[RESOLVED] noscript.checkInclusionType?

Ask for help about NoScript, no registration needed to post
Actos

[RESOLVED] noscript.checkInclusionType?

Post by Actos »

Running the latest version of NoScript and Firefox 3.5.1, noscript is blocking a comics gadget on my igoogle. I tried adding gmodules to the XSS exclusions, that didn't seem to help. Then I went into about:config and tried setting noscript.checkInclusionType to false after I saw a note about it in the change log. The parameter was not in the about:config to begin with, so I added it, but it still didn't seem to help.

Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... icsCore.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#

Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... csPrefs.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#

Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... Display.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#

Blocking cross site Javascript served from http://hosting.gmodules.com/ig/gadgets/ ... ocomics.js with wrong mimetype text/xml and included by http://ig.gmodules.com/gadgets/ifr?view ... e.iglegacy#
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Actos

Re: noscript.checkInclusionType?

Post by Actos »

Testing by disabling NoScript and restarting Firefox allowed the page to load correctly, so I'm assuming it's noscript though the error messages are not prefixed. All addons loaded:
Adblock Plus 1.1
ColorZilla 2.0.2
Firebug 1.4.0
Html Validator 0.8.5.8
Image Zoom 0.3.1
NoScript 1.9.6.7
Session Manager 0.6.6.2
Web Developer 1.1.8
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
User avatar
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: noscript.checkInclusionType?

Post by Giorgio Maone »

The problem, as the log explains, is hosting.gmodules.com serving JavaScript files with a wrong Content-type header (text/xml).
I'm contacting some Google guys to understand if it's an oversight which they can fix or there's some other reason for this anomalous behavior.
In the meanwhile you can put hosting.gmodules.com/ig/gadgets/ in the noscript.inclusionTypeChecking.exceptions about:config preference.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
User avatar
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: noscript.checkInclusionType?

Post by Giorgio Maone »

Please check latest development build 1.9.6.8, it should work-around for gmodules.com and in other cases when the default file extension is used.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Actos

Re: noscript.checkInclusionType?

Post by Actos »

The new build did the trick (grabbed 1.9.6.9 a few minutes ago), now I can read my comics while still being protected by one of the most essential firefox addons on the web.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
makini
Posts: 2
Joined: Wed Jul 22, 2009 10:42 am

Re: noscript.checkInclusionType?

Post by makini »

Got the same problem with blocking XSS "wrong mimetype text/html" on http://digg.com/tools/widgetjs
Its XP, FF 3.5.1, ver 1.9.6.9 (development build) - installing the dev build didn't help but adding digg.com/tools/ to the inclusionTypeChecking.exception did solve it...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
User avatar
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: noscript.checkInclusionType?

Post by Giorgio Maone »

makini wrote:Got the same problem with blocking XSS "wrong mimetype text/html" on http://digg.com/tools/widgetjs
Its XP, FF 3.5.1, ver 1.9.6.9 (development build) - installing the dev build didn't help but adding digg.com/tools/ to the inclusionTypeChecking.exception did solve it...
latest development build 1.9.6.92 should let that mistyped script to pass even without an exception (I tuned the inclusion checks to be more forgiving towards bona-fide misconfigurations).
Thanks for reporting.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
makini
Posts: 2
Joined: Wed Jul 22, 2009 10:42 am

Re: noscript.checkInclusionType?

Post by makini »

Giorgio Maone wrote: latest development build 1.9.6.92 should let that mistyped script to pass even without an exception (I tuned the inclusion checks to be more forgiving towards bona-fide misconfigurations).
Thanks for reporting.
Yepp, that build did it. Thanks.
It was weird, I found the error after wondering for some time why would that digg widget on my own wordpress site stop working all over the sudden! I guess a lot of sites don't really care for setting correct script' mime types.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Average Joe

Re: noscript.checkInclusionType?

Post by Average Joe »

I'm having a similar problem..

[NoScript] Blocking cross site Javascript served from http://209.85.62.26/... with wrong mimetype text/plain and included by http://s12.invisionfree.com/RSC_Alliance/index.php

XP Home
FF 3.5.1
NoScript ver. 1.9.6.92
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: noscript.checkInclusionType?

Post by GµårÐïåñ »

I think at some point NS needs to draw the line of leniency and just enforce proper form and its up to the developers to get their act together. As long Giorgio keeps making concessions for their errors, they will not learn and do right. Just saying that I think pressure needs to go to the respective sites to fix the problems but it seems as always Giorgio is way too nice to just say, no.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: noscript.checkInclusionType?

Post by Grumpy Old Lady »

GµårÐïåñ wrote:I think at some point NS needs to draw the line of leniency and just enforce proper form and its up to the developers to get their act together.
I bet that getting a message from NS raises a big flag in most developers' inboxes these days ;-)
As long Giorgio keeps making concessions for their errors, they will not learn and do right. Just saying that I think pressure needs to go to the respective sites to fix the problems but it seems as always Giorgio is way too nice to just say, no.
That's a point, but surely if Giorgio can make exceptions while he tunes the engine, why not?
And if people are put off asking for fixes, no matter for what, that also reduces Giorgio's data set.
What amazes me always is his rapid responses to so many different uses, and still the thing remains so small.
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.0.12) Gecko/2009070811 Ubuntu/9.04 (jaunty) Firefox/3.0.12
Average Joe

Re: noscript.checkInclusionType?

Post by Average Joe »

GµårÐïåñ wrote:I think at some point NS needs to draw the line of leniency and just enforce proper form and its up to the developers to get their act together. As long Giorgio keeps making concessions for their errors, they will not learn and do right. Just saying that I think pressure needs to go to the respective sites to fix the problems but it seems as always Giorgio is way too nice to just say, no.
I understand your point Guardian, but what good is a security app for the average user if it prevents them from visiting some of their favorite sites?

I would like NoScript to be as secure as possible, but there's something to be said for usability too. I haven't had this problem before until the release of version 1.9.6.9(x).

That being said, I love NoScript. I've been using it for quite some time and it's one of the few add-ons that I feel is a must have for FF. I think I was just expecting it to work for me as seamlessly as it always has. :roll:

Grumpy Old Lady wrote:That's a point, but surely if Giorgio can make exceptions while he tunes the engine, why not?
And if people are put off asking for fixes, no matter for what, that also reduces Giorgio's data set.
I agree. No offense to Guardian, but after reading his comment, I was wondering if I should have kept quiet and waited to see if the problem was fixed in the next stable release. :oops:

After all, I have nothing but appreciation and respect for Giorgio for writing such a great program. 8-)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: noscript.checkInclusionType?

Post by GµårÐïåñ »

You have both missed my point. I meant no offense to anyone and by no means should you have kept quiet. The fact is that if a security tool keeps making exceptions and loosening its restrictions more and more to accommodate poor development, regardless of how popular the service is, then its going to ultimately become less and less effective and that does a disservice to users who are average or not who prefer their security over their convenience of developers to put out crappy websites.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
User avatar
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: noscript.checkInclusionType?

Post by Giorgio Maone »

Please check latest development build 1.9.6.93, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Average Joe

Re: noscript.checkInclusionType?

Post by Average Joe »

Yes, that solved my problem. ;)

Your prompt responses and fixes are every bit as impressive as your product! 8-)

Thanks again,
*AJ*
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Post Reply