Hi guys, I have a feature suggestion and kind of a bug to report; I'm not sure whether it is NoScript's fault, Firefox's fault, or both. Anyway, here is the way to reproduce it:
#STEPS TO REPRODUCE THE BUG#
- Install Firefox
- Set Firefox not to enable JavaScript (Tools>Options menu)
- Install NoScript
- Empty the NoScript whitelist
At this point, no JavaScript should run on web pages, right? Let's try:
- search for "crap" on Google
- hover over the first result, you see a redirection by checking* the status bar like this: http://techdows.com/wp-content/uploads/ ... ooltip.png
(It is visible in the result page HTML source, look for "url?q=")
- hover again: the redirection is now masked!
#CONCLUSION#
Installing NoScript partially re-enables JavaScript execution on web pages while the "enable JavaScript" setting is disabled in Firefox.
NoScript is included in the Tor Browser Bundle so I think it deserves a fix!
---
#ADDITIONAL FEATURE REQUEST#
*Problem*
Facebook can be used easily with JavaScript disabled from FFox options and without using NoScript.
Facebook is not usable with Javascript enabled from FFox options and using NoScript.
*Fix*
Add an option to NoScript so a tab can behave as if JavaScript would be disabled from FFox.
---
*The URL shown in the status bar is not reliable information on Firefox as it can be modified using JavaScript, see bug reports:
Bug 474967 - (CVE-2009-0253) Firefox Displays Invalid Link On Mouse-Over Hyperlink https://bugzilla.mozilla.org/show_bug.cgi?id=474967
Bug 705153 - Link target can be spoofed (Links on Facebook) https://bugzilla.mozilla.org/show_bug.cgi?id=705153
Bug 83578 - Differentiate between status bar text from UI and from Web pages (blind links) https://bugzilla.mozilla.org/show_bug.cgi?id=83578
Bug 325274 - [meta] Spoofing link destinations in the status bar https://bugzilla.mozilla.org/show_bug.cgi?id=325274
Workarounds:
Selectively disable specific JavaScript functions. http://forums.mozillazine.org/viewtopic ... 8&t=556659
Configurable Security Policies http://www.mozilla.org/projects/securit ... ml#whatare
making security policies: http://kb.mozillazine.org/Security_Poli ... y_Policies
A brief guide to Mozilla preferences https://developer.mozilla.org/en-US/doc ... #modifying
---
DoNcK
NoScript re-enabling firefox Javascript + suggestions
Last edited by GµårÐïåñ on Fri Aug 17, 2012 7:37 pm, edited 1 time in total.
Reason: wrap your [URL] to prevent giving us a broken link
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
- Giorgio Maone
- Site Admin
- Posts: 9527
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: NoScript re-enabling firefox Javascript + suggestions
DoNcK wrote:
> - search for "crap" on Google
> - hover over the first result, you see a redirection by checking* the status bar like this: http://techdows.com/wp-content/uploads/ ... ooltip.png
> (It is visible in the result page HTML source, look for "url?q=")
> - hover again: the redirection is now masked!
This is not a bug, it's a feature.
Specifically, it is the effect of the noscript.surrogates.glinks.* Script Surrogate, which removes the tracking redirection from Google results as soon as you hover or click them.
If you want to disable it, just clear the noscript.surrogates.glinks.sources about:config preference.
DoNcK wrote:
> *Problem*
> Facebook can be used easily with JavaScript disabled from FFox options and without using NoScript.
> Facebook is not usable with JavaScript enabled from FFox options and using NoScript.
> *Fix*
> Add an option to NoScript so a tab can behave as if JavaScript would be disabled from FFox.
Not sure about what you mean here: when I try to use FB with JavaScript disabled from Fx, I'm greeted with a message telling me I need to enable JavaScript or use the mobile version.
Am I missing something?
Could you give me additional details?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
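The link rewriting described in the post above can be sketched as follows. This is an added example, not NoScript's surrogate source; the function names, the same-host check and the sample hrefs are assumptions made for illustration.

```javascript
// Added example: unwrap "/url?q=<target>" tracking redirects in result links.
// RESULTS_PAGE and the rules below are assumptions, not NoScript's code.
const RESULTS_PAGE = 'https://www.google.com/search?q=crap';

function unwrapRedirect(href, pageUrl = RESULTS_PAGE) {
  let link;
  try {
    link = new URL(href, pageUrl);        // resolve relative hrefs like "/url?q=..."
  } catch (e) {
    return href;                          // unparseable: leave untouched
  }
  const page = new URL(pageUrl);
  // Only rewrite the results page's own redirector endpoint.
  if (link.hostname !== page.hostname || link.pathname !== '/url') return href;

  const target = link.searchParams.get('q'); // already percent-decoded
  if (!target) return href;

  let dest;
  try {
    dest = new URL(target);               // must be an absolute URL
  } catch (e) {
    return href;
  }
  // Never surface a non-web scheme as the "clean" link.
  if (dest.protocol !== 'http:' && dest.protocol !== 'https:') return href;
  return dest.href;
}

// Apply the rewrite to a list of hrefs and report which ones changed.
function cleanLinks(hrefs) {
  return hrefs.map((href) => {
    const clean = unwrapRedirect(href);
    return { href, clean, rewritten: clean !== href };
  });
}

// Constructed sample input, not captured from a real results page.
const SAMPLE = [
  '/url?q=https%3A%2F%2Fexample.org%2Fpage%3Fa%3D1&sa=U',
  '/search?q=crap&start=10',
  '/url?q=javascript:void(0)',
  'https://other.example/url?q=https://example.net/',
];

for (const r of cleanLinks(SAMPLE)) {
  console.log(r.rewritten ? 'rewritten' : 'kept     ', r.href, '->', r.clean);
}
```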
Re: NoScript re-enabling firefox Javascript + suggestions
> This is not a bug, it's a feature.
> Specifically, it is the effect of the noscript.surrogates.glinks.* Script Surrogate, which removes the tracking redirection from Google results as soon as you hover or click them.
How is this done? JavaScript, right? Sure there is no security risk? As an example, let's say the website you want to protect from knows you are using NoScript, can't it use the same instruction to mess the links back?
> Not sure about what you mean here: when I try to use FB with JavaScript disabled from Fx, I'm greeted with a message telling me I need to enable JavaScript or use the mobile version.
> Am I missing something?
> Could you give me additional details?
Strange, it seems the behaviour changed. I remember it was working quite well in the past, but I just retried accessing Facebook with all modules and JavaScript disabled, and now it seems quite limited. However, I'm not getting this mobile version message you have, maybe try https://www.facebook.com/?_fb_noscript=1 or add "?_fb_noscript=1" at the end of the URL you are already viewing. If I remember, in the past I was going to https://www.facebook.com and was redirected to https://www.facebook.com/?_fb_noscript=1 when JavaScript was disabled.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3370
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: NoScript re-enabling firefox Javascript + suggestions
I have to agree with Giorgio and I was going to comment before I saw that he had, so I left it. But you are a bit all over the place and seem to have a different understanding of what's what. No, surrogates are not scripting per se, they are handled by NoScript's internal scripting engine, but then again so is EVERY addon. However, surrogates cannot be used as a means of tracking on their own like you suggested because what it does is simply remove the payload and let the website think it succeeded, when in fact it got nothing. That's it. It's designed to fool and bypass their implementation without destroying function, that's a feature that was begged for by users shortly after Google decided that if they couldn't directly track you, they are going to passively track you by running each link through a middle code, this surrogate kills that so you get the results and Google gets nothing. Simple as that. If the scripting is disabled, then it stays disabled, NS is not in the business of enabling things that should remain disabled, period. I have the same experience as Giorgio and I think if you are getting something different, you are doing something wrong or worse yet misinterpreting the results or observations you are getting.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Re: NoScript re-enabling firefox Javascript + suggestions
OK then, fine if the JavaScript engine is not re-enabled on the page. That was my only fear about NoScript.
Anyway Firefox still needs a fix but that's not the place to deal with this issue.
Mozilla/5.0 (Linux; U; Android 2.3.4; fr-fr; SonyEricssonST18i Build/4.0.2.A.0.62) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1