Page 2 of 2
Re: Help documentation for Noscript
Posted: Mon Nov 02, 2015 5:05 pm
by barbaz
You're welcome, but I'm thinking I should bring the apparent status of noscript.forbidData to Giorgio's attention.
Re: Help documentation for Noscript
Posted: Fri Feb 26, 2016 4:04 pm
by fatboy
Whether correctly I understand?
1. noscript.xss.checkCharset.exceptions — exceptions of noscript.utf7filter?
2.1 noscript.allowLocalLinks.
from (
https://noscript.net/changelog#2.6.8.20)
If the list empty, then pages from capability.policy.maonoscript.sites can/cannot open file://, depending on noscript.allowLocalLinks;true/false.
If noscript.allowLocalLinks.from;^https://ololo\.com. */game-* — only these pages can open file://, on condition that noscript.allowLocalLinks;true
2.2 If noscript.allowLocalLinks.
to;file:///D:/small-tits, the pages will not be able to open file:///D:/big-boobs
2.3. "in the URL list syntax pattern of ABE"
noscript.allowLocalLinks.to;file:///D:/Cyrillic-symbols/ is invalid.
noscript.allowLocalLinks.to;ALL is valid?
What other URL will be/will not match?
Re: Help documentation for Noscript
Posted: Fri Feb 26, 2016 6:22 pm
by barbaz
(2) only apply to Gecko 29, see e.g.
viewtopic.php?f=10&t=19884
Re: Help documentation for Noscript
Posted: Sat Feb 27, 2016 6:36 pm
by fatboy
Thanks, I tried to read everything. The matter is that the websites requiring access to file:// never came across to me.
I try once again:
Gecko ≤ 28 — noscript.allowLocalLinks
Gecko ≥ 29 — noscript.allowLocalLinks isn't used.
Empty noscript.allowLocalLinks.from value corresponds to noscript.allowLocalLinks;false
noscript.allowLocalLinks.from;ALL corresponds to noscript.allowLocalLinks;true
Possible values: ALL site.tld ^https?://site\.tld .*/path subdomain.*
Possible noscript.allowLocalLinks.to values
file:///Disc:/folder/file ^file:///Disc:/folder/[0-9A-Z]\.ext ALL INCLUSION(SCRIPT, CSS, IMAGE, OBJ, FONT, MEDIA)
Re: Help documentation for Noscript
Posted: Sat Feb 27, 2016 7:38 pm
by barbaz
I think that by "ABE syntax" it's just meant that it's an AddressMatcher, which is the internal name for the parser of the patterns used to specify e.g. Site. INCLUSION is treated as a request method by ABE.
The "Gecko 29 only" I was referring to this internal code:
Code: Select all
Hacks: {
allowLocalLinks: function() {
let ns = noscriptOverlay.ns;
if (ns.geckoVersionCheck("30") >= 0) return;
if ("urlSecurityCheck" in window) {
let usc = window.urlSecurityCheck;
window.urlSecurityCheck = function(aURL, aPrincipal, aFlags) {
if (!ns.checkLocalLink(aURL, aPrincipal)) {
usc.apply(this, arguments);
}
}
}
if ("handleLinkClick" in window) {
let hlc = window.handleLinkClick;
window.handleLinkClick = function(ev, href, linkNode) {
let ret = hlc.apply(this, arguments);
if (!ret && ns.checkLocalLink(linkNode.href, linkNode.nodePrincipal)) {
try {
let w = ev.view.open("about:blank", linkNode.target || "_self");
w.location.href = linkNode.href;
ev.preventDefault();
ret = true;
} catch (e) {
ret = false;
}
}
return ret;
}
}
},
This code is what determines when to allow local link
Code: Select all
checkLocalLink: function(url, principal, fromPolicy) {
if (!this.allowLocalLinks || this.supportsCAPS && !fromPolicy)
return fromPolicy;
if (url instanceof Ci.nsIURI) {
if (!url.schemeIs("file")) return fromPolicy;
url = url.spec;
} else if (typeof url !== "string" || url.indexOf("file:///") !== 0) return fromPolicy;
let site = principal.URI ? principal.URI.spec : principal.origin;
if (!/^(ht|f)tps?:/.test(site)) return fromPolicy;
let [to, from] = ["to", "from"].map(function(n) AddressMatcher.create(ns.getPref("allowLocalLinks." + n, "")));
return ((from
? from.test(site)
: this.isJSEnabled(this.getSite(principal.origin)))
&& (!to || to.test(url))
);
},
Re: Help documentation for Noscript
Posted: Sun Feb 28, 2016 3:17 pm
by fatboy
Thanks a lot.
Now I was absolutely tangled. <irony>Will have to take a couple of strong guys, to go to Palermo and get to know firsthand.</irony>
Re: Help documentation for Noscript
Posted: Thu Sep 08, 2022 4:21 pm
by barbaz
The information in this old thread is obsolete, and this thread seems to have become a spam magnet now. Locking.