InformAction Forums

There's no good reason to block these pages, they are run in a safe (I would say sandboxed) context and are usually useful. Reader mode is broken with the current setting, heath report, contrary to what I expected, seems to working due mozilla.net whitelisting, about:debugging is crippled (debug buttons are non-functional). It should be trivial to add an entry to the Trusted tab. Thanks.

braiam wrote:There's no good reason to block these pages, they are run in a safe (I would say sandboxed) context and are usually useful.

Actually not all about: pages are necessarily safe: viewtopic.php?f=10&t=20937
Plus, NoScript supports more than just Firefox, those about: pages you name are not present on SeaMonkey and should therefore not be whitelisted there.

braiam wrote:It should be trivial to add an entry to the Trusted tab.

It should be trivial for you to add those entries to your NoScript Trusted tab.

No need to foist your choice on everyone.

barbaz wrote:

braiam wrote:There's no good reason to block these pages, they are run in a safe (I would say sandboxed) context and are usually useful.

Actually not all about: pages are necessarily safe: viewtopic.php?f=10&t=20937

You should fact check that:

barbaz wrote:about:reader renders content from the Web in its own context and is therefore not necessarily trustworthy

This is untrue. Before it starts to render the content, the readability library removes all dynamic, css, objects, fonts, etc. elements. Check it yourself https://mxr.mozilla.org/mozilla-central ... ty.js#1768

barbaz wrote:about:blank can have scripts injected into it from any site

Quite annoying they haven't fixed that. I haven't found a bug report for this. I presume that is intended.

barbaz wrote:about:newtab contains untrusted content (thumbnails & "enhanced" tiles)

I don't know any jsm to give an accurate assessment, so I defer to your judgment.

barbaz wrote:Plus, NoScript supports more than just Firefox, those about: pages you name are not present on SeaMonkey and should therefore not be whitelisted there.

That, I didn't know.

barbaz wrote:

braiam wrote:It should be trivial to add an entry to the Trusted tab.

It should be trivial for you to add those entries to your NoScript Trusted tab.

No need to foist your choice on everyone.

That was totally uncalled for! Your about page promise me, among other things, that FAQ 1.5 about: pages are whitelisted by default

about:xyz, moz-safe-about:, resource:
A bunch of internal pseudo URLs. They can't be removed because they help your browser to work as expected.

So, it's not me "foisting" my choice on everyone, is you not delivering what you promised. In fact, this was intended to be a bug report. That entry should be clarified that some about: pages are not whitelisted since they are product dependent, as you pointed out.

braiam wrote:You should fact check that:

barbaz wrote:about:reader renders content from the Web in its own context and is therefore not necessarily trustworthy

This is untrue. Before it starts to render the content, the readability library removes all dynamic, css, objects, fonts, etc. elements. Check it yourself

When telling someone they're lying and don't know it, use reasoning that actually follows. On the Web, untrusted content doesn't become trusted by being sanitised of that dynamic stuff then interacted with privileged code.


Does having a friend of yours remove the clip of a loaded gun make it safe to point the gun at your leg, undo the safety, then pull the trigger?

Now imagine if you instead pick up a bullet in your hand and place it on your foot.

See the difference?

braiam wrote:Quite annoying they haven't fixed that. I haven't found a bug report for this. I presume that is intended.

Yes it's intended. Some pages create iframe (which has URL about:blank by default) and drop content in it by document.write

about:blank is whitelisted by default, but unlike other default-whitelisted about: URIs it's not forced whitelisted.

braiam wrote:Your about page promise me, among other things, that FAQ 1.5 about: pages are whitelisted by default
[...]
So, it's not me "foisting" my choice on everyone, is you not delivering what you promised. In fact, this was intended to be a bug report.

No bug here. What do you think gets achieved by taking an unpaid volunteer to task over what is extrapolations from poor reading comprehension?

braiam wrote:That entry should be clarified that some about: pages are not whitelisted since they are product dependent, as you pointed out.

The FAQ is looking in need of another update, shouldn't be too hard to add something to that effect while we're at it. I'll note this and see if others agree it's a good idea. Thanks.

braiam wrote:

barbaz wrote:

braiam wrote:It should be trivial to add an entry to the Trusted tab.

It should be trivial for you to add those entries to your NoScript Trusted tab.

No need to foist your choice on everyone.

That was totally uncalled for!

Actually, default-whitelisting a URL is pushing a choice onto everyone, and for many people who use NoScript, it is a big deal. Not trivial at all. So I would say that barbaz' reply was quite accurate and appropriate.