Google Play search breaks in conjunction with Privacy Badger
Posted: Mon Dec 28, 2015 4:08 pm
by rugk
*Note:* The GIFs in this issue are very large. They may take some time to load.
We have the following situation:
* Firefox 43.0.2 installed
* NoScript 2.7 installed
* Privacy Badger 1.0.5 installed
Additionally the configuration for NoScript is:
* the default whitelist was deleted completely
* a new entry was added to the whitelist: `https://`
* this means JS is automatically allowed on all HTTPS sites
Now we visit play.google.com and try to search for something. It does not work and the UI does not react to a click.
Here you can see it really only happens in this situation and that these two extensions are the culprit:
https://cloud.githubusercontent.com/ass ... 15362a.gif
I've narrowed this issue down a bit more and the issue only happens when Privacy Badger blocks `www.google-analytics.com` completely (not only cookie-blocking).
https://cloud.githubusercontent.com/ass ... 5651c1.gif
More details here (another GIF):
http://www.file-upload.net/download-111 ... n.gif.html
This issue was also reported to Privacy Badger:
https://github.com/EFForg/privacybadger ... issues/706
Re: Google Play search breaks in conjunction with Privacy Ba
Posted: Mon Dec 28, 2015 4:13 pm
by barbaz
Purely a NoScript issue:
viewtopic.php?f=7&t=21277
Also there is an "Allow HTTPS scripts globally on HTTPS documents" option that is somewhat safer than whitelisting the entire https internet
Re: Google Play search breaks in conjunction with Privacy Ba
Posted: Wed Mar 30, 2016 10:12 pm
by rugk
barbaz wrote:Purely a NoScript issue: viewtopic.php?f=7&t=21277
Ah thanks for letting me know.
barbaz wrote:Also there is a "Allow HTTPS scripts globally on HTTPS documents" option that is somewhat safer than whitelisting the entire https internet
Thanks for the information, but how exactly is this more secure? And where exactly can I find this option?
BTW: If it is not "such safe" to whitelist https: is it also (a bit) unsafe to whitelist e.g. mega: (this is the "protocol" the Mega Firefox extension uses)?
Re: Google Play search breaks in conjunction with Privacy Ba
Posted: Wed Mar 30, 2016 10:18 pm
by barbaz
rugk wrote:Thanks for the information, but how exactly is this more secure?
It's more secure because there is less potential for MITM attacks in the plain http pages resulting in requests to the https pages crafted to suit the attacker's needs. None of the plain http stuff is allowed this way so that concern is thus avoided.
rugk wrote:And where exactly can I find this option?
NoScript Options > Advanced > HTTPS > Permissions
rugk wrote:BTW: If it is not "such safe" to whitelist https: is it also (a bit) unsafe to whitelist e.g. mega: (this is the "protocol" the Mega Firefox extension uses)?
No idea; I know nothing about that.
Re: Google Play search breaks in conjunction with Privacy Ba
Posted: Wed Mar 30, 2016 10:31 pm
by rugk
Thanks. So in this case should I also enable "Forbid active web content unless it comes from a secure"? What is the difference between these options?
And as for your explanation:
barbaz wrote:It's more secure because less potential for MITM attacks in the plain http pages resulting in requests to the https pages crafted to suit the attacker's needs. None of the plain http stuff is allowed this way so that concern is thus avoided.
So how exactly does this work? If scripts are not allowed on http sites they cannot load any resources so the only load would be through HTML script tags or similar things. Is this what is also disallowed? So does this setting also prevent http websites loading https JS content?
Re: Google Play search breaks in conjunction with Privacy Ba
Posted: Wed Mar 30, 2016 10:42 pm
by barbaz
rugk wrote:So in this case should I also enable "Forbid active web content unless it comes from a secure"?
No, that one will prevent you from enabling *any* http sites' scripts. Unless you're actually on a proxy of some sort, it's likely not worth it.
rugk wrote: So does this setting also prevent http websites loading https JS content?
This - unless, of course, you had yourself whitelisted that specific http site and the specific https sites it's calling.
Re: Google Play search breaks in conjunction with Privacy Ba
Posted: Fri Apr 01, 2016 8:25 pm
by rugk
Okay thanks for your clarification and all the answers.
Nice support.

Re: Google Play search breaks in conjunction with Privacy Ba
Posted: Fri Apr 01, 2016 9:18 pm
by barbaz
You're welcome.
And thank you for the kind words.