Tabnapping: Slightly less restrictive?

keybounce
Posts: 16
Joined: Fri Nov 20, 2009 10:06 pm

Tabnapping: Slightly less restrictive?

Post by keybounce »

I'm a heavy tab user. (Yes, I suffer from Tabsplosion :-) ). I'm getting a lot of errors like this:

Jul 4 22:54:35 Kleiman-ibook [0x0-0x57057].org.mozilla.firefox[0]: [NoScript] [NoScript] Blocking refresh on unfocused tab, http://forums.libsdl.org/profile.php?mo ... /index.php

Can we please get a tabnapping exception to permit redirects to the same site?
And yes, I know the issue of "Many sites hosted on one domain -- how to tell when it's a different site". But a good approximation is that "site.example.com/~user1/" is a site, and if there isn't a ~user, then it's just by hostname. Beyond that, maybe a list of known domains that use a different scheme?

(Yes, that was just the first example I saw in the logs.)
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Tabnapping: Slightly less restrictive?

Post by Giorgio Maone »

Unfortunately such a relaxation of the current policy would completely defeat the anti-tabnapping purpose.
As a matter of fact, a tabnapping redirection can point to the very same URL (IIRC, it was the case of Aviv Raff's PoC itself).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
keybounce
Posts: 16
Joined: Fri Nov 20, 2009 10:06 pm

Re: Tabnapping: Slightly less restrictive?

Post by keybounce »

Now that's odd.

I just went to the proof of concept site, and after telling NoScript to permit scripts from his web site, it worked -- including morphing into the JPEG image of Gmail and changing the icon. While not the active tab.

So ... what's going on?

---

How about letting me whitelist some domains for "Permit same domain reloads while not active"?
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Tabnapping: Slightly less restrictive?

Post by Giorgio Maone »

keybounce wrote: I just went to the proof of concept site, and after telling NoScript to permit scripts from his web site, it worked -- including morphing into the JPEG image of Gmail and changing the icon. While not the active tab.
In fact, by default this feature works only against non-whitelisted sites because once JavaScript is active there are countless ways to morph the page at the right time with no refresh.

If you want it to work on whitelisted sites as well, you can set the noscript.forbidBGRefresh about:config preference to 3, but it's kinda pointless for the aforementioned reason.
keybounce wrote: How about letting me whitelist some domains for "Permit same domain reloads while not active"?
That's what the noscript.forbidBGRefresh.exceptions about:config preference is for (accepting space-separated patterns).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
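
An added example, not part of the thread and not NoScript's own code: a simplified JavaScript model of the background-refresh policy described in the post above, including why a same-URL refresh is still blocked. The bit meanings of forbidBGRefresh (1 = non-whitelisted sites, 2 = whitelisted sites), prefix matching of exception patterns against the tab's URL, and the example.org URLs are assumptions.

```javascript
// Simplified model of the policy discussed in this thread; NOT NoScript's code.
// Assumption: forbidBGRefresh is a bit mask, 1 = non-whitelisted sites (the
// behaviour described as the default), 2 = whitelisted sites, so 3 covers both.
// Assumption: each space-separated exception pattern is treated as a plain
// prefix of the URL loaded in the tab; the real pattern syntax may differ.

// Parse a <meta http-equiv="refresh"> content value such as "5; url=/index.php".
function parseRefresh(content, pageUrl) {
  const m = /^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?['"]?([^'"]*)['"]?)?\s*$/i.exec(content);
  if (!m) return null;
  // A refresh without a URL reloads the current page.
  const target = m[2] ? new URL(m[2].trim(), pageUrl).href : new URL(pageUrl).href;
  return { delay: Number(m[1]), target };
}

function shouldBlockRefresh({ pageUrl, content, tabFocused, siteWhitelisted, pref, exceptions }) {
  const refresh = parseRefresh(content, pageUrl);
  if (!refresh || tabFocused) return false;      // only unfocused tabs are affected
  const bit = siteWhitelisted ? 2 : 1;
  if ((pref & bit) === 0) return false;          // policy does not cover this class of site
  const patterns = exceptions.split(/\s+/).filter(Boolean);
  if (patterns.some((p) => pageUrl.startsWith(p))) return false;
  // Deliberately no same-site or same-URL exemption: the server can return
  // different content for the same address, so the target proves nothing.
  return true;
}

// Constructed sample: a forum page redirecting to its own index.
const sample = {
  pageUrl: "http://forums.example.org/profile.php?mode=view",
  content: "0; url=/index.php",
  tabFocused: false,
  siteWhitelisted: false,
  pref: 1,
  exceptions: "",
};
console.log(shouldBlockRefresh(sample));                                   // blocked
console.log(shouldBlockRefresh({ ...sample, exceptions: "http://forums.example.org/" })); // allowed
```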
keybounce
Posts: 16
Joined: Fri Nov 20, 2009 10:06 pm

Re: Tabnapping: Slightly less restrictive?

Post by keybounce »

Ahh; thank you.

Got a nice gui for that? :-)
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Tabnapping: Slightly less restrictive?

Post by Giorgio Maone »

keybounce wrote: Got a nice gui for that? :-)
Nope. Already too many preferences have a GUI, and we should start to cut the clutter.
Most users won't notice anyway.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6