[INVALID] NoScript unexpectedly not blocking script
Posted: Tue Nov 26, 2013 8:10 am
NoScript 2.6.8.5 is unexpectedly not blocking a script where I expect it to block a script. Since this appears to be a security issue, I've shown everything but the exact information, which I've marked [redacted]. If you want me to put this information on a public forum, please confirm, since I can't un-post it once I've posted it.
1) I disabled all extensions except NoScript.
2) I reset NoScript (after exporting my settings).
3) I quit Firefox (25.0.1), deleted extensions.[whatever] files, and restarted.
4) Details
a) The address or addresses (URL) where this occurs: [redacted]
NoScript status shows the snake with a big red forbidden symbol over it, followed by the words "Scripts currently forbidden" | <SCRIPT>: 2 | <OBJECT>: 0
b) the exact steps we need to follow to reproduce your problem
1. In the drop-down menu reading [redacted], choose [redacted].
Actual result: Browser goes to [redacted] (uses JavaScript to accomplish this)
Expected result: Script blocked
[23:52:20.517] HEAD [redacted] [HTTP/1.1 200 OK 398ms]
[23:52:20.941] GET [redacted] [HTTP/1.1 200 OK 233ms]
[23:52:21.342] GET [redacted] [HTTP/1.1 200 OK 219ms]
[23:52:21.344] GET [redacted] [HTTP/1.1 200 OK 416ms]
[23:52:21.175] Unknown property 'frameborder'. Declaration dropped. @ [redacted]:[redacted]
------
Afterwards, I confirmed that the page load was being done with JavaScript by disabling both JavaScript and NoScript and restarting the browser. With JavaScript and NoScript disabled, I get the following:
1. In the drop-down menu reading [redacted], choose [redacted].
Actual result: Nothing happens
Expected result: Nothing happens