InformAction Forums

Giorgio Maone wrote: computerfreaker wrote:Will setting noscript.AllowLocalLinks to false keep JavaScript from running in local web pages?

Local web pages are not allowed to run Javascript by default. You need to "Allow file://", in order to enable Javascript there.
This preference is used to allow some sites (mainly MMO games) to link local files, especially images, for performance reasons.

On a side note, both noscript.allowClipboard and noscript.allowLocalLinks do have their UI, under NoScript Options|Advanced|Trusted.

Ok, I have a problem with the noscript whitlist feature. It seems that I can't manually allow a whitelist for a specific local files directory in firefaox 3.5, I have the latest versions of both products. I've managed to get the local code to load currently but have an issue with the security concerns. The reason for my concern is the filter only allows to whitelist local files in general. It's not capable of custom local file whitelist. for example: If I want to whitelist C:/mypage/ files only I can't whitelist that directory only on my local side. This brings up the security problem that by allowing the general rule in my whitelist *all local code can execute" This is a severe security problem as I can't whitelist spsific files or directories inside noscript without punching a big hole in my security.

Is it possible to fix the whitelist to allow custom local files to be whitelisted?

I would think that that falls into the general category of Site-Specific Permissions, a feature intended for NoScript 2.x, but Giorgio will have to confirm that or provide an answer. I'll flag it for him.

Sarick wrote:Is it possible to fix the whitelist to allow custom local files to be whitelisted?

No you can't, due to a limitation in Mozilla's core script security manager which can't give different permissions to different paths, assuming that trust-based security is per-domain.

Giorgio Maone wrote:

Sarick wrote:Is it possible to fix the whitelist to allow custom local files to be whitelisted?

No you can't, due to a limitation in Mozilla's core script security manager which can't give different permissions to different paths, assuming that trust-based security is per-domain.

So the problem is the firefox script engine not directly managing local domains? I would assume that the firefox community would fix this if possible. As for the first response by Tom I did have the page marked as unblocked that it was calling.

I never had this issue until Firefox 3.5 the guys at Mozilla must have changes something to optimize the browser there.

Thank you for the quick response.

Sarick wrote: As for the first response by Tom I did have the page marked as unblocked that it was calling.

I wasn't referring to whether the page being called was blocked. If you click the link, there's a long-running thread about individually-grained permissions for each site. E. g., I will allow Java at Hushmail, but nowhere else. Flash at YouTube, nowhere else, etc. -- a feature long awaited and planned for NS 2 whenever Giorgio can breathe long enough to do it. So I took it that this request would end up being similar, "I want to allow file:// from C:\Docs and Settings\USERNAME\This File Folder, but not anywhere else."

I wasn't aware of the issue with the MZ security manager, so I'm glad Giorgio brought it up. Now I know.

As the OP I would like to split the properties "Allow Java Script" and "Allow Local Links". For that reason I like to add something like

user_pref("capability.policy.policynames", "localfilelinks");
user_pref("capability.policy.localfilelinks.sites", "example.com");
user_pref("capability.policy.localfilelinks.checkloaduri.enabled", "allAccess");

to my preferences. As confirmed by other users this doesnt work out of the box. I changed Main.js to append "localfilelinks" beside of maonoscript to policynames. It seems to work but I think that there is already a mechanism to allow multiple policies which is controlled by "excaps". Unfortunally I were not able to use this configurationtoken properly. Could someone give me some advice how to use this option and if it is the right screw to turn?

Thanks for your attention
Toby