
NS 2.0.7 -> 2.0.8.1 regression with non-standard HTTP ports

Posted: Thu Dec 16, 2010 4:32 pm
by ablackrw
Our company has a number of hosts running a daemon which provides HTTP services on a non-standard port (5555). The pages produced by the daemon in question include a JavaScript file served from another host (the service also running on a non-standard port, 8182). While I could permanently allow JavaScript for all hosts in question (or for the entire corporate domain), I choose to utilize the temporary whitelist mechanism (though I have permanently whitelisted the port-qualified host that serves the included JavaScript file).

The regression I observe is that I am given the option of temporarily or permanently whitelisting the base domain (example.com) and the non-port-qualified host (host.site.example.com). If I temporarily allow the non-port-qualified host, the page does not reload to activate the JavaScript on the page.

The behavior I would expect is that I would be given the option of temporarily or permanently whitelisting the base domain (example.com) and the port-qualified host (host.site.example.com:5555). When I elect to temporarily allow the port-qualified host, the page would reload to activate the JavaScript on the page.

Alternately, the page should reload if the non-port-qualified host is allowed, but I would prefer to whitelist just specific ports rather than all ports on a given host/domain.

I believe this is a regression from NoScript 2.0.7, running on Firefox 3.6.12 on openSUSE 11.2 (x86_64).

--Andrew Black

Re: NS 2.0.7 -> 2.0.8.1 regression with non-standard HTTP po

Posted: Thu Dec 16, 2010 5:31 pm
by Giorgio Maone
The missing reload is actually a regression, thanks.

The missing option is itself a bug fix, instead, because by design NoScript should hide the host:port !== host implementation detail (when you allow a domain, you're expected to allow the subdomains as well, so why make a difference for ports?)

However you can choose to explicitly handle ports by setting the noscript.ignorePorts about:config preference to false.
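A simplified model of the two matching modes discussed in this thread, as an added example (not NoScript's code and not written by either poster). The `ignorePorts` argument stands in for the noscript.ignorePorts preference; `parseEntry`, `isAllowed`, port 8080 and the sample URLs are assumptions made for illustration.

```javascript
// Simplified whitelist model, NOT NoScript's implementation.
// A bare domain entry ("example.com") covers the domain and its subdomains on
// every port. A full address entry ("http://host:port") names one scheme+host,
// and its port is compared only when ignorePorts is false.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function parseEntry(entry) {
  if (!entry.includes("://")) {
    return { kind: "domain", host: entry.toLowerCase() };
  }
  const u = new URL(entry);
  // URL.port is "" for the scheme's default port, so normalise it.
  return { kind: "address", scheme: u.protocol, host: u.hostname,
           port: u.port || DEFAULT_PORTS[u.protocol] };
}

function isAllowed(scriptUrl, whitelist, ignorePorts) {
  const u = new URL(scriptUrl);
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return whitelist.map(parseEntry).some((e) => {
    if (e.kind === "domain") {
      // Require a label boundary so "badexample.com" does not match.
      return u.hostname === e.host || u.hostname.endsWith("." + e.host);
    }
    if (e.scheme !== u.protocol || e.host !== u.hostname) return false;
    return ignorePorts || e.port === port;
  });
}

// Constructed sample: one trusted service on 5555, another service on the
// same host on 8080 (hypothetical) that was never meant to be trusted.
function demo() {
  const whitelist = ["http://host.site.example.com:5555"];
  const other = "http://host.site.example.com:8080/other.js";
  return {
    portsIgnored: isAllowed(other, whitelist, true),
    portsHonoured: isAllowed(other, whitelist, false),
  };
}

console.log(demo());
```

With ports ignored, trusting one service on a host extends to every port on that host, which is the exposure raised in the thread for hosts running several web services.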

Re: NS 2.0.7 -> 2.0.8.1 regression with non-standard HTTP po

Posted: Thu Dec 16, 2010 7:09 pm
by ablackrw
While I would agree that it makes sense to hide the host:port !== host detail when you allow a full domain, it doesn't make sense to me when you allow a full address. The contextual menu options I have selected in the NoScript preferences are 'Base 2nd level Domains' and 'Full Addresses'. I suppose I should correct my initial report to state that my observed behavior was 'http://host.site.example.com', rather than 'host.site.example.com' and the expected behavior is 'http://host.site.example.com:5555' rather than 'host.site.example.com:5555'. I didn't notice the distinction when reviewing my post before submission, and I can see how I might have caused confusion after reviewing the NoScript options.

Changing the noscript.ignorePorts option to false does result in the behavior I would expect, but I don't know what other side effects it has, and I didn't need it prior to the 2.0.7 to 2.0.8.1 update.

--Andrew Black

Re: NS 2.0.7 -> 2.0.8.1 regression with non-standard HTTP po

Posted: Thu Dec 16, 2010 7:23 pm
by Giorgio Maone
ablackrw wrote: I didn't need it prior to the 2.0.7 to 2.0.8.1 update.
That's why I wrote "bug fix", rather than "feature".

Re: NS 2.0.7 -> 2.0.8.1 regression with non-standard HTTP po

Posted: Thu Dec 16, 2010 10:33 pm
by ablackrw
To me, the difference is that you're adding a specific address (hence the name 'Full Address'), not a domain to the whitelist. I would agree that the port shouldn't be considered when you're adding a 'Base 2nd level Domains' or 'Full Domain' entry, but a given host can have web services accessible on multiple ports, and you might not trust the services on all the ports equally.

This change alters behavior that I've come to expect from several years of usage of NoScript, and I didn't see anything in the release notes that indicated this change happened or that the workaround was to use this (non-obviously documented) config switch. I disagree with your classification of the change as a bug fix, but I don't think I'll change your mind on the subject. As such, we will probably just need to agree to disagree.

--Andrew Black

Re: NS 2.0.7 -> 2.0.8.1 regression with non-standard HTTP po

Posted: Fri Dec 17, 2010 11:27 pm
by Giorgio Maone
Giorgio Maone wrote: The missing reload is actually a regression, thanks.
Fixed in latest development build.