InformAction Forums

Vidad wrote: 2 - docShell JS blocking for every non-whitelisted site (enables
cross-frame inheritance of JS blocking)

I had it set to 2. Why has it become obsolete ? I suppose it's due to content being run in a separate process with e10s, but could you guys provide some more technically detailed reasons ?

"docShell JS blocking" (i.e. setting docShell.allowJavascript to false) been redundant since NoScript has not been using CAPS anymore to enforce script permissions, because the "new" way (setting a flag at the window level) was inherited by sub-documents by default.
I've removed this option completely now because with e10s this is a source of annoying bugs, too.

Vidad wrote: NoScript has not been using CAPS anymore to enforce script permissions

Is that true for all supported browsers?

Thrawn wrote:

Vidad wrote: NoScript has not been using CAPS anymore to enforce script permissions

Is that true for all supported browsers?

CAPS is completely gone since Gecko 31 at least.

Vidad wrote:"docShell JS blocking" (i.e. setting docShell.allowJavascript to false) been redundant since NoScript has not been using CAPS anymore to enforce script permissions, because the "new" way (setting a flag at the window level) was inherited by sub-documents by default.
I've removed this option completely now because with e10s this is a source of annoying bugs, too.

Not sure what happened to this thread, but this part of the OP looks like it was written by Giorgio. Is that the case?

barbaz wrote:

Vidad wrote:"docShell JS blocking" (i.e. setting docShell.allowJavascript to false) been redundant since NoScript has not been using CAPS anymore to enforce script permissions, because the "new" way (setting a flag at the window level) was inherited by sub-documents by default.
I've removed this option completely now because with e10s this is a source of annoying bugs, too.

Not sure what happened to this thread, but this part of the OP looks like it was written by Giorgio. Is that the case?

Yes, I did edit by error instead of replying w/ quote, sorry

Thanks for the reply!

the "new" way (setting a flag at the window level) was inherited by sub-documents by default.

So if I get it right, not only is the docShellJSBlocking pref redundant, but the "new" way actually behaves the same as if docShellJSBlocking was set to 2 ?

Sounds nice. So now I wonder why docShellJSBlocking's default was 1, but I guess that doesn't matter in any half-recent version of Firefox.

Vidad, if I'm understanding correctly, you're actually looking for about:config > noscript.restrictSubdocScripting

Yes, sounds like this is it, and I do restrict sub-document scripting already.

Reposting the details for the removed pref:
+ New values for the noscript.docShellJSBlocking preference:
0 - no docShell JS blocking
1 - (default) docShell JS blocking for untrusted sites (enables
effective blacklists for defalut-deny modes)
2 - docShell JS blocking for every non-whitelisted site (enables
cross-frame inheritance of JS blocking)

Sounds like the following is correct when sub-doc scripting is restricted, right ?

So if I get it right, not only is the docShellJSBlocking pref redundant, but the "new" way actually behaves the same as if docShellJSBlocking was set to 2 ?

Either way, thanks guys for your explanations!