Tabnapping: Slightly less restrictive?
Posted: Mon Jul 05, 2010 4:49 pm
by keybounce
I'm a heavy tab user. (Yes, I suffer from Tabsplosion). I'm getting a lot of errors like this:
Jul 4 22:54:35 Kleiman-ibook [0x0-0x57057].org.mozilla.firefox[0]: [NoScript] [NoScript] Blocking refresh on unfocused tab,
http://forums.libsdl.org/profile.php?mo ... /index.php
Can we please get a tabnapping exception to permit redirects to the same site?
And yes, I know the issue of "Many sites hosted on one domain -- how to tell when it's a different site". But a good approximation is that "site.example.com/~user1/" is a site, and if there isn't a ~user, then it's just by hostname. Beyond that, maybe a list of known domains that use a different scheme?
(Yes, that was just the first example I saw in the logs.)
Re: Tabnapping: Slightly less restrictive?
Posted: Mon Jul 05, 2010 5:12 pm
by Giorgio Maone
Unfortunately such a relaxation of the current policy would completely defeat the anti-tabnapping purpose.
As a matter of fact, a tabnapping redirection can point to the very same URL (IIRC, it was the case of Aviv Raff's PoC itself).
Re: Tabnapping: Slightly less restrictive?
Posted: Mon Jul 05, 2010 7:10 pm
by keybounce
Now that's odd.
I just went to the proof of concept site, and after telling noscript to permit scripts from his web site, it worked -- including morphing into the jpeg image of gmail and changing the icon. While not the active tab.
So ... what's going on?
---
How about letting me whitelist some domains for "Permit same domain reloads while not active"?
Re: Tabnapping: Slightly less restrictive?
Posted: Mon Jul 05, 2010 7:25 pm
by Giorgio Maone
keybounce wrote: I just went to the proof of concept site, and after telling noscript to permit scripts from his web site, it worked -- including morphing into the jpeg image of gmail and changing the icon. While not the active tab.
In fact, by default this feature works only against non-whitelisted sites because once JavaScript is active there are countless ways to morph the page at the right time with no refresh.
If you want it to work on whitelisted sites as well, you can set the noscript.forbidBGRefresh about:config preference to 3, but it's kinda pointless for the aforementioned reason.
keybounce wrote: How about letting me whitelist some domains for "Permit same domain reloads while not active"?
That's what the noscript.forbidBGRefresh.exceptions about:config preference is for (accepting space-separated patterns).
Re: Tabnapping: Slightly less restrictive?
Posted: Mon Jul 05, 2010 7:41 pm
by keybounce
Ahh; thank you.
Got a nice gui for that?

Re: Tabnapping: Slightly less restrictive?
Posted: Mon Jul 05, 2010 7:48 pm
by Giorgio Maone
keybounce wrote: Got a nice gui for that?
Nope. Already too many preferences have a GUI, and we should start to cut the clutter.
Most users won't notice anyway.