Last Comment Bug 1166455 - Reader Mode doesn't work, by default, with NoScript installed
: Reader Mode doesn't work, by default, with NoScript installed
Status: RESOLVED DUPLICATE of bug 1158071
:
Product: Firefox Graveyard
Classification: Graveyard
Component: Reading List (show other bugs)
: Trunk
: Unspecified Unspecified
: -- normal
: ---
Assigned To: Nobody; OK to take it and work on it
:
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-05-19 13:09 PDT by Daniel Holbert [:dholbert]
Modified: 2016-06-25 06:07 PDT (History)
3 users (show)
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments

Description User image Daniel Holbert [:dholbert] 2015-05-19 13:09:37 PDT
STR:
 1. Create a new Firefox profile. Disable e10s, for simplicity.
  (NoScript works differently with e10s, IIRC)

 2. Install NoScript (e.g. by visiting about:addons and searching for NoScript)

 3. Visit some page that we can render with reader mode, e.g.:
https://blog.mozilla.org/blog/2015/05/18/open-web-device-compliance-review-board-certifies-first-handsets-2/

 4. Click the reader-mode button in URL bar.

ACTUAL RESULTS:
Blank page with just a button with a "caution-sign" icon.

EXPECTED RESULTS:
Reader mode version of the page, or an error message about scripts being disabled.


The problem is that NoScript is blocking scripts from "about:reader" by default, and reader-mode doesn't expect to have its scripts blocked & has no fallback rendering.


Giorgio, IIRC NoScript has a built-in whitelist for some "about:" pages -- perhaps about:reader should be added?
Comment 1 User image Daniel Holbert [:dholbert] 2015-05-19 13:11:33 PDT
(In reply to Daniel Holbert [:dholbert] from comment #0)
> Giorgio, IIRC NoScript has a built-in whitelist for some "about:" pages --
> perhaps about:reader should be added?

(Independently of this, it'd perhaps be nice for about:reader to have a <noscript> tag that displays an error message when its scripts are disabled. Though if this is a slam-dunk for adding to the NoScript default whitelist, maybe that's not worth it.)
Comment 2 User image Giorgio Maone [:mao] 2015-05-19 13:19:31 PDT
I don't feel very comfortable with the idea of adding about:reader to the default whitelist, because as far as I  know this feature relies on sanitization to neutralize scripting in markup from the original page which gets otherwise inserted into the DOM rendered as "about:reader".
May I suggest this to use event handlers wired by privileged code (a frame script or a sandbox script?), rather than scripts living in the same context as the user-provided (and potentially hostile) HTML to be rendered?
Comment 3 User image Daniel Holbert [:dholbert] 2015-05-19 13:36:05 PDT
(In reply to Giorgio Maone from comment #2)
> I don't feel very comfortable with the idea of adding about:reader to the
> default whitelist, because as far as I  know this feature relies on
> sanitization to neutralize scripting in markup from the original page

Yeah, I was worried about that too :-/

Also, I left out version info -- I'm hitting this with latest Nightly 41.0a1 (2015-05-19), with NoScript 2.6.9.22, on Ubuntu Linux 15.04.
Comment 4 User image Andrei Vaida, QA [:avaida] – please ni? me 2015-05-19 23:43:42 PDT
This looks like Bug 1158071.
Comment 5 User image Frankie 2016-06-25 06:07:17 PDT

*** This bug has been marked as a duplicate of bug 1158071 ***

Note You need to log in before you can comment on or make changes to this bug.