
Re: Fx2 post 1.9.5 iframe regression

Posted: Sat Jul 25, 2009 12:34 am
by al_9x
Giorgio Maone wrote:Can you check latest development build 1.9.6.96?
Both are fixed.

I saw a new icon overlay in this build, a little plus in the bottom right corner [screenshot], what does it mean?

to see it (Fx2):

1) go to http://www.betanews.com/
2) mark adtechus.com as untrusted, allow about:blank, and everything else not allowed
3) at this point if you forbid about:blank or remove adtechus.com from untrusted, the plus disappears

Re: Fx2 post 1.9.5 iframe regression

Posted: Sat Jul 25, 2009 5:26 am
by Grumpy Old Lady
That's the Partially Allowed Subcontent Icon
Quoting from the features page http://noscript.net/features
this means the top level site is still forbidden but some active subcontent pieces (either frames or plugin objects) are allowed: some code may be running, but the page is likely not to work correctly yet because its main script source is still blocked.
subcontent in your example being about:blank.

Re: Fx2 post 1.9.5 iframe regression

Posted: Sat Jul 25, 2009 5:38 am
by al_9x
Giorgio Maone wrote:it hits the network but doesn't download more than the HTTP headers and anyway prevents content processing
I wasn't aware that these aborted requests were happening and sometimes even needed (content sniffing). Is it not possible to associate a given request with the HTML element that spawns it (iframe, script, frame, object, applet, embed) and therefore to know (given the URL) whether it's allowed, without starting it? Can you please describe under what circumstances they happen and why they are needed?

Re: Fx2 post 1.9.5 iframe regression

Posted: Sat Jul 25, 2009 6:08 am
by al_9x
Grumpy Old Lady wrote:That's the Partially Allowed Subcontent Icon
Quoting from the features page http://noscript.net/features
this means the top level site is still forbidden but some active subcontent pieces (either frames or plugin objects) are allowed: some code may be running, but the page is likely not to work correctly yet because its main script source is still blocked.
subcontent in your example being about:blank.
sorry about that, it's definitely not new, I just didn't have about:blank allowed before.

In this case the "about:blank" is not really a part of the page, it is an artifact of Noscript hiding placeholders for untrusted iframes. Should it therefore alter the permission status of the page? Think about it, you mark the iframe untrusted (making the page more restricted) and the status icon changes to less restricted (because of the implementation detail), that's rather counterintuitive.

Re: Fx2 post 1.9.5 iframe regression

Posted: Sat Jul 25, 2009 6:26 am
by Giorgio Maone
al_9x wrote:I wasn't aware that these aborted requests were happening and sometimes even needed (content sniffing). Is it not possible to associate a given request with the HTML element that spawns it (iframe, script, frame, object, applet, embed) and therefore to know (given the URL) whether it's allowed, without starting it?
That's what NoScript does most of the time.
al_9x wrote:Can you please describe under what circumstances do they happen and why they are needed?

<OBJECT DATA="http://some.site.com/some.content"></OBJECT>
You can't tell what the content is until it loads (it may be an HTML page, plain text, Flash, whatever): OBJECT is defined as a "generic embedding mechanism".

<IFRAME src="http://some.site.com/some.content"></IFRAME>
Ditto, and the content policy gets called with hints at an HTML document, even though it may actually load Flash, PDF or whatever the author wants. You can't tell until you sniff.

And finally

<a href="http://some.site/some.content">click me</a>
This loads the content in a top level window, with hints for HTML. Again it may be anything, and you can't tell until you sniff.

In other words, among the elements you listed, only <script> and <embed> are reasonably sincere, and yet for <embed> you may need to sniff if the user allows Java and forbids Flash, for instance.
al_9x wrote:In this case the "about:blank" is not really a part of the page, it is an artifact of Noscript hiding placeholders for untrusted iframes.
Nope, it's (and just sometimes) an artifact of Firefox not managing to load the content.
Every frame when it's created loads about:blank. Then two things may happen: the frame has no src attribute and gets filled by the parent page, or the frame has a src attribute and spawns a second load for some different content. If this load is blocked the frame remains at about:blank. But in both cases (frame meant to load something else or just to keep about:blank and being scripted), the parent page can script it as long as it's there. Hence the icon.
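The sniffing Giorgio describes above, as an added example that is not NoScript's code: a small Node.js classifier that looks at the leading bytes of a response body instead of trusting what the issuing element hinted (an IFRAME hints HTML, an OBJECT hints nothing), then applies a per-type permission set of the "Java allowed, Flash forbidden" kind. The magic-byte table, the sample bodies and the permission set are all constructed for the example.

```javascript
// Added example, not NoScript's implementation. Shows why a subcontent load
// cannot be judged from the markup alone: the element only hints at a type,
// the first bytes of the body decide what would actually run.

// Magic-byte table, assumed from the public file-format specifications.
const SIGNATURES = [
  { type: 'flash', match: (b) => ['FWS', 'CWS', 'ZWS'].includes(latin1(b, 0, 3)) },
  { type: 'pdf',   match: (b) => latin1(b, 0, 5) === '%PDF-' },
  { type: 'java',  match: (b) => b.length >= 4 &&
      b[0] === 0xca && b[1] === 0xfe && b[2] === 0xba && b[3] === 0xbe },
  { type: 'jar',   match: (b) => latin1(b, 0, 2) === 'PK' && b[2] === 3 && b[3] === 4 },
  { type: 'html',  match: (b) => /^\s*<(!doctype|html|head|body|script|iframe)\b/i.test(latin1(b, 0, 64)) },
];

function latin1(bytes, start, end) {
  return Buffer.from(bytes.subarray(start, end)).toString('latin1');
}

// Classify a body by its leading bytes (a sniff). Falls back to 'text' for
// printable ASCII and 'unknown' for anything else.
function sniffContent(bytes) {
  const b = Buffer.isBuffer(bytes) ? bytes : Buffer.from(bytes);
  for (const sig of SIGNATURES) if (sig.match(b)) return sig.type;
  const head = b.subarray(0, 64);
  const printable = head.every((c) => c === 9 || c === 10 || c === 13 || (c >= 32 && c < 127));
  return head.length > 0 && printable ? 'text' : 'unknown';
}

// Compare the element's hint with the sniffed type and apply the user's
// per-type permissions. 'allowed' is a Set of type names the user permits.
function decide(elementHint, bytes, allowed) {
  const actual = sniffContent(bytes);
  const hinted = elementHint === 'iframe' ? 'html' : 'unknown'; // OBJECT hints nothing
  return { hinted, actual, hintWasRight: hinted === actual, allow: allowed.has(actual) };
}

// Constructed sample bodies (not real network captures).
const SAMPLES = {
  iframeReallyFlash: { hint: 'iframe', body: Buffer.from('CWS\x0a\x00\x00\x00\x00\x78\x9c', 'latin1') },
  objectHtml:        { hint: 'object', body: Buffer.from('<!DOCTYPE html><html><body>hi</body></html>') },
  objectClass:       { hint: 'object', body: Buffer.from([0xca, 0xfe, 0xba, 0xbe, 0, 0, 0, 50]) },
  plainText:         { hint: 'iframe', body: Buffer.from('just some text') },
};

// Example run: the user allows HTML, text and Java but not Flash.
function runSamples() {
  const allowed = new Set(['html', 'text', 'java']);
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) out[name] = decide(s.hint, s.body, allowed);
  return out;
}

module.exports = { sniffContent, decide, runSamples, SAMPLES };
```

The point of the example is the `iframeReallyFlash` case: the IFRAME hinted HTML, the body is a compressed SWF, and only the sniff lets the forbidden-Flash rule fire.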

Re: Fx2 post 1.9.5 iframe regression

Posted: Sat Jul 25, 2009 6:47 am
by al_9x
Giorgio Maone wrote: In other words, among the elements you listed, only <script> and <embed> are reasonably sincere, and yet for <embed> you may need to sniff if the user allows Java and forbids Flash, for instance.
Very clear explanation, thank you.
___________________________

It's not a big deal, and I'll drop it, but just a suggestion, to avoid the situation where you mark something untrusted and the icon becomes more permissive, perhaps about:blank should be not allowed by default.

Re: Fx2 post 1.9.5 iframe regression

Posted: Wed Jul 29, 2009 1:33 am
by al_9x
Giorgio Maone wrote:Can you check latest development build 1.9.6.96?
Ran into another "offline mode" error in an ad iframe. Fx2, NS1.9.7, ABE (works fine with ABE off)

Re: Fx2 post 1.9.5 iframe regression

Posted: Wed Jul 29, 2009 6:10 am
by Tom T.
al_9x wrote:Ran into another "offline mode" error in an ad iframe. Fx2, NS1.9.7, ABE (works fine with ABE off)
I haven't had any such problems with Fx2, 1.9.7, ABE enabled with default rules.
The site in question is all-js plus the iframe from adultfriendfinder.com. After TA all of the js and telling adblock and NS to allow the iframe, I still can't get the ad, because adultfriendfinder is in my hosts file numerous times, which might be a message that maybe you don't want to go there -- this hosts service targets malware installers. But for the sake of science, I disabled hosts, and then the sign-up form for AFF appeared just fine, with new placeholders for blocked flash.

IOW, unable to reproduce on similar sw.

Re: Fx2 post 1.9.5 iframe regression

Posted: Wed Jul 29, 2009 6:51 pm
by al_9x
Tom T. wrote:I still can't get the ad, because adultfriendfinder is in my hosts file numerous times
the idea is not to get the ad, I'm blocking it too with hosts and noscript untrusted, but to see the offline mode error, can you try the instruction from the first post, on a new Fx2 profile ideally:
  1. enable ABE, forbid iframes, apply restrictions to trusted, set no placeholders for untrusted
  2. add
     127.0.0.1				adultfriendfinder.com www.adultfriendfinder.com
     to the hosts file
  3. go to http://img218.imagevenue.com/uploadimg-aff.php which contains an ad iframe
  4. you will see Fx2 briefly load the "offline mode" error page in the iframe, which is then replaced by placeholder
  5. this "offline mode" flashing wasn't there in 1.9.5
  6. now mark the iframe domain as untrusted and reload
  7. now since there is no placeholder, the "offline mode" error page will stay in the iframe.

Re: Fx2 post 1.9.5 iframe regression

Posted: Wed Jul 29, 2009 7:21 pm
by therube
(not seeing it on my end. neither SeaMonkey 1.1.17 nor FF2.0.0.20?)

Re: Fx2 post 1.9.5 iframe regression

Posted: Thu Jul 30, 2009 9:45 am
by Tom T.
al_9x wrote:
the idea is not to get the ad, I'm blocking it too with hosts and noscript untrusted, but to see the offline mode error, can you try the instruction from the first post, on a new Fx2 profile ideally:

1) enable ABE, forbid iframes, apply restrictions to trusted, set no placeholders for untrusted
That is my default setting for all browsing.
2) goto http://img218.imagevenue.com/uploadimg-aff.php which contains an ad iframe
3) you will see Fx2 briefly load the "offline mode" error page in the iframe, which is then replaced by placeholder

I'm afraid I didn't.
4) this "offline mode" flashing wasn't there in 1.9.5
5) now mark the iframe domain as untrusted and reload
6) now since there is no placeholder, the "offline mode" error page will stay in the iframe.
No, it didn't. Sorry. Have you checked for extension conflicts, esp. the usual suspects, ABP and RP? Done Standard Diagnostic? I'm sorry, I can't reproduce it, nor could therube, so I don't know how to be of any assistance. Strongly suspect another extension.

Re: Fx2 post 1.9.5 iframe regression

Posted: Thu Jul 30, 2009 7:03 pm
by al_9x
Tom T. wrote:I'm sorry, I can't reproduce it, nor could therube, so I don't how to be of any assistance. Strongly suspect another extension.
I found the missing ingredient, I have adultfriendfinder.com in my hosts file mapped to 127.0.0.1:

127.0.0.1				adultfriendfinder.com www.adultfriendfinder.com
and the default system ABE rule is blocking it:

[ABE] <LOCAL> Deny on {GET http://adultfriendfinder.com/go/page/reg_form_video_02?pid=p604822&ip=auto <<< http://img218.imagevenue.com/uploadimg-aff.php, http://img218.imagevenue.com/uploadimg-aff.php}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Without the hosts file block, there is no ABE involvement and no offline mode error page.

Re: Fx2 post 1.9.5 iframe regression

Posted: Thu Jul 30, 2009 7:14 pm
by al_9x
Now that I understand this problem, it can be reproduced with any iframe by blocking it in hosts, for example betanews.com, add

127.0.0.1				adserver.adtechus.com
to hosts and ABE will block it resulting in the offline mode error.

And one other thing, since the culprit is ABE blocking, you can turn off iframe blocking and you will still see the problem, but the error page is blank (not offline mode) [screenshot].

Re: Fx2 post 1.9.5 iframe regression

Posted: Sat Aug 01, 2009 10:07 pm
by Tom T.
Giorgio has already advised all users of Hosts file to re-map away from localhost and to a non-existent address, e.g., 255.255.255.0 or 0.0.0.0.
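The interaction al_9x traced above (a hosts-file entry pointing an ad host at 127.0.0.1 makes the destination LOCAL, so ABE's SYSTEM rule denies the cross-site request) and the re-mapping advice in this post, as an added example that is not ABE's own code: a Node.js model of the rule Site LOCAL / Accept from LOCAL / Deny evaluated against a constructed hosts file. The hosts file, the public-address placeholder 203.0.113.10 for names not in it, and the definition of LOCAL as loopback plus RFC 1918 and link-local ranges are assumptions made for the example; the real definition is in the ABE rules documentation.

```javascript
// Added example, not ABE's implementation: a model of the SYSTEM rule
//   Site LOCAL
//   Accept from LOCAL
//   Deny
// applied to a request whose destination hostname is resolved through a hosts file.

// Constructed hosts file: the 127.0.0.1 mapping from the thread, the loopback
// name, and one host re-mapped to 0.0.0.0 as suggested in this post.
const HOSTS = `
127.0.0.1   localhost
127.0.0.1   adultfriendfinder.com www.adultfriendfinder.com
0.0.0.0     adserver.adtechus.com   # re-mapped away from loopback
`;

// Parse "ip name [name...]" lines, ignoring comments and blanks.
function parseHosts(text) {
  const map = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*/, '').trim();
    if (!line) continue;
    const [ip, ...names] = line.split(/\s+/);
    for (const n of names) map.set(n.toLowerCase(), ip);
  }
  return map;
}

// LOCAL as modelled here (assumption): loopback, RFC 1918 and link-local ranges.
function isLocalAddress(ip) {
  if (ip === '::1') return true;
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => Number.isNaN(n))) return false;
  return o[0] === 127 || o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// A hosts-file entry wins; any other name is treated as a public address
// (203.0.113.10 is a documentation-range placeholder, not a real lookup).
function resolve(hostname, hosts) {
  return hosts.get(hostname.toLowerCase()) || '203.0.113.10';
}

// Evaluate the LOCAL rule for one request and return { verdict, reason }.
// The rule only applies when the destination resolves to a LOCAL address;
// it then accepts requests originating from LOCAL and denies all others.
function abeLocalRule(method, destUrl, originUrl, hosts) {
  const destIp = resolve(new URL(destUrl).hostname, hosts);
  if (!isLocalAddress(destIp)) {
    return { verdict: 'Accept', reason: 'destination not LOCAL; rule does not apply' };
  }
  const originIp = originUrl ? resolve(new URL(originUrl).hostname, hosts) : null;
  if (originIp && isLocalAddress(originIp)) {
    return { verdict: 'Accept', reason: 'Accept from LOCAL' };
  }
  return { verdict: 'Deny', reason: `<LOCAL> Deny on {${method} ${destUrl} <<< ${originUrl}}` };
}

module.exports = { HOSTS, parseHosts, isLocalAddress, resolve, abeLocalRule };
```

With the thread's mapping in place, the ad iframe from img218.imagevenue.com targets a LOCAL destination and is denied, which is the `[ABE] <LOCAL> Deny` line al_9x saw; with the same host re-mapped to 0.0.0.0 the destination is no longer LOCAL under this model, the rule never applies, and the browser simply fails to connect without ABE getting involved.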