Page 1 of 1
(Invalid) Scripts Not Blocked On data: URIs!
Posted: Thu May 29, 2014 1:05 am
by barbaz
NS 2.6.8.26rc1, SeaMonkey 2.26 (and Palemoon 24.5)
noscript.allowURLBarJS -> true
STR:
enter in address bar
Code: Select all
data:text/html,<div id=%221%22>...</div><script>document.getElementById(%221%22).innerHTML=%22Scripts ARE ENABLED HERE%22</script>
Expected results: shows "..."
Actual results: shows "Scripts ARE ENABLED HERE", but the icon indicates that scripts are forbidden!
Re: Scripts Not Blocked On data: URIs!
Posted: Thu May 29, 2014 6:04 am
by therube
> noscript.allowURLBarJS -> true
In SeaMonkey, you don't even need to do that.
All you need to do is to open about:config. That is sufficient.
Then just type your data: URI (or javascript: code).
Re: Scripts Not Blocked On data: URIs!
Posted: Thu May 29, 2014 6:06 am
by therube
Hmm.
And FF works differently...
Re: Scripts Not Blocked On data: URIs!
Posted: Thu May 29, 2014 7:23 am
by Giorgio Maone
This is by design.
Actually NoScript goes great length to ensure this works.
Of course, if a non-whitelisted page tries to load a data: URI, scripts will be blocked there.
Re: Scripts Not Blocked On data: URIs!
Posted: Thu May 29, 2014 11:41 am
by therube
But FF & SeaMonkey give different results.
FF returns: "..."
SeaMonkey: "Scripts ARE ENABLED HERE"
Both browsers indicates that scripts are forbidden!
Re: Scripts Not Blocked On data: URIs!
Posted: Thu May 29, 2014 1:06 pm
by Giorgio Maone
therube wrote:
Both browsers indicates that scripts are forbidden!
And scripts ARE forbidden indeed. NoScript enables them "on the fly" if the URL is entered in the URL bar, just like it does with bookmarklets, then disable them back as soon as the "bookmarklet" execution is done.
Re: Scripts Not Blocked On data: URIs!
Posted: Thu May 29, 2014 1:46 pm
by therube
NoScript enables them "on the fly" if the URL is entered in the URL bar, just like it does with bookmarklets, then disable them back as soon as the "bookmarklet" execution is done
Right, & I expect that.
But, SeaMonkey (& seemingly Palemoon) return different results from FF ?
Scripts Are Blocked On data: URIs in FF 29
Posted: Thu May 29, 2014 2:11 pm
by therube
Arbitrarily picked some old NoScript, noscript-2.6.8.10rc1.xpi, & that returns the same results in both browsers, "Scripts ARE ENABLED HERE".
So is the actual situation that, Scripts Are Blocked On data: URIs in FF 29 ?
Re: Scripts Not Blocked On data: URIs!
Posted: Thu May 29, 2014 2:16 pm
by therube
Arbitrarily picked some old NoScript
No, that does not matter, is not the issue. Current NoScript is fine to test with.
Ah, maybe it's "about:blank" (about:newtab) ?
about:newtab
Re: Scripts Not Blocked On data: URIs!
Posted: Thu May 29, 2014 2:23 pm
by therube
http://forums.informaction.com/viewtopic.php?f=8&t=9204
it looks like JavaScript does not work within the context of about:newtab at all - regardless of extensions
So, if that is correct, expected, then there appears to be no issue at all.
Re: Scripts Not Blocked On data: URIs!
Posted: Thu May 29, 2014 5:06 pm
by barbaz
Giorgio Maone wrote:This is by design.
Actually NoScript goes great length to ensure this works.
Of course, if a non-whitelisted page tries to load a data: URI, scripts will be blocked there.
Ah OK then. Didn't realize NS differentiated between URL bar data: URI loads and content-originated data: URI loads.
Tried the obvious exploit scenario - meta refresh to a data URI from a script-blocked server - and indeed, the script did not run.
Also tried allowing the server - and the script ran if I clicked a link (inserted by NoRedirect) to the data URI, but it was blocked if I simply allowed the meta refresh the normal way.
Sorry about the misunderstanding.