BUGS: 1.9.4.x Dev
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
BUGS: 1.9.4.x Dev
Giorgio,
There are several issues that I think you need to look into for this build:
1. Any time I add a site to the whitelist, checking the list, the file:// is added as well and I certainly didn't do it. I have managed to get that to happen in 7 sites out of 18 that I tried. So just about 50% of the time. Not sure if the way the site is designed contributes to this bug but for me this would be a biggie.
Edit: IT'S NOW PERSISTENT and file:// WILL NOT go away from the whitelist, for me this is a HUGE problem.
2. When you whitelist a site (forbid active content on trusted is not checked) it will not show the flash or active content until you restart Fx and then go back to that page again. This is a huge problem as you can imagine, having to reboot the browser each time trusted decisions are made defeats the purpose, no?
3. After you whitelist a site, the performance on that site is degraded and there is a huge lag in mouse movements and typing while in the "canvas" area of Fx for that site (the display) and the only way to get it to stop so far has been to disable NS or close the tab and reload again from URL bar.
Let me know if you need anything else but clean profile with NS or reset did nothing for these issues either. Hope that helps you out but I have no choice but to rollback right now. Also, can you tell me how NS is built with regards to permissions processing; namely what authority is exerted first? ABE asserts first or regular untrusted settings?
Case example: I don't want to allow googleapis.com or yahooapis.com and will place them on the untrusted list. However, there might be selective sites that I DO want to give access, I can set up ABE to allow them access but the question remains will those selective permissions be honored or will they be ignored because the domain is marked untrusted?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: BUGS: 1.9.4.1 Dev
GµårÐïåñ wrote: Edit: IT'S NOW PERSISTENT and file:// WILL NOT go away from the whitelist, for me this is a HUGE problem.
It seems to be there by default now. I can delete it, but a Reset just brings it back. I don't see it listed in any of the noscript about:config prefs.
Quote: 2. When you whitelist a site (forbid active content on trusted is not checked) it will not show the flash or active content until you restart Fx and then go back to that page again. This is a huge problem as you can imagine, having to reboot the browser each time trusted decisions are made defeats the purpose, no?
Unable to reproduce.
Quote: 3. After you whitelist a site, the performance on that site is degraded and there is a huge lag in mouse movements and typing while in the "canvas" area of Fx for that site (the display) and the only way to get it to stop so far has been to disable NS or close the tab and reload again from URL bar.
Unable to reproduce.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
NoScript 1.9.4.1 with default prefs
Default theme and no other extensions
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: BUGS: 1.9.4.1 Dev
Alan Baxter wrote: It seems to be there by default now. I can delete it, but a Reset just brings it back. I don't see it listed in any of the noscript about:config prefs.
It's permanent and there is no way at all to remove it. No reset even needed, delete it and go back and check, it's back immediately.
Quote: Unable to reproduce.
I discovered another link to this issue. If you allow a page with flash, it will allow it and add file:// to the whitelist. If I go in the options and remove file:// and click ok, then it will immediately show the page with NO flash elements and it will not work again until you restart Fx. The only way to fix, is to disable NS and that's unacceptable to me.
Quote: Unable to reproduce.
See issue above as the reason why the resources seem to hang because the media is removed and apparently the page continues to think they are loading and accessing it. Creating a small paint refresh loop.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
-
- Posts: 6
- Joined: Sat Jun 13, 2009 10:36 am
Re: BUGS: 1.9.4.1 Dev
I found another issue with 1.9.4.1 used with SeaMonkey and Firefox trunk builds.
Every time I visit a SSL encrypted site the message box with the security warning "You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party." appears. But only on the first browser tab. Opening the same page in one of the next browser tabs works without problem.
Going back to 1.9.3.92 solves this problem.
Regards Sven
Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0
Re: BUGS: 1.9.4.1 Dev
Quote: 1. Not seeing that. Also don't see file: listed in \defaults\preferences\noscript.js.
OK, I misread. file:// is not appearing in the NoScript context menu, but it is being added to the whitelist (Options | Whitelist). Further, when Forbid a site or do a Reset, it again adds file:// to the whitelist. (A Revoke Temporary Permissions does not do this.)
Quote: No reset even needed, delete it and go back and check, it's back immediately.
True.
2./3. Can't seem to be able to duplicate?
Open https://login.yahoo.com/config/login_verify2?&.src=ym in a new page:

Then open it a second time in a new tab in that same page.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090429 Minefield/3.6a1pre
I get the same here too, but not always the popup dialog, mostly on the broken icon.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090608 SeaMonkey/2.0b1pre
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090608 SeaMonkey/2.0b1pre
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: BUGS: 1.9.4.1 Dev
@GµårÐïåñ:
the file:// thing is reproducible, weird and huge. Trying to fix it ASAP.
2 & 3 are not reproducible for me, could you please point us to some test cases with URLs and permissions?
@OnTheRocks, therube:
investigating, thanks.
GµårÐïåñ wrote: However, there might be selective sites that I DO want to give access, I can setup ABE to allow them access but the question remains will those selective permissions be honored or will they be ignored because the domain is marked untrusted?
ABE processing happens after NoScript permissions and before XSS checks, and ABE knows nothing about NoScript (in fact, I developed it with the goal of making it as much independent as possible from NoScript, so I can refactor it in a separate extension as soon as it's completed and stable enough).
Therefore, NoScript's untrusted prevails over ABE but ABE can be used to selectively block or sandbox stuff which is generally allowed by NoScript.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Re: BUGS: 1.9.4.1 Dev
Giorgio Maone wrote: @GµårÐïåñ: in fact, I developed it with the goal of making it as much independent as possible from NoScript, so I can refactor it in a separate extension as soon as it's completed and stable enough
But why do you make then changes to NoScript depending on ABE?
http://noscript.net/changelog wrote: x Lighter XSS checks, relying on ABE for pre-screening when possible (preventing some timeout-related false positives and random hangs)
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b99) Gecko/20090611 Firefox/3.5b99
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: BUGS: 1.9.4.1 Dev
dhouwn wrote:
    Giorgio Maone wrote: @GµårÐïåñ: in fact, I developed it with the goal of making it as much independent as possible from NoScript, so I can refactor it in a separate extension as soon as it's completed and stable enough
    But why do you make then changes to NoScript depending on ABE?
    http://noscript.net/changelog wrote: x Lighter XSS checks, relying on ABE for pre-screening when possible (preventing some timeout-related false positives and random hangs)
It's not the same. While extracting ABE from NoScript is in the roadmap, the opposite is not.
Furthermore, they share lots of functionality (e.g. origin and DNS checks, which are far from trivial in Firefox) so I'm refactoring it in separate modules when it makes sense, but at this moment NoScript depending on ABE does actually make sense as well and having both them in a single extension allows for huge optimizations which would be impossible otherwise (e.g. coalescing time-consuming duplicate checks).
So in the end you'll have the choice of installing ABE standalone or NoScript (which includes ABE).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: BUGS: 1.9.4.1 Dev
Giorgio Maone wrote: @GµårÐïåñ: the file:// thing is reproducible, weird and huge. Trying to fix it ASAP. 2 & 3 are not reproducible for me, could you please point us to some test cases with URLs and permissions?
Thank you for the acknowledgment and I will work on gathering some technical data for the other ones that others can't reproduce.
Quote: ABE processing happens after NoScript permissions and before XSS checks, and ABE knows nothing about NoScript (in fact, I developed it with the goal of making it as much independent as possible from NoScript, so I can refactor it in a separate extension as soon as it's completed and stable enough). Therefore, NoScript's untrusted prevails over ABE but ABE can be used to selectively block or sandbox stuff which is generally allowed by NoScript.
Understood, thank you. So a question: Say I want to give access to googleapis.com only to TWO sites. I have to whitelist googleapis.com in NS it seems and then use ABE permissions to limit who can access it. Now how would you instruct ABE best as to allow site1.com and site2.com to access it BUT ANY others from accessing it. I just want to make sure I have the logic of the ABE ruleset down so I can build a wizard for it, for my own testing at first and then I will post the finished product in Asgard for testing and then maybe a link to the public to use. For now I am going to assume you will build something like that, so I am doing it mostly for my own testing right now.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: BUGS: 1.9.4.1 Dev
GµårÐïåñ wrote: So a question: Say I want to give access to googleapis.com only to TWO sites. I have to whitelist googleapis.com in NS it seems and then use ABE permissions to limit who can access it. Now how would you instruct ABE best as to allow site1.com and site2.com to access it BUT ANY others from accessing it.
Code:
Site googleapis.com *.googleapis.com
Accept from site1.com site2.com
Deny
GµårÐïåñ wrote: I just want to make sure I have the logic of the ABE ruleset down so I can build a wizard for it
[...]
For now I am going to assume you will build something like that, so I am doing it mostly for my own testing right now.
Yes, a rule builder is definitely in the ABE roadmap, but if you build your wizard in XUL (or XHTML) + JavaScript, maybe we can reuse something in ABE's core

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
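The rule posted above, run through the order described earlier in the thread (NoScript permissions first, then ABE), as an added example that is not part of the thread and not NoScript or ABE source code. It is a simplified model and everything in it besides the rule text is an assumption: bare host names only, exact or `*.` patterns, only the `Site`, `Accept` and `Deny` keywords, the first matching predicate decides, and the `noscript` lists and function names are hypothetical.

```javascript
// Added example: simplified model, not NoScript/ABE source code.
// The rule text is the one posted in the thread.
const RULES_TEXT = `
Site googleapis.com *.googleapis.com
Accept from site1.com site2.com
Deny
`;

// Parse "Site <patterns>" lines, each followed by "Accept|Deny [from <patterns>]".
function parseRules(text) {
  const rules = [];
  for (const line of text.split("\n")) {
    const [keyword, ...rest] = line.trim().split(/\s+/).filter(Boolean);
    if (!keyword) continue;
    if (keyword === "Site") {
      rules.push({ sites: rest, predicates: [] });
    } else if ((keyword === "Accept" || keyword === "Deny") && rules.length > 0) {
      if (rest.length > 0 && (rest[0] !== "from" || rest.length < 2)) {
        throw new Error("unsupported predicate: " + line);
      }
      // An empty origin list means the predicate applies to every origin.
      rules[rules.length - 1].predicates.push({ action: keyword, origins: rest.slice(1) });
    } else {
      throw new Error("unsupported line: " + line);
    }
  }
  return rules;
}

// "*.example.com" matches subdomains only; any other pattern must match exactly.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// First matching predicate of the first matching rule wins; null = no ABE opinion.
function abeVerdict(rules, originHost, targetHost) {
  for (const rule of rules) {
    if (!rule.sites.some((p) => hostMatches(p, targetHost))) continue;
    for (const pred of rule.predicates) {
      const anyOrigin = pred.origins.length === 0;
      if (anyOrigin || pred.origins.some((p) => hostMatches(p, originHost))) {
        return pred.action;
      }
    }
  }
  return null;
}

// Assumed simplification: a listed domain also covers its subdomains.
function listed(list, host) {
  return list.some((d) => host === d || host.endsWith("." + d));
}

// NoScript permissions are checked first, so an ABE "Accept" is never reached
// for a target that NoScript marks untrusted or has not whitelisted.
function decide(noscript, rules, originHost, targetHost) {
  if (listed(noscript.untrusted, targetHost)) return "blocked:NoScript";
  if (!listed(noscript.whitelist, targetHost)) return "blocked:NoScript";
  return abeVerdict(rules, originHost, targetHost) === "Deny" ? "blocked:ABE" : "allowed";
}

const rules = parseRules(RULES_TEXT);
const trusted = { whitelist: ["googleapis.com", "site1.com"], untrusted: [] };
const distrusted = { whitelist: [], untrusted: ["googleapis.com"] };
for (const [ns, origin] of [[trusted, "site1.com"], [trusted, "other.example"], [distrusted, "site1.com"]]) {
  console.log(origin, "->", decide(ns, rules, origin, "ajax.googleapis.com"));
}
```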
Re: BUGS: 1.9.4.1 Dev
What I noticed with 1.9.4.1
- The Force HTTPS feature does not work properly anymore (it seems to work for embedded content though)
- When I open a link/bookmark in a new tab/window, "data;" is displayed in the address bar until the first details of the page are drawn
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b99) Gecko/20090611 Firefox/3.5b99
Re: BUGS: 1.9.4.1 Dev
I just had an instance where the Allow Global icon only displayed momentarily before reverting back to the Scripts Partially Allowed icon.
Restarted my browser (SeaMonkey 1.1.17), & now I cannot duplicate.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: BUGS: 1.9.4.1 Dev
@therube:
Did you execute a bookmarklet or some javascript: URL on the address bar?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Re: BUGS: 1.9.4.1 Dev
No.
Simply went to the NoScript icon & selected Allow Globally.
Broken https: notification:
Seems to only (usually, as it appears to not always be duplicable) occur on the first https: access that is loaded from an existing web page - more correctly, from within a window that has loaded a web page.
I.e., it does not occur if your home page is about:blank.
So if you start your browser (about:blank) then go to https://login.yahoo.com/config/login_verify2?&.src=ym, it will load correctly.
If you start your browser (about:blank), then open a new tab (about:blank again), then load http://www.seamonkey-project.org/ in that tab, then load https://login.yahoo.com/config/login_verify2?&.src=ym, you get a broken icon.
Perhaps related to the broken Force HTTPS report? (I'll let you find it as "https" is a "common word".)
(Maybe I'm mistaken & there is no Force HTTPS report?)
Huh? And I did a Reset in a particular (SeaMonkey 1.1.17) Profile & now I cannot force the broken https: bug even though I want to.
Oh, & I did (do sometimes?) see this in SeaMonkey 1.1.17, so no ABE (at least I have not attempted anything with noscript.ABE.legacySupport).
Alright, what am I thinking, what am I seeing? In one 1.1.17 Profile I have ABE, it is just there, in another there is no ABE tab at all, it is just missing. And I have done nothing to have it occur or not occur?
In my main Profile, noscript.ABE.enabled is set to false, & noscript.ABE.legacySupport is set to true. Just the opposite in the other Profile. I guess that explains that part, but again, I did nothing (that I recall) to make it one way or the other in either Profile. Only thing I can figure is that on some update, they defaulted to "on" (the Gecko 1.9 way), & having NOT performed a Reset in that Profile, it has remained. Having done a Reset in the other Profile, it then reset it to "the Gecko 1.8 way" - off.
OK, so it *is* ABE related.
Further OK, noscript.ABE.enabled is the toggle to enable/disable ABE. ABE does need to be enabled for the https: bug to occur.
Double further OK. A Reset sets noscript.ABE.enabled to false in Gecko 1.8 & that is why ABE "disappeared" & also why I then could not then force the broken https: issue.
Start browser (about:blank)
mail.yahoo.com OK
New window (about:blank)
mail.yahoo.com OK
New window (about:blank)
load http://www.seamonkey-project.org
mail.yahoo.com BROKEN
subsequent mail.yahoo.com in same window OK
Now is this only a cosmetic issue or does some potential vulnerability actually exist with the broken icon?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
Re: BUGS: 1.9.4.1 Dev
Had this once, but can't reproduce anymore:
Error: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsILoadGroup.removeRequest]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://noscript/content/ABE.js :: anonymous :: line 242" data: no]
Source File: chrome://noscript/content/ABE.js
Line: 242
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b99) Gecko/20090611 Firefox/3.5b99