[RESOLVED] noscript.checkInclusionType?
[RESOLVED] noscript.checkInclusionType?
Running the latest version of NoScript and Firefox 3.5.1, noscript is blocking a comics gadget on my igoogle. I tried adding gmodules to the XSS exclusions, that didn't seem to help. Then I went into about:config and tried setting noscript.checkInclusionType to false after I saw a note about it in the change log. The parameter was not in the about:config to begin with, so I added it, but it still didn't seem to help.
Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... icsCore.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#
Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... csPrefs.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#
Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... Display.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#
Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... ocomics.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#
Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... icsCore.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#
Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... csPrefs.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#
Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... Display.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#
Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... ocomics.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Re: noscript.checkInclusionType?
Testing by disabling NoScript and restarting Firefox allowed the page to load correctly, so I'm assuming it's noscript though the error messages are not prefixed. All addons loaded:
Adblock Plus 1.1
ColorZilla 2.0.2
Firebug 1.4.0
Html Validator 0.8.5.8
Image Zoom 0.3.1
NoScript 1.9.6.7
Session Manager 0.6.6.2
Web Developer 1.1.8
Adblock Plus 1.1
ColorZilla 2.0.2
Firebug 1.4.0
Html Validator 0.8.5.8
Image Zoom 0.3.1
NoScript 1.9.6.7
Session Manager 0.6.6.2
Web Developer 1.1.8
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: noscript.checkInclusionType?
The problem, as the log explains, is hosting.gmodules.com serving JavaScript files with a wrong Content-type header (text/xml).
I'm contacting some Google guys to understand if it's an oversight which they can fix or there's some other reason for this anomalous behavior.
In the meanwhile you can put hosting.gmodules.com/ig/gadgets/ in the noscript.inclusionTypeChecking.exceptions about:config preference.
I'm contacting some Google guys to understand if it's an oversight which they can fix or there's some other reason for this anomalous behavior.
In the meanwhile you can put hosting.gmodules.com/ig/gadgets/ in the noscript.inclusionTypeChecking.exceptions about:config preference.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: noscript.checkInclusionType?
Please check latest development build 1.9.6.8, it should work-around for gmodules.com and in other cases when the default file extension is used.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Re: noscript.checkInclusionType?
The new build did the trick (grabbed 1.9.6.9 a few minutes ago), now I can read my comics while still being protected by one of the most essential firefox addons on the web.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Re: noscript.checkInclusionType?
Got the same problem with blocking XSS "wrong mimetype text/html" on http://digg.com/tools/widgetjs
Its XP, FF 3.5.1, ver 1.9.6.9 (development build) - installing the dev build didn't help but adding digg.com/tools/ to the inclusionTypeChecking.exception did solve it...
Its XP, FF 3.5.1, ver 1.9.6.9 (development build) - installing the dev build didn't help but adding digg.com/tools/ to the inclusionTypeChecking.exception did solve it...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: noscript.checkInclusionType?
latest development build 1.9.6.92 should let that mistyped script to pass even without an exception (I tuned the inclusion checks to be more forgiving towards bona-fide misconfigurations).makini wrote:Got the same problem with blocking XSS "wrong mimetype text/html" on http://digg.com/tools/widgetjs
Its XP, FF 3.5.1, ver 1.9.6.9 (development build) - installing the dev build didn't help but adding digg.com/tools/ to the inclusionTypeChecking.exception did solve it...
Thanks for reporting.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Re: noscript.checkInclusionType?
Yepp, that build did it. Thanks.Giorgio Maone wrote: latest development build 1.9.6.92 should let that mistyped script to pass even without an exception (I tuned the inclusion checks to be more forgiving towards bona-fide misconfigurations).
Thanks for reporting.
It was weird, I found the error after wondering for some time why would that digg widget on my own wordpress site stop working all over the sudden! I guess a lot of sites don't really care for setting correct script' mime types.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Re: noscript.checkInclusionType?
I'm having a similar problem..
[NoScript] Blocking cross site Javascript served from http://209.85.62.26/... with wrong mimetype text/plain and included by http://s12.invisionfree.com/RSC_Alliance/index.php
XP Home
FF 3.5.1
NoScript ver. 1.9.6.92
[NoScript] Blocking cross site Javascript served from http://209.85.62.26/... with wrong mimetype text/plain and included by http://s12.invisionfree.com/RSC_Alliance/index.php
XP Home
FF 3.5.1
NoScript ver. 1.9.6.92
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: noscript.checkInclusionType?
I think at some point NS needs to draw the line of leniency and just enforce proper form and its up to the developers to get their act together. As long Giorgio keeps making concessions for their errors, they will not learn and do right. Just saying that I think pressure needs to go to the respective sites to fix the problems but it seems as always Giorgio is way too nice to just say, no.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
-
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: noscript.checkInclusionType?
I bet that getting a message from NS raises a big flag in most developers' inboxes these days ;-)GµårÐïåñ wrote:I think at some point NS needs to draw the line of leniency and just enforce proper form and its up to the developers to get their act together.
That's a point, but surely if Giorgio can make exceptions while he tunes the engine, why not?As long Giorgio keeps making concessions for their errors, they will not learn and do right. Just saying that I think pressure needs to go to the respective sites to fix the problems but it seems as always Giorgio is way too nice to just say, no.
And if people are put off asking for fixes, no matter for what, that also reduces Giorgio's data set.
What amazes me always is his rapid responses to so many different uses, and still the thing remains so small.
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.0.12) Gecko/2009070811 Ubuntu/9.04 (jaunty) Firefox/3.0.12
Re: noscript.checkInclusionType?
I understand your point Guardian, but what good is a security app for the average user if it prevents them from visiting some of their favorite sites?GµårÐïåñ wrote:I think at some point NS needs to draw the line of leniency and just enforce proper form and its up to the developers to get their act together. As long Giorgio keeps making concessions for their errors, they will not learn and do right. Just saying that I think pressure needs to go to the respective sites to fix the problems but it seems as always Giorgio is way too nice to just say, no.
I would like NoScript to be as secure as possible, but there's something to be said for usability too. I haven't had this problem before until the release of version 1.9.6.9(x).
That being said, I love NoScript. I've been using it for quite some time and it's one of the few add-ons that I feel is a must have for FF. I think I was just expecting it to work for me as seamlessly as it always has.

I agree. No offense to Guardian, but after reading his comment, I was wondering if I should have kept quiet and waited to see if the problem was fixed in the next stable release.Grumpy Old Lady wrote:That's a point, but surely if Giorgio can make exceptions while he tunes the engine, why not?
And if people are put off asking for fixes, no matter for what, that also reduces Giorgio's data set.

After all, I have nothing but appreciation and respect for Giorgio for writing such a great program.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: noscript.checkInclusionType?
You have both missed my point. I meant no offense to anyone and by no means should you have kept quiet. The fact is that if a security tool keeps making exceptions and loosening its restrictions more and more to accommodate poor development, regardless of how popular the service is, then its going to ultimately become less and less effective and that does a disservice to users who are average or not who prefer their security over their convenience of developers to put out crappy websites.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: noscript.checkInclusionType?
Please check latest development build 1.9.6.93, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Re: noscript.checkInclusionType?
Yes, that solved my problem.
Your prompt responses and fixes are every bit as impressive as your product!
Thanks again,
*AJ*

Your prompt responses and fixes are every bit as impressive as your product!

Thanks again,
*AJ*
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1