Security implications of using Reader View on untrusted site


Post by Cinammon »

Hi,

I noticed some time ago that Reader View is not immune to XSS. This vulnerability could even be triggered with NoScript installed.

Have there been changes to NoScript since then to thwart unknown vulnerabilities? Is about:reader treated in a special way under the hood? (It isn't displayed in the whitelist, but NoScript does many things beyond what the UI says.)

For example using uMatrix, if I enable it on about:reader with:

matrix-off: reader.about-scheme false

And forbid everything, from images and CSS to scripts and XHR, I can see in the log that an XHR still occurred to load the page (I guess about:reader cross-loading the URL to read). So there is a special treatment going on, probably on Firefox's behalf rather than uMatrix.

Basically, I would like to understand the security implications of using Reader View on a completely untrusted site: No JS, no cookies, no fonts, audio, video, frames, plugins, nothing :)

Thanks!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0