Embedded/Inline Scripts
Posted: Mon Jul 14, 2014 1:11 pm
by Balia
NoScript doesn't seem to block inline/embedded scripts.
I was looking at a website using an image rotation script embedded in the html page in a <script>...</script> block.
Despite not having allowed the page with NoScript, the images were rotating.
Only after I went into about:config and set javascript.enable=false did the rotation stop.
But this is not a good solution because this will block scripts from trusted pages as well.
Is this normal behavior?
Re: Embedded/Inline Scripts
Posted: Mon Jul 14, 2014 2:19 pm
by therube
URL?
Re: Embedded/Inline Scripts
Posted: Mon Jul 14, 2014 2:57 pm
by barbaz
What NoScript version are you using?
Re: Embedded/Inline Scripts
Posted: Mon Jul 14, 2014 9:43 pm
by Balia
I just upgraded NoScript to 2.6.8.33.
The problem of the rotating images seems to be gone.
I have no idea what the problem was before the upgrade.
But now I've lost the ability to allow scripts on a per-site basis in case the top page is whitelisted.
If I hover over "Temporarily allow all on this site" I can see the list of external sites trying to execute scripts in a yellow popup, but I don't have the option to temporarily allow/disallow any of those sites individually.
Obviously I have the "Full Addresses" checked in the Appearance tab.
I am sorry if I don't have too much time to spend on this, but there should be an easier way to debug this.
I'll have to figure this one out later.
I am just not as confident as before that NoScript is actually blocking scripts as it is supposed to do.
Re: Embedded/Inline Scripts
Posted: Mon Jul 14, 2014 10:20 pm
by barbaz
about:config -> set noscript.cascadePermissions to false ?
Re: Embedded/Inline Scripts
Posted: Mon Jul 14, 2014 10:53 pm
by balia
Yes, noscript.cascadePermissions=false
Re: Embedded/Inline Scripts
Posted: Mon Jul 14, 2014 11:18 pm
by barbaz
I just tried latest PaleMoon (like Firefox 24) and SeaMonkey 2.22.1 (like Firefox 25.0.1) with my profile and no such issues here...
I have no idea why you're getting cascading permissions.
This might be a long shot, but try downgrading to NoScript 2.6.8.29 (last release where the cascading feature doesn't support Gecko < 28)
Note: if downgrading does work, I wouldn't consider it an actual solution in the long term - it would be better to figure out why your NS is in cascading permissions mode despite the pref being set to false. Try re-installing the latest version, and if NS is in cascading permissions mode again, do Standard Diagnostic keeping NoScript installed/enabled the whole time. Please let us know the results, thanks.
Re: Embedded/Inline Scripts
Posted: Mon Jul 14, 2014 11:41 pm
by Balia
Another piece of information:
There is totally no response from the page even though the page is whitelisted.
If I go to WebDeveloper for the page I am looking for, WebDeveloper shows no javascripts loaded.
Is it possible that after the upgrade, whitelisting is ignored?
In NoScript, I wish there was a way to identify (such as in a console) which javascript functions/calls have been blocked and which have not!
Re: Embedded/Inline Scripts
Posted: Tue Jul 15, 2014 12:09 am
by barbaz
Balia wrote: Another piece of information:
There is totally no response from the page even though the page is whitelisted.
If I go to WebDeveloper for the page I am looking for, WebDeveloper shows no javascripts loaded.
When it doesn't work, do you see anything related to NoScript in the Browser Console? (Ctrl-Shift-J)
If not, something seems really messed up in your profile.
Please create a clean profile from scratch. Install only NoScript, leaving all the defaults except for adding the necessary whitelist permissions for the one site which isn't responding.
Does everything work properly there? If so, try Standard Diagnostic keeping NoScript installed/enabled the whole time on your normal profile, but bear in mind it's possible your normal profile simply got corrupted somehow; in such a case you would have to migrate your extensions and data to a new profile.
Please let us know the results, thanks.
Balia wrote: Is it possible that after the upgrade, whitelisting is ignored?
That would certainly not be normal or expected in any way...
Balia wrote: In NoScript, I wish there was a way to identify (such as in a console) which javascript functions/calls have been blocked and which have not!
NoScript doesn't know that. Basically, it blocks entire script tags at once, not individual JS functions/calls.
Re: Embedded/Inline Scripts
Posted: Tue Jul 15, 2014 3:46 am
by Balia
Where can I find the previous XPIs? I couldn't locate any through a google search and I would like to roll back to a previous version.
Also where is noscript in the extension directory for the profile? It is not easy to identify and I don't have time for this.
Why is it not labeled like other extensions with an easily identifiable name?
Re: Embedded/Inline Scripts
Posted: Tue Jul 15, 2014 4:03 am
by barbaz
Balia wrote: Where can I find the previous XPIs?
https://addons.mozilla.org/addon/noscript/versions/ or
http://noscript.net/feed?c=200&t=a
See also my prior post.
Balia wrote: Also where is noscript in the extension directory for the profile?
extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
Why do you want to know that?
Balia wrote: Why is it not labeled like other extensions with an easily identifiable name?
Probably NoScript was created before toolkit allowed usage of the addon-name@domain style addon IDs.
Re: Embedded/Inline Scripts
Posted: Thu Jul 17, 2014 10:24 am
by balia
For info:
1. I reverted back to earlier versions of NoScript; but that didn't solve the problem.
2. I erased my profile folder and replaced it with a two-month old backup.
This seems to solve the problem.
I upgraded NoScript to the latest version and no problem so far.
Something must have corrupted my profile but sorry it would be too time consuming for me to try to pinpoint the source of the corruption.
CONCLUSION: All users should keep a backup of their Firefox profile folder, just in case ...
I was prescient enough to have included it in my backups, so I didn't have to recreate it.
Thank you very much for all the responses and the help I received.
Re: Embedded/Inline Scripts
Posted: Fri Jul 18, 2014 1:24 am
by Balia
One more comment before I let this go.
It still bugs me that if it weren't for the rotating image script, it could have gone for a long time before noticing that NoScript had stopped performing its functions. In my view, this is a serious vulnerability. Having a non-functional NoScript can lull you into a false sense of security.
An image rotation script isn't rocket science; if such a script was running in the background with NoScript installed, shouldn't there be some algorithmic check in NoScript to ensure that this shouldn't happen?
I assume that NoScript works by commenting out the script tags in the html code.
I've never debugged a Firefox extension and I am not sure how to set this up.
In the Firefox debugger, where do I find the entry point for the extension so I can set up an initial breakpoint?
Re: Embedded/Inline Scripts
Posted: Fri Jul 18, 2014 9:12 am
by Giorgio Maone
Balia wrote:
I assume that NoScript works by commenting out the script tags in the html code.
Nope, NoScript works by interacting with the JavaScript runtime and by preventing loads from happening.
If it wasn't working, the most likely culprit was another add-on interfering with the browser's script security manager.
There's no way for NoScript to tell whether the browser is working properly or not: it must "trust" at least the browser runtime, unfortunately.
Re: Embedded/Inline Scripts
Posted: Sat Jul 19, 2014 12:34 pm
by Balia
There were no new add-ons between the old profile and the new profile.
So that's unlikely to be the explanation.
Something else happened.
When I said commenting out, I could well have said disabling at run time or on loading.
This is just a question of semantics.
Doesn't NoScript need to identify all the script blocks to disable them in one way or another?