Page 1 of 1
[RESOLVED] Newest NS versions break cross-hosted stylesheets
Posted: Wed May 23, 2012 10:57 pm
by CJax
Q: problem?
A: Since Noscript 2.4.2 (newewst RC was tested, nothing changed) cross-hosted stylesheets (and probably some scripts to) are not loading at all anymore, breaking websites like AMO, Youtube, Wikipedia and others who use stylesheets hosted on other servers.
Q: Sure?
A: Absolutely, I singled out Noscript to be the cause by deactivating all Addons except Noscript and then allowing scripts globally... it wouldn't work. On the other hand only disabling Noscript while having every thing else enabled makes all these sites load their stylesheets correctly.
Q: Only Stylesheets?
A: Could be more, but not having stylesheets makes today's webpages unusable anyway.
Q: culprit?
A: XSS-filter:
a) It's been tweaked the most lately
b) It doesn't work with all scripts and objects allowed, so that can't be it.
Q: Versions?
A: You can see, but it also doesn't work with the Stable Friefox 12 release.
Thanks in advance
Re: Newest Noscript versions break all cross-hosted styleshe
Posted: Wed May 23, 2012 11:22 pm
by Thrawn
Hmm...I can't reproduce this, but:
- XSS filter couldn't really be it, since you're talking about stylesheets, which aren't active content. Even a sanitised request should still be able to retrieve them.
- Have you used any custom ABE rules? Options-Advanced-ABE to see them.
- Any messages in Tools-Error Console?
- Have you tried a new profile with nothing installed except NoScript?
Re: Newest Noscript versions break all cross-hosted styleshe
Posted: Sat May 26, 2012 2:06 am
by Tom T.
I haven't had any trouble with any of those sites, either.
CJax wrote:
Q: Sure?
A: Absolutely, I singled out Noscript to be the cause by deactivating all Addons except Noscript and then allowing scripts globally... it wouldn't work. On the other hand only disabling Noscript while having every thing else enabled makes all these sites load their stylesheets correctly.
Doesn't eliminate the possibility of a corrupt profile, as Thrawn suggested.
Also, if "absolutely", why can't we reproduce it? Can you borrow another machine that has NS, and see if it's reproducible on that one?
Q: culprit?
A: XSS-filter:
a) It's been tweaked the most lately
Irrelevant and illogical.
b) It doesn't work with all scripts and objects allowed, so that can't be it.
If it were the XSS filter, you would receive various XSS notifications. Since you haven't reported any, that actually *eliminates* the XSS filter as a culprit.
See
XSS FAQ
Re: Newest Noscript versions break all cross-hosted styleshe
Posted: Tue May 29, 2012 9:11 am
by hanfi
Hi,
I got a similar problem today (well, maybe it was there before, but i did not hit it).
The page in question is a php script returning a xml-page which is then rendered using xslt-stylesheet (not css!)
Now i find these lines in the error console of firefox:
Code: Select all
[NoScript] Blocking cross-site CSS served from https://spahan.ch/mail.xsl with wrong type info application/xml and included by https://spahan.ch/aliasManager.php
Well, first, this is not actually cross-hosted and second, the xsl stylesheet IS xml.
So i think something is wrong here.
NS-Version in use is 2.4.3rc3
Re: Newest Noscript versions break all cross-hosted styleshe
Posted: Tue May 29, 2012 9:29 am
by dhouwn
hanfi wrote:Well, first, this is not actually cross-hosted and second, the xsl stylesheet IS xml.
Maybe it expects the precise content type, see:
Also XSLT is still blocked per default on untrusted pages (since it's pretty powerful, Turing-complete), which can be toggled in the "Untrusted" section of the "Advanced" options.
But indeed, it's not cross-site.
Re: Newest Noscript versions break all cross-hosted styleshe
Posted: Tue May 29, 2012 9:58 am
by hanfi
dhouwn wrote:hanfi wrote:Well, first, this is not actually cross-hosted and second, the xsl stylesheet IS xml.
Maybe it expects the precise content type, see:
I added the xslt+xml type to my webserver, now i get a similar error....
Code: Select all
[NoScript] Blocking cross-site CSS served from https://spahan.ch/mail.xsl with wrong type info application/xslt+xml and included by https://spahan.ch/aliasManager.php
dhouwn wrote:
Also XSLT is still blocked per default on untrusted pages (since it's pretty powerful, Turing-complete), which can be toggled in the "Untrusted" section of the "Advanced" options.
Yes, i always have to allow the site, that is expected.
I too tried disable NoScript and then the page works without problems.
I created a test case (by simply using a static xml instead the php script) one can find here:
https://spahan.ch/test.xml (please ignore ssl errors, i fix that when i get some spare time :-p)
Re: Newest Noscript versions break all cross-hosted styleshe
Posted: Tue May 29, 2012 10:32 am
by Giorgio Maone
Looks like a regression from
http://noscript.net/changelog wrote:
v 2.4.3rc3
=========================================================================
[...]
x Fixed exception raised by inclusion type checks when parent document's
URI has no host
Investigating, thanks.
Re: Newest Noscript versions break all cross-hosted styleshe
Posted: Tue May 29, 2012 12:04 pm
by Giorgio Maone
Fixed in
latest development build 2.4.4rc1, thank you.
Re: Newest Noscript versions break all cross-hosted styleshe
Posted: Thu May 31, 2012 7:40 am
by ATKoerner
Thanks for fixing. I've had the same problems with local xslt style sheet transformations not working any longer with NoScript 2.4.3