NoScript interfering with Mozilla capabilities policies?

Posted: Thu Feb 11, 2010 7:59 pm
by aloishammer
I'm having problems with a default-deny cookie policy at https://club.nintendo.com/ (see for yourself: https://club.nintendo.com/js/clubn-dialogs.do and other JS containing code like:

if (typeof navigator.cookieEnabled == "undefined" && !cookieEnabled)

...which is clearly going to fail with default-deny for cookies (I'm using Cookie Monster to allow per-site). Since I can't make out how to write script surrogates, and gave up on that route, I'm attempting to simply deny usage of the .cookieEnabled property.

This works:

user_pref("capability.policy.default.Navigator.cookieEnabled", "noAccess");

...but if I try to follow the template laid out at http://www.mozilla.org/projects/securit ... olicy.html and set something like this:

user_pref("capability.policy.policynames", "brokencookiedetect");
user_pref("capability.policy.brokencookiedetect.sites", "https://club.nintendo.com/");
user_pref("capability.policy.brokencookiedetect.Navigator.cookieEnabled", "noAccess");

...my prefs.js gains this setting:

user_pref("noscript.policynames", "brokencookiedetect");

...and the policy isn't enforced. Help, please?

:!: (If the best and correct and best path is to set script surrogates, I could use one for https://club.nintendo.com/js/clubn-dialogs.do as well as something involving http://my.monster.com/Login.aspx , which is broken the same way, last I looked.) (I've just been using Chromium instead for Monster. This is my first attempt to outwit witless webdevs who use broken objects like navigator.* for important things, like deciding whether to allow me to log in.)

:!: (By the way, my account, aloishammer, on this forum, ended up disabled while I was trying to change my email address.)

Re: NoScript interfering with Mozilla capabilities policies?

Posted: Thu Feb 11, 2010 8:33 pm
by Giorgio Maone
  1. NoScript is the main CAPS client around, and using another CAPS policy with NoScript installed is not recommended, since it may be very complicated if not impossible
  2. A surrogate for your purpose would be:
    noscript.surrogate.cookie.sources=club.nintendo.com my.monster.com
    noscript.surrogate.cookie.replacement=navigator.__defineGetter__("cookieEnabled", function() { return true; })
  3. I forced reactivation on your account

Re: NoScript interfering with Mozilla capabilities policies?

Posted: Fri Feb 12, 2010 12:27 am
by aloishammer
Giorgio Maone wrote:
  1. NoScript is the main CAPS client around, and using another CAPS policy with NoScript installed is not recommended, since it may be very complicated if not impossible
  2. A surrogate for your purpose would be:
    noscript.surrogate.cookie.sources=club.nintendo.com my.monster.com
    noscript.surrogate.cookie.replacement=navigator.__defineGetter__("cookieEnabled", function() { return true; })
  3. I forced reactivation on your account
I'm afraid that those surrogates don't have the same effect as denying access. Can you check out https://club.nintendo.com/ ? No account required-- if you have cookie policy set to default-deny, you should get an in-document "dialog box" pop pretty much immediately.

Re: NoScript interfering with Mozilla capabilities policies?

Posted: Fri Feb 12, 2010 8:46 am
by Giorgio Maone
aloishammer wrote:
Giorgio Maone wrote:
  1. NoScript is the main CAPS client around, and using another CAPS policy with NoScript installed is not recommended, since it may be very complicated if not impossible
  2. A surrogate for your purpose would be:
    noscript.surrogate.cookie.sources=club.nintendo.com my.monster.com
    noscript.surrogate.cookie.replacement=navigator.__defineGetter__("cookieEnabled", function() { return true; })
  3. I forced reactivation on your account
I'm afraid that those surrogates don't have the same effect as denying access. Can you check out https://club.nintendo.com/ ? No account required-- if you have cookie policy set to default-deny, you should get an in-document "dialog box" pop pretty much immediately.
In fact, that surrogate has the effect of always returning true for navigator.cookieEnabled.
Maybe you want to deny access because the side effect is throwing an exception disrupting the current method.
If this is the case, just turn the replacement into:

navigator.__defineGetter__("cookieEnabled", function() { throw "x" }

Re: NoScript interfering with Mozilla capabilities policies?

Posted: Fri Feb 12, 2010 9:44 pm
by aloishammer
Giorgio Maone wrote:
aloishammer wrote:
Giorgio Maone wrote:
  1. NoScript is the main CAPS client around, and using another CAPS policy with NoScript installed is not recommended, since it may be very complicated if not impossible
  2. A surrogate for your purpose would be:
    noscript.surrogate.cookie.sources=club.nintendo.com my.monster.com
    noscript.surrogate.cookie.replacement=navigator.__defineGetter__("cookieEnabled", function() { return true; })
  3. I forced reactivation on your account
I'm afraid that those surrogates don't have the same effect as denying access. Can you check out https://club.nintendo.com/ ? No account required-- if you have cookie policy set to default-deny, you should get an in-document "dialog box" pop pretty much immediately.
In fact, that surrogate has the effect of always returning true for navigator.cookieEnabled.
Maybe you want to deny access because the side effect is throwing an exception disrupting the current method.
If this is the case, just turn the replacement into:

navigator.__defineGetter__("cookieEnabled", function() { throw "x" }
That makes perfect sense-- but I'm afraid it's still not working for me. Probably a silly question, but are you sure about the syntax of user_pref("noscript.surrogate.cookie.sources", "club.nintendo.com my.monster.com"); ?

Re: NoScript interfering with Mozilla capabilities policies?

Posted: Fri Feb 12, 2010 11:26 pm
by Giorgio Maone
aloishammer wrote: That makes perfect sense-- but I'm afraid it's still not working for me. Probably a silly question, but are you sure about the syntax of user_pref("noscript.surrogate.cookie.sources", "club.nintendo.com my.monster.com"); ?
Yes. You can easily check using a simple alert("test") as the replacement.
However, I think I know why it's not working yet: I omitted a closing bracket in the second replacement. Should be:

navigator.__defineGetter__("cookieEnabled", function() { throw "x" })
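
Added example, not part of the original posts or of NoScript: it applies the two replacements from this thread to a plain mock object and evaluates the site's check quoted in the first post, showing that a throwing getter also makes the `typeof` test throw. Assumptions: `siteFlag` is a hypothetical stand-in for the page's own `cookieEnabled` variable, and the mock objects stand in for the browser's `navigator`; when and whether the browser injects a surrogate is not modelled.

```javascript
// Added illustration: plain objects stand in for the browser's navigator.
// siteFlag is a hypothetical stand-in for the page's own `cookieEnabled`
// variable, whose definition is not shown in the thread.
function siteCheck(nav, siteFlag) {
  return typeof nav.cookieEnabled == "undefined" && !siteFlag;
}

// Each scenario builds a fresh mock that reports cookies as disabled.
const scenarios = {
  untouched: () => ({ cookieEnabled: false }),
  propertyMissing: () => ({}),
  returnTrue: () => {
    const nav = { cookieEnabled: false };
    nav.__defineGetter__("cookieEnabled", function () { return true; });
    return nav;
  },
  throwX: () => {
    const nav = { cookieEnabled: false };
    nav.__defineGetter__("cookieEnabled", function () { throw "x"; });
    return nav;
  },
};

// Run fn and record either its value or what it threw.
function attempt(fn) {
  try {
    return { value: fn() };
  } catch (e) {
    return { threw: e };
  }
}

// Probe one scenario: a direct property read, then the site's expression.
function probe(name, siteFlag = false) {
  const nav = scenarios[name]();
  return {
    read: attempt(() => nav.cookieEnabled),
    check: attempt(() => siteCheck(nav, siteFlag)),
  };
}

for (const name of Object.keys(scenarios)) {
  console.log(name, JSON.stringify(probe(name)));
}
```

The expression is only true when the property is missing and the site's own flag is false; with the throwing getter it never produces a value, and the string "x" propagates to whatever called it.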

Re: NoScript interfering with Mozilla capabilities policies?

Posted: Fri Feb 12, 2010 11:59 pm
by aloishammer
Giorgio Maone wrote:
aloishammer wrote: That makes perfect sense-- but I'm afraid it's still not working for me. Probably a silly question, but are you sure about the syntax of user_pref("noscript.surrogate.cookie.sources", "club.nintendo.com my.monster.com"); ?
Yes. You can easily check using a simple alert("test") as the replacement.
However, I think I know why it's not working yet: I omitted a closing bracket in the second replacement. Should be:

navigator.__defineGetter__("cookieEnabled", function() { throw "x" })
...I'm afraid that doesn't work, either. For reference: I'm not seeing any JS exceptions in the console.