InformAction Forums

I think I found a bug that hides part of a page in Firefox 3.6. I haven't tested other browsers.

The .zip file at http://hotfile.com/dl/41775318/e2582be/ ... m.zip.html demonstrates the problem.
With NoScript turned off, it shows the words "one", "two", "three", and "four".
With NoScript turned on, the "one" is missing.

The sample contains no Javascript or other script code.

1. The sample does contain JavaScript (as a XBL binding)
2. Notwithstanding, the "one" list item is displayed for me, no matter the permissions, when NoScript is installed (tested on 3.6.3 and Minefield)

Could you try Standard Diagnostic?

Oh sorry, I didn't even notice the Javascript in the XML file.

Also, I forgot to add that the problem only exists when the page is loaded from a web server (tested with Jetty and Nginx). When I load the page via a file:// URL, it works fine.

I'll try the diagnostics, but I don't think it has anything to do with my setup because several other people have reported the same problem.

http://evil.hackademix.net/test/noscrip ... /test.html

It works if you allow evil.hackademix.net, otherwise the "1" is missing as expected because by default NoScript allows XBL only if same-site and served from a trusted source.

You can change this policy by modifying the noscript.forbidXBL about:config preference:

• 4, allow only XBL from the same trusted site or chrome (default)
• 3, allow only trusted XBL on trusted sites
• 2, allow trusted and data: (Fx 3) XBL on trusted sites
• 1, allow trusted and data: (Fx 3) XBL on any site
• 0, allow all XBL

Not a bug, then. My bad for not RTFM!

Re: http://evil.hackademix.net/test/noscrip ... /test.html, should a page refresh (after an Allow/Forbid) be required to for "one" to appear/disappear?

therube wrote:Re: http://evil.hackademix.net/test/noscrip ... /test.html, should a page refresh (after an Allow/Forbid) be required to for "one" to appear/disappear?

Yes (automatic refresh on permission change should suffice, though).