data: URI & NoScript Icon Indicator
Posted: Fri Sep 07, 2012 2:27 pm
by therube
data: URI & NoScript Icon Indicator
"URL:"
http://pastebin.com/pdkzuPjJ
NoScript shows the top level domain to be wikimedia.com
Allow wikimedia.com
NoScript icon unchanged, still shows all to be blocked
Allow
http://http
NoScript icon now shows nothing blocked
Re: data: URI & NoScript Icon Indicator
Posted: Wed Sep 19, 2012 11:18 am
by Thrawn
Yeah, I can confirm the behaviour (after overriding the warning), but I'd say it's probably not worth fixing. Data uris aren't normal...
Re: data: URI & NoScript Icon Indicator
Posted: Thu Sep 20, 2012 1:55 pm
by therube
> Data uris aren't normal
Precisely the reason why it is even more important.
Plus, not normal for whom? You or me, perhaps, but for a browser it is as normal as HTML.
Re: data: URI & NoScript Icon Indicator
Posted: Thu Sep 20, 2012 9:17 pm
by Thrawn
It's just cosmetic, though, isn't it? NoScript being a bit confused about what constitutes the top-level document? And NoScript blocks you from entering a data URI unless you edit about:config.
Is there an actual security hole here? If so, please elaborate.
Re: data: URI & NoScript Icon Indicator
Posted: Thu Sep 20, 2012 9:34 pm
by therube
> It's just cosmetic
Not at all.
> NoScript blocks you from entering a data URI
True (with exceptions).
But the data: URI need not necessarily be "added" by you; it could be in a link you clicked.
And just what site are we looking at here?
Take a look. It is not wikipedia.
Re: data: URI & NoScript Icon Indicator
Posted: Thu Sep 20, 2012 10:32 pm
by Thrawn
therube wrote:
> And just what site are we looking at here?
> Take a look. It is not wikipedia.
No, but it tries to import a script from bits.wikimedia.org, which is why NoScript blocks & reports that. The inline scripts (of which there are several) are presumably represented by the
entry. So, that looks a bit funky, and even when you allow one or the other of the two script sources, the icon still reports that the top-level document is blocked, but NoScript is still apparently detecting and blocking everything.
Btw, I had spam filter trouble when posting this, even when I disabled automatic URL parsing and wrapped URLs in code tags, so I removed most of them. Not sure whether the angle brackets also contributed?
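
The situation discussed in this thread, as an added example that is not part of any post above: a document loaded from a data: URI has no host of its own, so the only host names a per-site script policy can list are those of the scripts it imports, while its inline scripts belong to the data: document itself. The sample markup, the script path and the function names are constructed for illustration (only the host bits.wikimedia.org comes from the thread), and the tag matching is a simple regular expression, not a full HTML parser.

```javascript
// Added example; SAMPLE_HTML is constructed and is not the pastebin content.
const SAMPLE_HTML =
  '<html><head><script src="https://bits.wikimedia.org/constructed.js"></script>' +
  "<script>var a = 1;</script></head>" +
  "<body><script>var b = 2;</script></body></html>";
const SAMPLE_URI = "data:text/html," + encodeURIComponent(SAMPLE_HTML);

// Split a data: URI into media type and decoded body (base64 or percent-encoded).
function decodeDataUri(uri) {
  const m = /^data:([^,]*),(.*)$/s.exec(uri);
  if (!m) throw new Error("not a data: URI");
  const params = m[1].split(";").map((p) => p.trim());
  const isBase64 = params[params.length - 1].toLowerCase() === "base64";
  const body = isBase64
    ? Buffer.from(m[2], "base64").toString("utf8")
    : decodeURIComponent(m[2]);
  return { mediaType: params[0] || "text/plain", body };
}

// Report what a host-based script policy can and cannot key on for this document.
function describeDataDocument(uri) {
  const top = new URL(uri); // parses, but carries no host and an opaque origin
  const { mediaType, body } = decodeDataUri(uri);
  const externalHosts = new Set();
  let inlineScripts = 0;
  for (const [, attrs] of body.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (!src) { inlineScripts++; continue; } // inline: attributed to the data: document
    try {
      externalHosts.add(new URL(src[1]).host);
    } catch {
      // A relative src cannot resolve: a data: URL is not a valid base URL.
    }
  }
  return {
    topProtocol: top.protocol,
    topHost: top.host,
    topOrigin: top.origin,
    mediaType,
    externalHosts: [...externalHosts].sort(),
    inlineScripts,
  };
}

console.log(describeDataDocument(SAMPLE_URI));
```
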