Closed Bug 1166455 Opened 9 years ago Closed 8 years ago

Reader Mode doesn't work, by default, with NoScript installed

Categories

(Firefox Graveyard :: Reading List, defect)

Product:
Firefox Graveyard
Component:
Reading List
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1158071

People

(Reporter: dholbert, Unassigned)

Details

STR:
 1. Create a new Firefox profile. Disable e10s, for simplicity.
  (NoScript works differently with e10s, IIRC)

 2. Install NoScript (e.g. by visiting about:addons and searching for NoScript)

 3. Visit some page that we can render with reader mode, e.g.:
https://blog.mozilla.org/blog/2015/05/18/open-web-device-compliance-review-board-certifies-first-handsets-2/

 4. Click the reader-mode button in URL bar.

ACTUAL RESULTS:
Blank page with just a button with a "caution-sign" icon.

EXPECTED RESULTS:
Reader mode version of the page, or an error message about scripts being disabled.


The problem is that NoScript is blocking scripts from "about:reader" by default, and reader-mode doesn't expect to have its scripts blocked & has no fallback rendering.


Giorgio, IIRC NoScript has a built-in whitelist for some "about:" pages -- perhaps about:reader should be added?
(In reply to Daniel Holbert [:dholbert] from comment #0)
> Giorgio, IIRC NoScript has a built-in whitelist for some "about:" pages --
> perhaps about:reader should be added?

(Independently of this, it'd perhaps be nice for about:reader to have a <noscript> tag that displays an error message when its scripts are disabled. Though if this is a slam-dunk for adding to the NoScript default whitelist, maybe that's not worth it.)
Flags: needinfo?(g.maone)
I don't feel very comfortable with the idea of adding about:reader to the default whitelist, because as far as I  know this feature relies on sanitization to neutralize scripting in markup from the original page which gets otherwise inserted into the DOM rendered as "about:reader".
May I suggest this to use event handlers wired by privileged code (a frame script or a sandbox script?), rather than scripts living in the same context as the user-provided (and potentially hostile) HTML to be rendered?
Flags: needinfo?(g.maone)
(In reply to Giorgio Maone from comment #2)
> I don't feel very comfortable with the idea of adding about:reader to the
> default whitelist, because as far as I  know this feature relies on
> sanitization to neutralize scripting in markup from the original page

Yeah, I was worried about that too :-/

Also, I left out version info -- I'm hitting this with latest Nightly 41.0a1 (2015-05-19), with NoScript 2.6.9.22, on Ubuntu Linux 15.04.
This looks like Bug 1158071.
Product: Firefox → Firefox Graveyard
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox41: affected → ---
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.