Steam-stats - cross-site JS blocked

Posted: Tue Mar 29, 2016 5:34 pm
by Elbart
Firefox 24
NS 2.9.0.10 (default settings)
http://store.steampowered.com/stats/content/

steampowered.com and steamstatic.com are allowed.

Opening the link (with Flash disabled) causes the message:

Code:

[NoScript] Blocking cross-site Javascript served from http://cdn.akamai.steamstatic.com/steam/publicstats/contentserver_bandwidth_stacked.jsonp?v=03-29-2016-17 with wrong type info application/octet-stream and included by http://store.steampowered.com/stats/content/

And the interactive map isn't working.

In a newer Fx-version, whitelisting the domains is enough to make the map work.

Re: Steam-stats - cross-site JS blocked

Posted: Tue Mar 29, 2016 6:07 pm
by barbaz
Are newer Fx versions showing this message too? Because if not, it's probably safe enough to make an exception for this:
about:config > noscript.inclusionTypeChecking.exceptions
add on the end, separated by a space

Code:

.steamstatic.com/steam/*.jsonp*

Re: Steam-stats - cross-site JS blocked

Posted: Wed Mar 30, 2016 11:38 am
by Elbart
barbaz wrote: Are newer Fx versions showing this message too?
No.

Which made me wonder why NS would block it in older Fx-versions, but not in newer ones.

Reason: e10s.

e10s on - No warning, JSONs loaded.
e10s off - Warning, JSONs blocked.

Should have also tested with the latest release-version, which has e10s disabled, and not only with Nightly. :oops:

Re: Steam-stats - cross-site JS blocked

Posted: Wed Mar 30, 2016 1:02 pm
by barbaz
Yeah, NoScript 2.x is not expected to fully work with e10s: https://bugzilla.mozilla.org/show_bug.cgi?id=1058542

Does adding the exception help at all?

Re: Steam-stats - cross-site JS blocked

Posted: Wed Mar 30, 2016 1:42 pm
by Elbart
Yes, thanks.

Should I file a ticket over at BMO for not blocking the wrong-typed json with e10s enabled?

Re: Steam-stats - cross-site JS blocked

Posted: Wed Mar 30, 2016 1:45 pm
by barbaz
You're welcome.
Elbart wrote: Should I file a ticket over at BMO for not blocking the wrong-typed json with e10s enabled?
This forum is actually the right place to report it, because it'd be up to Giorgio to fix that. But he likely is already aware of this.
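
How narrowly the exception suggested earlier in the thread is scoped, as an added example that is not part of the thread and not NoScript's own code. It is a simplified model of the inclusion type check; the accepted MIME types, the same-site rule and the glob semantics are assumptions.

```javascript
// Simplified model of a cross-site script inclusion type check.
// Not NoScript's code: the type list, site rule and glob rules are assumptions.
const SCRIPT_TYPES = new Set([
  "application/javascript", "application/x-javascript", "text/javascript",
  "application/ecmascript", "text/ecmascript",
]);

// Values quoted in the thread.
const PAGE = "http://store.steampowered.com/stats/content/";
const JSONP = "http://cdn.akamai.steamstatic.com/steam/publicstats/" +
  "contentserver_bandwidth_stacked.jsonp?v=03-29-2016-17";
const EXCEPTION = ".steamstatic.com/steam/*.jsonp*";

// Assumption: "site" is the last two host labels (no public-suffix list).
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Assumption: a leading "." means the domain or any subdomain, "*" matches any
// run of characters, and the pattern is tested against host + path + query.
function globToRegExp(pattern) {
  const esc = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  const body = pattern.startsWith(".") ? "(?:[^/]*\\.)?" + esc.slice(2) : esc;
  return new RegExp("^" + body + "$");
}

function checkInclusion(pageUrl, scriptUrl, contentType, exceptions) {
  if (siteOf(pageUrl) === siteOf(scriptUrl)) return "allow (same site)";
  const type = contentType.split(";")[0].trim().toLowerCase();
  if (SCRIPT_TYPES.has(type)) return "allow (script type)";
  const u = new URL(scriptUrl);
  const target = u.hostname + u.pathname + u.search;
  const hit = exceptions.split(/\s+/).filter(Boolean)
    .some((p) => globToRegExp(p).test(target));
  return hit ? "allow (exception)" : "block (wrong type)";
}

// Constructed URLs for comparison; only JSONP above comes from the thread.
const samples = [
  [JSONP, ""],
  [JSONP, EXCEPTION],
  ["http://cdn.akamai.steamstatic.com/steam/publicstats/map.bin", EXCEPTION],
  ["http://notsteamstatic.com/steam/x.jsonp", EXCEPTION],
];
for (const [url, exc] of samples) {
  console.log(checkInclusion(PAGE, url, "application/octet-stream", exc), url);
}
```

Under these assumptions the exception lets through only .jsonp resources under /steam/ on steamstatic.com hosts; other wrong-typed cross-site includes stay blocked.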