Last Comment Bug 1158071 - NoScript interferes with Reader View mode
: NoScript interferes with Reader View mode
Product: Toolkit
Classification: Components
Component: Reader Mode (show other bugs)
: Trunk
: All All
-- normal (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
: :Gijs
: 1166455 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2015-04-24 01:58 PDT by Petruta Rasa [QA] [:petruta]
Modified: 2016-09-25 02:36 PDT (History)
4 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Petruta Rasa [QA] [:petruta] 2015-04-24 01:58:59 PDT
Reproducible on:
 Firefox 38 beta 6
 latest Aurora 39.0a2 2015-04-23
 latest Nightly 40.0a1 2015-04-13 NON e10s window
Not reproducible on:
 latest Nightly 40.0a1 2015-04-13 e10s window

Steps to reproduce:
1. Install NoScript add-on and restart the browser
2. Open an article (eg from )
3. Click the Reader View icon on the location bar

Actual results:
The article is blocked by NoScript, only "-" icon is shown on the page. The tab title is: about:reader?url=http...

Expected results:
Tab title should not appear as "about:reader". I believe NoScript should not interfere with an integrated Firefox feature such as Reader View.

Notes: 1. Issue reproduces under Win 7 64-bit, Ubuntu 13.04 64-bit and Mac OS X 10.9.5.
2. "Allow about:reader" NoScript option can be selected to display the article in reading view format.
Comment 1 User image Frankie 2016-06-25 06:07:17 PDT
*** Bug 1166455 has been marked as a duplicate of this bug. ***
Comment 2 User image :Gijs 2016-07-13 05:27:32 PDT
If NoScript is deliberately doing this, I don't think it's useful for Firefox to do much to try to counteract this, so going to resolve this bug.

That said, I'm not sure why NoScript is doing this. We already use sanitization on about:reader and so no content-originated JS should ever be running on it. While there's more defense in depth that could happen (e.g. bug 1204818), I wonder if Giorgio would consider enabling the about:reader option by default and/or contributing to whatever he thinks should happen to make this work out of the box.
Comment 3 User image Giorgio Maone [:mao] 2016-09-25 02:36:07 PDT
Sorry for the late answer.
The reasons why about:reader is not whitelisted is that markup sanitization is not perfect and researchers out there can always figure out a new way to work-around it, e.g. by leveraging new elements, attributes or event handler added by the ever changing HTML5 spec.

Bug 1204818 (a sandboxed iframe) is definitely a step in the right direction: I suppose it's meant to be the "web-centric" equivalent of the old, proven way, i.e. disabling scripts in content and wiring the UI from chrome-side event handlers.

Note You need to log in before you can comment on or make changes to this bug.