STR:
1. Create a new Firefox profile. Disable e10s, for simplicity. (NoScript works differently with e10s, IIRC)
2. Install NoScript (e.g. by visiting about:addons and searching for NoScript)
3. Visit some page that we can render with reader mode, e.g.: https://blog.mozilla.org/blog/2015/05/18/open-web-device-compliance-review-board-certifies-first-handsets-2/
4. Click the reader-mode button in URL bar.
ACTUAL RESULTS: Blank page with just a button with a "caution-sign" icon.
EXPECTED RESULTS: Reader mode version of the page, or an error message about scripts being disabled.
The problem is that NoScript is blocking scripts from "about:reader" by default, and reader-mode doesn't expect to have its scripts blocked & has no fallback rendering.
Giorgio, IIRC NoScript has a built-in whitelist for some "about:" pages -- perhaps about:reader should be added?
(In reply to Daniel Holbert [:dholbert] from comment #0)
> Giorgio, IIRC NoScript has a built-in whitelist for some "about:" pages --
> perhaps about:reader should be added?
(Independently of this, it'd perhaps be nice for about:reader to have a <noscript> tag that displays an error message when its scripts are disabled. Though if this is a slam-dunk for adding to the NoScript default whitelist, maybe that's not worth it.)
I don't feel very comfortable with the idea of adding about:reader to the default whitelist, because as far as I know this feature relies on sanitization to neutralize scripting in markup from the original page which gets otherwise inserted into the DOM rendered as "about:reader". May I suggest that this use event handlers wired by privileged code (a frame script or a sandbox script?), rather than scripts living in the same context as the user-provided (and potentially hostile) HTML to be rendered?
(In reply to Giorgio Maone from comment #2)
> I don't feel very comfortable with the idea of adding about:reader to the
> default whitelist, because as far as I know this feature relies on
> sanitization to neutralize scripting in markup from the original page
Yeah, I was worried about that too :-/
Also, I left out version info -- I'm hitting this with latest Nightly 41.0a1 (2015-05-19), with NoScript 126.96.36.199, on Ubuntu Linux 15.04.
This looks like Bug 1158071.
Product: Firefox → Firefox Graveyard
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1158071