at that point the malicious script would run.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
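An added example, not part of the thread and not code from NoScript or Zotero: since scripts in a saved snapshot cannot be blocked by the extension when the file is opened from file://, one way to check a snapshot before opening it is to list every construct in the HTML that can execute script. The names `ScriptAudit` and `audit_snapshot` are hypothetical, and the sample snapshot is constructed.

```python
from html.parser import HTMLParser

# Constructed sample standing in for a saved snapshot (not from the thread).
SAMPLE_SNAPSHOT = """<html><head>
<script src="tracker.js"></script>
<script>document.title = "changed";</script>
</head><body onload="init()">
<a href="javascript:void(0)">link</a>
<a href="page2.html">next</a>
<img src="x.png" onerror="retry()">
</body></html>"""

class ScriptAudit(HTMLParser):
    """Collect every construct in an HTML document that can execute script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []        # (line, kind, detail)
        self._in_inline = False   # True while inside <script> without src

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = [(k, v or "") for k, v in attrs]
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.findings.append((line, "external-script", src))
            else:
                self._in_inline = True
        for name, value in attrs:
            if name.startswith("on"):   # onload, onerror, onclick, ...
                self.findings.append((line, "event-handler", f"{tag}[{name}]"))
            elif value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", f"{tag}[{name}]"))

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.findings.append(
                (self.getpos()[0], "inline-script", data.strip()[:40]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def audit_snapshot(html_text):
    """Return a list of (line, kind, detail) for script-bearing constructs."""
    parser = ScriptAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings
```

An empty result means the parser found no script elements, event-handler attributes or javascript: URLs in that file; resources the snapshot references (for example saved .js files) need the same look.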