Noscript blocking local bookmarklet

Posted: Thu Aug 16, 2012 6:29 am
by freakabcd
Hello,

I am unable to load js from a local file via a bookmarklet when NoScript is enabled. The bookmarklet was generated by dragging this link from a local page onto the bookmarks toolbar:

<a href="javascript:var%20c=document.createElement('link');c.rel='stylesheet';c.type='text/css';c.href='http://192.168.1.10/testor.css';var%20h ... stor.js</a>

192.168.1.10 is my local machine. It is running apache httpd and the testor.{css,js} files are being served properly (verified via a web browser). 192.168.1.10 is on the whitelist for both firefox stable and nightly. I also have added ^http://192\.168\.1\.10 to the XSS whitelist. The bookmarklet *only* works (on any site) if NoScript is disabled, both on FF stable and nightly. Also, "Forbid bookmarklets" is unchecked.

The weirdest part is that the bookmarklet works *if* I have *not* allowed any scripts from the site being visited! For example, assume www.bbc.co.uk (and any sites it loads scripts from) is not in my whitelist:
* visit http://www.bbc.co.uk (all scripts disabled)
* click on bookmarklet (it works! verified by checking availability of functions defined in my js file from the FF webconsole and firebug console)

Now if I temporarily allow scripts from bbc.co.uk, which leads to a page reload, clicking on the bookmarklet does nothing. Well, I can see the script and link (for the css) tags being added to the document tree itself, but none of the functions within the js file are available!

I believe this is a bug in NoScript. Please verify and fix if possible. If you would like me to try a few other things, let me know via replies to this post.

Re: Noscript blocking local bookmarklet

Posted: Thu Aug 16, 2012 10:52 pm
by GµårÐïåñ
Couple of things. 1) Do you have ABE enabled? If so, have you allowed local access before the LOCAL rule? 2) I have apache and used a dummy CSS/js using your BM and it worked just fine. Can you provide me the css/js either via PM or here in the code tag for me to check to see if it's something in there that's causing the problem maybe? As of this moment, I can't reproduce your issue but I can try if you can provide me the rest of your resources. Also, I only tested on Windows x86 with Fx 14, but I can test on Linux with the nightly too if necessary.

Re: Noscript blocking local bookmarklet

Posted: Fri Aug 17, 2012 12:13 am
by freakabcd
Yes, I have ABE enabled. I'm not sure how I allow "local access before the LOCAL rule".

The USER ruleset only has this comment:
# User-defined rules. Feel free to experiment here.

The SYSTEM ruleset has:
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

The script itself is really nothing special. I reduced it to a single line:
function blahblah() { alert("Hello"); }
Likewise with the css file.

I will try with ABE disabled, but I would prefer to keep things as they are on defaults, except for the whitelist and xss exceptions.

Re: Noscript blocking local bookmarklet

Posted: Fri Aug 17, 2012 12:25 am
by freakabcd
Yes, it works if I simply disable the SYSTEM ruleset. Now, I need to know how to get it working without completely disabling the SYSTEM ruleset.

Also, could you check why it works in the special case where scripts are disallowed from the original site? Please try it out as I have specified in my original post with bbc (or use any random site you like with a locally served script in the bookmarklet and noscript default installation; I'm on 2.5.1).

I could understand why the script loads fine when noscript is disabled, but was extremely surprised when it loaded fine if I did not enable any scripts from the original site at all! But my loaded script is not very useful in this case as I most likely will use some functionality from the scripts on the original page as well.

Re: Noscript blocking local bookmarklet

Posted: Fri Aug 17, 2012 6:59 pm
by GµårÐïåñ
Ok, so that narrows it down. In the system ruleset the LOCAL rule is designed to protect you from anything trying to use you locally. Since you are running this resource locally and not using the traditional localhost, you can try and add your IP on the second line where it says accept from LOCAL and put your IP in there and all should be well.

So the rule would look like this:

Site LOCAL
Accept from LOCAL 192.168.1.10
Deny

This would tell ABE that in addition to what it considers LOCAL, you are permitting this particular IP to access LOCAL as well. Now keep in mind, god forbid you become compromised, and something malicious decides to exploit you locally, by adding your IP to the "I trust it and so allow it" part of the rule you are effectively giving the exploits a blank check and ABE won't intervene anymore. So use with caution.

/edit: just to be thorough and make sure it is not interpreting LOCAL as something that will still deny you access, I am going to edit the rule I gave you originally to include an extra bit. Try the first one first and see if it works, if NOT, then use this version.

Site LOCAL 192.168.10
Accept from LOCAL 192.168.1.10
Deny

Let me know how it goes please. Also, just a little friendly tip as a programmer, to make your code more "reusable" and less "static" try using more globally used variables such as localhost or even if you want to use an IP use 127.0.0.1 (the loopback) instead of your actual LAN IP, so that the code can be easily reusable without being edited, just a little tip and unsolicited advice, that's all.

Re: Noscript blocking local bookmarklet

Posted: Thu Aug 23, 2012 3:07 am
by freakabcd
Unfortunately, it does not work. This is my SYSTEM ruleset now:

Site LOCAL 192.168.10
Accept from LOCAL 192.168.1.10
Deny

Regardless of the js file being loaded from the bookmarklet, it doesn't work. Also, did you investigate the other behaviour I mentioned? The bookmarklet loads the script fine (even with ABE enabled and without any changes to any ruleset) if all scripts are disallowed from the current site/domain. Of course my IP 192.168.1.10 is on the always allowed whitelist.

So, I'm back to disabling my SYSTEM ruleset
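
Added example, not part of any post in this thread and not NoScript's own code: a simplified model of how an ABE ruleset is matched, run against the SYSTEM rule and the first suggested rule quoted above. Assumptions: only host names are compared, the first matching predicate decides, the request's origin is the host of the page the bookmarklet runs on (www.bbc.co.uk), and the `SCOPED` ruleset and all function names are constructed for illustration.

```javascript
// Simplified model of ABE rule matching (illustrative, not NoScript code).
function isLocal(host) {
  return host === 'localhost' ||
    /^(127|10)\.\d+\.\d+\.\d+$/.test(host) ||
    /^192\.168\.\d+\.\d+$/.test(host) ||
    /^172\.(1[6-9]|2\d|3[01])\.\d+\.\d+$/.test(host);
}

// A token is either the LOCAL keyword or an exact host (assumption: no globs).
function matches(token, host) {
  return token === 'LOCAL' ? isLocal(host) : token === host;
}

function parseRules(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const words = line.split(/\s+/);
    if (words[0] === 'Site') {
      rules.push({ sites: words.slice(1), predicates: [] });
    } else if (rules.length) {
      const i = words.indexOf('from');
      rules[rules.length - 1].predicates.push({
        action: words[0],
        from: i === -1 ? null : words.slice(i + 1),
      });
    }
  }
  return rules;
}

// Returns the action of the first predicate whose rule covers the
// destination and whose "from" list (if any) covers the origin.
function evaluate(text, origin, dest) {
  for (const rule of parseRules(text)) {
    if (!rule.sites.some(t => matches(t, dest))) continue;
    for (const p of rule.predicates) {
      if (p.from === null || p.from.some(t => matches(t, origin))) return p.action;
    }
  }
  return 'NoMatch';
}

const SYSTEM = '# Prevent Internet sites from requesting LAN resources.\n' +
  'Site LOCAL\nAccept from LOCAL\nDeny';
const SUGGESTED = 'Site LOCAL\nAccept from LOCAL 192.168.1.10\nDeny';
// Constructed: a narrower rule placed before the LOCAL rule.
const SCOPED = 'Site 192.168.1.10\nAccept from www.bbc.co.uk\n\n' + SYSTEM;
```

In this model both the default rule and the suggested one deny a request whose origin is www.bbc.co.uk, because the `from` list is compared with the requesting page rather than with the LAN server; the constructed `SCOPED` ruleset accepts that one origin and still denies other Internet origins.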

Re: Noscript blocking local bookmarklet

Posted: Thu Aug 23, 2012 3:18 am
by freakabcd
Oh and forgot to mention why I am using the ip instead of localhost. It is because the bookmarklet and (also the script it loads from my machine) will be used by others within my local network.

So, once I get it working with ABE enabled, I simply need to let everyone in the network know that they need to add/modify a rule instead of simply disabling ABE or disabling the SYSTEM rule.

Re: Noscript blocking local bookmarklet

Posted: Thu Aug 23, 2012 9:30 pm
by GµårÐïåñ
I see, now this is just bizarre, so I am going to hit up Giorgio for an extra pair of eyes and see what we can conjure up, I will have him post his thoughts here directly or I will if he tells me what he thinks. Please stand by.

Re: Noscript blocking local bookmarklet

Posted: Wed Sep 19, 2012 10:30 pm
by Pat Drummond
I don't know if this is related. I whitelisted www.manotick.net. The banner image at the top of http://www.manotick.net/orgs.html shows fine but not from my hard drive. The link works but the image does not load from http://manotick.net/banners/{random image}. Any suggestions would be welcome.