Whitelist Entry with Protocol while forcing HTTPS
Posted: Sun May 22, 2011 3:45 am
by dhouwn
I stumbled upon an interesting issue with the following configuration:
I allowed scripts only on https://www.example.com and at the same time I force www.example.com to use HTTPS (I know that this configuration doesn't make much sense in most cases).
Now I am on a page on example.com with the following source:
```html
<head>
<base href="http://www.example.com/"></base>
<script type="text/javascript" src="a.js"></script>
<script type="text/javascript" src="http://www.example.com/b.js"></script>
</head>
```
Now I haven't had the time to look further into this, but at least one of those scripts seems to get executed. Either both of them get loaded and the NoScript icon is incorrectly displaying to me that some scripts are blocked (and offering me the option to allow http://www.example.com), or only one gets loaded, which I as a user wouldn't expect when enforcement of HTTPS happens before everything else.
Re: Whitelist Entry with Protocol while forcing HTTPS
Posted: Sun May 22, 2011 7:25 am
by Giorgio Maone
This is kinda expected, since the HTTP->HTTPS redirect happens after content blocking checks (which are redone anyway after the redirect).
Re: Whitelist Entry with Protocol while forcing HTTPS
Posted: Sun May 22, 2011 12:23 pm
by dhouwn
Will this change with NoScript 3?
Re: Whitelist Entry with Protocol while forcing HTTPS
Posted: Sun May 22, 2011 12:34 pm
by Giorgio Maone
Most likely not.
Re: Whitelist Entry with Protocol while forcing HTTPS
Posted: Sun May 22, 2011 2:44 pm
by dhouwn
That the content checks are done twice in those cases does not matter that much, but nevertheless it seems unnecessary.
Does it make a difference whether Firefox itself (because of HSTS) or NoScript does the redirection?
Re: Whitelist Entry with Protocol while forcing HTTPS
Posted: Sun May 22, 2011 2:50 pm
by Giorgio Maone
dhouwn wrote: Does it make a difference whether Firefox itself (because of HSTS) or NoScript does the redirection?
Unfortunately, both HSTS and NoScript perform the redirection after content policies have been checked.
This is because content policies are called before the protocol of the request has been evaluated by the browser and the correct channel type created, while HSTS "lives" inside the nsIHTTPChannel implementation (and NoScript hooks it).
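A small model of the ordering described in this reply, added here as an illustration rather than NoScript's or Firefox's own code: the policy is evaluated on the URL as requested, the upgrade to HTTPS only happens afterwards, and a redirect triggers a second evaluation. The whitelist matching and the upgrade step are simplified assumptions, and the markup is the one from the first post.

```javascript
// Constructed model (not NoScript's code) of: content policy check first,
// HTTP->HTTPS upgrade (HSTS / forced HTTPS) second, re-check after redirect.
const FORCE_HTTPS_HOSTS = ["www.example.com"]; // hosts forced to HTTPS

// Resolve a script src the way the HTML parser does, honouring <base href>.
function resolveScriptSrc(src, baseHref) {
  return new URL(src, baseHref).href;
}

// Simplified whitelist matching: an entry with a scheme must match scheme
// and host; a bare-host entry matches any scheme (assumption for the model).
function contentPolicyAllows(url, whitelist) {
  const u = new URL(url);
  return whitelist.some((entry) => {
    if (!entry.includes("://")) return entry === u.host;
    const e = new URL(entry);
    return e.protocol === u.protocol && e.host === u.host;
  });
}

// Upgrade applied on the channel, i.e. only after the policy has run.
function upgradeToHttps(url) {
  const u = new URL(url);
  if (u.protocol === "http:" && FORCE_HTTPS_HOSTS.includes(u.host)) u.protocol = "https:";
  return u.href;
}

// Walk one script load through the pipeline; return every decision made.
function simulateLoad(src, baseHref, whitelist) {
  const requested = resolveScriptSrc(src, baseHref);
  const steps = [{ url: requested, allowed: contentPolicyAllows(requested, whitelist) }];
  if (!steps[0].allowed) return steps;            // blocked; no channel, so no redirect
  const upgraded = upgradeToHttps(requested);
  if (upgraded !== requested) {                   // redirect: policy re-run on new URL
    steps.push({ url: upgraded, allowed: contentPolicyAllows(upgraded, whitelist) });
  }
  return steps;
}

// Constructed sample input: the page from the first post.
const BASE = "http://www.example.com/";
const SCRIPTS = ["a.js", "http://www.example.com/b.js"];

function decisions(whitelist) {
  return SCRIPTS.map((s) => simulateLoad(s, BASE, whitelist));
}
```

With the protocol-qualified entry both scripts are rejected at the first check (the URL is still http://), which is why the menu offers http://www.example.com; a bare-host entry passes the first check, gets upgraded, and passes again.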
Re: Whitelist Entry with Protocol while forcing HTTPS
Posted: Sun May 22, 2011 3:23 pm
by dhouwn
Giorgio Maone wrote: Unfortunately, both HSTS and NoScript perform the redirection after content policies have been checked.
OK, thanks for the explanation.
Just wondering while going overly off-topic here and into realms I don't have much of an understanding of (Mozilla internals), but would this be an issue now that HTTP Upgrade is possible (which from what I understand makes it possible to change from http to another protocol type on-the-fly and might play a role for blockable page content if RFC 2817 gets implemented)?
(very theoretical, I know)
Re: Whitelist Entry with Protocol while forcing HTTPS
Posted: Sun May 22, 2011 3:31 pm
by Giorgio Maone
dhouwn wrote: would this be an issue now that HTTP Upgrade is possible (which from what I understand makes it possible to change from http to another protocol type on-the-fly and might play a role for blockable page content if RFC 2817 gets implemented)?
I don't believe it would. This HTTP upgrade mechanism is mainly meant to make web sockets work, and the latter would be an issue only if you want to allow HTTP content and forbid HTTPS content on the same domain, something which frankly looks very unlikely. And anyway, if it ends up being an issue, we can ask to have a content policy hook on protocol change (even though I believe this will be implemented with redirection semantics, and therefore will be intercepted by NoScript anyway).