
Bug report: top-level Javascript required for bookmarklets

Posted: Tue Mar 28, 2017 12:43 pm
by tw001
Since I updated to the latest Firefox (version 52.0.1 but I may have skipped a version, OpenSUSE Linux) I can no longer use bookmarklets without activating Javascript for the top level of the site itself. I use a few bookmarklets very extensively so that this new behavior is really getting in the way. I tried to downgrade NoScript (eventually down to 5.0.1) assuming that the problem originated from the addon but it didn't solve the problem. So, I wonder if it has something to do with the interaction between Firefox and NoScript that can be solved to avoid that the top level has to be activated in order to use the bookmarklets.

Re: Bug report: top-level Javascript required for bookmarkle

Posted: Tue Mar 28, 2017 5:27 pm
by barbaz
Are you using the openSUSE distribution build of Firefox, or the official Mozilla build?

Re: Bug report: top-level Javascript required for bookmarkle

Posted: Wed Mar 29, 2017 1:14 am
by therube
Examples (sources) of these bookmarklets?

"Since I updated to the latest Firefox"

Were you also using NoScript with the earlier FF versions?


Pretty sure it's not going to be unusual to have to allow the top-level domain if the bookmarklet is passing data on to a third party site. (Or is it that that third party site needs to be Allowed?)

So if you have an "imgur.com" bookmarklet & you want to "send" an image automatically to imgur, & you click your bookmarklet, quite possible that (& I forget) but either top-level domain, or imgur.com needs to be Allowed, kind of thing.

This:

Code:

javascript:(function(){var unencodedURL=location.href;var websiteURL=encodeURIComponent(unencodedURL);var full=true;var length=full?'0':'600';var url='http://snapito.com/?url='+websiteURL+'&size=800x'+length+'&cache=-1';window.open(url,'Download','')})();

requires snapito.com to be Allowed, not necessarily the top-level domain of the page you're on.

Re: Bug report: top-level Javascript required for bookmarkle

Posted: Wed Apr 05, 2017 1:49 am
by tw001
I use the openSUSE built RPM -- currently 52.0.1-57.3.1

I have used FF and NoScript for many years. In fact, it happened once or twice before some years ago that NoScript would block javascript in bookmarklets. But one or two NoScript updates later it had always worked again.

I'm happy to show examples of the bookmarklets if that matters. But it seemed to me that the blocking was simply universal behavior. I agree that almost all websites seem to use javascript for good reasons so that activating the top level would make sense. But with javascript active comes always the possibility of fingerprinting etc., which should not be allowed unless I consent. Unfortunately, until now very few people seemed to care.

Re: Bug report: top-level Javascript required for bookmarkle

Posted: Wed Apr 05, 2017 2:27 am
by barbaz
Does it work in the official Mozilla build, in a new profile created in the official Mozilla build?

If not, please post some example failing bookmarklets as therube requested.

Re: Bug report: top-level Javascript required for bookmarkle

Posted: Sat May 13, 2017 11:33 pm
by tw001
Unfortunately, recent upgrades didn't make a difference: currently running Firefox 52.1.0 (openSUSE) and NoScript 5.0.4.

If Javascript is not activated for the top-level of a website then the following bookmarklet does send the data to the server (localhost):

Code:

javascript:function%20loadScript(scriptURL){var%20scriptElem=doument.createElement('SCRIPT');scriptElem.setAttribute('language','JavaScript');scriptElem.setAttribute('src',scriptURL);document.body.appendChild(scriptElem);}h=location.href;t=document.title;e=''+(window.getSelection?window.getSelection():document.getSelection?document.getSelection():document.selection.createRange().text);loadScript('https://localhost:8443/cgi-bin/bmtest.py?url='+encodeURIComponent(h)+'&tags=~openB%20%s&title='+encodeURIComponent(t)+'&notes='+encodeURIComponent(e).replace(/%20/g,'+')+'&cmd=reappend');

For testing purposes, I degraded Firefox. The most recent version where this bookmarklet works without having JS deactivated in NoScript for the top-level of a website was Mozilla Firefox 51.0.1. Version 52 doesn't work, neither the RPM from the openSUSE update repository nor the one from the Mozilla repository!

Re: Bug report: top-level Javascript required for bookmarkle

Posted: Sat May 13, 2017 11:55 pm
by barbaz
Thanks.

That specific bookmarklet should require several changes in NoScript -

1) It's injecting <script> tags into the page, thus the top-level site does need Allowed. Unfortunately such injected scripts are indistinguishable from the page's own scripts.

2) Because it is accessing LOCAL resources from a webpage, you need to add an exception to the default ABE rule. NoScript Options > Advanced > ABE > SYSTEM, add at the very top -

Code:

Site https://localhost:8443/cgi-bin/bmtest.py?*
Accept

3) You also need to whitelist https://localhost:8443
Due to a bug in NoScript, that must be entered manually in NoScript Options > Whitelist.


The fact the bookmarklet did work before without any of these changes, looks like the NoScript bug to me.

So I'm not really sure what to make of this.
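
The three points in the post above (script injection, access to a local resource, origins to whitelist) can be approximated by reading a bookmarklet's source before running it. The following is an added example, not part of the original thread and not NoScript's own logic; `analyzeBookmarklet`, `requiredChanges` and the abridged sample strings are hypothetical names introduced here.

```javascript
// Added example: heuristic triage of bookmarklet source, following the thread's
// reasoning. It is not NoScript's own logic; all names here are hypothetical.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function analyzeBookmarklet(source) {
  // Drop the scheme, then decode only well-formed %XX runs so a stray "%s"
  // (as in the thread's second bookmarklet) does not make decoding throw.
  const body = source.replace(/^javascript:/i, '').replace(
    /(?:%[0-9a-f]{2})+/gi,
    (m) => { try { return decodeURIComponent(m); } catch { return m; } });

  const origins = new Set();
  for (const match of body.match(/https?:\/\/[^\s'"<>)]+/gi) || []) {
    try { origins.add(new URL(match).origin); } catch { /* not a usable URL */ }
  }
  const all = [...origins];
  return {
    // A <script> element created by the bookmarklet runs as page script.
    injectsScript: /createElement\(\s*['"]script['"]\s*\)/i.test(body),
    opensWindow: /\bwindow\.open\s*\(/.test(body),
    origins: all,
    localOrigins: all.filter((o) => LOCAL_HOSTS.has(new URL(o).hostname)),
  };
}

// Map the findings to the kinds of changes named in the thread.
function requiredChanges(report) {
  const steps = [];
  if (report.injectsScript) steps.push('allow the top-level site of the current page');
  for (const o of report.localOrigins) steps.push('ABE SYSTEM exception for ' + o);
  for (const o of report.origins) steps.push('whitelist ' + o);
  return steps;
}

// Abridged from the two bookmarklets posted in the thread.
const LOCAL_BM = "javascript:function%20loadScript(scriptURL){var%20scriptElem=doument.createElement('SCRIPT');scriptElem.setAttribute('src',scriptURL);document.body.appendChild(scriptElem);}loadScript('https://localhost:8443/cgi-bin/bmtest.py?url='+encodeURIComponent(location.href)+'&tags=~openB%20%s&cmd=reappend');";
const SNAPITO_BM = "javascript:(function(){var url='http://snapito.com/?url='+encodeURIComponent(location.href)+'&size=800x0&cache=-1';window.open(url,'Download','')})();";

for (const bm of [LOCAL_BM, SNAPITO_BM]) {
  const report = analyzeBookmarklet(bm);
  console.log(report, requiredChanges(report));
}
```

The pattern matching is a reading aid only: a bookmarklet that builds its URLs or element names dynamically will not be caught by it.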

Re: Bug report: top-level Javascript required for bookmarkle

Posted: Sun May 14, 2017 12:06 am
by barbaz
offtopic: I just noticed a typo in your bookmarklet - "doument" should be "document". If I accidentally messed it up when editing your post, my apologies.

Re: Bug report: top-level Javascript required for bookmarkle

Posted: Sun May 14, 2017 9:50 am
by therube