InformAction Forums

With NoScript and Firebug both installed and doing what they do best, I can't open the console when javascript is disabled by NoScript on the page.
As the Firebug folks replied here:
http://code.google.com/p/fbug/issues/detail?id=1488
what's not to like?!
Well, I want to have my cake and eat it, too. Is there a clinical way to enable just enough javascript so Firebug can add its HTML and work, while the javascript sent by the untrusted page does not?

about:config's noscript.injectHTML looks promising?

Sorry, as John said Firebug can't inject scripts safely in a page where scripts are forbidden.
If you need to run a short snippet of JavaScript on a forbidden page, you can do it from the location bar as a javascript: URL (NoScript will allow them temporarily).

Interesting, maybe there is something else going on with my setup but I have Firebug and NS and I have never had to whitelist a page to have functionality. Hmm..this makes me think and I shall look into it and see why it works for me.

Giorgio Maone wrote:Sorry, as John said Firebug can't inject scripts safely in a page where scripts are forbidden.
If you need to run a short snippet of JavaScript on a forbidden page, you can do it from the location bar as a javascript: URL (NoScript will allow them temporarily).

Can you explain some of the details about this? Is this connected to a firefox API, or how noscript works?
i.e. if I really wanted this feature, where should a patch be directed?
I believe disallowed pages that include external javascript from permitted domains works, right?
Should firebug be able to include javascript from chrome?

GµårÐïåñ wrote:Interesting, maybe there is something else going on with my setup but I have Firebug and NS and I have never had to whitelist a page to have functionality. Hmm..this makes me think and I shall look into it and see why it works for me.

Firebug generally works (e.g Inspector)--it's the console, only. Try opening it on a disallowed page, and type something simple like `x=2`. If it is working for you, which versions of each do you have?

sky wrote:

Giorgio Maone wrote:Sorry, as John said Firebug can't inject scripts safely in a page where scripts are forbidden.
If you need to run a short snippet of JavaScript on a forbidden page, you can do it from the location bar as a javascript: URL (NoScript will allow them temporarily).

Can you explain some of the details about this? Is this connected to a firefox API, or how noscript works?

Both. NoScript talks with the Gecko's ScriptSecurityManager component, and tells it which domains are allowed to run script and which are not.
Whenever a script tries to run, the ScriptSecurityManager is asked for permission, and if it vetoes execution the script does not execute.
Additionally, if a web page is not entitled to run scripts according to the ScriptSecurityManager, no scripts are even loaded by it, no matter their individual origin.
If, for instance, noscript.net is not whitelisted, its 3rd party scripts from informaction.com won't run anyway, even if the latter is whitelisted, because noscript.net cannot execute nor load any script.

sky wrote: i.e. if I really wanted this feature, where should a patch be directed?

No idea, you should ask the Firebug guys.
Regarding what it takes to make it work, you've got two ways: using the Components.utils.evalInSandbox() API or synchronously whitelist the page, execute the script, then forbid it again.
In both cases, asynchronous scripts (e.g. functions delayed with setTimeout(), event handler or appended <SCRIPT> elements won't work anyway).

sky wrote: I believe disallowed pages that include external javascript from permitted domains works, right?

Wrong, see above.

I use FireFox 3 with both NoScript and FireBug installed. I use FireBug for debugging my own web development (which is obviously on trusted sites), but on untrusted sites, I often use the Inspect->HTML and the CSS/DOM tabs to see how a site did something. However, I can't say I have a use case for running JavaScript via the FireBug console on an untrusted page... which makes me wonder: What's your use case here? Perhaps there's a different way to do what you want.

-Foam

Well not having an issue but then again I don't normally try to inject JS into untrusted pages, just use the inspection tool to see what it is doing. I am using Firebug 1.3.3 and NS 1.9.2.7