InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

[BUG] temp permission bug when both HTTP and HTTPS exist

https://forums.informaction.com/viewtopic.php?t=26507

Page 1 of 1

[BUG] temp permission bug when both HTTP and HTTPS exist

Posted: Sat Jan 22, 2022 3:04 am
by supercoolman
an example website is https://www.doctorofcredit.com/

in Firefox Private mode, if I set both insecure and secured domain of netdna-ssl.com to temporary allowed (don't have any NoScript rule for the domain), I see 2 problems

1. only one of the two permissions sticks after page reload. I have to set permission on the other and do another reload to get permission to stick
2. when permissions of both are set to temp allowed, secured domain disappeared. not sure if this is due to NoScript, Firefox or the website itself

Re: [BUG] temp permission bug when both HTTP and HTTPS exist

Posted: Sat Jan 22, 2022 7:31 am
by Giorgio Maone
Thanks for your report.
As far as I can see, that's the expected behavior, although it might not be always intuitive: if you set the preset for netdna-ssl.com and keep the lock red/open (insecure), it applies to both http: and https:.
In other words, the green/closed lock limits the permission to secure connections only, which is the default if the domain is already seen over HTTPS when the page loads, otherwise any connection to the domain and subdomain is matched by the rule.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited