www.liberoquotidiano.it
Posted: Mon Apr 23, 2012 6:50 pm
www.liberoquotidiano.it doesn't work even using 'Temporarily allow page'
NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/
[NoScript] Blocking cross-site Javascript served from http://lesscss.googlecode.com/files/less-1.0.30.min.js with wrong type info text/x-c++, attachment; filename="less-1.0.30.min.js" and included by http://www.liberoquotidiano.it/
Giorgio Maone wrote:
using googlecode.com (which is a code repository, where anyone can check in arbitrary and possibly malicious JavaScript) like a CDN, to spare some cents on their bandwidth bill.

Uh, oh...sounds a bit like getting all of your drinking water from the pond at the local park...

Giorgio Maone wrote:
you can work around by adding lesscss.googlecode.com to your noscript.inclusionTypeChecking.exceptions about:config preference (space-separated).

NB ABE probably can't save you here, since their deliberately-included JavaScript could be compromised.
Giorgio Maone wrote:
Notice that the exception mentioned in my previous message has eventually been included in recent NoScript versions.
Nonetheless, the practice of including JavaScript libraries from code repositories remains idiotic and dangerous.
Read here for more reasons.

Er...is adding an exception for that a good idea? I mean, yeah, the site breaks without it, but OTOH, isn't allowing it inherently dangerous? Not just on liberoquotidiano, but on any site that might foolishly try the same trick? Better, I would think, to let sites like that break, and have users go digging around, find out about the sloppy coding, and make an informed decision about whether or not to trust their safety to these webmasters. Otherwise, I might decide to trust a site that I want to get working, oblivious to the fact that they're importing scripts that aren't under their control.
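
The check behind the log line in this thread, as an added example that is not part of the original posts and is not NoScript's code: a simplified model in which a cross-site script include is refused when its response is served as an attachment or with a non-JavaScript type, unless the host is on a space-separated exception list. The function names, the set of accepted types and the matching rules are assumptions made for illustration.

```javascript
// Simplified model of an inclusion type check (assumption: not NoScript's code).
const SCRIPT_TYPES = new Set([
  "application/javascript", "application/x-javascript",
  "text/javascript", "application/ecmascript", "text/ecmascript",
]);

// Space-separated host list, the format the thread gives for the preference.
function parseExceptions(pref) {
  return new Set(pref.split(/\s+/).filter(Boolean).map((h) => h.toLowerCase()));
}

function checkInclusion({ pageUrl, scriptUrl, headers }, exceptionsPref = "") {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  if (page.origin === script.origin) return { allow: true, reason: "same-origin" };

  // The exception is keyed on the script host only, so it applies to every
  // including page, not just the site the user wanted to fix.
  if (parseExceptions(exceptionsPref).has(script.hostname)) {
    return { allow: true, reason: "host on exception list" };
  }
  // Header names are case-insensitive; the media type is the part before ';'.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const type = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  const disposition = (h["content-disposition"] || "").trim().toLowerCase();

  if (disposition.startsWith("attachment")) {
    return { allow: false, reason: `served as attachment (${type || "no type"})` };
  }
  if (!SCRIPT_TYPES.has(type)) {
    return { allow: false, reason: `wrong type ${type || "(none)"}` };
  }
  return { allow: true, reason: "script type matches" };
}

// Constructed sample mirroring the values in the log line above.
const sample = {
  pageUrl: "http://www.liberoquotidiano.it/",
  scriptUrl: "http://lesscss.googlecode.com/files/less-1.0.30.min.js",
  headers: {
    "Content-Type": "text/x-c++",
    "Content-Disposition": 'attachment; filename="less-1.0.30.min.js"',
  },
};
console.log(checkInclusion(sample));                           // blocked
console.log(checkInclusion(sample, "lesscss.googlecode.com")); // allowed
```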