Closed Bug 1278735 Opened 8 years ago Closed 8 years ago

JS doesn't work in private tabs post Bug 1269361 with NoScript installed (and "Allow [domain]" can't be used - NoScript incorrectly thinks scripts are being allowed)

Categories

(WebExtensions :: General, defect)

Product:
WebExtensions
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox48 unaffected, firefox49 fixed, firefox50 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox48 --- unaffected
firefox49 --- fixed
firefox50 --- fixed

People

(Reporter: Cykesiopka, Assigned: ma1)

References

Details

(Keywords: regression) 

STR:
1. Start up any Nightly with the changes from Bug 1269361 included, using a
   fresh profile.
2. Install NoScript 2.9.0.11 or 2.9.0.12rc1 and restart.
3. Visit https://www.youtube.com/watch?v=hxUAntt1z2c in a normal tab.
   (any page which is different with JS disabled should also work, but YouTube
    pages make it very visually obvious when something is broken).
4. Perform step 3, but with a private tab.

ER:
Step 3: The video should play. Thumbnails should appear on the right.
Step 4: The video should play. Thumbnails should appear on the right.

AR:
Step 3: The video plays. Thumbnails appear on the right.
Step 4: The video doesn't play. Thumbnails don't appear on the right.

No idea of relevance, but e10s status does not make a difference.
> 18:18.97 INFO: Last good revision: 16b4946069a9470a94f33791de7440966844747d
> 18:18.97 INFO: First bad revision: ff298d2993a32aeaca0eacac32d8e673298cf5c5
> 18:18.97 INFO: Pushlog:
> https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=16b4946069a9470a94f33791de7440966844747d&tochange=ff298d2993a32aeaca0eacac32d8e673298cf5c5
> 
> 18:19.23 INFO: Looks like the following bug has the changes which introduced the regression:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1269361

As a sanity check, I also did local m-i builds:
16b4946069a9 (one revision before): Good
ff298d2993a3: Bad
James: Does this seem like an issue with the Bug 1269361 code? If not, then maybe we can morph this bug into a Tech Evangelism bug against NoScript.

Thanks.
Flags: needinfo?(jandreou)
This may be caused by NoScript relying on OriginAttributes somehow...  Anyway, I think Giorgio is a better person to investigate.
Flags: needinfo?(g.maone)
Component: DOM → Add-ons
Product: Core → Tech Evangelism
Broadening summary a bit, for searchability. (after filing bug 1279945 and not coming across this bug when doing a brief search)
Summary: JS doesn't work in private tabs post Bug 1269361 with NoScript installed → JS doesn't work in private tabs post Bug 1269361 with NoScript installed (and "Allow [domain]" can't be used - NoScript incorrectly thinks scripts are being allowed)
Keywords: regression
OS: Unspecified → All
Hardware: Unspecified → All
Flags: needinfo?(jandreou)
This bug is most likely caused by interaction by NoScript and OriginAttributes. As Ehsan said, Giorgio would be the best person to investigate!
NoScript does not rely on OriginAttributes AFAIK, but I'm investigating this nonetheless. 
I'll let you know as soon as I figure it out.
Flags: needinfo?(g.maone)
(In reply to Giorgio Maone [:mao] from comment #7)
> NoScript does not rely on OriginAttributes AFAIK, but I'm investigating this
> nonetheless. 

Do you persist principals somehow, or use the origin suffix or such by any chance?

> I'll let you know as soon as I figure it out.

Great, thanks!
(In reply to :Ehsan Akhgari (out sick) from comment #9)
> (In reply to Giorgio Maone [:mao] from comment #7)
> > NoScript does not rely on OriginAttributes AFAIK, but I'm investigating this
> > nonetheless. 
> 
> Do you persist principals somehow, or use the origin suffix or such by any
> chance?
Flags: needinfo?(g.maone)
I'm looking at regressions for FF 49. What is the impact of this bug? Do we need to fix this before release (or consider any backouts)?
I've found the culprit, being an usage of principal.origin instead of principal.originNoSuffix while matching JavaScript permissions, which are mapped to "legacy" origin strings.
Fixing it in next release, hopefully this very week-end.
Flags: needinfo?(g.maone)
That's great news -- thanks Giorgio!

I'll reply to David's questions:
(In reply to David Bolter [:davidb] from comment #11)
> What is the impact of this bug?

If you have the NoScript add-on installed, Private Browsing becomes unusable, for any sites that require some JS. (All website-provided JS gets blocked, with no way to unblock.  Moreover, NoScript's UI confusingly says all scripts are allowed.)

> Do we need to fix this before release

If at all possible, yes.  (Though it's NoScript add-on code that needs to be updated to fix this, to accommodate the expanded OriginAttributes that we added in bug 1269361. Happily, it sounds like a fix is close!)

> (or consider any backouts)?

If we were to backout to fix this, we'd be backing out bug 1269361. That was a decently large patch, and it might not be easy/safe to back it out at this point.
Fixed in NoScript 2.9.0.12rc2, thank you.
https://noscript.net/getit#devel
Thanks!

Fixed for me using NoScript 2.9.0.12rc2 and Nightly 50 and Aurora 49 => FIXED, but feel free to reopen if needed.
Assignee: nobody → g.maone
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Verifying.
Component: Add-ons → General
Product: Tech Evangelism → WebExtensions
You need to log in before you can comment on or make changes to this bug.