InformAction Forums

I'd like to whitelist data-URIs that I type in the address bar. Unfortunately, NoScript blocks data:-URLs, without any exception. Contrary to my expectations, the NoScript button does not have any "Temporarily allow data:text/html,..." option.

"noscript.allowURLBarJS" is set to true in about:config (as suggested here), but that did not give me the ability to whitelist data:-URLs. To make sure that it is not caused by a conflicting add-on, I've created a new Firefox profile and installed NoScript from the website (stable and dev versions).

Steps to reproduce:

1. Open a new tab
2. Type "data:text/html,<script>alert(0)</script>" and press Enter
3. Expected result: Dialog with "0" being displayed. Actual result: No dialog at all.

- Firefox 33.0 (Linux)
- NoScript 2.6.9.2 and 2.6.9.3rc2

How can I get NoScript to whitelist data:-URLs?

I thought it was supposed to allow scripts on URL-bar-typed data: URIs automatically?
EDIT Scratch what was here before. Decided to try this myself, on SeaMonkey - and it works as you say is expected.

However, confirmed broken in latest development build in Firefox 31 ESR (also on Linux), clean profile.
Allow Scripts Globally does get it working, but that's the only thing that gets it working...

Seems this is a Firefox-specific bug.

FF 32.0.3
And yes, SeaMonkey works as expected (mostly).

[Mostly. Still the issue with being too quick & also about:config enabling URL entry without ... something, perhaps enabling the actual Pref - but I'm not complaining about either.)

(frickin FF, Help | About & it automatically starts to download the update. Suppose I hadn't specifically turned off Updating.)

This bug is still present with NoScript in Firefox 37. I remember at the beginning of october 2014, the bug was not present.
We can't use Firefox data: with NoScript until we "allow scripts globally", like barbaz said and we can't add data: in whitelist, why?
I don't know if it's a Firefox specific bug, here is the error on Firefox console (Ctrl + Shift + J): Component returned failure code: 0x805e0007 [nsIWebNavigation.loadURI]

This is a serious problem that has to be fixed. Now people using NoScript are losing Firefox functions, for example the right click -> View Image on an HTML5 canvas will fail.
You can try it yourself, I have a canvas example here: http://drawcode.eu/projects/connect-points/
Before the bug, Firefox would open the data URL in the browser (data:image/png;base64,xxxxx).

I also used it a lot for hacks:
data:text/html,<iframe src="http://www.youtube.com/embed/video_ID">
or
document.location = "data:text/html;charset=utf-8," + encodeURIComponent(document.body.innerHTML).
(Edit: the second example still works)

The canvas view image broken function is a problem that a lot of NoScript users will have. Have you any news on this bug?

baptx wrote:This bug is still present with NoScript in Firefox 37. I remember at the beginning of october 2014, the bug was not present.
We can't use Firefox data: with NoScript until we "allow scripts globally", like barbaz said and we can't add data: in whitelist, why?
I don't know if it's a Firefox specific bug, here is the error on Firefox console (Ctrl + Shift + J): Component returned failure code: 0x805e0007 [nsIWebNavigation.loadURI]

I think that is a different story.. please try go to about:config > set noscript.allowURLBarJS to true and then copy+paste the data URI

I already have set noscript.allowURLBarJS to true. The problem is that we cannot directly open a data URL in Firefox when using NoScript. I have found that if we use JavaScript to open the data URL, it works. For example in URL bar javascript:document.location = "data:text/html,<iframe src=\"http://www.youtube.com/embed/video_ID\">". But using just data:text/html,<iframe src="http://www.youtube.com/embed/video_ID"> in URL bar does not work.

Huh. So they don't.
Firefox 37.0.2, NoScript latest development build


(Thanks for the report, this feels like a very recent regression, give me a moment...)

I'm really confused.
I could have sworn I discussed the subject of data: URIs with Giorgio in PM and it was working.
But even with the exact Firefox & NoScript versions where it worked for me before, it's not working now?

(I tested a clean profile then and now too, this is weird...)



(To note, SeaMonkey is not affected, you can type data: URIs in SeaMonkey and they will load.)

I see we still cannot open data: URIs with NoScript enabled.
So I tried older versions of the addon and found that the problem appeared in version 2.6.9.20rc1 (March 28, 2015): https://addons.mozilla.org/en-US/firefo ... .6.9.20rc1
I checked the source code, you can easily see the diff with previous version on this GitHub mirror: https://github.com/avian2/noscript/comm ... eef317a0ba

The problem comes from the code in xpi/chrome/content/noscript/Policy.js at line 560: I don't know what it is for but it breaks data: URIs. If I remove the "else if" block from the latest version of NoScript, the problem is fixed.
For information, the code is not the same in latest version and looks like this: I hope you will fix it, thanks.

It's to do with viewtopic.php?f=7&t=20657 - I noticed inconsistencies in data: URI handling, and that's how Giorgio fixed it...

If someone wants a fix while the bug is still present in the official NoScript release, I created a fork with the patch: https://github.com/avian2/noscript/pull/4

Edit: A workaround to view the data: URI of an HTML5 canvas is to right click on it and select "View Image" while pressing the "Ctrl" key, so it opens data: URI in a new tab without being blocked by NoScript bug.
It is also possible to open "data:text/html,<iframe src="http://www.youtube.com/embed/video_ID">" in a new about:blank tab but not an existing website tab.
I hope you will fix this problem, it looks like my patch was ignored.

Your patch outright removes an important security measure as well as workaround code needed for certain Addon-SDK panels, it's no surprise it was ignored by Giorgio.