JAR/XUL page blocked on browser reload

Posted: Thu Jul 23, 2009 3:44 pm
by nicktook
I have a set of intranet applications implemented as signed JAR files with XUL pages.

Recently NoScript is blocking these applications when I do a reload of the page:

[NoScript] Blocking cross site Javascript served from https://pg2.arcamax.com:2001/ec/jar/ec4.jar with wrong type info application/java-archive and included by chrome://browser/content/browser.xul

Note: If the user never does a 'reload' then the application works fine. When a reload does occur, the user must restart the browser to get the page working again. The site is listed in both the XSS 'Anti-XSS Protection Exceptions' and the 'Jar document blocking exceptions'.

I am running FF 3.5.1 and NoScript 1.9.6.93.

Re: JAR/XUL page blocked on browser reload

Posted: Thu Jul 23, 2009 3:49 pm
by therube
There was a change put in relating to JAR with 1.9.6.4 (JAR archive traversal via SCRIPT src).

If you revert back to noscript-1.9.6.3.xpi, does the issue subside?

(Or does this have to do with inclusion protection, which landed with 1.9.6.5?)

Re: JAR/XUL page blocked on browser reload

Posted: Thu Jul 23, 2009 4:02 pm
by nicktook
1.9.6.3 works.

Re: JAR/XUL page blocked on browser reload

Posted: Thu Jul 23, 2009 4:07 pm
by nicktook
1.9.6.4 works.
1.9.6.5 fails.

Re: JAR/XUL page blocked on browser reload

Posted: Thu Jul 23, 2009 4:23 pm
by nicktook
I reinstalled 1.9.6.9, created the about:config setting noscript.checkInclusionType, and tried it as true or false. After a browser restart, it failed in both cases.

Re: JAR/XUL page blocked on browser reload

Posted: Thu Jul 23, 2009 4:26 pm
by therube
As I was about to post, I see you replied ...
OK, in 1.9.6.5 (or the most recent #dev build for that matter), if you disable inclusion, does it then work?
v 1.9.6.5
=====================================================================
+ New layer of inclusion protection, checks whether 3rd party scripts
and CSSs are served with proper content type (it can be disabled
via noscript.checkInclusionType preference; exception patterns can
be listed in the noscript.checkInclusionType.exceptions preference)
(After that we can see about an exception.)
So I guess that is kind of answered. Now we've got to wait for others to chime in.

Re: JAR/XUL page blocked on browser reload

Posted: Thu Jul 30, 2009 7:21 pm
by nicktook
Is there anything happening to fix this problem?

I had been running the old NoScript (1.9.6.4), but this morning I accidentally updated and I no longer seem to be able to install the old version. The trick of going to the direct download link and editing the URL to point to the old version no longer works. Is there another way to get the old version?

Re: JAR/XUL page blocked on browser reload

Posted: Thu Jul 30, 2009 9:03 pm
by Giorgio Maone
nicktook wrote: I reinstalled 1.9.6.9, created the about:config setting noscript.checkInclusionType, and tried it as true or false. After a browser restart, it failed in both cases.

You just need to set the (existent) noscript.inclusionTypeChecking about:config preference to false.
Even better, set the noscript.inclusionTypeChecking about:config preference to https://pg2.arcamax.com:2001/

Older versions are always available at http://noscript.net/feed anyway.