(S) v10: needs to be reloaded to operate on website w/ PDF.

Ask for help about NoScript, no registration needed to post
fenix

(S) v10: needs to be reloaded to operate on website w/ PDF.

Post by fenix »

Hello.

Firefox includes a built-in PDF viewer to display PDF files inside the browser window and is enabled by default. However, it seems, that there is a problem with a proper NoScript v10 operate on such websites. I've tried about 3, 4 websites with PDF files and clicking on a NoScirpt icon to make some changes in permissions etc., there is such message:

Code: Select all

In order to operate on this tab, NoScript needs to reload it. Proceed?

          [               OK              ]           [              Cancel              ]
Clicking on the [OK] button, reloads web page, but nothing changes if it's about NoScript normal functionality - possibility to change permissions etc. After clicking on the NoScript icon again, there is the same information mentioned above. After clicking on [Cancel] button, nothing happens. After hovering the mouse cursor on the NoScript icon, but without clicking, there is such information:

Code: Select all

Blocked 0 of 0 items
Here are an example links to reproduce this issue ("needs to reload" problem appears, on each of these web sites.):

https://spectreattack.com/spectre.pdf
https://www.usenix.org/system/files/con ... z-rola.pdf
https://pdfs.semanticscholar.org/5d9b/6 ... 305fc5.pdf

Is this a bug? Anyway, here are some technical informations:

✓ NoScript: v10.1.8.1
✓ Firefox: v60.0 (32-bit)
✓ Platform: Linux

Thanks, best regards.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by therube »

Not seeing any issue here.
Click the links & each pdf opens in a new tab - with no other interaction needed.

FF 60 x64
NoScript 10.1.8.2rc2
Oh, nevermind.

The pertinent part:
clicking on a NoScirpt icon
Confirmed.
Though I have no idea what is expected in that situation?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 Lightning/5.4
fenix

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by fenix »

Hello therube.

You asked "what is expected in that situation?" Hmm, I think that there should be a possibility to change the trust levels etc. (By default, each domain is under the Default, right? So, I think that on a web sites, which display PDF files inside the browser window, there should be a possibility, for example, to explicitly set Trusted, Temp-Trusted or Untrusted and so on. Just like with other web sites such as youtube.com where User can allow only three domains to work properly and display videos etc. (the rest domains can be set as Untrusted).

Thanks, best regards.

fenix aka ragner
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by barbaz »

Confirmed in Firefox 60, NoScript 10.1.8.2rc2, new profile.
https://noscript.net/abe/abe_rules.pdf is also affected.

With Firefox 59 I get the expected behavior.
*Always* check the changelogs BEFORE updating that important software!
-
fenix

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by fenix »

Hello barbaz.

Thanks for checking this issue. Anyway, .PDF is a common target for malware attacks, right? So I think there should be a possibility to set/change NoScript's presets on such web sites etc. We already saw a few CVE's that allows remote attackers to cause a DoS or possibly have other malicious impact via a crafted .PDF document (an attacker could plant a malicious .PDF on website). I think NoScript should allow Users to make some changes on such websites: e.g. change preset from a Default to Custom etc.

Thanks.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by skriptimaahinen »

Well, looks like FF 60 blocks content scripts from running in the PDF-viewer. This is what breaks NS. Not sure if intended, but it might be due to a fix for security vulnerability that allowed PDF-files to run scripts in the viewers context. (The very unhelpful and wrong popup message is NS bug though.)

@fenix: Unfortunately none of the NS settings really affect PDF security. That's purely the PDF-viewers responsibility.

@Giorgio: Do showing the resource-URIs (e.g. resource://pdf.js) benefit user in any way?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by Giorgio Maone »

skriptimaahinen wrote: @Giorgio: Do showing the resource-URIs (e.g. resource://pdf.js) benefit user in any way?
I do not think so, but maybe I could instead try to intercept the PDF load attempt before it gets to the viewer and block it outright, tying this behavior to a special "PDF" permission...
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by skriptimaahinen »

In that case I think it might be best to allow resource (and chrome|moz-extension|about) URIs regardless of the policy, maybe, or am I missing some important case?

Not sure if NS should interfere with PDF handling as FF itself offers plethora of user configurable ways to do it (pdf.js, external viewer, download).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by therube »

Can you still do 'external viewer', as in like via a Plugin in FF (Quantum)?
I thought all that was allowed was Flash.
(FF 52 should be able to do external viewer, via Plugin.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.3
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by skriptimaahinen »

I doubt the plugins work anymore except in 52, though last time used Adobe plugin was something like 15 years ago. :) And even if the plugins did work, NS could block them with the "object" option.

However, FF does offer option to open the PDF in external program.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
fenix

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by fenix »

Hello.

So, as skriptimaahinen has just written in his comment: "Not sure if NS should interfere with PDF handling (...)" maybe there should be a different information, instead of "In order to operate on this tab, NoScript needs to reload it. Proceed?" Something like:

1/ Permissions for websites with a .PDF files can not be changed, because of...
2/ Permissions for websites with a .PDF files can not be changed due to...

And then name the reason of such decision at the end (after: "because of/due to"? There can be [OK] button only. But that's just a naive and stupid idea... Sorry.

Thanks.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
fenix

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by fenix »

Hello.

It seems, that v10.1.8.8 version fixed issue with reloading NoScript on websites with .PDF files etc. I've checked one site and after clicking on the main icon, there was not an information, mentioned in my first post, but all preset available in NoScript. Mentioned site has been set with a "DEFAULT" preset (domain was: …semanticscholar.org) etc. So, it seems everything is okay. However, I didn't do any tests like, for example, change presets, add some options ('script', 'frame' and so on).

One more thing to note. When I moved a mouse cursor on NoScript icon, but without clicking, a small window appeared with such an informations (the same thing has happened in my first post):

Code: Select all

NoScript 10.1.8.8
Blocked 0 of 0 items
Here is a tested website: https://pdfs.semanticscholar.org/5d9b/6 ... 305fc5.pdf If someone will have some free time, please make more tests.

Thanks.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
paulmcg
Posts: 2
Joined: Thu Jul 19, 2018 4:43 pm

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by paulmcg »

I am having problems downloading .pdf and .tgz archives on some of our company Web sites, even though I whitelisted our sites.

The PDF download problem occurs in NoScript10.1.8.9rc1 with Firefox 61.0.1. It seems to occur when a Web page opens a window with JavaScript for the PDF URL instead of just giving you the URL.

I uploaded a .zip file with the HTML, JavaScript and CSS files from when the problem occurs plus a screen shot of the Firefox error.
https://drive.google.com/file/d/1cUv_PC ... sp=sharing
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by Giorgio Maone »

paulmcg wrote:I am having problems downloading .pdf and .tgz archives on some of our company Web sites, even though I whitelisted our sites.[/url]
Could you also check with Firefox's developer console (ctrl+K), Network tab, which HTTP headers is the server sending exactly (or give me a public server where this problem can be reproduced)?
Might Firefox's popup blocker be interfering (i.e., does the link work if you disable NoScript)?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
paulmcg
Posts: 2
Joined: Thu Jul 19, 2018 4:43 pm

Re: (S) v10: needs to be reloaded to operate on website w/ P

Post by paulmcg »

Giorgio Maone wrote:Could you also check with Firefox's developer console
I had to upload the Firefox console log, since this site's spam filter wouldn't let me upload here.
https://drive.google.com/open?id=1QiTKY ... ectNupKlkD

The problem doesn't happen if I disable NoScript. The pages that cause the problem are not publicly accessible on one of our servers (myife.panasonic.aero).
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Post Reply