[RESOLVED] noscript.checkInclusionType?

[Actos]

Running the latest version of NoScript and Firefox 3.5.1, noscript is blocking a comics gadget on my igoogle. I tried adding gmodules to the XSS exclusions, that didn't seem to help. Then I went into about:config and tried setting noscript.checkInclusionType to false after I saw a note about it in the change log. The parameter was not in the about:config to begin with, so I added it, but it still didn't seem to help.

Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... icsCore.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#

Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... csPrefs.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#

Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... Display.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#

Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... ocomics.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#

[Actos]

Testing by disabling NoScript and restarting Firefox allowed the page to load correctly, so I'm assuming it's noscript though the error messages are not prefixed. All addons loaded:
Adblock Plus 1.1
ColorZilla 2.0.2
Firebug 1.4.0
Html Validator 0.8.5.8
Image Zoom 0.3.1
NoScript 1.9.6.7
Session Manager 0.6.6.2
Web Developer 1.1.8

[Giorgio Maone]

The problem, as the log explains, is hosting.gmodules.com serving JavaScript files with a wrong Content-type header (text/xml).
I'm contacting some Google guys to understand if it's an oversight which they can fix or there's some other reason for this anomalous behavior.
In the meanwhile you can put hosting.gmodules.com/ig/gadgets/ in the noscript.inclusionTypeChecking.exceptions about:config preference.

[Giorgio Maone]

Please check latest development build 1.9.6.8, it should work-around for gmodules.com and in other cases when the default file extension is used.

[Actos]

The new build did the trick (grabbed 1.9.6.9 a few minutes ago), now I can read my comics while still being protected by one of the most essential firefox addons on the web.

[makini]

Got the same problem with blocking XSS "wrong mimetype text/html" on http://digg.com/tools/widgetjs
Its XP, FF 3.5.1, ver 1.9.6.9 (development build) - installing the dev build didn't help but adding digg.com/tools/ to the inclusionTypeChecking.exception did solve it...

[Giorgio Maone]

Got the same problem with blocking XSS "wrong mimetype text/html" on http://digg.com/tools/widgetjs
Its XP, FF 3.5.1, ver 1.9.6.9 (development build) - installing the dev build didn't help but adding digg.com/tools/ to the inclusionTypeChecking.exception did solve it...

latest development build 1.9.6.92 should let that mistyped script to pass even without an exception (I tuned the inclusion checks to be more forgiving towards bona-fide misconfigurations).
Thanks for reporting.

[makini]

latest development build 1.9.6.92 should let that mistyped script to pass even without an exception (I tuned the inclusion checks to be more forgiving towards bona-fide misconfigurations).
Thanks for reporting.

Yepp, that build did it. Thanks.
It was weird, I found the error after wondering for some time why would that digg widget on my own wordpress site stop working all over the sudden! I guess a lot of sites don't really care for setting correct script' mime types.

[Average Joe]

I'm having a similar problem..

[NoScript] Blocking cross site Javascript served from http://209.85.62.26/... with wrong mimetype text/plain and included by http://s12.invisionfree.com/RSC_Alliance/index.php

XP Home
FF 3.5.1
NoScript ver. 1.9.6.92

[GµårÐïåñ]

I think at some point NS needs to draw the line of leniency and just enforce proper form and its up to the developers to get their act together. As long Giorgio keeps making concessions for their errors, they will not learn and do right. Just saying that I think pressure needs to go to the respective sites to fix the problems but it seems as always Giorgio is way too nice to just say, no.

[Grumpy Old Lady]

I think at some point NS needs to draw the line of leniency and just enforce proper form and its up to the developers to get their act together.

I bet that getting a message from NS raises a big flag in most developers' inboxes these days ;-)

As long Giorgio keeps making concessions for their errors, they will not learn and do right. Just saying that I think pressure needs to go to the respective sites to fix the problems but it seems as always Giorgio is way too nice to just say, no.

That's a point, but surely if Giorgio can make exceptions while he tunes the engine, why not?
And if people are put off asking for fixes, no matter for what, that also reduces Giorgio's data set.
What amazes me always is his rapid responses to so many different uses, and still the thing remains so small.

[Average Joe]

I think at some point NS needs to draw the line of leniency and just enforce proper form and its up to the developers to get their act together. As long Giorgio keeps making concessions for their errors, they will not learn and do right. Just saying that I think pressure needs to go to the respective sites to fix the problems but it seems as always Giorgio is way too nice to just say, no.

I understand your point Guardian, but what good is a security app for the average user if it prevents them from visiting some of their favorite sites?

I would like NoScript to be as secure as possible, but there's something to be said for usability too. I haven't had this problem before until the release of version 1.9.6.9(x).

That being said, I love NoScript. I've been using it for quite some time and it's one of the few add-ons that I feel is a must have for FF. I think I was just expecting it to work for me as seamlessly as it always has.

That's a point, but surely if Giorgio can make exceptions while he tunes the engine, why not?
And if people are put off asking for fixes, no matter for what, that also reduces Giorgio's data set.

I agree. No offense to Guardian, but after reading his comment, I was wondering if I should have kept quiet and waited to see if the problem was fixed in the next stable release.

After all, I have nothing but appreciation and respect for Giorgio for writing such a great program.

[GµårÐïåñ]

You have both missed my point. I meant no offense to anyone and by no means should you have kept quiet. The fact is that if a security tool keeps making exceptions and loosening its restrictions more and more to accommodate poor development, regardless of how popular the service is, then its going to ultimately become less and less effective and that does a disservice to users who are average or not who prefer their security over their convenience of developers to put out crappy websites.

[Giorgio Maone]

Please check latest development build 1.9.6.93, thanks.

[Average Joe]

Yes, that solved my problem.

Your prompt responses and fixes are every bit as impressive as your product!

Thanks again,
*AJ*